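--- a/eap_server_ttls.c
+++ b/eap_server_ttls.c
@@ -1,8 +1,8 @@
 /*
  * hostapd / EAP-TTLS (RFC 5281)
  * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
  */
 
@@ -66,19 +66,49 @@
 
 
 static void eap_ttls_state(struct eap_ttls_data *data, int state)
 {
 	wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s",
 		   eap_ttls_state_txt(data->state),
 		   eap_ttls_state_txt(state));
 	data->state = state;
+	if (state == FAILURE)
+		tls_connection_remove_session(data->ssl.conn);
 }
 
 
+static void eap_ttls_valid_session(struct eap_sm *sm,
+				   struct eap_ttls_data *data)
+{
+	struct wpabuf *buf;
+
+	if (!sm->tls_session_lifetime)
+		return;
+
+	buf = wpabuf_alloc(1 + 1 + sm->identity_len);
+	if (!buf)
+		return;
+	wpabuf_put_u8(buf, EAP_TYPE_TTLS);
+	if (sm->identity) {
+		u8 id_len;
+
+		if (sm->identity_len <= 255)
+			id_len = sm->identity_len;
+		else
+			id_len = 255;
+		wpabuf_put_u8(buf, id_len);
+		wpabuf_put_data(buf, sm->identity, id_len);
+	} else {
+		wpabuf_put_u8(buf, 0);
+	}
+	tls_connection_set_success_data(data->ssl.conn, buf);
+}
+
+
 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
 			     int mandatory, size_t len)
 {
 	struct ttls_avp_vendor *avp;
 	u8 flags;
 	size_t hdrlen;
 
 	avp = (struct ttls_avp_vendor *) avphdr;
@@ -312,17 +342,17 @@
 	struct eap_ttls_data *data;
 
 	data = os_zalloc(sizeof(*data));
 	if (data == NULL)
 		return NULL;
 	data->ttls_version = EAP_TTLS_VERSION;
 	data->state = START;
 
-	if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
+	if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_TTLS)) {
 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
 		eap_ttls_reset(sm, data);
 		return NULL;
 	}
 
 	return data;
 }
 
@@ -513,16 +543,17 @@
 			  user_password_len) != 0) {
 		wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password");
 		eap_ttls_state(data, FAILURE);
 		return;
 	}
 
 	wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password");
 	eap_ttls_state(data, SUCCESS);
+	eap_ttls_valid_session(sm, data);
 }
 
 
 static void eap_ttls_process_phase2_chap(struct eap_sm *sm,
 					 struct eap_ttls_data *data,
 					 const u8 *challenge,
 					 size_t challenge_len,
 					 const u8 *password,
@@ -571,16 +602,17 @@
 	/* MD5(Ident + Password + Challenge) */
 	chap_md5(password[0], sm->user->password, sm->user->password_len,
 		 challenge, challenge_len, hash);
 
 	if (os_memcmp_const(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) ==
 	    0) {
 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password");
 		eap_ttls_state(data, SUCCESS);
+		eap_ttls_valid_session(sm, data);
 	} else {
 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password");
 		eap_ttls_state(data, FAILURE);
 	}
 }
 
 
 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm,
@@ -613,35 +645,42 @@
 					       EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
 	if (chal == NULL) {
 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate "
 			   "challenge from TLS data");
 		eap_ttls_state(data, FAILURE);
 		return;
 	}
 
+#ifdef CONFIG_TESTING_OPTIONS
+	eap_server_mschap_rx_callback(sm, "TTLS-MSCHAP",
+				      sm->identity, sm->identity_len,
+				      challenge, response + 2 + 24);
+#endif /* CONFIG_TESTING_OPTIONS */
+
 	if (os_memcmp_const(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN)
 	    != 0 ||
 	    response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) {
 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch");
 		os_free(chal);
 		eap_ttls_state(data, FAILURE);
 		return;
 	}
 	os_free(chal);
 
 	if (sm->user->password_hash)
 		challenge_response(challenge, sm->user->password, nt_response);
 	else
 		nt_challenge_response(challenge, sm->user->password,
 				      sm->user->password_len, nt_response);
 
 	if (os_memcmp_const(nt_response, response + 2 + 24, 24) == 0) {
 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response");
 		eap_ttls_state(data, SUCCESS);
+		eap_ttls_valid_session(sm, data);
 	} else {
 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response");
 		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received",
 			    response + 2 + 24, 24);
 		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected",
 			    nt_response, 24);
 		eap_ttls_state(data, FAILURE);
 	}
@@ -735,16 +774,28 @@
 		generate_nt_response(auth_challenge, peer_challenge,
 				     username, username_len,
 				     sm->user->password,
 				     sm->user->password_len,
 				     nt_response);
 	}
 
 	rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8;
+#ifdef CONFIG_TESTING_OPTIONS
+	{
+		u8 challenge2[8];
+
+		if (challenge_hash(peer_challenge, auth_challenge,
+				   username, username_len, challenge2) == 0) {
+			eap_server_mschap_rx_callback(sm, "TTLS-MSCHAPV2",
+						      username, username_len,
+						      challenge2, rx_resp);
+		}
+	}
+#endif /* CONFIG_TESTING_OPTIONS */
 	if (os_memcmp_const(nt_response, rx_resp, 24) == 0) {
 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct "
 			   "NT-Response");
 		data->mschapv2_resp_ok = 1;
 
 		if (sm->user->password_hash) {
 			generate_authenticator_response_pwhash(
 				sm->user->password,
@@ -883,16 +934,17 @@
 		if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize "
 				   "EAP type %d", next_type);
 			eap_ttls_state(data, FAILURE);
 		}
 		break;
 	case PHASE2_METHOD:
 		eap_ttls_state(data, SUCCESS);
+		eap_ttls_valid_session(sm, data);
 		break;
 	case FAILURE:
 		break;
 	default:
 		wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
 			   __func__, data->state);
 		break;
 	}
@@ -1106,16 +1158,17 @@
 		eap_ttls_start_tnc(sm, data);
 		break;
 	case PHASE2_MSCHAPV2_RESP:
 		if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) ==
 		    0) {
 			wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
 				   "acknowledged response");
 			eap_ttls_state(data, SUCCESS);
+			eap_ttls_valid_session(sm, data);
 		} else if (!data->mschapv2_resp_ok) {
 			wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
 				   "acknowledged error");
 			eap_ttls_state(data, FAILURE);
 		} else {
 			wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected "
 				   "frame from peer (payload len %lu, "
 				   "expected empty frame)",
@@ -1132,20 +1185,74 @@
 	}
 }
 
 
 static void eap_ttls_process(struct eap_sm *sm, void *priv,
 			     struct wpabuf *respData)
 {
 	struct eap_ttls_data *data = priv;
+	const struct wpabuf *buf;
+	const u8 *pos;
+	u8 id_len;
+
 	if (eap_server_tls_process(sm, &data->ssl, respData, data,
 				   EAP_TYPE_TTLS, eap_ttls_process_version,
-				   eap_ttls_process_msg) < 0)
-		eap_ttls_state(data, FAILURE);
+				   eap_ttls_process_msg) < 0) {
+		eap_ttls_state(data, FAILURE);
+		return;
+	}
+
+	if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
+	    !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
+		return;
+
+	buf = tls_connection_get_success_data(data->ssl.conn);
+	if (!buf || wpabuf_len(buf) < 1) {
+		wpa_printf(MSG_DEBUG,
+			   "EAP-TTLS: No success data in resumed session - reject attempt");
+		eap_ttls_state(data, FAILURE);
+		return;
+	}
+
+	pos = wpabuf_head(buf);
+	if (*pos != EAP_TYPE_TTLS) {
+		wpa_printf(MSG_DEBUG,
+			   "EAP-TTLS: Resumed session for another EAP type (%u) - reject attempt",
+			   *pos);
+		eap_ttls_state(data, FAILURE);
+		return;
+	}
+
+	pos++;
+	id_len = *pos++;
+	wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: Identity from cached session",
+			  pos, id_len);
+	os_free(sm->identity);
+	sm->identity = os_malloc(id_len ? id_len : 1);
+	if (!sm->identity) {
+		sm->identity_len = 0;
+		eap_ttls_state(data, FAILURE);
+		return;
+	}
+
+	os_memcpy(sm->identity, pos, id_len);
+	sm->identity_len = id_len;
+
+	if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
+		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not found in the user database",
+				  sm->identity, sm->identity_len);
+		eap_ttls_state(data, FAILURE);
+		return;
+	}
+
+	wpa_printf(MSG_DEBUG,
+		   "EAP-TTLS: Resuming previous session - skip Phase2");
+	eap_ttls_state(data, SUCCESS);
+	tls_connection_set_success_data_resumed(data->ssl.conn);
 }
 
 
 static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv)
 {
 	struct eap_ttls_data *data = priv;
 	return data->state == SUCCESS || data->state == FAILURE;
 }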
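Review bot: The cached-session parser added to eap_ttls_process only checks `wpabuf_len(buf) < 1` before reading a second byte (`id_len = *pos++`) and then copying `id_len` bytes from `pos`, so the buffer length is never compared with `2 + id_len`. In practice the blob comes from eap_ttls_valid_session in this same file, which always writes exactly 1 + 1 + id_len bytes, so the layout is self-consistent today; a bound check still makes the resume path robust to a shorter or differently formatted success-data blob from another producer or a future format change. I would tighten the first guard to `if (!buf || wpabuf_len(buf) < 2) {` and, after `id_len = *pos++;`, add `if (id_len > wpabuf_len(buf) - 2) { eap_ttls_state(data, FAILURE); return; }`. On the producer side, eap_ttls_valid_session silently caps the stored identity at 255 bytes; a one-line comment such as `/* identity is truncated to 255 octets; a longer identity will not match on resume and Phase 2 is re-run */` would document that the truncation is intentional and fails closed via the eap_user_get check.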