1/*
2 * EAP peer method: EAP-TTLS (RFC 5281)
3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10
11#include "common.h"
12#include "crypto/ms_funcs.h"
13#include "crypto/sha1.h"
14#include "crypto/tls.h"
15#include "eap_common/chap.h"
16#include "eap_common/eap_ttls.h"
17#include "mschapv2.h"
18#include "eap_i.h"
19#include "eap_tls_common.h"
20#include "eap_config.h"
21
22
23#define EAP_TTLS_VERSION 0
24
25
26static void eap_ttls_deinit(struct eap_sm *sm, void *priv);
27
28
29struct eap_ttls_data {
30	struct eap_ssl_data ssl;
31
32	int ttls_version;
33
34	const struct eap_method *phase2_method;
35	void *phase2_priv;
36	int phase2_success;
37	int phase2_start;
38
39	enum phase2_types {
40		EAP_TTLS_PHASE2_EAP,
41		EAP_TTLS_PHASE2_MSCHAPV2,
42		EAP_TTLS_PHASE2_MSCHAP,
43		EAP_TTLS_PHASE2_PAP,
44		EAP_TTLS_PHASE2_CHAP
45	} phase2_type;
46	struct eap_method_type phase2_eap_type;
47	struct eap_method_type *phase2_eap_types;
48	size_t num_phase2_eap_types;
49
50	u8 auth_response[MSCHAPV2_AUTH_RESPONSE_LEN];
51	int auth_response_valid;
52	u8 master_key[MSCHAPV2_MASTER_KEY_LEN]; /* MSCHAPv2 master key */
53	u8 ident;
54	int resuming; /* starting a resumed session */
55	int reauth; /* reauthentication */
56	u8 *key_data;
57
58	struct wpabuf *pending_phase2_req;
59
60#ifdef EAP_TNC
61	int ready_for_tnc;
62	int tnc_started;
63#endif /* EAP_TNC */
64};
65
66
67static void * eap_ttls_init(struct eap_sm *sm)
68{
69	struct eap_ttls_data *data;
70	struct eap_peer_config *config = eap_get_config(sm);
71	char *selected;
72
73	data = os_zalloc(sizeof(*data));
74	if (data == NULL)
75		return NULL;
76	data->ttls_version = EAP_TTLS_VERSION;
77	selected = "EAP";
78	data->phase2_type = EAP_TTLS_PHASE2_EAP;
79
80	if (config && config->phase2) {
81		if (os_strstr(config->phase2, "autheap=")) {
82			selected = "EAP";
83			data->phase2_type = EAP_TTLS_PHASE2_EAP;
84		} else if (os_strstr(config->phase2, "auth=MSCHAPV2")) {
85			selected = "MSCHAPV2";
86			data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2;
87		} else if (os_strstr(config->phase2, "auth=MSCHAP")) {
88			selected = "MSCHAP";
89			data->phase2_type = EAP_TTLS_PHASE2_MSCHAP;
90		} else if (os_strstr(config->phase2, "auth=PAP")) {
91			selected = "PAP";
92			data->phase2_type = EAP_TTLS_PHASE2_PAP;
93		} else if (os_strstr(config->phase2, "auth=CHAP")) {
94			selected = "CHAP";
95			data->phase2_type = EAP_TTLS_PHASE2_CHAP;
96		}
97	}
98	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected);
99
100	if (data->phase2_type == EAP_TTLS_PHASE2_EAP) {
101		if (eap_peer_select_phase2_methods(config, "autheap=",
102						   &data->phase2_eap_types,
103						   &data->num_phase2_eap_types)
104		    < 0) {
105			eap_ttls_deinit(sm, data);
106			return NULL;
107		}
108
109		data->phase2_eap_type.vendor = EAP_VENDOR_IETF;
110		data->phase2_eap_type.method = EAP_TYPE_NONE;
111	}
112
113	if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TTLS)) {
114		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
115		eap_ttls_deinit(sm, data);
116		return NULL;
117	}
118
119	return data;
120}
121
122
123static void eap_ttls_phase2_eap_deinit(struct eap_sm *sm,
124				       struct eap_ttls_data *data)
125{
126	if (data->phase2_priv && data->phase2_method) {
127		data->phase2_method->deinit(sm, data->phase2_priv);
128		data->phase2_method = NULL;
129		data->phase2_priv = NULL;
130	}
131}
132
133
134static void eap_ttls_deinit(struct eap_sm *sm, void *priv)
135{
136	struct eap_ttls_data *data = priv;
137	if (data == NULL)
138		return;
139	eap_ttls_phase2_eap_deinit(sm, data);
140	os_free(data->phase2_eap_types);
141	eap_peer_tls_ssl_deinit(sm, &data->ssl);
142	os_free(data->key_data);
143	wpabuf_free(data->pending_phase2_req);
144	os_free(data);
145}
146
147
148static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
149			     int mandatory, size_t len)
150{
151	struct ttls_avp_vendor *avp;
152	u8 flags;
153	size_t hdrlen;
154
155	avp = (struct ttls_avp_vendor *) avphdr;
156	flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
157	if (vendor_id) {
158		flags |= AVP_FLAGS_VENDOR;
159		hdrlen = sizeof(*avp);
160		avp->vendor_id = host_to_be32(vendor_id);
161	} else {
162		hdrlen = sizeof(struct ttls_avp);
163	}
164
165	avp->avp_code = host_to_be32(avp_code);
166	avp->avp_length = host_to_be32((flags << 24) | (u32) (hdrlen + len));
167
168	return avphdr + hdrlen;
169}
170
171
172static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code,
173			     u32 vendor_id, int mandatory,
174			     const u8 *data, size_t len)
175{
176	u8 *pos;
177	pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len);
178	os_memcpy(pos, data, len);
179	pos += len;
180	AVP_PAD(start, pos);
181	return pos;
182}
183
184
185static int eap_ttls_avp_encapsulate(struct wpabuf **resp, u32 avp_code,
186				    int mandatory)
187{
188	struct wpabuf *msg;
189	u8 *avp, *pos;
190
191	msg = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(*resp) + 4);
192	if (msg == NULL) {
193		wpabuf_free(*resp);
194		*resp = NULL;
195		return -1;
196	}
197
198	avp = wpabuf_mhead(msg);
199	pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, wpabuf_len(*resp));
200	os_memcpy(pos, wpabuf_head(*resp), wpabuf_len(*resp));
201	pos += wpabuf_len(*resp);
202	AVP_PAD(avp, pos);
203	wpabuf_free(*resp);
204	wpabuf_put(msg, pos - avp);
205	*resp = msg;
206	return 0;
207}
208
209
210static int eap_ttls_v0_derive_key(struct eap_sm *sm,
211				  struct eap_ttls_data *data)
212{
213	os_free(data->key_data);
214	data->key_data = eap_peer_tls_derive_key(sm, &data->ssl,
215						 "ttls keying material",
216						 EAP_TLS_KEY_LEN);
217	if (!data->key_data) {
218		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to derive key");
219		return -1;
220	}
221
222	wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
223			data->key_data, EAP_TLS_KEY_LEN);
224
225	return 0;
226}
227
228
229static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
230					struct eap_ttls_data *data, size_t len)
231{
232	return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", len);
233}
234
235
236static void eap_ttls_phase2_select_eap_method(struct eap_ttls_data *data,
237					      u8 method)
238{
239	size_t i;
240	for (i = 0; i < data->num_phase2_eap_types; i++) {
241		if (data->phase2_eap_types[i].vendor != EAP_VENDOR_IETF ||
242		    data->phase2_eap_types[i].method != method)
243			continue;
244
245		data->phase2_eap_type.vendor =
246			data->phase2_eap_types[i].vendor;
247		data->phase2_eap_type.method =
248			data->phase2_eap_types[i].method;
249		wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected "
250			   "Phase 2 EAP vendor %d method %d",
251			   data->phase2_eap_type.vendor,
252			   data->phase2_eap_type.method);
253		break;
254	}
255}
256
257
258static int eap_ttls_phase2_eap_process(struct eap_sm *sm,
259				       struct eap_ttls_data *data,
260				       struct eap_method_ret *ret,
261				       struct eap_hdr *hdr, size_t len,
262				       struct wpabuf **resp)
263{
264	struct wpabuf msg;
265	struct eap_method_ret iret;
266
267	os_memset(&iret, 0, sizeof(iret));
268	wpabuf_set(&msg, hdr, len);
269	*resp = data->phase2_method->process(sm, data->phase2_priv, &iret,
270					     &msg);
271	if ((iret.methodState == METHOD_DONE ||
272	     iret.methodState == METHOD_MAY_CONT) &&
273	    (iret.decision == DECISION_UNCOND_SUCC ||
274	     iret.decision == DECISION_COND_SUCC ||
275	     iret.decision == DECISION_FAIL)) {
276		ret->methodState = iret.methodState;
277		ret->decision = iret.decision;
278	}
279
280	return 0;
281}
282
283
284static int eap_ttls_phase2_request_eap_method(struct eap_sm *sm,
285					      struct eap_ttls_data *data,
286					      struct eap_method_ret *ret,
287					      struct eap_hdr *hdr, size_t len,
288					      u8 method, struct wpabuf **resp)
289{
290#ifdef EAP_TNC
291	if (data->tnc_started && data->phase2_method &&
292	    data->phase2_priv && method == EAP_TYPE_TNC &&
293	    data->phase2_eap_type.method == EAP_TYPE_TNC)
294		return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len,
295						   resp);
296
297	if (data->ready_for_tnc && !data->tnc_started &&
298	    method == EAP_TYPE_TNC) {
299		wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed "
300			   "EAP method");
301		data->tnc_started = 1;
302	}
303
304	if (data->tnc_started) {
305		if (data->phase2_eap_type.vendor != EAP_VENDOR_IETF ||
306		    data->phase2_eap_type.method == EAP_TYPE_TNC) {
307			wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected EAP "
308				   "type %d for TNC", method);
309			return -1;
310		}
311
312		data->phase2_eap_type.vendor = EAP_VENDOR_IETF;
313		data->phase2_eap_type.method = method;
314		wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected "
315			   "Phase 2 EAP vendor %d method %d (TNC)",
316			   data->phase2_eap_type.vendor,
317			   data->phase2_eap_type.method);
318
319		if (data->phase2_type == EAP_TTLS_PHASE2_EAP)
320			eap_ttls_phase2_eap_deinit(sm, data);
321	}
322#endif /* EAP_TNC */
323
324	if (data->phase2_eap_type.vendor == EAP_VENDOR_IETF &&
325	    data->phase2_eap_type.method == EAP_TYPE_NONE)
326		eap_ttls_phase2_select_eap_method(data, method);
327
328	if (method != data->phase2_eap_type.method || method == EAP_TYPE_NONE)
329	{
330		if (eap_peer_tls_phase2_nak(data->phase2_eap_types,
331					    data->num_phase2_eap_types,
332					    hdr, resp))
333			return -1;
334		return 0;
335	}
336
337	if (data->phase2_priv == NULL) {
338		data->phase2_method = eap_peer_get_eap_method(
339			EAP_VENDOR_IETF, method);
340		if (data->phase2_method) {
341			sm->init_phase2 = 1;
342			data->phase2_priv = data->phase2_method->init(sm);
343			sm->init_phase2 = 0;
344		}
345	}
346	if (data->phase2_priv == NULL || data->phase2_method == NULL) {
347		wpa_printf(MSG_INFO, "EAP-TTLS: failed to initialize "
348			   "Phase 2 EAP method %d", method);
349		return -1;
350	}
351
352	return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, resp);
353}
354
355
356static int eap_ttls_phase2_request_eap(struct eap_sm *sm,
357				       struct eap_ttls_data *data,
358				       struct eap_method_ret *ret,
359				       struct eap_hdr *hdr,
360				       struct wpabuf **resp)
361{
362	size_t len = be_to_host16(hdr->length);
363	u8 *pos;
364	struct eap_peer_config *config = eap_get_config(sm);
365
366	if (len <= sizeof(struct eap_hdr)) {
367		wpa_printf(MSG_INFO, "EAP-TTLS: too short "
368			   "Phase 2 request (len=%lu)", (unsigned long) len);
369		return -1;
370	}
371	pos = (u8 *) (hdr + 1);
372	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos);
373	switch (*pos) {
374	case EAP_TYPE_IDENTITY:
375		*resp = eap_sm_buildIdentity(sm, hdr->identifier, 1);
376		break;
377	default:
378		if (eap_ttls_phase2_request_eap_method(sm, data, ret, hdr, len,
379						       *pos, resp) < 0)
380			return -1;
381		break;
382	}
383
384	if (*resp == NULL &&
385	    (config->pending_req_identity || config->pending_req_password ||
386	     config->pending_req_otp)) {
387		return 0;
388	}
389
390	if (*resp == NULL)
391		return -1;
392
393	wpa_hexdump_buf(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response",
394			*resp);
395	return eap_ttls_avp_encapsulate(resp, RADIUS_ATTR_EAP_MESSAGE, 1);
396}
397
398
399static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
400					    struct eap_ttls_data *data,
401					    struct eap_method_ret *ret,
402					    struct wpabuf **resp)
403{
404#ifdef EAP_MSCHAPv2
405	struct wpabuf *msg;
406	u8 *buf, *pos, *challenge, *peer_challenge;
407	const u8 *identity, *password;
408	size_t identity_len, password_len;
409	int pwhash;
410
411	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request");
412
413	identity = eap_get_config_identity(sm, &identity_len);
414	password = eap_get_config_password2(sm, &password_len, &pwhash);
415	if (identity == NULL || password == NULL)
416		return -1;
417
418	msg = wpabuf_alloc(identity_len + 1000);
419	if (msg == NULL) {
420		wpa_printf(MSG_ERROR,
421			   "EAP-TTLS/MSCHAPV2: Failed to allocate memory");
422		return -1;
423	}
424	pos = buf = wpabuf_mhead(msg);
425
426	/* User-Name */
427	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
428			       identity, identity_len);
429
430	/* MS-CHAP-Challenge */
431	challenge = eap_ttls_implicit_challenge(
432		sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
433	if (challenge == NULL) {
434		wpabuf_free(msg);
435		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
436			   "implicit challenge");
437		return -1;
438	}
439
440	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
441			       RADIUS_VENDOR_ID_MICROSOFT, 1,
442			       challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
443
444	/* MS-CHAP2-Response */
445	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE,
446			       RADIUS_VENDOR_ID_MICROSOFT, 1,
447			       EAP_TTLS_MSCHAPV2_RESPONSE_LEN);
448	data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN];
449	*pos++ = data->ident;
450	*pos++ = 0; /* Flags */
451	if (os_get_random(pos, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) < 0) {
452		os_free(challenge);
453		wpabuf_free(msg);
454		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to get "
455			   "random data for peer challenge");
456		return -1;
457	}
458	peer_challenge = pos;
459	pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
460	os_memset(pos, 0, 8); /* Reserved, must be zero */
461	pos += 8;
462	if (mschapv2_derive_response(identity, identity_len, password,
463				     password_len, pwhash, challenge,
464				     peer_challenge, pos, data->auth_response,
465				     data->master_key)) {
466		os_free(challenge);
467		wpabuf_free(msg);
468		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
469			   "response");
470		return -1;
471	}
472	data->auth_response_valid = 1;
473
474	pos += 24;
475	os_free(challenge);
476	AVP_PAD(buf, pos);
477
478	wpabuf_put(msg, pos - buf);
479	*resp = msg;
480
481	if (sm->workaround) {
482		/* At least FreeRADIUS seems to be terminating
483		 * EAP-TTLS/MSHCAPV2 without the expected MS-CHAP-v2 Success
484		 * packet. */
485		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: EAP workaround - "
486			   "allow success without tunneled response");
487		ret->methodState = METHOD_MAY_CONT;
488		ret->decision = DECISION_COND_SUCC;
489	}
490
491	return 0;
492#else /* EAP_MSCHAPv2 */
493	wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
494	return -1;
495#endif /* EAP_MSCHAPv2 */
496}
497
498
499static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
500					  struct eap_ttls_data *data,
501					  struct eap_method_ret *ret,
502					  struct wpabuf **resp)
503{
504	struct wpabuf *msg;
505	u8 *buf, *pos, *challenge;
506	const u8 *identity, *password;
507	size_t identity_len, password_len;
508	int pwhash;
509
510	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request");
511
512	identity = eap_get_config_identity(sm, &identity_len);
513	password = eap_get_config_password2(sm, &password_len, &pwhash);
514	if (identity == NULL || password == NULL)
515		return -1;
516
517	msg = wpabuf_alloc(identity_len + 1000);
518	if (msg == NULL) {
519		wpa_printf(MSG_ERROR,
520			   "EAP-TTLS/MSCHAP: Failed to allocate memory");
521		return -1;
522	}
523	pos = buf = wpabuf_mhead(msg);
524
525	/* User-Name */
526	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
527			       identity, identity_len);
528
529	/* MS-CHAP-Challenge */
530	challenge = eap_ttls_implicit_challenge(
531		sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
532	if (challenge == NULL) {
533		wpabuf_free(msg);
534		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive "
535			   "implicit challenge");
536		return -1;
537	}
538
539	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
540			       RADIUS_VENDOR_ID_MICROSOFT, 1,
541			       challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
542
543	/* MS-CHAP-Response */
544	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE,
545			       RADIUS_VENDOR_ID_MICROSOFT, 1,
546			       EAP_TTLS_MSCHAP_RESPONSE_LEN);
547	data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN];
548	*pos++ = data->ident;
549	*pos++ = 1; /* Flags: Use NT style passwords */
550	os_memset(pos, 0, 24); /* LM-Response */
551	pos += 24;
552	if (pwhash) {
553		challenge_response(challenge, password, pos); /* NT-Response */
554		wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password hash",
555				password, 16);
556	} else {
557		nt_challenge_response(challenge, password, password_len,
558				      pos); /* NT-Response */
559		wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password",
560				      password, password_len);
561	}
562	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge",
563		    challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
564	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24);
565	pos += 24;
566	os_free(challenge);
567	AVP_PAD(buf, pos);
568
569	wpabuf_put(msg, pos - buf);
570	*resp = msg;
571
572	/* EAP-TTLS/MSCHAP does not provide tunneled success
573	 * notification, so assume that Phase2 succeeds. */
574	ret->methodState = METHOD_DONE;
575	ret->decision = DECISION_COND_SUCC;
576
577	return 0;
578}
579
580
581static int eap_ttls_phase2_request_pap(struct eap_sm *sm,
582				       struct eap_ttls_data *data,
583				       struct eap_method_ret *ret,
584				       struct wpabuf **resp)
585{
586	struct wpabuf *msg;
587	u8 *buf, *pos;
588	size_t pad;
589	const u8 *identity, *password;
590	size_t identity_len, password_len;
591
592	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request");
593
594	identity = eap_get_config_identity(sm, &identity_len);
595	password = eap_get_config_password(sm, &password_len);
596	if (identity == NULL || password == NULL)
597		return -1;
598
599	msg = wpabuf_alloc(identity_len + password_len + 100);
600	if (msg == NULL) {
601		wpa_printf(MSG_ERROR,
602			   "EAP-TTLS/PAP: Failed to allocate memory");
603		return -1;
604	}
605	pos = buf = wpabuf_mhead(msg);
606
607	/* User-Name */
608	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
609			       identity, identity_len);
610
611	/* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts
612	 * the data, so no separate encryption is used in the AVP itself.
613	 * However, the password is padded to obfuscate its length. */
614	pad = password_len == 0 ? 16 : (16 - (password_len & 15)) & 15;
615	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1,
616			       password_len + pad);
617	os_memcpy(pos, password, password_len);
618	pos += password_len;
619	os_memset(pos, 0, pad);
620	pos += pad;
621	AVP_PAD(buf, pos);
622
623	wpabuf_put(msg, pos - buf);
624	*resp = msg;
625
626	/* EAP-TTLS/PAP does not provide tunneled success notification,
627	 * so assume that Phase2 succeeds. */
628	ret->methodState = METHOD_DONE;
629	ret->decision = DECISION_COND_SUCC;
630
631	return 0;
632}
633
634
635static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
636					struct eap_ttls_data *data,
637					struct eap_method_ret *ret,
638					struct wpabuf **resp)
639{
640	struct wpabuf *msg;
641	u8 *buf, *pos, *challenge;
642	const u8 *identity, *password;
643	size_t identity_len, password_len;
644
645	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request");
646
647	identity = eap_get_config_identity(sm, &identity_len);
648	password = eap_get_config_password(sm, &password_len);
649	if (identity == NULL || password == NULL)
650		return -1;
651
652	msg = wpabuf_alloc(identity_len + 1000);
653	if (msg == NULL) {
654		wpa_printf(MSG_ERROR,
655			   "EAP-TTLS/CHAP: Failed to allocate memory");
656		return -1;
657	}
658	pos = buf = wpabuf_mhead(msg);
659
660	/* User-Name */
661	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
662			       identity, identity_len);
663
664	/* CHAP-Challenge */
665	challenge = eap_ttls_implicit_challenge(
666		sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
667	if (challenge == NULL) {
668		wpabuf_free(msg);
669		wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive "
670			   "implicit challenge");
671		return -1;
672	}
673
674	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1,
675			       challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
676
677	/* CHAP-Password */
678	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1,
679			       1 + EAP_TTLS_CHAP_PASSWORD_LEN);
680	data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN];
681	*pos++ = data->ident;
682
683	/* MD5(Ident + Password + Challenge) */
684	chap_md5(data->ident, password, password_len, challenge,
685		 EAP_TTLS_CHAP_CHALLENGE_LEN, pos);
686
687	wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username",
688			  identity, identity_len);
689	wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password",
690			      password, password_len);
691	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge",
692		    challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
693	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password",
694		    pos, EAP_TTLS_CHAP_PASSWORD_LEN);
695	pos += EAP_TTLS_CHAP_PASSWORD_LEN;
696	os_free(challenge);
697	AVP_PAD(buf, pos);
698
699	wpabuf_put(msg, pos - buf);
700	*resp = msg;
701
702	/* EAP-TTLS/CHAP does not provide tunneled success
703	 * notification, so assume that Phase2 succeeds. */
704	ret->methodState = METHOD_DONE;
705	ret->decision = DECISION_COND_SUCC;
706
707	return 0;
708}
709
710
711static int eap_ttls_phase2_request(struct eap_sm *sm,
712				   struct eap_ttls_data *data,
713				   struct eap_method_ret *ret,
714				   struct eap_hdr *hdr,
715				   struct wpabuf **resp)
716{
717	int res = 0;
718	size_t len;
719	enum phase2_types phase2_type = data->phase2_type;
720
721#ifdef EAP_TNC
722	if (data->tnc_started) {
723		wpa_printf(MSG_DEBUG, "EAP-TTLS: Processing TNC");
724		phase2_type = EAP_TTLS_PHASE2_EAP;
725	}
726#endif /* EAP_TNC */
727
728	if (phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 ||
729	    phase2_type == EAP_TTLS_PHASE2_MSCHAP ||
730	    phase2_type == EAP_TTLS_PHASE2_PAP ||
731	    phase2_type == EAP_TTLS_PHASE2_CHAP) {
732		if (eap_get_config_identity(sm, &len) == NULL) {
733			wpa_printf(MSG_INFO,
734				   "EAP-TTLS: Identity not configured");
735			eap_sm_request_identity(sm);
736			if (eap_get_config_password(sm, &len) == NULL)
737				eap_sm_request_password(sm);
738			return 0;
739		}
740
741		if (eap_get_config_password(sm, &len) == NULL) {
742			wpa_printf(MSG_INFO,
743				   "EAP-TTLS: Password not configured");
744			eap_sm_request_password(sm);
745			return 0;
746		}
747	}
748
749	switch (phase2_type) {
750	case EAP_TTLS_PHASE2_EAP:
751		res = eap_ttls_phase2_request_eap(sm, data, ret, hdr, resp);
752		break;
753	case EAP_TTLS_PHASE2_MSCHAPV2:
754		res = eap_ttls_phase2_request_mschapv2(sm, data, ret, resp);
755		break;
756	case EAP_TTLS_PHASE2_MSCHAP:
757		res = eap_ttls_phase2_request_mschap(sm, data, ret, resp);
758		break;
759	case EAP_TTLS_PHASE2_PAP:
760		res = eap_ttls_phase2_request_pap(sm, data, ret, resp);
761		break;
762	case EAP_TTLS_PHASE2_CHAP:
763		res = eap_ttls_phase2_request_chap(sm, data, ret, resp);
764		break;
765	default:
766		wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown");
767		res = -1;
768		break;
769	}
770
771	if (res < 0) {
772		ret->methodState = METHOD_DONE;
773		ret->decision = DECISION_FAIL;
774	}
775
776	return res;
777}
778
779
780struct ttls_parse_avp {
781	u8 *mschapv2;
782	u8 *eapdata;
783	size_t eap_len;
784	int mschapv2_error;
785};
786
787
788static int eap_ttls_parse_attr_eap(const u8 *dpos, size_t dlen,
789				   struct ttls_parse_avp *parse)
790{
791	wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
792	if (parse->eapdata == NULL) {
793		parse->eapdata = os_malloc(dlen);
794		if (parse->eapdata == NULL) {
795			wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate "
796				   "memory for Phase 2 EAP data");
797			return -1;
798		}
799		os_memcpy(parse->eapdata, dpos, dlen);
800		parse->eap_len = dlen;
801	} else {
802		u8 *neweap = os_realloc(parse->eapdata, parse->eap_len + dlen);
803		if (neweap == NULL) {
804			wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate "
805				   "memory for Phase 2 EAP data");
806			return -1;
807		}
808		os_memcpy(neweap + parse->eap_len, dpos, dlen);
809		parse->eapdata = neweap;
810		parse->eap_len += dlen;
811	}
812
813	return 0;
814}
815
816
817static int eap_ttls_parse_avp(u8 *pos, size_t left,
818			      struct ttls_parse_avp *parse)
819{
820	struct ttls_avp *avp;
821	u32 avp_code, avp_length, vendor_id = 0;
822	u8 avp_flags, *dpos;
823	size_t dlen;
824
825	avp = (struct ttls_avp *) pos;
826	avp_code = be_to_host32(avp->avp_code);
827	avp_length = be_to_host32(avp->avp_length);
828	avp_flags = (avp_length >> 24) & 0xff;
829	avp_length &= 0xffffff;
830	wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
831		   "length=%d", (int) avp_code, avp_flags,
832		   (int) avp_length);
833
834	if (avp_length > left) {
835		wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
836			   "(len=%d, left=%lu) - dropped",
837			   (int) avp_length, (unsigned long) left);
838		return -1;
839	}
840
841	if (avp_length < sizeof(*avp)) {
842		wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length %d",
843			   avp_length);
844		return -1;
845	}
846
847	dpos = (u8 *) (avp + 1);
848	dlen = avp_length - sizeof(*avp);
849	if (avp_flags & AVP_FLAGS_VENDOR) {
850		if (dlen < 4) {
851			wpa_printf(MSG_WARNING, "EAP-TTLS: Vendor AVP "
852				   "underflow");
853			return -1;
854		}
855		vendor_id = WPA_GET_BE32(dpos);
856		wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
857			   (int) vendor_id);
858		dpos += 4;
859		dlen -= 4;
860	}
861
862	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
863
864	if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
865		if (eap_ttls_parse_attr_eap(dpos, dlen, parse) < 0)
866			return -1;
867	} else if (vendor_id == 0 && avp_code == RADIUS_ATTR_REPLY_MESSAGE) {
868		/* This is an optional message that can be displayed to
869		 * the user. */
870		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: AVP - Reply-Message",
871				  dpos, dlen);
872	} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
873		   avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) {
874		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP2-Success",
875				  dpos, dlen);
876		if (dlen != 43) {
877			wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected "
878				   "MS-CHAP2-Success length "
879				   "(len=%lu, expected 43)",
880				   (unsigned long) dlen);
881			return -1;
882		}
883		parse->mschapv2 = dpos;
884	} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
885		   avp_code == RADIUS_ATTR_MS_CHAP_ERROR) {
886		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP-Error",
887				  dpos, dlen);
888		parse->mschapv2_error = 1;
889	} else if (avp_flags & AVP_FLAGS_MANDATORY) {
890		wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported mandatory AVP "
891			   "code %d vendor_id %d - dropped",
892			   (int) avp_code, (int) vendor_id);
893		return -1;
894	} else {
895		wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported AVP "
896			   "code %d vendor_id %d",
897			   (int) avp_code, (int) vendor_id);
898	}
899
900	return avp_length;
901}
902
903
904static int eap_ttls_parse_avps(struct wpabuf *in_decrypted,
905			       struct ttls_parse_avp *parse)
906{
907	u8 *pos;
908	size_t left, pad;
909	int avp_length;
910
911	pos = wpabuf_mhead(in_decrypted);
912	left = wpabuf_len(in_decrypted);
913	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs", pos, left);
914	if (left < sizeof(struct ttls_avp)) {
915		wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame"
916			   " len=%lu expected %lu or more - dropped",
917			   (unsigned long) left,
918			   (unsigned long) sizeof(struct ttls_avp));
919		return -1;
920	}
921
922	/* Parse AVPs */
923	os_memset(parse, 0, sizeof(*parse));
924
925	while (left > 0) {
926		avp_length = eap_ttls_parse_avp(pos, left, parse);
927		if (avp_length < 0)
928			return -1;
929
930		pad = (4 - (avp_length & 3)) & 3;
931		pos += avp_length + pad;
932		if (left < avp_length + pad)
933			left = 0;
934		else
935			left -= avp_length + pad;
936	}
937
938	return 0;
939}
940
941
942static u8 * eap_ttls_fake_identity_request(void)
943{
944	struct eap_hdr *hdr;
945	u8 *buf;
946
947	wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of "
948		   "Phase 2 - use fake EAP-Request Identity");
949	buf = os_malloc(sizeof(*hdr) + 1);
950	if (buf == NULL) {
951		wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate "
952			   "memory for fake EAP-Identity Request");
953		return NULL;
954	}
955
956	hdr = (struct eap_hdr *) buf;
957	hdr->code = EAP_CODE_REQUEST;
958	hdr->identifier = 0;
959	hdr->length = host_to_be16(sizeof(*hdr) + 1);
960	buf[sizeof(*hdr)] = EAP_TYPE_IDENTITY;
961
962	return buf;
963}
964
965
966static int eap_ttls_encrypt_response(struct eap_sm *sm,
967				     struct eap_ttls_data *data,
968				     struct wpabuf *resp, u8 identifier,
969				     struct wpabuf **out_data)
970{
971	if (resp == NULL)
972		return 0;
973
974	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data",
975			    resp);
976	if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS,
977				 data->ttls_version, identifier,
978				 resp, out_data)) {
979		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt a Phase 2 "
980			   "frame");
981		return -1;
982	}
983	wpabuf_free(resp);
984
985	return 0;
986}
987
988
989static int eap_ttls_process_phase2_eap(struct eap_sm *sm,
990				       struct eap_ttls_data *data,
991				       struct eap_method_ret *ret,
992				       struct ttls_parse_avp *parse,
993				       struct wpabuf **resp)
994{
995	struct eap_hdr *hdr;
996	size_t len;
997
998	if (parse->eapdata == NULL) {
999		wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in the "
1000			   "packet - dropped");
1001		return -1;
1002	}
1003
1004	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP",
1005		    parse->eapdata, parse->eap_len);
1006	hdr = (struct eap_hdr *) parse->eapdata;
1007
1008	if (parse->eap_len < sizeof(*hdr)) {
1009		wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 EAP "
1010			   "frame (len=%lu, expected %lu or more) - dropped",
1011			   (unsigned long) parse->eap_len,
1012			   (unsigned long) sizeof(*hdr));
1013		return -1;
1014	}
1015	len = be_to_host16(hdr->length);
1016	if (len > parse->eap_len) {
1017		wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in Phase 2 "
1018			   "EAP frame (EAP hdr len=%lu, EAP data len in "
1019			   "AVP=%lu)",
1020			   (unsigned long) len,
1021			   (unsigned long) parse->eap_len);
1022		return -1;
1023	}
1024	wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d "
1025		   "identifier=%d length=%lu",
1026		   hdr->code, hdr->identifier, (unsigned long) len);
1027	switch (hdr->code) {
1028	case EAP_CODE_REQUEST:
1029		if (eap_ttls_phase2_request(sm, data, ret, hdr, resp)) {
1030			wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request "
1031				   "processing failed");
1032			return -1;
1033		}
1034		break;
1035	default:
1036		wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in "
1037			   "Phase 2 EAP header", hdr->code);
1038		return -1;
1039	}
1040
1041	return 0;
1042}
1043
1044
1045static int eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
1046					    struct eap_ttls_data *data,
1047					    struct eap_method_ret *ret,
1048					    struct ttls_parse_avp *parse)
1049{
1050#ifdef EAP_MSCHAPv2
1051	if (parse->mschapv2_error) {
1052		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received "
1053			   "MS-CHAP-Error - failed");
1054		ret->methodState = METHOD_DONE;
1055		ret->decision = DECISION_FAIL;
1056		/* Reply with empty data to ACK error */
1057		return 1;
1058	}
1059
1060	if (parse->mschapv2 == NULL) {
1061#ifdef EAP_TNC
1062		if (data->phase2_success && parse->eapdata) {
1063			/*
1064			 * Allow EAP-TNC to be started after successfully
1065			 * completed MSCHAPV2.
1066			 */
1067			return 1;
1068		}
1069#endif /* EAP_TNC */
1070		wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success AVP "
1071			   "received for Phase2 MSCHAPV2");
1072		return -1;
1073	}
1074	if (parse->mschapv2[0] != data->ident) {
1075		wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch for Phase 2 "
1076			   "MSCHAPV2 (received Ident 0x%02x, expected 0x%02x)",
1077			   parse->mschapv2[0], data->ident);
1078		return -1;
1079	}
1080	if (!data->auth_response_valid ||
1081	    mschapv2_verify_auth_response(data->auth_response,
1082					  parse->mschapv2 + 1, 42)) {
1083		wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid authenticator "
1084			   "response in Phase 2 MSCHAPV2 success request");
1085		return -1;
1086	}
1087
1088	wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 "
1089		   "authentication succeeded");
1090	ret->methodState = METHOD_DONE;
1091	ret->decision = DECISION_UNCOND_SUCC;
1092	data->phase2_success = 1;
1093
1094	/*
1095	 * Reply with empty data; authentication server will reply
1096	 * with EAP-Success after this.
1097	 */
1098	return 1;
1099#else /* EAP_MSCHAPv2 */
1100	wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
1101	return -1;
1102#endif /* EAP_MSCHAPv2 */
1103}
1104
1105
1106#ifdef EAP_TNC
1107static int eap_ttls_process_tnc_start(struct eap_sm *sm,
1108				      struct eap_ttls_data *data,
1109				      struct eap_method_ret *ret,
1110				      struct ttls_parse_avp *parse,
1111				      struct wpabuf **resp)
1112{
1113	/* TNC uses inner EAP method after non-EAP TTLS phase 2. */
1114	if (parse->eapdata == NULL) {
1115		wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received "
1116			   "unexpected tunneled data (no EAP)");
1117		return -1;
1118	}
1119
1120	if (!data->ready_for_tnc) {
1121		wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received "
1122			   "EAP after non-EAP, but not ready for TNC");
1123		return -1;
1124	}
1125
1126	wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed "
1127		   "non-EAP method");
1128	data->tnc_started = 1;
1129
1130	if (eap_ttls_process_phase2_eap(sm, data, ret, parse, resp) < 0)
1131		return -1;
1132
1133	return 0;
1134}
1135#endif /* EAP_TNC */
1136
1137
1138static int eap_ttls_process_decrypted(struct eap_sm *sm,
1139				      struct eap_ttls_data *data,
1140				      struct eap_method_ret *ret,
1141				      u8 identifier,
1142				      struct ttls_parse_avp *parse,
1143				      struct wpabuf *in_decrypted,
1144				      struct wpabuf **out_data)
1145{
1146	struct wpabuf *resp = NULL;
1147	struct eap_peer_config *config = eap_get_config(sm);
1148	int res;
1149	enum phase2_types phase2_type = data->phase2_type;
1150
1151#ifdef EAP_TNC
1152	if (data->tnc_started)
1153		phase2_type = EAP_TTLS_PHASE2_EAP;
1154#endif /* EAP_TNC */
1155
1156	switch (phase2_type) {
1157	case EAP_TTLS_PHASE2_EAP:
1158		if (eap_ttls_process_phase2_eap(sm, data, ret, parse, &resp) <
1159		    0)
1160			return -1;
1161		break;
1162	case EAP_TTLS_PHASE2_MSCHAPV2:
1163		res = eap_ttls_process_phase2_mschapv2(sm, data, ret, parse);
1164#ifdef EAP_TNC
1165		if (res == 1 && parse->eapdata && data->phase2_success) {
1166			/*
1167			 * TNC may be required as the next
1168			 * authentication method within the tunnel.
1169			 */
1170			ret->methodState = METHOD_MAY_CONT;
1171			data->ready_for_tnc = 1;
1172			if (eap_ttls_process_tnc_start(sm, data, ret, parse,
1173						       &resp) == 0)
1174				break;
1175		}
1176#endif /* EAP_TNC */
1177		return res;
1178	case EAP_TTLS_PHASE2_MSCHAP:
1179	case EAP_TTLS_PHASE2_PAP:
1180	case EAP_TTLS_PHASE2_CHAP:
1181#ifdef EAP_TNC
1182		if (eap_ttls_process_tnc_start(sm, data, ret, parse, &resp) <
1183		    0)
1184			return -1;
1185		break;
1186#else /* EAP_TNC */
1187		/* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled
1188		 * requests to the supplicant */
1189		wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected "
1190			   "tunneled data");
1191		return -1;
1192#endif /* EAP_TNC */
1193	}
1194
1195	if (resp) {
1196		if (eap_ttls_encrypt_response(sm, data, resp, identifier,
1197					      out_data) < 0)
1198			return -1;
1199	} else if (config->pending_req_identity ||
1200		   config->pending_req_password ||
1201		   config->pending_req_otp ||
1202		   config->pending_req_new_password) {
1203		wpabuf_free(data->pending_phase2_req);
1204		data->pending_phase2_req = wpabuf_dup(in_decrypted);
1205	}
1206
1207	return 0;
1208}
1209
1210
1211static int eap_ttls_implicit_identity_request(struct eap_sm *sm,
1212					      struct eap_ttls_data *data,
1213					      struct eap_method_ret *ret,
1214					      u8 identifier,
1215					      struct wpabuf **out_data)
1216{
1217	int retval = 0;
1218	struct eap_hdr *hdr;
1219	struct wpabuf *resp;
1220
1221	hdr = (struct eap_hdr *) eap_ttls_fake_identity_request();
1222	if (hdr == NULL) {
1223		ret->methodState = METHOD_DONE;
1224		ret->decision = DECISION_FAIL;
1225		return -1;
1226	}
1227
1228	resp = NULL;
1229	if (eap_ttls_phase2_request(sm, data, ret, hdr, &resp)) {
1230		wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request "
1231			   "processing failed");
1232		retval = -1;
1233	} else {
1234		struct eap_peer_config *config = eap_get_config(sm);
1235		if (resp == NULL &&
1236		    (config->pending_req_identity ||
1237		     config->pending_req_password ||
1238		     config->pending_req_otp ||
1239		     config->pending_req_new_password)) {
1240			/*
1241			 * Use empty buffer to force implicit request
1242			 * processing when EAP request is re-processed after
1243			 * user input.
1244			 */
1245			wpabuf_free(data->pending_phase2_req);
1246			data->pending_phase2_req = wpabuf_alloc(0);
1247		}
1248
1249		retval = eap_ttls_encrypt_response(sm, data, resp, identifier,
1250						   out_data);
1251	}
1252
1253	os_free(hdr);
1254
1255	if (retval < 0) {
1256		ret->methodState = METHOD_DONE;
1257		ret->decision = DECISION_FAIL;
1258	}
1259
1260	return retval;
1261}
1262
1263
1264static int eap_ttls_phase2_start(struct eap_sm *sm, struct eap_ttls_data *data,
1265				 struct eap_method_ret *ret, u8 identifier,
1266				 struct wpabuf **out_data)
1267{
1268	data->phase2_start = 0;
1269
1270	/*
1271	 * EAP-TTLS does not use Phase2 on fast re-auth; this must be done only
1272	 * if TLS part was indeed resuming a previous session. Most
1273	 * Authentication Servers terminate EAP-TTLS before reaching this
1274	 * point, but some do not. Make wpa_supplicant stop phase 2 here, if
1275	 * needed.
1276	 */
1277	if (data->reauth &&
1278	    tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
1279		wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - "
1280			   "skip phase 2");
1281		*out_data = eap_peer_tls_build_ack(identifier, EAP_TYPE_TTLS,
1282						   data->ttls_version);
1283		ret->methodState = METHOD_DONE;
1284		ret->decision = DECISION_UNCOND_SUCC;
1285		data->phase2_success = 1;
1286		return 0;
1287	}
1288
1289	return eap_ttls_implicit_identity_request(sm, data, ret, identifier,
1290						  out_data);
1291}
1292
1293
1294static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data,
1295			    struct eap_method_ret *ret, u8 identifier,
1296			    const struct wpabuf *in_data,
1297			    struct wpabuf **out_data)
1298{
1299	struct wpabuf *in_decrypted = NULL;
1300	int retval = 0;
1301	struct ttls_parse_avp parse;
1302
1303	os_memset(&parse, 0, sizeof(parse));
1304
1305	wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1306		   " Phase 2",
1307		   in_data ? (unsigned long) wpabuf_len(in_data) : 0);
1308
1309	if (data->pending_phase2_req) {
1310		wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - "
1311			   "skip decryption and use old data");
1312		/* Clear TLS reassembly state. */
1313		eap_peer_tls_reset_input(&data->ssl);
1314
1315		in_decrypted = data->pending_phase2_req;
1316		data->pending_phase2_req = NULL;
1317		if (wpabuf_len(in_decrypted) == 0) {
1318			wpabuf_free(in_decrypted);
1319			return eap_ttls_implicit_identity_request(
1320				sm, data, ret, identifier, out_data);
1321		}
1322		goto continue_req;
1323	}
1324
1325	if ((in_data == NULL || wpabuf_len(in_data) == 0) &&
1326	    data->phase2_start) {
1327		return eap_ttls_phase2_start(sm, data, ret, identifier,
1328					     out_data);
1329	}
1330
1331	if (in_data == NULL || wpabuf_len(in_data) == 0) {
1332		/* Received TLS ACK - requesting more fragments */
1333		return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS,
1334					    data->ttls_version,
1335					    identifier, NULL, out_data);
1336	}
1337
1338	retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted);
1339	if (retval)
1340		goto done;
1341
1342continue_req:
1343	data->phase2_start = 0;
1344
1345	if (eap_ttls_parse_avps(in_decrypted, &parse) < 0) {
1346		retval = -1;
1347		goto done;
1348	}
1349
1350	retval = eap_ttls_process_decrypted(sm, data, ret, identifier,
1351					    &parse, in_decrypted, out_data);
1352
1353done:
1354	wpabuf_free(in_decrypted);
1355	os_free(parse.eapdata);
1356
1357	if (retval < 0) {
1358		ret->methodState = METHOD_DONE;
1359		ret->decision = DECISION_FAIL;
1360	}
1361
1362	return retval;
1363}
1364
1365
1366static int eap_ttls_process_handshake(struct eap_sm *sm,
1367				      struct eap_ttls_data *data,
1368				      struct eap_method_ret *ret,
1369				      u8 identifier,
1370				      const u8 *in_data, size_t in_len,
1371				      struct wpabuf **out_data)
1372{
1373	int res;
1374
1375	res = eap_peer_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS,
1376					  data->ttls_version, identifier,
1377					  in_data, in_len, out_data);
1378
1379	if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
1380		wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS done, proceed to "
1381			   "Phase 2");
1382		if (data->resuming) {
1383			wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth - may "
1384				   "skip Phase 2");
1385			ret->decision = DECISION_COND_SUCC;
1386			ret->methodState = METHOD_MAY_CONT;
1387		}
1388		data->phase2_start = 1;
1389		eap_ttls_v0_derive_key(sm, data);
1390
1391		if (*out_data == NULL || wpabuf_len(*out_data) == 0) {
1392			if (eap_ttls_decrypt(sm, data, ret, identifier,
1393					     NULL, out_data)) {
1394				wpa_printf(MSG_WARNING, "EAP-TTLS: "
1395					   "failed to process early "
1396					   "start for Phase 2");
1397			}
1398			res = 0;
1399		}
1400		data->resuming = 0;
1401	}
1402
1403	if (res == 2) {
1404		struct wpabuf msg;
1405		/*
1406		 * Application data included in the handshake message.
1407		 */
1408		wpabuf_free(data->pending_phase2_req);
1409		data->pending_phase2_req = *out_data;
1410		*out_data = NULL;
1411		wpabuf_set(&msg, in_data, in_len);
1412		res = eap_ttls_decrypt(sm, data, ret, identifier, &msg,
1413				       out_data);
1414	}
1415
1416	return res;
1417}
1418
1419
1420static void eap_ttls_check_auth_status(struct eap_sm *sm,
1421				       struct eap_ttls_data *data,
1422				       struct eap_method_ret *ret)
1423{
1424	if (ret->methodState == METHOD_DONE) {
1425		ret->allowNotifications = FALSE;
1426		if (ret->decision == DECISION_UNCOND_SUCC ||
1427		    ret->decision == DECISION_COND_SUCC) {
1428			wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1429				   "completed successfully");
1430			data->phase2_success = 1;
1431#ifdef EAP_TNC
1432			if (!data->ready_for_tnc && !data->tnc_started) {
1433				/*
1434				 * TNC may be required as the next
1435				 * authentication method within the tunnel.
1436				 */
1437				ret->methodState = METHOD_MAY_CONT;
1438				data->ready_for_tnc = 1;
1439			}
1440#endif /* EAP_TNC */
1441		}
1442	} else if (ret->methodState == METHOD_MAY_CONT &&
1443		   (ret->decision == DECISION_UNCOND_SUCC ||
1444		    ret->decision == DECISION_COND_SUCC)) {
1445			wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1446				   "completed successfully (MAY_CONT)");
1447			data->phase2_success = 1;
1448	}
1449}
1450
1451
1452static struct wpabuf * eap_ttls_process(struct eap_sm *sm, void *priv,
1453					struct eap_method_ret *ret,
1454					const struct wpabuf *reqData)
1455{
1456	size_t left;
1457	int res;
1458	u8 flags, id;
1459	struct wpabuf *resp;
1460	const u8 *pos;
1461	struct eap_ttls_data *data = priv;
1462
1463	pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret,
1464					reqData, &left, &flags);
1465	if (pos == NULL)
1466		return NULL;
1467	id = eap_get_id(reqData);
1468
1469	if (flags & EAP_TLS_FLAGS_START) {
1470		wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own "
1471			   "ver=%d)", flags & EAP_TLS_VERSION_MASK,
1472			   data->ttls_version);
1473
1474		/* RFC 5281, Ch. 9.2:
1475		 * "This packet MAY contain additional information in the form
1476		 * of AVPs, which may provide useful hints to the client"
1477		 * For now, ignore any potential extra data.
1478		 */
1479		left = 0;
1480	}
1481
1482	resp = NULL;
1483	if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1484	    !data->resuming) {
1485		struct wpabuf msg;
1486		wpabuf_set(&msg, pos, left);
1487		res = eap_ttls_decrypt(sm, data, ret, id, &msg, &resp);
1488	} else {
1489		res = eap_ttls_process_handshake(sm, data, ret, id,
1490						 pos, left, &resp);
1491	}
1492
1493	eap_ttls_check_auth_status(sm, data, ret);
1494
1495	/* FIX: what about res == -1? Could just move all error processing into
1496	 * the other functions and get rid of this res==1 case here. */
1497	if (res == 1) {
1498		wpabuf_free(resp);
1499		return eap_peer_tls_build_ack(id, EAP_TYPE_TTLS,
1500					      data->ttls_version);
1501	}
1502	return resp;
1503}
1504
1505
1506static Boolean eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv)
1507{
1508	struct eap_ttls_data *data = priv;
1509	return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1510		data->phase2_success;
1511}
1512
1513
1514static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv)
1515{
1516	struct eap_ttls_data *data = priv;
1517	wpabuf_free(data->pending_phase2_req);
1518	data->pending_phase2_req = NULL;
1519#ifdef EAP_TNC
1520	data->ready_for_tnc = 0;
1521	data->tnc_started = 0;
1522#endif /* EAP_TNC */
1523}
1524
1525
1526static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv)
1527{
1528	struct eap_ttls_data *data = priv;
1529	os_free(data->key_data);
1530	data->key_data = NULL;
1531	if (eap_peer_tls_reauth_init(sm, &data->ssl)) {
1532		os_free(data);
1533		return NULL;
1534	}
1535	if (data->phase2_priv && data->phase2_method &&
1536	    data->phase2_method->init_for_reauth)
1537		data->phase2_method->init_for_reauth(sm, data->phase2_priv);
1538	data->phase2_start = 0;
1539	data->phase2_success = 0;
1540	data->resuming = 1;
1541	data->reauth = 1;
1542	return priv;
1543}
1544
1545
1546static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf,
1547			       size_t buflen, int verbose)
1548{
1549	struct eap_ttls_data *data = priv;
1550	int len, ret;
1551
1552	len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose);
1553	ret = os_snprintf(buf + len, buflen - len,
1554			  "EAP-TTLSv%d Phase2 method=",
1555			  data->ttls_version);
1556	if (ret < 0 || (size_t) ret >= buflen - len)
1557		return len;
1558	len += ret;
1559	switch (data->phase2_type) {
1560	case EAP_TTLS_PHASE2_EAP:
1561		ret = os_snprintf(buf + len, buflen - len, "EAP-%s\n",
1562				  data->phase2_method ?
1563				  data->phase2_method->name : "?");
1564		break;
1565	case EAP_TTLS_PHASE2_MSCHAPV2:
1566		ret = os_snprintf(buf + len, buflen - len, "MSCHAPV2\n");
1567		break;
1568	case EAP_TTLS_PHASE2_MSCHAP:
1569		ret = os_snprintf(buf + len, buflen - len, "MSCHAP\n");
1570		break;
1571	case EAP_TTLS_PHASE2_PAP:
1572		ret = os_snprintf(buf + len, buflen - len, "PAP\n");
1573		break;
1574	case EAP_TTLS_PHASE2_CHAP:
1575		ret = os_snprintf(buf + len, buflen - len, "CHAP\n");
1576		break;
1577	default:
1578		ret = 0;
1579		break;
1580	}
1581	if (ret < 0 || (size_t) ret >= buflen - len)
1582		return len;
1583	len += ret;
1584
1585	return len;
1586}
1587
1588
1589static Boolean eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv)
1590{
1591	struct eap_ttls_data *data = priv;
1592	return data->key_data != NULL && data->phase2_success;
1593}
1594
1595
1596static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1597{
1598	struct eap_ttls_data *data = priv;
1599	u8 *key;
1600
1601	if (data->key_data == NULL || !data->phase2_success)
1602		return NULL;
1603
1604	key = os_malloc(EAP_TLS_KEY_LEN);
1605	if (key == NULL)
1606		return NULL;
1607
1608	*len = EAP_TLS_KEY_LEN;
1609	os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN);
1610
1611	return key;
1612}
1613
1614
1615int eap_peer_ttls_register(void)
1616{
1617	struct eap_method *eap;
1618	int ret;
1619
1620	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
1621				    EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1622	if (eap == NULL)
1623		return -1;
1624
1625	eap->init = eap_ttls_init;
1626	eap->deinit = eap_ttls_deinit;
1627	eap->process = eap_ttls_process;
1628	eap->isKeyAvailable = eap_ttls_isKeyAvailable;
1629	eap->getKey = eap_ttls_getKey;
1630	eap->get_status = eap_ttls_get_status;
1631	eap->has_reauth_data = eap_ttls_has_reauth_data;
1632	eap->deinit_for_reauth = eap_ttls_deinit_for_reauth;
1633	eap->init_for_reauth = eap_ttls_init_for_reauth;
1634
1635	ret = eap_peer_method_register(eap);
1636	if (ret)
1637		eap_peer_method_free(eap);
1638	return ret;
1639}
1640