1/*
2 * hostapd / EAP-TTLS (RFC 5281)
3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10
11#include "common.h"
12#include "crypto/ms_funcs.h"
13#include "crypto/sha1.h"
14#include "crypto/tls.h"
15#include "eap_server/eap_i.h"
16#include "eap_server/eap_tls_common.h"
17#include "eap_common/chap.h"
18#include "eap_common/eap_ttls.h"
19
20
21#define EAP_TTLS_VERSION 0
22
23
24static void eap_ttls_reset(struct eap_sm *sm, void *priv);
25
26
27struct eap_ttls_data {
28	struct eap_ssl_data ssl;
29	enum {
30		START, PHASE1, PHASE2_START, PHASE2_METHOD,
31		PHASE2_MSCHAPV2_RESP, SUCCESS, FAILURE
32	} state;
33
34	int ttls_version;
35	const struct eap_method *phase2_method;
36	void *phase2_priv;
37	int mschapv2_resp_ok;
38	u8 mschapv2_auth_response[20];
39	u8 mschapv2_ident;
40	struct wpabuf *pending_phase2_eap_resp;
41	int tnc_started;
42};
43
44
45static const char * eap_ttls_state_txt(int state)
46{
47	switch (state) {
48	case START:
49		return "START";
50	case PHASE1:
51		return "PHASE1";
52	case PHASE2_START:
53		return "PHASE2_START";
54	case PHASE2_METHOD:
55		return "PHASE2_METHOD";
56	case PHASE2_MSCHAPV2_RESP:
57		return "PHASE2_MSCHAPV2_RESP";
58	case SUCCESS:
59		return "SUCCESS";
60	case FAILURE:
61		return "FAILURE";
62	default:
63		return "Unknown?!";
64	}
65}
66
67
68static void eap_ttls_state(struct eap_ttls_data *data, int state)
69{
70	wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s",
71		   eap_ttls_state_txt(data->state),
72		   eap_ttls_state_txt(state));
73	data->state = state;
74}
75
76
77static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
78			     int mandatory, size_t len)
79{
80	struct ttls_avp_vendor *avp;
81	u8 flags;
82	size_t hdrlen;
83
84	avp = (struct ttls_avp_vendor *) avphdr;
85	flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
86	if (vendor_id) {
87		flags |= AVP_FLAGS_VENDOR;
88		hdrlen = sizeof(*avp);
89		avp->vendor_id = host_to_be32(vendor_id);
90	} else {
91		hdrlen = sizeof(struct ttls_avp);
92	}
93
94	avp->avp_code = host_to_be32(avp_code);
95	avp->avp_length = host_to_be32(((u32) flags << 24) |
96				       ((u32) (hdrlen + len)));
97
98	return avphdr + hdrlen;
99}
100
101
102static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp,
103						u32 avp_code, int mandatory)
104{
105	struct wpabuf *avp;
106	u8 *pos;
107
108	avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4);
109	if (avp == NULL) {
110		wpabuf_free(resp);
111		return NULL;
112	}
113
114	pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory,
115			       wpabuf_len(resp));
116	os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp));
117	pos += wpabuf_len(resp);
118	AVP_PAD((const u8 *) wpabuf_head(avp), pos);
119	wpabuf_free(resp);
120	wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp));
121	return avp;
122}
123
124
125struct eap_ttls_avp {
126	 /* Note: eap is allocated memory; caller is responsible for freeing
127	  * it. All the other pointers are pointing to the packet data, i.e.,
128	  * they must not be freed separately. */
129	u8 *eap;
130	size_t eap_len;
131	u8 *user_name;
132	size_t user_name_len;
133	u8 *user_password;
134	size_t user_password_len;
135	u8 *chap_challenge;
136	size_t chap_challenge_len;
137	u8 *chap_password;
138	size_t chap_password_len;
139	u8 *mschap_challenge;
140	size_t mschap_challenge_len;
141	u8 *mschap_response;
142	size_t mschap_response_len;
143	u8 *mschap2_response;
144	size_t mschap2_response_len;
145};
146
147
148static int eap_ttls_avp_parse(struct wpabuf *buf, struct eap_ttls_avp *parse)
149{
150	struct ttls_avp *avp;
151	u8 *pos;
152	int left;
153
154	pos = wpabuf_mhead(buf);
155	left = wpabuf_len(buf);
156	os_memset(parse, 0, sizeof(*parse));
157
158	while (left > 0) {
159		u32 avp_code, avp_length, vendor_id = 0;
160		u8 avp_flags, *dpos;
161		size_t pad, dlen;
162		avp = (struct ttls_avp *) pos;
163		avp_code = be_to_host32(avp->avp_code);
164		avp_length = be_to_host32(avp->avp_length);
165		avp_flags = (avp_length >> 24) & 0xff;
166		avp_length &= 0xffffff;
167		wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
168			   "length=%d", (int) avp_code, avp_flags,
169			   (int) avp_length);
170		if ((int) avp_length > left) {
171			wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
172				   "(len=%d, left=%d) - dropped",
173				   (int) avp_length, left);
174			goto fail;
175		}
176		if (avp_length < sizeof(*avp)) {
177			wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length "
178				   "%d", avp_length);
179			goto fail;
180		}
181		dpos = (u8 *) (avp + 1);
182		dlen = avp_length - sizeof(*avp);
183		if (avp_flags & AVP_FLAGS_VENDOR) {
184			if (dlen < 4) {
185				wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP "
186					   "underflow");
187				goto fail;
188			}
189			vendor_id = be_to_host32(* (be32 *) dpos);
190			wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
191				   (int) vendor_id);
192			dpos += 4;
193			dlen -= 4;
194		}
195
196		wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
197
198		if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
199			wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
200			if (parse->eap == NULL) {
201				parse->eap = os_malloc(dlen);
202				if (parse->eap == NULL) {
203					wpa_printf(MSG_WARNING, "EAP-TTLS: "
204						   "failed to allocate memory "
205						   "for Phase 2 EAP data");
206					goto fail;
207				}
208				os_memcpy(parse->eap, dpos, dlen);
209				parse->eap_len = dlen;
210			} else {
211				u8 *neweap = os_realloc(parse->eap,
212							parse->eap_len + dlen);
213				if (neweap == NULL) {
214					wpa_printf(MSG_WARNING, "EAP-TTLS: "
215						   "failed to allocate memory "
216						   "for Phase 2 EAP data");
217					goto fail;
218				}
219				os_memcpy(neweap + parse->eap_len, dpos, dlen);
220				parse->eap = neweap;
221				parse->eap_len += dlen;
222			}
223		} else if (vendor_id == 0 &&
224			   avp_code == RADIUS_ATTR_USER_NAME) {
225			wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name",
226					  dpos, dlen);
227			parse->user_name = dpos;
228			parse->user_name_len = dlen;
229		} else if (vendor_id == 0 &&
230			   avp_code == RADIUS_ATTR_USER_PASSWORD) {
231			u8 *password = dpos;
232			size_t password_len = dlen;
233			while (password_len > 0 &&
234			       password[password_len - 1] == '\0') {
235				password_len--;
236			}
237			wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: "
238					      "User-Password (PAP)",
239					      password, password_len);
240			parse->user_password = password;
241			parse->user_password_len = password_len;
242		} else if (vendor_id == 0 &&
243			   avp_code == RADIUS_ATTR_CHAP_CHALLENGE) {
244			wpa_hexdump(MSG_DEBUG,
245				    "EAP-TTLS: CHAP-Challenge (CHAP)",
246				    dpos, dlen);
247			parse->chap_challenge = dpos;
248			parse->chap_challenge_len = dlen;
249		} else if (vendor_id == 0 &&
250			   avp_code == RADIUS_ATTR_CHAP_PASSWORD) {
251			wpa_hexdump(MSG_DEBUG,
252				    "EAP-TTLS: CHAP-Password (CHAP)",
253				    dpos, dlen);
254			parse->chap_password = dpos;
255			parse->chap_password_len = dlen;
256		} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
257			   avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) {
258			wpa_hexdump(MSG_DEBUG,
259				    "EAP-TTLS: MS-CHAP-Challenge",
260				    dpos, dlen);
261			parse->mschap_challenge = dpos;
262			parse->mschap_challenge_len = dlen;
263		} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
264			   avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) {
265			wpa_hexdump(MSG_DEBUG,
266				    "EAP-TTLS: MS-CHAP-Response (MSCHAP)",
267				    dpos, dlen);
268			parse->mschap_response = dpos;
269			parse->mschap_response_len = dlen;
270		} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
271			   avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) {
272			wpa_hexdump(MSG_DEBUG,
273				    "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)",
274				    dpos, dlen);
275			parse->mschap2_response = dpos;
276			parse->mschap2_response_len = dlen;
277		} else if (avp_flags & AVP_FLAGS_MANDATORY) {
278			wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported "
279				   "mandatory AVP code %d vendor_id %d - "
280				   "dropped", (int) avp_code, (int) vendor_id);
281			goto fail;
282		} else {
283			wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported "
284				   "AVP code %d vendor_id %d",
285				   (int) avp_code, (int) vendor_id);
286		}
287
288		pad = (4 - (avp_length & 3)) & 3;
289		pos += avp_length + pad;
290		left -= avp_length + pad;
291	}
292
293	return 0;
294
295fail:
296	os_free(parse->eap);
297	parse->eap = NULL;
298	return -1;
299}
300
301
302static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
303					struct eap_ttls_data *data, size_t len)
304{
305	return eap_server_tls_derive_key(sm, &data->ssl, "ttls challenge",
306					 len);
307}
308
309
310static void * eap_ttls_init(struct eap_sm *sm)
311{
312	struct eap_ttls_data *data;
313
314	data = os_zalloc(sizeof(*data));
315	if (data == NULL)
316		return NULL;
317	data->ttls_version = EAP_TTLS_VERSION;
318	data->state = START;
319
320	if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
321		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
322		eap_ttls_reset(sm, data);
323		return NULL;
324	}
325
326	return data;
327}
328
329
330static void eap_ttls_reset(struct eap_sm *sm, void *priv)
331{
332	struct eap_ttls_data *data = priv;
333	if (data == NULL)
334		return;
335	if (data->phase2_priv && data->phase2_method)
336		data->phase2_method->reset(sm, data->phase2_priv);
337	eap_server_tls_ssl_deinit(sm, &data->ssl);
338	wpabuf_free(data->pending_phase2_eap_resp);
339	os_free(data);
340}
341
342
343static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm,
344					    struct eap_ttls_data *data, u8 id)
345{
346	struct wpabuf *req;
347
348	req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1,
349			    EAP_CODE_REQUEST, id);
350	if (req == NULL) {
351		wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for"
352			   " request");
353		eap_ttls_state(data, FAILURE);
354		return NULL;
355	}
356
357	wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version);
358
359	eap_ttls_state(data, PHASE1);
360
361	return req;
362}
363
364
365static struct wpabuf * eap_ttls_build_phase2_eap_req(
366	struct eap_sm *sm, struct eap_ttls_data *data, u8 id)
367{
368	struct wpabuf *buf, *encr_req;
369
370
371	buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
372	if (buf == NULL)
373		return NULL;
374
375	wpa_hexdump_buf_key(MSG_DEBUG,
376			    "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf);
377
378	buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1);
379	if (buf == NULL) {
380		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate "
381			   "packet");
382		return NULL;
383	}
384
385	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated "
386			    "Phase 2 data", buf);
387
388	encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf);
389	wpabuf_free(buf);
390
391	return encr_req;
392}
393
394
395static struct wpabuf * eap_ttls_build_phase2_mschapv2(
396	struct eap_sm *sm, struct eap_ttls_data *data)
397{
398	struct wpabuf *encr_req, msgbuf;
399	u8 *req, *pos, *end;
400	int ret;
401
402	pos = req = os_malloc(100);
403	if (req == NULL)
404		return NULL;
405	end = req + 100;
406
407	if (data->mschapv2_resp_ok) {
408		pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS,
409				       RADIUS_VENDOR_ID_MICROSOFT, 1, 43);
410		*pos++ = data->mschapv2_ident;
411		ret = os_snprintf((char *) pos, end - pos, "S=");
412		if (ret >= 0 && ret < end - pos)
413			pos += ret;
414		pos += wpa_snprintf_hex_uppercase(
415			(char *) pos, end - pos, data->mschapv2_auth_response,
416			sizeof(data->mschapv2_auth_response));
417	} else {
418		pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR,
419				       RADIUS_VENDOR_ID_MICROSOFT, 1, 6);
420		os_memcpy(pos, "Failed", 6);
421		pos += 6;
422		AVP_PAD(req, pos);
423	}
424
425	wpabuf_set(&msgbuf, req, pos - req);
426	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 "
427			    "data", &msgbuf);
428
429	encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
430	os_free(req);
431
432	return encr_req;
433}
434
435
436static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
437{
438	struct eap_ttls_data *data = priv;
439
440	if (data->ssl.state == FRAG_ACK) {
441		return eap_server_tls_build_ack(id, EAP_TYPE_TTLS,
442						data->ttls_version);
443	}
444
445	if (data->ssl.state == WAIT_FRAG_ACK) {
446		return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
447						data->ttls_version, id);
448	}
449
450	switch (data->state) {
451	case START:
452		return eap_ttls_build_start(sm, data, id);
453	case PHASE1:
454		if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
455			wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, "
456				   "starting Phase2");
457			eap_ttls_state(data, PHASE2_START);
458		}
459		break;
460	case PHASE2_METHOD:
461		wpabuf_free(data->ssl.tls_out);
462		data->ssl.tls_out_pos = 0;
463		data->ssl.tls_out = eap_ttls_build_phase2_eap_req(sm, data,
464								  id);
465		break;
466	case PHASE2_MSCHAPV2_RESP:
467		wpabuf_free(data->ssl.tls_out);
468		data->ssl.tls_out_pos = 0;
469		data->ssl.tls_out = eap_ttls_build_phase2_mschapv2(sm, data);
470		break;
471	default:
472		wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
473			   __func__, data->state);
474		return NULL;
475	}
476
477	return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
478					data->ttls_version, id);
479}
480
481
482static Boolean eap_ttls_check(struct eap_sm *sm, void *priv,
483			      struct wpabuf *respData)
484{
485	const u8 *pos;
486	size_t len;
487
488	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len);
489	if (pos == NULL || len < 1) {
490		wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame");
491		return TRUE;
492	}
493
494	return FALSE;
495}
496
497
498static void eap_ttls_process_phase2_pap(struct eap_sm *sm,
499					struct eap_ttls_data *data,
500					const u8 *user_password,
501					size_t user_password_len)
502{
503	if (!sm->user || !sm->user->password || sm->user->password_hash ||
504	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) {
505		wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user "
506			   "password configured");
507		eap_ttls_state(data, FAILURE);
508		return;
509	}
510
511	if (sm->user->password_len != user_password_len ||
512	    os_memcmp(sm->user->password, user_password, user_password_len) !=
513	    0) {
514		wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password");
515		eap_ttls_state(data, FAILURE);
516		return;
517	}
518
519	wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password");
520	eap_ttls_state(data, SUCCESS);
521}
522
523
524static void eap_ttls_process_phase2_chap(struct eap_sm *sm,
525					 struct eap_ttls_data *data,
526					 const u8 *challenge,
527					 size_t challenge_len,
528					 const u8 *password,
529					 size_t password_len)
530{
531	u8 *chal, hash[CHAP_MD5_LEN];
532
533	if (challenge == NULL || password == NULL ||
534	    challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN ||
535	    password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) {
536		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes "
537			   "(challenge len %lu password len %lu)",
538			   (unsigned long) challenge_len,
539			   (unsigned long) password_len);
540		eap_ttls_state(data, FAILURE);
541		return;
542	}
543
544	if (!sm->user || !sm->user->password || sm->user->password_hash ||
545	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) {
546		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user "
547			   "password configured");
548		eap_ttls_state(data, FAILURE);
549		return;
550	}
551
552	chal = eap_ttls_implicit_challenge(sm, data,
553					   EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
554	if (chal == NULL) {
555		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate "
556			   "challenge from TLS data");
557		eap_ttls_state(data, FAILURE);
558		return;
559	}
560
561	if (os_memcmp(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN) != 0 ||
562	    password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) {
563		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch");
564		os_free(chal);
565		eap_ttls_state(data, FAILURE);
566		return;
567	}
568	os_free(chal);
569
570	/* MD5(Ident + Password + Challenge) */
571	chap_md5(password[0], sm->user->password, sm->user->password_len,
572		 challenge, challenge_len, hash);
573
574	if (os_memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0) {
575		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password");
576		eap_ttls_state(data, SUCCESS);
577	} else {
578		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password");
579		eap_ttls_state(data, FAILURE);
580	}
581}
582
583
584static void eap_ttls_process_phase2_mschap(struct eap_sm *sm,
585					   struct eap_ttls_data *data,
586					   u8 *challenge, size_t challenge_len,
587					   u8 *response, size_t response_len)
588{
589	u8 *chal, nt_response[24];
590
591	if (challenge == NULL || response == NULL ||
592	    challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN ||
593	    response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) {
594		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP "
595			   "attributes (challenge len %lu response len %lu)",
596			   (unsigned long) challenge_len,
597			   (unsigned long) response_len);
598		eap_ttls_state(data, FAILURE);
599		return;
600	}
601
602	if (!sm->user || !sm->user->password ||
603	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) {
604		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password "
605			   "configured");
606		eap_ttls_state(data, FAILURE);
607		return;
608	}
609
610	chal = eap_ttls_implicit_challenge(sm, data,
611					   EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
612	if (chal == NULL) {
613		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate "
614			   "challenge from TLS data");
615		eap_ttls_state(data, FAILURE);
616		return;
617	}
618
619	if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN) != 0 ||
620	    response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) {
621		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch");
622		os_free(chal);
623		eap_ttls_state(data, FAILURE);
624		return;
625	}
626	os_free(chal);
627
628	if (sm->user->password_hash)
629		challenge_response(challenge, sm->user->password, nt_response);
630	else
631		nt_challenge_response(challenge, sm->user->password,
632				      sm->user->password_len, nt_response);
633
634	if (os_memcmp(nt_response, response + 2 + 24, 24) == 0) {
635		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response");
636		eap_ttls_state(data, SUCCESS);
637	} else {
638		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response");
639		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received",
640			    response + 2 + 24, 24);
641		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected",
642			    nt_response, 24);
643		eap_ttls_state(data, FAILURE);
644	}
645}
646
647
648static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
649					     struct eap_ttls_data *data,
650					     u8 *challenge,
651					     size_t challenge_len,
652					     u8 *response, size_t response_len)
653{
654	u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge,
655		*auth_challenge;
656	size_t username_len, i;
657
658	if (challenge == NULL || response == NULL ||
659	    challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN ||
660	    response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) {
661		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 "
662			   "attributes (challenge len %lu response len %lu)",
663			   (unsigned long) challenge_len,
664			   (unsigned long) response_len);
665		eap_ttls_state(data, FAILURE);
666		return;
667	}
668
669	if (!sm->user || !sm->user->password ||
670	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) {
671		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password "
672			   "configured");
673		eap_ttls_state(data, FAILURE);
674		return;
675	}
676
677	if (sm->identity == NULL) {
678		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user identity "
679			   "known");
680		eap_ttls_state(data, FAILURE);
681		return;
682	}
683
684	/* MSCHAPv2 does not include optional domain name in the
685	 * challenge-response calculation, so remove domain prefix
686	 * (if present). */
687	username = sm->identity;
688	username_len = sm->identity_len;
689	for (i = 0; i < username_len; i++) {
690		if (username[i] == '\\') {
691			username_len -= i + 1;
692			username += i + 1;
693			break;
694		}
695	}
696
697	chal = eap_ttls_implicit_challenge(
698		sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
699	if (chal == NULL) {
700		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate "
701			   "challenge from TLS data");
702		eap_ttls_state(data, FAILURE);
703		return;
704	}
705
706	if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) != 0 ||
707	    response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) {
708		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch");
709		os_free(chal);
710		eap_ttls_state(data, FAILURE);
711		return;
712	}
713	os_free(chal);
714
715	auth_challenge = challenge;
716	peer_challenge = response + 2;
717
718	wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User",
719			  username, username_len);
720	wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge",
721		    auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
722	wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge",
723		    peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
724
725	if (sm->user->password_hash) {
726		generate_nt_response_pwhash(auth_challenge, peer_challenge,
727					    username, username_len,
728					    sm->user->password,
729					    nt_response);
730	} else {
731		generate_nt_response(auth_challenge, peer_challenge,
732				     username, username_len,
733				     sm->user->password,
734				     sm->user->password_len,
735				     nt_response);
736	}
737
738	rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8;
739	if (os_memcmp(nt_response, rx_resp, 24) == 0) {
740		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct "
741			   "NT-Response");
742		data->mschapv2_resp_ok = 1;
743
744		if (sm->user->password_hash) {
745			generate_authenticator_response_pwhash(
746				sm->user->password,
747				peer_challenge, auth_challenge,
748				username, username_len, nt_response,
749				data->mschapv2_auth_response);
750		} else {
751			generate_authenticator_response(
752				sm->user->password, sm->user->password_len,
753				peer_challenge, auth_challenge,
754				username, username_len, nt_response,
755				data->mschapv2_auth_response);
756		}
757	} else {
758		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid "
759			   "NT-Response");
760		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received",
761			    rx_resp, 24);
762		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected",
763			    nt_response, 24);
764		data->mschapv2_resp_ok = 0;
765	}
766	eap_ttls_state(data, PHASE2_MSCHAPV2_RESP);
767	data->mschapv2_ident = response[0];
768}
769
770
771static int eap_ttls_phase2_eap_init(struct eap_sm *sm,
772				    struct eap_ttls_data *data,
773				    EapType eap_type)
774{
775	if (data->phase2_priv && data->phase2_method) {
776		data->phase2_method->reset(sm, data->phase2_priv);
777		data->phase2_method = NULL;
778		data->phase2_priv = NULL;
779	}
780	data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
781							eap_type);
782	if (!data->phase2_method)
783		return -1;
784
785	sm->init_phase2 = 1;
786	data->phase2_priv = data->phase2_method->init(sm);
787	sm->init_phase2 = 0;
788	return data->phase2_priv == NULL ? -1 : 0;
789}
790
791
792static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
793						 struct eap_ttls_data *data,
794						 u8 *in_data, size_t in_len)
795{
796	u8 next_type = EAP_TYPE_NONE;
797	struct eap_hdr *hdr;
798	u8 *pos;
799	size_t left;
800	struct wpabuf buf;
801	const struct eap_method *m = data->phase2_method;
802	void *priv = data->phase2_priv;
803
804	if (priv == NULL) {
805		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not "
806			   "initialized?!", __func__);
807		return;
808	}
809
810	hdr = (struct eap_hdr *) in_data;
811	pos = (u8 *) (hdr + 1);
812
813	if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
814		left = in_len - sizeof(*hdr);
815		wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; "
816			    "allowed types", pos + 1, left - 1);
817		eap_sm_process_nak(sm, pos + 1, left - 1);
818		if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
819		    sm->user->methods[sm->user_eap_method_index].method !=
820		    EAP_TYPE_NONE) {
821			next_type = sm->user->methods[
822				sm->user_eap_method_index++].method;
823			wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d",
824				   next_type);
825			if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
826				wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to "
827					   "initialize EAP type %d",
828					   next_type);
829				eap_ttls_state(data, FAILURE);
830				return;
831			}
832		} else {
833			eap_ttls_state(data, FAILURE);
834		}
835		return;
836	}
837
838	wpabuf_set(&buf, in_data, in_len);
839
840	if (m->check(sm, priv, &buf)) {
841		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to "
842			   "ignore the packet");
843		return;
844	}
845
846	m->process(sm, priv, &buf);
847
848	if (sm->method_pending == METHOD_PENDING_WAIT) {
849		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in "
850			   "pending wait state - save decrypted response");
851		wpabuf_free(data->pending_phase2_eap_resp);
852		data->pending_phase2_eap_resp = wpabuf_dup(&buf);
853	}
854
855	if (!m->isDone(sm, priv))
856		return;
857
858	if (!m->isSuccess(sm, priv)) {
859		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed");
860		eap_ttls_state(data, FAILURE);
861		return;
862	}
863
864	switch (data->state) {
865	case PHASE2_START:
866		if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
867			wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 "
868					  "Identity not found in the user "
869					  "database",
870					  sm->identity, sm->identity_len);
871			eap_ttls_state(data, FAILURE);
872			break;
873		}
874
875		eap_ttls_state(data, PHASE2_METHOD);
876		next_type = sm->user->methods[0].method;
877		sm->user_eap_method_index = 1;
878		wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type);
879		if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
880			wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize "
881				   "EAP type %d", next_type);
882			eap_ttls_state(data, FAILURE);
883		}
884		break;
885	case PHASE2_METHOD:
886		eap_ttls_state(data, SUCCESS);
887		break;
888	case FAILURE:
889		break;
890	default:
891		wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
892			   __func__, data->state);
893		break;
894	}
895}
896
897
898static void eap_ttls_process_phase2_eap(struct eap_sm *sm,
899					struct eap_ttls_data *data,
900					const u8 *eap, size_t eap_len)
901{
902	struct eap_hdr *hdr;
903	size_t len;
904
905	if (data->state == PHASE2_START) {
906		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2");
907		if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0)
908		{
909			wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to "
910				   "initialize EAP-Identity");
911			return;
912		}
913	}
914
915	if (eap_len < sizeof(*hdr)) {
916		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP "
917			   "packet (len=%lu)", (unsigned long) eap_len);
918		return;
919	}
920
921	hdr = (struct eap_hdr *) eap;
922	len = be_to_host16(hdr->length);
923	wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d "
924		   "identifier=%d length=%lu", hdr->code, hdr->identifier,
925		   (unsigned long) len);
926	if (len > eap_len) {
927		wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2"
928			   " EAP frame (hdr len=%lu, data len in AVP=%lu)",
929			   (unsigned long) len, (unsigned long) eap_len);
930		return;
931	}
932
933	switch (hdr->code) {
934	case EAP_CODE_RESPONSE:
935		eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr,
936						     len);
937		break;
938	default:
939		wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in "
940			   "Phase 2 EAP header", hdr->code);
941		break;
942	}
943}
944
945
946static void eap_ttls_process_phase2(struct eap_sm *sm,
947				    struct eap_ttls_data *data,
948				    struct wpabuf *in_buf)
949{
950	struct wpabuf *in_decrypted;
951	struct eap_ttls_avp parse;
952
953	wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
954		   " Phase 2", (unsigned long) wpabuf_len(in_buf));
955
956	if (data->pending_phase2_eap_resp) {
957		wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response "
958			   "- skip decryption and use old data");
959		eap_ttls_process_phase2_eap(
960			sm, data, wpabuf_head(data->pending_phase2_eap_resp),
961			wpabuf_len(data->pending_phase2_eap_resp));
962		wpabuf_free(data->pending_phase2_eap_resp);
963		data->pending_phase2_eap_resp = NULL;
964		return;
965	}
966
967	in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
968					      in_buf);
969	if (in_decrypted == NULL) {
970		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
971			   "data");
972		eap_ttls_state(data, FAILURE);
973		return;
974	}
975
976	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP",
977			    in_decrypted);
978
979	if (eap_ttls_avp_parse(in_decrypted, &parse) < 0) {
980		wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs");
981		wpabuf_free(in_decrypted);
982		eap_ttls_state(data, FAILURE);
983		return;
984	}
985
986	if (parse.user_name) {
987		os_free(sm->identity);
988		sm->identity = os_malloc(parse.user_name_len);
989		if (sm->identity == NULL) {
990			eap_ttls_state(data, FAILURE);
991			goto done;
992		}
993		os_memcpy(sm->identity, parse.user_name, parse.user_name_len);
994		sm->identity_len = parse.user_name_len;
995		if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
996		    != 0) {
997			wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "
998				   "found in the user database");
999			eap_ttls_state(data, FAILURE);
1000			goto done;
1001		}
1002	}
1003
1004#ifdef EAP_SERVER_TNC
1005	if (data->tnc_started && parse.eap == NULL) {
1006		wpa_printf(MSG_DEBUG, "EAP-TTLS: TNC started but no EAP "
1007			   "response from peer");
1008		eap_ttls_state(data, FAILURE);
1009		goto done;
1010	}
1011#endif /* EAP_SERVER_TNC */
1012
1013	if (parse.eap) {
1014		eap_ttls_process_phase2_eap(sm, data, parse.eap,
1015					    parse.eap_len);
1016	} else if (parse.user_password) {
1017		eap_ttls_process_phase2_pap(sm, data, parse.user_password,
1018					    parse.user_password_len);
1019	} else if (parse.chap_password) {
1020		eap_ttls_process_phase2_chap(sm, data,
1021					     parse.chap_challenge,
1022					     parse.chap_challenge_len,
1023					     parse.chap_password,
1024					     parse.chap_password_len);
1025	} else if (parse.mschap_response) {
1026		eap_ttls_process_phase2_mschap(sm, data,
1027					       parse.mschap_challenge,
1028					       parse.mschap_challenge_len,
1029					       parse.mschap_response,
1030					       parse.mschap_response_len);
1031	} else if (parse.mschap2_response) {
1032		eap_ttls_process_phase2_mschapv2(sm, data,
1033						 parse.mschap_challenge,
1034						 parse.mschap_challenge_len,
1035						 parse.mschap2_response,
1036						 parse.mschap2_response_len);
1037	}
1038
1039done:
1040	wpabuf_free(in_decrypted);
1041	os_free(parse.eap);
1042}
1043
1044
1045static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data)
1046{
1047#ifdef EAP_SERVER_TNC
1048	if (!sm->tnc || data->state != SUCCESS || data->tnc_started)
1049		return;
1050
1051	wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC");
1052	if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_TNC)) {
1053		wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC");
1054		eap_ttls_state(data, FAILURE);
1055		return;
1056	}
1057
1058	data->tnc_started = 1;
1059	eap_ttls_state(data, PHASE2_METHOD);
1060#endif /* EAP_SERVER_TNC */
1061}
1062
1063
1064static int eap_ttls_process_version(struct eap_sm *sm, void *priv,
1065				    int peer_version)
1066{
1067	struct eap_ttls_data *data = priv;
1068	if (peer_version < data->ttls_version) {
1069		wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; "
1070			   "use version %d",
1071			   peer_version, data->ttls_version, peer_version);
1072		data->ttls_version = peer_version;
1073	}
1074
1075	return 0;
1076}
1077
1078
1079static void eap_ttls_process_msg(struct eap_sm *sm, void *priv,
1080				 const struct wpabuf *respData)
1081{
1082	struct eap_ttls_data *data = priv;
1083
1084	switch (data->state) {
1085	case PHASE1:
1086		if (eap_server_tls_phase1(sm, &data->ssl) < 0)
1087			eap_ttls_state(data, FAILURE);
1088		break;
1089	case PHASE2_START:
1090	case PHASE2_METHOD:
1091		eap_ttls_process_phase2(sm, data, data->ssl.tls_in);
1092		eap_ttls_start_tnc(sm, data);
1093		break;
1094	case PHASE2_MSCHAPV2_RESP:
1095		if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) ==
1096		    0) {
1097			wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1098				   "acknowledged response");
1099			eap_ttls_state(data, SUCCESS);
1100		} else if (!data->mschapv2_resp_ok) {
1101			wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1102				   "acknowledged error");
1103			eap_ttls_state(data, FAILURE);
1104		} else {
1105			wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected "
1106				   "frame from peer (payload len %lu, "
1107				   "expected empty frame)",
1108				   (unsigned long)
1109				   wpabuf_len(data->ssl.tls_in));
1110			eap_ttls_state(data, FAILURE);
1111		}
1112		eap_ttls_start_tnc(sm, data);
1113		break;
1114	default:
1115		wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s",
1116			   data->state, __func__);
1117		break;
1118	}
1119}
1120
1121
1122static void eap_ttls_process(struct eap_sm *sm, void *priv,
1123			     struct wpabuf *respData)
1124{
1125	struct eap_ttls_data *data = priv;
1126	if (eap_server_tls_process(sm, &data->ssl, respData, data,
1127				   EAP_TYPE_TTLS, eap_ttls_process_version,
1128				   eap_ttls_process_msg) < 0)
1129		eap_ttls_state(data, FAILURE);
1130}
1131
1132
1133static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv)
1134{
1135	struct eap_ttls_data *data = priv;
1136	return data->state == SUCCESS || data->state == FAILURE;
1137}
1138
1139
1140static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1141{
1142	struct eap_ttls_data *data = priv;
1143	u8 *eapKeyData;
1144
1145	if (data->state != SUCCESS)
1146		return NULL;
1147
1148	eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1149					       "ttls keying material",
1150					       EAP_TLS_KEY_LEN);
1151	if (eapKeyData) {
1152		*len = EAP_TLS_KEY_LEN;
1153		wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
1154				eapKeyData, EAP_TLS_KEY_LEN);
1155	} else {
1156		wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1157	}
1158
1159	return eapKeyData;
1160}
1161
1162
1163static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv)
1164{
1165	struct eap_ttls_data *data = priv;
1166	return data->state == SUCCESS;
1167}
1168
1169
1170int eap_server_ttls_register(void)
1171{
1172	struct eap_method *eap;
1173	int ret;
1174
1175	eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1176				      EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1177	if (eap == NULL)
1178		return -1;
1179
1180	eap->init = eap_ttls_init;
1181	eap->reset = eap_ttls_reset;
1182	eap->buildReq = eap_ttls_buildReq;
1183	eap->check = eap_ttls_check;
1184	eap->process = eap_ttls_process;
1185	eap->isDone = eap_ttls_isDone;
1186	eap->getKey = eap_ttls_getKey;
1187	eap->isSuccess = eap_ttls_isSuccess;
1188
1189	ret = eap_server_method_register(eap);
1190	if (ret)
1191		eap_server_method_free(eap);
1192	return ret;
1193}
1194