1189251Ssam/* 2189251Ssam * EAP peer method: EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt) 3346981Scy * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> 4189251Ssam * 5252726Srpaulo * This software may be distributed under the terms of the BSD license. 6252726Srpaulo * See README for more details. 7189251Ssam */ 8189251Ssam 9189251Ssam#include "includes.h" 10189251Ssam 11189251Ssam#include "common.h" 12189251Ssam#include "crypto/sha1.h" 13214734Srpaulo#include "crypto/tls.h" 14214734Srpaulo#include "eap_common/eap_tlv_common.h" 15214734Srpaulo#include "eap_common/eap_peap_common.h" 16189251Ssam#include "eap_i.h" 17189251Ssam#include "eap_tls_common.h" 18189251Ssam#include "eap_config.h" 19189251Ssam#include "tncc.h" 20189251Ssam 21189251Ssam 22189251Ssam/* Maximum supported PEAP version 23189251Ssam * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt 24189251Ssam * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt 25189251Ssam */ 26189251Ssam#define EAP_PEAP_VERSION 1 27189251Ssam 28189251Ssam 29189251Ssamstatic void eap_peap_deinit(struct eap_sm *sm, void *priv); 30189251Ssam 31189251Ssam 32189251Ssamstruct eap_peap_data { 33189251Ssam struct eap_ssl_data ssl; 34189251Ssam 35189251Ssam int peap_version, force_peap_version, force_new_label; 36189251Ssam 37189251Ssam const struct eap_method *phase2_method; 38189251Ssam void *phase2_priv; 39189251Ssam int phase2_success; 40189251Ssam int phase2_eap_success; 41189251Ssam int phase2_eap_started; 42189251Ssam 43189251Ssam struct eap_method_type phase2_type; 44189251Ssam struct eap_method_type *phase2_types; 45189251Ssam size_t num_phase2_types; 46189251Ssam 47189251Ssam int peap_outer_success; /* 0 = PEAP terminated on Phase 2 inner 48189251Ssam * EAP-Success 49189251Ssam * 1 = reply with tunneled EAP-Success to inner 50189251Ssam * EAP-Success and expect AS to send outer 51189251Ssam * (unencrypted) EAP-Success after this 52189251Ssam * 2 = reply with PEAP/TLS ACK to inner 53189251Ssam * EAP-Success and expect AS to send outer 54189251Ssam * (unencrypted) EAP-Success after this */ 55189251Ssam int resuming; /* starting a resumed session */ 56189251Ssam int reauth; /* reauthentication */ 57189251Ssam u8 *key_data; 58281806Srpaulo u8 *session_id; 59281806Srpaulo size_t id_len; 60189251Ssam 61189251Ssam struct wpabuf *pending_phase2_req; 62337817Scy struct wpabuf *pending_resp; 63189251Ssam enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding; 64189251Ssam int crypto_binding_used; 65189251Ssam u8 binding_nonce[32]; 66189251Ssam u8 ipmk[40]; 67189251Ssam u8 cmk[20]; 68189251Ssam int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) 69189251Ssam * is enabled. */ 70189251Ssam}; 71189251Ssam 72189251Ssam 73337817Scystatic void eap_peap_parse_phase1(struct eap_peap_data *data, 74337817Scy const char *phase1) 75189251Ssam{ 76189251Ssam const char *pos; 77189251Ssam 78189251Ssam pos = os_strstr(phase1, "peapver="); 79189251Ssam if (pos) { 80189251Ssam data->force_peap_version = atoi(pos + 8); 81189251Ssam data->peap_version = data->force_peap_version; 82189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Forced PEAP version %d", 83189251Ssam data->force_peap_version); 84189251Ssam } 85189251Ssam 86189251Ssam if (os_strstr(phase1, "peaplabel=1")) { 87189251Ssam data->force_new_label = 1; 88189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Force new label for key " 89189251Ssam "derivation"); 90189251Ssam } 91189251Ssam 92189251Ssam if (os_strstr(phase1, "peap_outer_success=0")) { 93189251Ssam data->peap_outer_success = 0; 94189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: terminate authentication on " 95189251Ssam "tunneled EAP-Success"); 96189251Ssam } else if (os_strstr(phase1, "peap_outer_success=1")) { 97189251Ssam data->peap_outer_success = 1; 98189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: send tunneled EAP-Success " 99189251Ssam "after receiving tunneled EAP-Success"); 100189251Ssam } else if (os_strstr(phase1, "peap_outer_success=2")) { 101189251Ssam data->peap_outer_success = 2; 102189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: send PEAP/TLS ACK after " 103189251Ssam "receiving tunneled EAP-Success"); 104189251Ssam } 105189251Ssam 106189251Ssam if (os_strstr(phase1, "crypto_binding=0")) { 107189251Ssam data->crypto_binding = NO_BINDING; 108189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Do not use cryptobinding"); 109189251Ssam } else if (os_strstr(phase1, "crypto_binding=1")) { 110189251Ssam data->crypto_binding = OPTIONAL_BINDING; 111189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Optional cryptobinding"); 112189251Ssam } else if (os_strstr(phase1, "crypto_binding=2")) { 113189251Ssam data->crypto_binding = REQUIRE_BINDING; 114189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); 115189251Ssam } 116189251Ssam 117189251Ssam#ifdef EAP_TNC 118189251Ssam if (os_strstr(phase1, "tnc=soh2")) { 119189251Ssam data->soh = 2; 120189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); 121189251Ssam } else if (os_strstr(phase1, "tnc=soh1")) { 122189251Ssam data->soh = 1; 123189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 1 enabled"); 124189251Ssam } else if (os_strstr(phase1, "tnc=soh")) { 125189251Ssam data->soh = 2; 126189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); 127189251Ssam } 128189251Ssam#endif /* EAP_TNC */ 129189251Ssam} 130189251Ssam 131189251Ssam 132189251Ssamstatic void * eap_peap_init(struct eap_sm *sm) 133189251Ssam{ 134189251Ssam struct eap_peap_data *data; 135189251Ssam struct eap_peer_config *config = eap_get_config(sm); 136189251Ssam 137189251Ssam data = os_zalloc(sizeof(*data)); 138189251Ssam if (data == NULL) 139189251Ssam return NULL; 140189251Ssam sm->peap_done = FALSE; 141189251Ssam data->peap_version = EAP_PEAP_VERSION; 142189251Ssam data->force_peap_version = -1; 143189251Ssam data->peap_outer_success = 2; 144189251Ssam data->crypto_binding = OPTIONAL_BINDING; 145189251Ssam 146337817Scy if (config && config->phase1) 147337817Scy eap_peap_parse_phase1(data, config->phase1); 148189251Ssam 149189251Ssam if (eap_peer_select_phase2_methods(config, "auth=", 150189251Ssam &data->phase2_types, 151189251Ssam &data->num_phase2_types) < 0) { 152189251Ssam eap_peap_deinit(sm, data); 153189251Ssam return NULL; 154189251Ssam } 155189251Ssam 156189251Ssam data->phase2_type.vendor = EAP_VENDOR_IETF; 157189251Ssam data->phase2_type.method = EAP_TYPE_NONE; 158189251Ssam 159252726Srpaulo if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_PEAP)) { 160189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL."); 161189251Ssam eap_peap_deinit(sm, data); 162189251Ssam return NULL; 163189251Ssam } 164189251Ssam 165189251Ssam return data; 166189251Ssam} 167189251Ssam 168189251Ssam 169281806Srpaulostatic void eap_peap_free_key(struct eap_peap_data *data) 170281806Srpaulo{ 171281806Srpaulo if (data->key_data) { 172346981Scy bin_clear_free(data->key_data, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); 173281806Srpaulo data->key_data = NULL; 174281806Srpaulo } 175281806Srpaulo} 176281806Srpaulo 177281806Srpaulo 178189251Ssamstatic void eap_peap_deinit(struct eap_sm *sm, void *priv) 179189251Ssam{ 180189251Ssam struct eap_peap_data *data = priv; 181189251Ssam if (data == NULL) 182189251Ssam return; 183189251Ssam if (data->phase2_priv && data->phase2_method) 184189251Ssam data->phase2_method->deinit(sm, data->phase2_priv); 185189251Ssam os_free(data->phase2_types); 186189251Ssam eap_peer_tls_ssl_deinit(sm, &data->ssl); 187281806Srpaulo eap_peap_free_key(data); 188281806Srpaulo os_free(data->session_id); 189346981Scy wpabuf_clear_free(data->pending_phase2_req); 190346981Scy wpabuf_clear_free(data->pending_resp); 191346981Scy bin_clear_free(data, sizeof(*data)); 192189251Ssam} 193189251Ssam 194189251Ssam 195189251Ssam/** 196189251Ssam * eap_tlv_build_nak - Build EAP-TLV NAK message 197189251Ssam * @id: EAP identifier for the header 198189251Ssam * @nak_type: TLV type (EAP_TLV_*) 199189251Ssam * Returns: Buffer to the allocated EAP-TLV NAK message or %NULL on failure 200189251Ssam * 201252726Srpaulo * This function builds an EAP-TLV NAK message. The caller is responsible for 202189251Ssam * freeing the returned buffer. 203189251Ssam */ 204189251Ssamstatic struct wpabuf * eap_tlv_build_nak(int id, u16 nak_type) 205189251Ssam{ 206189251Ssam struct wpabuf *msg; 207189251Ssam 208189251Ssam msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, 10, 209189251Ssam EAP_CODE_RESPONSE, id); 210189251Ssam if (msg == NULL) 211189251Ssam return NULL; 212189251Ssam 213189251Ssam wpabuf_put_u8(msg, 0x80); /* Mandatory */ 214189251Ssam wpabuf_put_u8(msg, EAP_TLV_NAK_TLV); 215189251Ssam wpabuf_put_be16(msg, 6); /* Length */ 216189251Ssam wpabuf_put_be32(msg, 0); /* Vendor-Id */ 217189251Ssam wpabuf_put_be16(msg, nak_type); /* NAK-Type */ 218189251Ssam 219189251Ssam return msg; 220189251Ssam} 221189251Ssam 222189251Ssam 223189251Ssamstatic int eap_peap_get_isk(struct eap_sm *sm, struct eap_peap_data *data, 224189251Ssam u8 *isk, size_t isk_len) 225189251Ssam{ 226189251Ssam u8 *key; 227189251Ssam size_t key_len; 228189251Ssam 229189251Ssam os_memset(isk, 0, isk_len); 230189251Ssam if (data->phase2_method == NULL || data->phase2_priv == NULL || 231189251Ssam data->phase2_method->isKeyAvailable == NULL || 232189251Ssam data->phase2_method->getKey == NULL) 233189251Ssam return 0; 234189251Ssam 235189251Ssam if (!data->phase2_method->isKeyAvailable(sm, data->phase2_priv) || 236189251Ssam (key = data->phase2_method->getKey(sm, data->phase2_priv, 237189251Ssam &key_len)) == NULL) { 238189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not get key material " 239189251Ssam "from Phase 2"); 240189251Ssam return -1; 241189251Ssam } 242189251Ssam 243189251Ssam if (key_len > isk_len) 244189251Ssam key_len = isk_len; 245189251Ssam os_memcpy(isk, key, key_len); 246189251Ssam os_free(key); 247189251Ssam 248189251Ssam return 0; 249189251Ssam} 250189251Ssam 251189251Ssam 252189251Ssamstatic int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) 253189251Ssam{ 254189251Ssam u8 *tk; 255189251Ssam u8 isk[32], imck[60]; 256346981Scy int resumed, res; 257189251Ssam 258189251Ssam /* 259189251Ssam * Tunnel key (TK) is the first 60 octets of the key generated by 260189251Ssam * phase 1 of PEAP (based on TLS). 261189251Ssam */ 262189251Ssam tk = data->key_data; 263189251Ssam if (tk == NULL) 264189251Ssam return -1; 265189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60); 266189251Ssam 267337817Scy resumed = tls_connection_resumed(sm->ssl_ctx, data->ssl.conn); 268337817Scy wpa_printf(MSG_DEBUG, 269337817Scy "EAP-PEAP: CMK derivation - reauth=%d resumed=%d phase2_eap_started=%d phase2_success=%d", 270337817Scy data->reauth, resumed, data->phase2_eap_started, 271337817Scy data->phase2_success); 272337817Scy if (data->reauth && !data->phase2_eap_started && resumed) { 273189251Ssam /* Fast-connect: IPMK|CMK = TK */ 274189251Ssam os_memcpy(data->ipmk, tk, 40); 275189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK", 276189251Ssam data->ipmk, 40); 277189251Ssam os_memcpy(data->cmk, tk + 40, 20); 278189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK from TK", 279189251Ssam data->cmk, 20); 280189251Ssam return 0; 281189251Ssam } 282189251Ssam 283189251Ssam if (eap_peap_get_isk(sm, data, isk, sizeof(isk)) < 0) 284189251Ssam return -1; 285189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk)); 286189251Ssam 287189251Ssam /* 288189251Ssam * IPMK Seed = "Inner Methods Compound Keys" | ISK 289189251Ssam * TempKey = First 40 octets of TK 290189251Ssam * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60) 291189251Ssam * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space 292189251Ssam * in the end of the label just before ISK; is that just a typo?) 293189251Ssam */ 294189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40); 295346981Scy res = peap_prfplus(data->peap_version, tk, 40, 296346981Scy "Inner Methods Compound Keys", 297346981Scy isk, sizeof(isk), imck, sizeof(imck)); 298351611Scy forced_memzero(isk, sizeof(isk)); 299346981Scy if (res < 0) 300252726Srpaulo return -1; 301189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)", 302189251Ssam imck, sizeof(imck)); 303189251Ssam 304189251Ssam os_memcpy(data->ipmk, imck, 40); 305189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40); 306189251Ssam os_memcpy(data->cmk, imck + 40, 20); 307189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20); 308351611Scy forced_memzero(imck, sizeof(imck)); 309189251Ssam 310189251Ssam return 0; 311189251Ssam} 312189251Ssam 313189251Ssam 314189251Ssamstatic int eap_tlv_add_cryptobinding(struct eap_sm *sm, 315189251Ssam struct eap_peap_data *data, 316189251Ssam struct wpabuf *buf) 317189251Ssam{ 318189251Ssam u8 *mac; 319189251Ssam u8 eap_type = EAP_TYPE_PEAP; 320189251Ssam const u8 *addr[2]; 321189251Ssam size_t len[2]; 322189251Ssam u16 tlv_type; 323189251Ssam 324189251Ssam /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ 325189251Ssam addr[0] = wpabuf_put(buf, 0); 326189251Ssam len[0] = 60; 327189251Ssam addr[1] = &eap_type; 328189251Ssam len[1] = 1; 329189251Ssam 330189251Ssam tlv_type = EAP_TLV_CRYPTO_BINDING_TLV; 331189251Ssam wpabuf_put_be16(buf, tlv_type); 332189251Ssam wpabuf_put_be16(buf, 56); 333189251Ssam 334189251Ssam wpabuf_put_u8(buf, 0); /* Reserved */ 335189251Ssam wpabuf_put_u8(buf, data->peap_version); /* Version */ 336189251Ssam wpabuf_put_u8(buf, data->peap_version); /* RecvVersion */ 337189251Ssam wpabuf_put_u8(buf, 1); /* SubType: 0 = Request, 1 = Response */ 338189251Ssam wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */ 339189251Ssam mac = wpabuf_put(buf, 20); /* Compound_MAC */ 340189251Ssam wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK", data->cmk, 20); 341189251Ssam wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1", 342189251Ssam addr[0], len[0]); 343189251Ssam wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2", 344189251Ssam addr[1], len[1]); 345337817Scy if (hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac) < 0) 346337817Scy return -1; 347189251Ssam wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC", mac, SHA1_MAC_LEN); 348189251Ssam data->crypto_binding_used = 1; 349189251Ssam 350189251Ssam return 0; 351189251Ssam} 352189251Ssam 353189251Ssam 354189251Ssam/** 355189251Ssam * eap_tlv_build_result - Build EAP-TLV Result message 356189251Ssam * @id: EAP identifier for the header 357189251Ssam * @status: Status (EAP_TLV_RESULT_SUCCESS or EAP_TLV_RESULT_FAILURE) 358189251Ssam * Returns: Buffer to the allocated EAP-TLV Result message or %NULL on failure 359189251Ssam * 360252726Srpaulo * This function builds an EAP-TLV Result message. The caller is responsible 361252726Srpaulo * for freeing the returned buffer. 362189251Ssam */ 363189251Ssamstatic struct wpabuf * eap_tlv_build_result(struct eap_sm *sm, 364189251Ssam struct eap_peap_data *data, 365189251Ssam int crypto_tlv_used, 366189251Ssam int id, u16 status) 367189251Ssam{ 368189251Ssam struct wpabuf *msg; 369189251Ssam size_t len; 370189251Ssam 371189251Ssam if (data->crypto_binding == NO_BINDING) 372189251Ssam crypto_tlv_used = 0; 373189251Ssam 374189251Ssam len = 6; 375189251Ssam if (crypto_tlv_used) 376189251Ssam len += 60; /* Cryptobinding TLV */ 377189251Ssam msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, len, 378189251Ssam EAP_CODE_RESPONSE, id); 379189251Ssam if (msg == NULL) 380189251Ssam return NULL; 381189251Ssam 382189251Ssam wpabuf_put_u8(msg, 0x80); /* Mandatory */ 383189251Ssam wpabuf_put_u8(msg, EAP_TLV_RESULT_TLV); 384189251Ssam wpabuf_put_be16(msg, 2); /* Length */ 385189251Ssam wpabuf_put_be16(msg, status); /* Status */ 386189251Ssam 387189251Ssam if (crypto_tlv_used && eap_tlv_add_cryptobinding(sm, data, msg)) { 388346981Scy wpabuf_clear_free(msg); 389189251Ssam return NULL; 390189251Ssam } 391189251Ssam 392189251Ssam return msg; 393189251Ssam} 394189251Ssam 395189251Ssam 396189251Ssamstatic int eap_tlv_validate_cryptobinding(struct eap_sm *sm, 397189251Ssam struct eap_peap_data *data, 398189251Ssam const u8 *crypto_tlv, 399189251Ssam size_t crypto_tlv_len) 400189251Ssam{ 401189251Ssam u8 buf[61], mac[SHA1_MAC_LEN]; 402189251Ssam const u8 *pos; 403189251Ssam 404189251Ssam if (eap_peap_derive_cmk(sm, data) < 0) { 405189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not derive CMK"); 406189251Ssam return -1; 407189251Ssam } 408189251Ssam 409189251Ssam if (crypto_tlv_len != 4 + 56) { 410189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV " 411189251Ssam "length %d", (int) crypto_tlv_len); 412189251Ssam return -1; 413189251Ssam } 414189251Ssam 415189251Ssam pos = crypto_tlv; 416189251Ssam pos += 4; /* TLV header */ 417189251Ssam if (pos[1] != data->peap_version) { 418189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version " 419189251Ssam "mismatch (was %d; expected %d)", 420189251Ssam pos[1], data->peap_version); 421189251Ssam return -1; 422189251Ssam } 423189251Ssam 424189251Ssam if (pos[3] != 0) { 425189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV " 426189251Ssam "SubType %d", pos[3]); 427189251Ssam return -1; 428189251Ssam } 429189251Ssam pos += 4; 430189251Ssam os_memcpy(data->binding_nonce, pos, 32); 431189251Ssam pos += 32; /* Nonce */ 432189251Ssam 433189251Ssam /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ 434189251Ssam os_memcpy(buf, crypto_tlv, 60); 435189251Ssam os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */ 436189251Ssam buf[60] = EAP_TYPE_PEAP; 437189251Ssam wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Compound_MAC data", 438189251Ssam buf, sizeof(buf)); 439189251Ssam hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac); 440189251Ssam 441281806Srpaulo if (os_memcmp_const(mac, pos, SHA1_MAC_LEN) != 0) { 442189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in " 443189251Ssam "cryptobinding TLV"); 444189251Ssam wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received MAC", 445189251Ssam pos, SHA1_MAC_LEN); 446189251Ssam wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Expected MAC", 447189251Ssam mac, SHA1_MAC_LEN); 448189251Ssam return -1; 449189251Ssam } 450189251Ssam 451189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received"); 452189251Ssam 453189251Ssam return 0; 454189251Ssam} 455189251Ssam 456189251Ssam 457189251Ssam/** 458189251Ssam * eap_tlv_process - Process a received EAP-TLV message and generate a response 459189251Ssam * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 460189251Ssam * @ret: Return values from EAP request validation and processing 461189251Ssam * @req: EAP-TLV request to be processed. The caller must have validated that 462189251Ssam * the buffer is large enough to contain full request (hdr->length bytes) and 463189251Ssam * that the EAP type is EAP_TYPE_TLV. 464189251Ssam * @resp: Buffer to return a pointer to the allocated response message. This 465189251Ssam * field should be initialized to %NULL before the call. The value will be 466189251Ssam * updated if a response message is generated. The caller is responsible for 467189251Ssam * freeing the allocated message. 468189251Ssam * @force_failure: Force negotiation to fail 469189251Ssam * Returns: 0 on success, -1 on failure 470189251Ssam */ 471189251Ssamstatic int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, 472189251Ssam struct eap_method_ret *ret, 473189251Ssam const struct wpabuf *req, struct wpabuf **resp, 474189251Ssam int force_failure) 475189251Ssam{ 476189251Ssam size_t left, tlv_len; 477189251Ssam const u8 *pos; 478189251Ssam const u8 *result_tlv = NULL, *crypto_tlv = NULL; 479189251Ssam size_t result_tlv_len = 0, crypto_tlv_len = 0; 480189251Ssam int tlv_type, mandatory; 481189251Ssam 482189251Ssam /* Parse TLVs */ 483189251Ssam pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, req, &left); 484189251Ssam if (pos == NULL) 485189251Ssam return -1; 486189251Ssam wpa_hexdump(MSG_DEBUG, "EAP-TLV: Received TLVs", pos, left); 487189251Ssam while (left >= 4) { 488189251Ssam mandatory = !!(pos[0] & 0x80); 489189251Ssam tlv_type = WPA_GET_BE16(pos) & 0x3fff; 490189251Ssam pos += 2; 491189251Ssam tlv_len = WPA_GET_BE16(pos); 492189251Ssam pos += 2; 493189251Ssam left -= 4; 494189251Ssam if (tlv_len > left) { 495189251Ssam wpa_printf(MSG_DEBUG, "EAP-TLV: TLV underrun " 496189251Ssam "(tlv_len=%lu left=%lu)", 497189251Ssam (unsigned long) tlv_len, 498189251Ssam (unsigned long) left); 499189251Ssam return -1; 500189251Ssam } 501189251Ssam switch (tlv_type) { 502189251Ssam case EAP_TLV_RESULT_TLV: 503189251Ssam result_tlv = pos; 504189251Ssam result_tlv_len = tlv_len; 505189251Ssam break; 506189251Ssam case EAP_TLV_CRYPTO_BINDING_TLV: 507189251Ssam crypto_tlv = pos; 508189251Ssam crypto_tlv_len = tlv_len; 509189251Ssam break; 510189251Ssam default: 511189251Ssam wpa_printf(MSG_DEBUG, "EAP-TLV: Unsupported TLV Type " 512189251Ssam "%d%s", tlv_type, 513189251Ssam mandatory ? " (mandatory)" : ""); 514189251Ssam if (mandatory) { 515189251Ssam /* NAK TLV and ignore all TLVs in this packet. 516189251Ssam */ 517189251Ssam *resp = eap_tlv_build_nak(eap_get_id(req), 518189251Ssam tlv_type); 519189251Ssam return *resp == NULL ? -1 : 0; 520189251Ssam } 521189251Ssam /* Ignore this TLV, but process other TLVs */ 522189251Ssam break; 523189251Ssam } 524189251Ssam 525189251Ssam pos += tlv_len; 526189251Ssam left -= tlv_len; 527189251Ssam } 528189251Ssam if (left) { 529189251Ssam wpa_printf(MSG_DEBUG, "EAP-TLV: Last TLV too short in " 530189251Ssam "Request (left=%lu)", (unsigned long) left); 531189251Ssam return -1; 532189251Ssam } 533189251Ssam 534189251Ssam /* Process supported TLVs */ 535189251Ssam if (crypto_tlv && data->crypto_binding != NO_BINDING) { 536189251Ssam wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV", 537189251Ssam crypto_tlv, crypto_tlv_len); 538189251Ssam if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4, 539189251Ssam crypto_tlv_len + 4) < 0) { 540189251Ssam if (result_tlv == NULL) 541189251Ssam return -1; 542189251Ssam force_failure = 1; 543189251Ssam crypto_tlv = NULL; /* do not include Cryptobinding TLV 544189251Ssam * in response, if the received 545189251Ssam * cryptobinding was invalid. */ 546189251Ssam } 547189251Ssam } else if (!crypto_tlv && data->crypto_binding == REQUIRE_BINDING) { 548189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV"); 549189251Ssam return -1; 550189251Ssam } 551189251Ssam 552189251Ssam if (result_tlv) { 553189251Ssam int status, resp_status; 554189251Ssam wpa_hexdump(MSG_DEBUG, "EAP-TLV: Result TLV", 555189251Ssam result_tlv, result_tlv_len); 556189251Ssam if (result_tlv_len < 2) { 557189251Ssam wpa_printf(MSG_INFO, "EAP-TLV: Too short Result TLV " 558189251Ssam "(len=%lu)", 559189251Ssam (unsigned long) result_tlv_len); 560189251Ssam return -1; 561189251Ssam } 562189251Ssam status = WPA_GET_BE16(result_tlv); 563189251Ssam if (status == EAP_TLV_RESULT_SUCCESS) { 564189251Ssam wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Success " 565189251Ssam "- EAP-TLV/Phase2 Completed"); 566189251Ssam if (force_failure) { 567189251Ssam wpa_printf(MSG_INFO, "EAP-TLV: Earlier failure" 568189251Ssam " - force failed Phase 2"); 569189251Ssam resp_status = EAP_TLV_RESULT_FAILURE; 570189251Ssam ret->decision = DECISION_FAIL; 571189251Ssam } else { 572189251Ssam resp_status = EAP_TLV_RESULT_SUCCESS; 573189251Ssam ret->decision = DECISION_UNCOND_SUCC; 574189251Ssam } 575189251Ssam } else if (status == EAP_TLV_RESULT_FAILURE) { 576189251Ssam wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Failure"); 577189251Ssam resp_status = EAP_TLV_RESULT_FAILURE; 578189251Ssam ret->decision = DECISION_FAIL; 579189251Ssam } else { 580189251Ssam wpa_printf(MSG_INFO, "EAP-TLV: Unknown TLV Result " 581189251Ssam "Status %d", status); 582189251Ssam resp_status = EAP_TLV_RESULT_FAILURE; 583189251Ssam ret->decision = DECISION_FAIL; 584189251Ssam } 585189251Ssam ret->methodState = METHOD_DONE; 586189251Ssam 587189251Ssam *resp = eap_tlv_build_result(sm, data, crypto_tlv != NULL, 588189251Ssam eap_get_id(req), resp_status); 589189251Ssam } 590189251Ssam 591189251Ssam return 0; 592189251Ssam} 593189251Ssam 594189251Ssam 595189251Ssamstatic int eap_peap_phase2_request(struct eap_sm *sm, 596189251Ssam struct eap_peap_data *data, 597189251Ssam struct eap_method_ret *ret, 598189251Ssam struct wpabuf *req, 599189251Ssam struct wpabuf **resp) 600189251Ssam{ 601189251Ssam struct eap_hdr *hdr = wpabuf_mhead(req); 602189251Ssam size_t len = be_to_host16(hdr->length); 603189251Ssam u8 *pos; 604189251Ssam struct eap_method_ret iret; 605189251Ssam struct eap_peer_config *config = eap_get_config(sm); 606189251Ssam 607189251Ssam if (len <= sizeof(struct eap_hdr)) { 608189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: too short " 609189251Ssam "Phase 2 request (len=%lu)", (unsigned long) len); 610189251Ssam return -1; 611189251Ssam } 612189251Ssam pos = (u8 *) (hdr + 1); 613189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Request: type=%d", *pos); 614189251Ssam switch (*pos) { 615189251Ssam case EAP_TYPE_IDENTITY: 616189251Ssam *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); 617189251Ssam break; 618189251Ssam case EAP_TYPE_TLV: 619189251Ssam os_memset(&iret, 0, sizeof(iret)); 620189251Ssam if (eap_tlv_process(sm, data, &iret, req, resp, 621189251Ssam data->phase2_eap_started && 622189251Ssam !data->phase2_eap_success)) { 623189251Ssam ret->methodState = METHOD_DONE; 624189251Ssam ret->decision = DECISION_FAIL; 625189251Ssam return -1; 626189251Ssam } 627189251Ssam if (iret.methodState == METHOD_DONE || 628189251Ssam iret.methodState == METHOD_MAY_CONT) { 629189251Ssam ret->methodState = iret.methodState; 630189251Ssam ret->decision = iret.decision; 631189251Ssam data->phase2_success = 1; 632189251Ssam } 633189251Ssam break; 634189251Ssam case EAP_TYPE_EXPANDED: 635189251Ssam#ifdef EAP_TNC 636189251Ssam if (data->soh) { 637189251Ssam const u8 *epos; 638189251Ssam size_t eleft; 639189251Ssam 640189251Ssam epos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21, 641189251Ssam req, &eleft); 642189251Ssam if (epos) { 643189251Ssam struct wpabuf *buf; 644189251Ssam wpa_printf(MSG_DEBUG, 645189251Ssam "EAP-PEAP: SoH EAP Extensions"); 646189251Ssam buf = tncc_process_soh_request(data->soh, 647189251Ssam epos, eleft); 648189251Ssam if (buf) { 649189251Ssam *resp = eap_msg_alloc( 650189251Ssam EAP_VENDOR_MICROSOFT, 0x21, 651189251Ssam wpabuf_len(buf), 652189251Ssam EAP_CODE_RESPONSE, 653189251Ssam hdr->identifier); 654189251Ssam if (*resp == NULL) { 655189251Ssam ret->methodState = METHOD_DONE; 656189251Ssam ret->decision = DECISION_FAIL; 657346981Scy wpabuf_clear_free(buf); 658189251Ssam return -1; 659189251Ssam } 660189251Ssam wpabuf_put_buf(*resp, buf); 661346981Scy wpabuf_clear_free(buf); 662189251Ssam break; 663189251Ssam } 664189251Ssam } 665189251Ssam } 666189251Ssam#endif /* EAP_TNC */ 667189251Ssam /* fall through */ 668189251Ssam default: 669189251Ssam if (data->phase2_type.vendor == EAP_VENDOR_IETF && 670189251Ssam data->phase2_type.method == EAP_TYPE_NONE) { 671189251Ssam size_t i; 672189251Ssam for (i = 0; i < data->num_phase2_types; i++) { 673189251Ssam if (data->phase2_types[i].vendor != 674189251Ssam EAP_VENDOR_IETF || 675189251Ssam data->phase2_types[i].method != *pos) 676189251Ssam continue; 677189251Ssam 678189251Ssam data->phase2_type.vendor = 679189251Ssam data->phase2_types[i].vendor; 680189251Ssam data->phase2_type.method = 681189251Ssam data->phase2_types[i].method; 682189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Selected " 683189251Ssam "Phase 2 EAP vendor %d method %d", 684189251Ssam data->phase2_type.vendor, 685189251Ssam data->phase2_type.method); 686189251Ssam break; 687189251Ssam } 688189251Ssam } 689189251Ssam if (*pos != data->phase2_type.method || 690189251Ssam *pos == EAP_TYPE_NONE) { 691189251Ssam if (eap_peer_tls_phase2_nak(data->phase2_types, 692189251Ssam data->num_phase2_types, 693189251Ssam hdr, resp)) 694189251Ssam return -1; 695189251Ssam return 0; 696189251Ssam } 697189251Ssam 698189251Ssam if (data->phase2_priv == NULL) { 699189251Ssam data->phase2_method = eap_peer_get_eap_method( 700189251Ssam data->phase2_type.vendor, 701189251Ssam data->phase2_type.method); 702189251Ssam if (data->phase2_method) { 703189251Ssam sm->init_phase2 = 1; 704189251Ssam data->phase2_priv = 705189251Ssam data->phase2_method->init(sm); 706189251Ssam sm->init_phase2 = 0; 707189251Ssam } 708189251Ssam } 709189251Ssam if (data->phase2_priv == NULL || data->phase2_method == NULL) { 710189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: failed to initialize " 711189251Ssam "Phase 2 EAP method %d", *pos); 712189251Ssam ret->methodState = METHOD_DONE; 713189251Ssam ret->decision = DECISION_FAIL; 714189251Ssam return -1; 715189251Ssam } 716189251Ssam data->phase2_eap_started = 1; 717189251Ssam os_memset(&iret, 0, sizeof(iret)); 718189251Ssam *resp = data->phase2_method->process(sm, data->phase2_priv, 719189251Ssam &iret, req); 720189251Ssam if ((iret.methodState == METHOD_DONE || 721189251Ssam iret.methodState == METHOD_MAY_CONT) && 722189251Ssam (iret.decision == DECISION_UNCOND_SUCC || 723189251Ssam iret.decision == DECISION_COND_SUCC)) { 724189251Ssam data->phase2_eap_success = 1; 725189251Ssam data->phase2_success = 1; 726189251Ssam } 727189251Ssam break; 728189251Ssam } 729189251Ssam 730189251Ssam if (*resp == NULL && 731189251Ssam (config->pending_req_identity || config->pending_req_password || 732346981Scy config->pending_req_otp || config->pending_req_new_password || 733346981Scy config->pending_req_sim)) { 734346981Scy wpabuf_clear_free(data->pending_phase2_req); 735189251Ssam data->pending_phase2_req = wpabuf_alloc_copy(hdr, len); 736189251Ssam } 737189251Ssam 738189251Ssam return 0; 739189251Ssam} 740189251Ssam 741189251Ssam 742189251Ssamstatic int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data, 743189251Ssam struct eap_method_ret *ret, 744189251Ssam const struct eap_hdr *req, 745189251Ssam const struct wpabuf *in_data, 746189251Ssam struct wpabuf **out_data) 747189251Ssam{ 748189251Ssam struct wpabuf *in_decrypted = NULL; 749189251Ssam int res, skip_change = 0; 750189251Ssam struct eap_hdr *hdr, *rhdr; 751189251Ssam struct wpabuf *resp = NULL; 752189251Ssam size_t len; 753189251Ssam 754189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for" 755189251Ssam " Phase 2", (unsigned long) wpabuf_len(in_data)); 756189251Ssam 757189251Ssam if (data->pending_phase2_req) { 758189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 request - " 759189251Ssam "skip decryption and use old data"); 760189251Ssam /* Clear TLS reassembly state. */ 761189251Ssam eap_peer_tls_reset_input(&data->ssl); 762189251Ssam in_decrypted = data->pending_phase2_req; 763189251Ssam data->pending_phase2_req = NULL; 764189251Ssam skip_change = 1; 765189251Ssam goto continue_req; 766189251Ssam } 767189251Ssam 768189251Ssam if (wpabuf_len(in_data) == 0 && sm->workaround && 769189251Ssam data->phase2_success) { 770189251Ssam /* 771189251Ssam * Cisco ACS seems to be using TLS ACK to terminate 772189251Ssam * EAP-PEAPv0/GTC. Try to reply with TLS ACK. 773189251Ssam */ 774189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Received TLS ACK, but " 775189251Ssam "expected data - acknowledge with TLS ACK since " 776189251Ssam "Phase 2 has been completed"); 777189251Ssam ret->decision = DECISION_COND_SUCC; 778189251Ssam ret->methodState = METHOD_DONE; 779189251Ssam return 1; 780189251Ssam } else if (wpabuf_len(in_data) == 0) { 781189251Ssam /* Received TLS ACK - requesting more fragments */ 782189251Ssam return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, 783189251Ssam data->peap_version, 784189251Ssam req->identifier, NULL, out_data); 785189251Ssam } 786189251Ssam 787189251Ssam res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); 788189251Ssam if (res) 789189251Ssam return res; 790189251Ssam 791189251Ssamcontinue_req: 792189251Ssam wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP", 793189251Ssam in_decrypted); 794189251Ssam 795189251Ssam hdr = wpabuf_mhead(in_decrypted); 796189251Ssam if (wpabuf_len(in_decrypted) == 5 && hdr->code == EAP_CODE_REQUEST && 797189251Ssam be_to_host16(hdr->length) == 5 && 798189251Ssam eap_get_type(in_decrypted) == EAP_TYPE_IDENTITY) { 799189251Ssam /* At least FreeRADIUS seems to send full EAP header with 800189251Ssam * EAP Request Identity */ 801189251Ssam skip_change = 1; 802189251Ssam } 803189251Ssam if (wpabuf_len(in_decrypted) >= 5 && hdr->code == EAP_CODE_REQUEST && 804189251Ssam eap_get_type(in_decrypted) == EAP_TYPE_TLV) { 805189251Ssam skip_change = 1; 806189251Ssam } 807189251Ssam 808189251Ssam if (data->peap_version == 0 && !skip_change) { 809189251Ssam struct eap_hdr *nhdr; 810189251Ssam struct wpabuf *nmsg = wpabuf_alloc(sizeof(struct eap_hdr) + 811189251Ssam wpabuf_len(in_decrypted)); 812189251Ssam if (nmsg == NULL) { 813346981Scy wpabuf_clear_free(in_decrypted); 814189251Ssam return 0; 815189251Ssam } 816189251Ssam nhdr = wpabuf_put(nmsg, sizeof(*nhdr)); 817189251Ssam wpabuf_put_buf(nmsg, in_decrypted); 818189251Ssam nhdr->code = req->code; 819189251Ssam nhdr->identifier = req->identifier; 820189251Ssam nhdr->length = host_to_be16(sizeof(struct eap_hdr) + 821189251Ssam wpabuf_len(in_decrypted)); 822189251Ssam 823346981Scy wpabuf_clear_free(in_decrypted); 824189251Ssam in_decrypted = nmsg; 825189251Ssam } 826189251Ssam 827189251Ssam hdr = wpabuf_mhead(in_decrypted); 828189251Ssam if (wpabuf_len(in_decrypted) < sizeof(*hdr)) { 829189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 " 830189251Ssam "EAP frame (len=%lu)", 831189251Ssam (unsigned long) wpabuf_len(in_decrypted)); 832346981Scy wpabuf_clear_free(in_decrypted); 833189251Ssam return 0; 834189251Ssam } 835189251Ssam len = be_to_host16(hdr->length); 836189251Ssam if (len > wpabuf_len(in_decrypted)) { 837189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in " 838189251Ssam "Phase 2 EAP frame (len=%lu hdr->length=%lu)", 839189251Ssam (unsigned long) wpabuf_len(in_decrypted), 840189251Ssam (unsigned long) len); 841346981Scy wpabuf_clear_free(in_decrypted); 842189251Ssam return 0; 843189251Ssam } 844189251Ssam if (len < wpabuf_len(in_decrypted)) { 845189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: Odd.. Phase 2 EAP header has " 846189251Ssam "shorter length than full decrypted data " 847189251Ssam "(%lu < %lu)", 848189251Ssam (unsigned long) len, 849189251Ssam (unsigned long) wpabuf_len(in_decrypted)); 850189251Ssam } 851189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d " 852189251Ssam "identifier=%d length=%lu", hdr->code, hdr->identifier, 853189251Ssam (unsigned long) len); 854189251Ssam switch (hdr->code) { 855189251Ssam case EAP_CODE_REQUEST: 856189251Ssam if (eap_peap_phase2_request(sm, data, ret, in_decrypted, 857189251Ssam &resp)) { 858346981Scy wpabuf_clear_free(in_decrypted); 859189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: Phase2 Request " 860189251Ssam "processing failed"); 861189251Ssam return 0; 862189251Ssam } 863189251Ssam break; 864189251Ssam case EAP_CODE_SUCCESS: 865189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success"); 866189251Ssam if (data->peap_version == 1) { 867189251Ssam /* EAP-Success within TLS tunnel is used to indicate 868189251Ssam * shutdown of the TLS channel. The authentication has 869189251Ssam * been completed. */ 870189251Ssam if (data->phase2_eap_started && 871189251Ssam !data->phase2_eap_success) { 872189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " 873189251Ssam "Success used to indicate success, " 874189251Ssam "but Phase 2 EAP was not yet " 875189251Ssam "completed successfully"); 876189251Ssam ret->methodState = METHOD_DONE; 877189251Ssam ret->decision = DECISION_FAIL; 878346981Scy wpabuf_clear_free(in_decrypted); 879189251Ssam return 0; 880189251Ssam } 881189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Version 1 - " 882189251Ssam "EAP-Success within TLS tunnel - " 883189251Ssam "authentication completed"); 884189251Ssam ret->decision = DECISION_UNCOND_SUCC; 885189251Ssam ret->methodState = METHOD_DONE; 886189251Ssam data->phase2_success = 1; 887189251Ssam if (data->peap_outer_success == 2) { 888346981Scy wpabuf_clear_free(in_decrypted); 889189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Use TLS ACK " 890189251Ssam "to finish authentication"); 891189251Ssam return 1; 892189251Ssam } else if (data->peap_outer_success == 1) { 893189251Ssam /* Reply with EAP-Success within the TLS 894189251Ssam * channel to complete the authentication. */ 895189251Ssam resp = wpabuf_alloc(sizeof(struct eap_hdr)); 896189251Ssam if (resp) { 897189251Ssam rhdr = wpabuf_put(resp, sizeof(*rhdr)); 898189251Ssam rhdr->code = EAP_CODE_SUCCESS; 899189251Ssam rhdr->identifier = hdr->identifier; 900189251Ssam rhdr->length = 901189251Ssam host_to_be16(sizeof(*rhdr)); 902189251Ssam } 903189251Ssam } else { 904189251Ssam /* No EAP-Success expected for Phase 1 (outer, 905189251Ssam * unencrypted auth), so force EAP state 906189251Ssam * machine to SUCCESS state. */ 907189251Ssam sm->peap_done = TRUE; 908189251Ssam } 909189251Ssam } else { 910189251Ssam /* FIX: ? */ 911189251Ssam } 912189251Ssam break; 913189251Ssam case EAP_CODE_FAILURE: 914189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure"); 915189251Ssam ret->decision = DECISION_FAIL; 916189251Ssam ret->methodState = METHOD_MAY_CONT; 917189251Ssam ret->allowNotifications = FALSE; 918189251Ssam /* Reply with EAP-Failure within the TLS channel to complete 919189251Ssam * failure reporting. */ 920189251Ssam resp = wpabuf_alloc(sizeof(struct eap_hdr)); 921189251Ssam if (resp) { 922189251Ssam rhdr = wpabuf_put(resp, sizeof(*rhdr)); 923189251Ssam rhdr->code = EAP_CODE_FAILURE; 924189251Ssam rhdr->identifier = hdr->identifier; 925189251Ssam rhdr->length = host_to_be16(sizeof(*rhdr)); 926189251Ssam } 927189251Ssam break; 928189251Ssam default: 929189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in " 930189251Ssam "Phase 2 EAP header", hdr->code); 931189251Ssam break; 932189251Ssam } 933189251Ssam 934346981Scy wpabuf_clear_free(in_decrypted); 935189251Ssam 936189251Ssam if (resp) { 937189251Ssam int skip_change2 = 0; 938189251Ssam struct wpabuf *rmsg, buf; 939189251Ssam 940189251Ssam wpa_hexdump_buf_key(MSG_DEBUG, 941189251Ssam "EAP-PEAP: Encrypting Phase 2 data", resp); 942189251Ssam /* PEAP version changes */ 943189251Ssam if (wpabuf_len(resp) >= 5 && 944189251Ssam wpabuf_head_u8(resp)[0] == EAP_CODE_RESPONSE && 945189251Ssam eap_get_type(resp) == EAP_TYPE_TLV) 946189251Ssam skip_change2 = 1; 947189251Ssam rmsg = resp; 948189251Ssam if (data->peap_version == 0 && !skip_change2) { 949189251Ssam wpabuf_set(&buf, wpabuf_head_u8(resp) + 950189251Ssam sizeof(struct eap_hdr), 951189251Ssam wpabuf_len(resp) - sizeof(struct eap_hdr)); 952189251Ssam rmsg = &buf; 953189251Ssam } 954189251Ssam 955189251Ssam if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, 956189251Ssam data->peap_version, req->identifier, 957189251Ssam rmsg, out_data)) { 958189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt " 959189251Ssam "a Phase 2 frame"); 960189251Ssam } 961346981Scy wpabuf_clear_free(resp); 962189251Ssam } 963189251Ssam 964189251Ssam return 0; 965189251Ssam} 966189251Ssam 967189251Ssam 968189251Ssamstatic struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, 969189251Ssam struct eap_method_ret *ret, 970189251Ssam const struct wpabuf *reqData) 971189251Ssam{ 972189251Ssam const struct eap_hdr *req; 973189251Ssam size_t left; 974189251Ssam int res; 975189251Ssam u8 flags, id; 976189251Ssam struct wpabuf *resp; 977189251Ssam const u8 *pos; 978189251Ssam struct eap_peap_data *data = priv; 979289549Srpaulo struct wpabuf msg; 980189251Ssam 981189251Ssam pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_PEAP, ret, 982189251Ssam reqData, &left, &flags); 983189251Ssam if (pos == NULL) 984189251Ssam return NULL; 985189251Ssam req = wpabuf_head(reqData); 986189251Ssam id = req->identifier; 987189251Ssam 988189251Ssam if (flags & EAP_TLS_FLAGS_START) { 989189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Start (server ver=%d, own " 990214734Srpaulo "ver=%d)", flags & EAP_TLS_VERSION_MASK, 991189251Ssam data->peap_version); 992214734Srpaulo if ((flags & EAP_TLS_VERSION_MASK) < data->peap_version) 993214734Srpaulo data->peap_version = flags & EAP_TLS_VERSION_MASK; 994189251Ssam if (data->force_peap_version >= 0 && 995189251Ssam data->force_peap_version != data->peap_version) { 996189251Ssam wpa_printf(MSG_WARNING, "EAP-PEAP: Failed to select " 997189251Ssam "forced PEAP version %d", 998189251Ssam data->force_peap_version); 999189251Ssam ret->methodState = METHOD_DONE; 1000189251Ssam ret->decision = DECISION_FAIL; 1001189251Ssam ret->allowNotifications = FALSE; 1002189251Ssam return NULL; 1003189251Ssam } 1004189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Using PEAP version %d", 1005189251Ssam data->peap_version); 1006189251Ssam left = 0; /* make sure that this frame is empty, even though it 1007189251Ssam * should always be, anyway */ 1008189251Ssam } 1009189251Ssam 1010289549Srpaulo wpabuf_set(&msg, pos, left); 1011289549Srpaulo 1012189251Ssam resp = NULL; 1013189251Ssam if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1014189251Ssam !data->resuming) { 1015189251Ssam res = eap_peap_decrypt(sm, data, ret, req, &msg, &resp); 1016189251Ssam } else { 1017337817Scy if (sm->waiting_ext_cert_check && data->pending_resp) { 1018337817Scy struct eap_peer_config *config = eap_get_config(sm); 1019337817Scy 1020337817Scy if (config->pending_ext_cert_check == 1021337817Scy EXT_CERT_CHECK_GOOD) { 1022337817Scy wpa_printf(MSG_DEBUG, 1023337817Scy "EAP-PEAP: External certificate check succeeded - continue handshake"); 1024337817Scy resp = data->pending_resp; 1025337817Scy data->pending_resp = NULL; 1026337817Scy sm->waiting_ext_cert_check = 0; 1027337817Scy return resp; 1028337817Scy } 1029337817Scy 1030337817Scy if (config->pending_ext_cert_check == 1031337817Scy EXT_CERT_CHECK_BAD) { 1032337817Scy wpa_printf(MSG_DEBUG, 1033337817Scy "EAP-PEAP: External certificate check failed - force authentication failure"); 1034337817Scy ret->methodState = METHOD_DONE; 1035337817Scy ret->decision = DECISION_FAIL; 1036337817Scy sm->waiting_ext_cert_check = 0; 1037337817Scy return NULL; 1038337817Scy } 1039337817Scy 1040337817Scy wpa_printf(MSG_DEBUG, 1041337817Scy "EAP-PEAP: Continuing to wait external server certificate validation"); 1042337817Scy return NULL; 1043337817Scy } 1044337817Scy 1045189251Ssam res = eap_peer_tls_process_helper(sm, &data->ssl, 1046189251Ssam EAP_TYPE_PEAP, 1047289549Srpaulo data->peap_version, id, &msg, 1048289549Srpaulo &resp); 1049189251Ssam 1050289549Srpaulo if (res < 0) { 1051289549Srpaulo wpa_printf(MSG_DEBUG, 1052289549Srpaulo "EAP-PEAP: TLS processing failed"); 1053289549Srpaulo ret->methodState = METHOD_DONE; 1054289549Srpaulo ret->decision = DECISION_FAIL; 1055289549Srpaulo return resp; 1056289549Srpaulo } 1057337817Scy 1058337817Scy 1059337817Scy if (sm->waiting_ext_cert_check) { 1060337817Scy wpa_printf(MSG_DEBUG, 1061337817Scy "EAP-PEAP: Waiting external server certificate validation"); 1062346981Scy wpabuf_clear_free(data->pending_resp); 1063337817Scy data->pending_resp = resp; 1064337817Scy return NULL; 1065337817Scy } 1066337817Scy 1067189251Ssam if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 1068189251Ssam char *label; 1069189251Ssam wpa_printf(MSG_DEBUG, 1070189251Ssam "EAP-PEAP: TLS done, proceed to Phase 2"); 1071281806Srpaulo eap_peap_free_key(data); 1072189251Ssam /* draft-josefsson-ppext-eap-tls-eap-05.txt 1073189251Ssam * specifies that PEAPv1 would use "client PEAP 1074189251Ssam * encryption" as the label. However, most existing 1075189251Ssam * PEAPv1 implementations seem to be using the old 1076189251Ssam * label, "client EAP encryption", instead. Use the old 1077189251Ssam * label by default, but allow it to be configured with 1078189251Ssam * phase1 parameter peaplabel=1. */ 1079281806Srpaulo if (data->force_new_label) 1080189251Ssam label = "client PEAP encryption"; 1081189251Ssam else 1082189251Ssam label = "client EAP encryption"; 1083189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: using label '%s' in " 1084189251Ssam "key derivation", label); 1085189251Ssam data->key_data = 1086189251Ssam eap_peer_tls_derive_key(sm, &data->ssl, label, 1087346981Scy NULL, 0, 1088346981Scy EAP_TLS_KEY_LEN + 1089346981Scy EAP_EMSK_LEN); 1090189251Ssam if (data->key_data) { 1091346981Scy wpa_hexdump_key(MSG_DEBUG, 1092189251Ssam "EAP-PEAP: Derived key", 1093189251Ssam data->key_data, 1094189251Ssam EAP_TLS_KEY_LEN); 1095346981Scy wpa_hexdump_key(MSG_DEBUG, 1096346981Scy "EAP-PEAP: Derived EMSK", 1097346981Scy data->key_data + 1098346981Scy EAP_TLS_KEY_LEN, 1099346981Scy EAP_EMSK_LEN); 1100189251Ssam } else { 1101189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to " 1102189251Ssam "derive key"); 1103189251Ssam } 1104189251Ssam 1105281806Srpaulo os_free(data->session_id); 1106281806Srpaulo data->session_id = 1107281806Srpaulo eap_peer_tls_derive_session_id(sm, &data->ssl, 1108281806Srpaulo EAP_TYPE_PEAP, 1109281806Srpaulo &data->id_len); 1110281806Srpaulo if (data->session_id) { 1111281806Srpaulo wpa_hexdump(MSG_DEBUG, 1112281806Srpaulo "EAP-PEAP: Derived Session-Id", 1113281806Srpaulo data->session_id, data->id_len); 1114281806Srpaulo } else { 1115281806Srpaulo wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to " 1116281806Srpaulo "derive Session-Id"); 1117281806Srpaulo } 1118281806Srpaulo 1119189251Ssam if (sm->workaround && data->resuming) { 1120189251Ssam /* 1121189251Ssam * At least few RADIUS servers (Aegis v1.1.6; 1122189251Ssam * but not v1.1.4; and Cisco ACS) seem to be 1123189251Ssam * terminating PEAPv1 (Aegis) or PEAPv0 (Cisco 1124189251Ssam * ACS) session resumption with outer 1125189251Ssam * EAP-Success. This does not seem to follow 1126189251Ssam * draft-josefsson-pppext-eap-tls-eap-05.txt 1127189251Ssam * section 4.2, so only allow this if EAP 1128189251Ssam * workarounds are enabled. 1129189251Ssam */ 1130189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Workaround - " 1131189251Ssam "allow outer EAP-Success to " 1132189251Ssam "terminate PEAP resumption"); 1133189251Ssam ret->decision = DECISION_COND_SUCC; 1134189251Ssam data->phase2_success = 1; 1135189251Ssam } 1136189251Ssam 1137189251Ssam data->resuming = 0; 1138189251Ssam } 1139189251Ssam 1140189251Ssam if (res == 2) { 1141189251Ssam /* 1142189251Ssam * Application data included in the handshake message. 1143189251Ssam */ 1144346981Scy wpabuf_clear_free(data->pending_phase2_req); 1145189251Ssam data->pending_phase2_req = resp; 1146189251Ssam resp = NULL; 1147189251Ssam res = eap_peap_decrypt(sm, data, ret, req, &msg, 1148189251Ssam &resp); 1149189251Ssam } 1150189251Ssam } 1151189251Ssam 1152189251Ssam if (ret->methodState == METHOD_DONE) { 1153189251Ssam ret->allowNotifications = FALSE; 1154189251Ssam } 1155189251Ssam 1156189251Ssam if (res == 1) { 1157346981Scy wpabuf_clear_free(resp); 1158189251Ssam return eap_peer_tls_build_ack(id, EAP_TYPE_PEAP, 1159189251Ssam data->peap_version); 1160189251Ssam } 1161189251Ssam 1162189251Ssam return resp; 1163189251Ssam} 1164189251Ssam 1165189251Ssam 1166189251Ssamstatic Boolean eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) 1167189251Ssam{ 1168189251Ssam struct eap_peap_data *data = priv; 1169189251Ssam return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1170189251Ssam data->phase2_success; 1171189251Ssam} 1172189251Ssam 1173189251Ssam 1174189251Ssamstatic void eap_peap_deinit_for_reauth(struct eap_sm *sm, void *priv) 1175189251Ssam{ 1176189251Ssam struct eap_peap_data *data = priv; 1177346981Scy 1178346981Scy if (data->phase2_priv && data->phase2_method && 1179346981Scy data->phase2_method->deinit_for_reauth) 1180346981Scy data->phase2_method->deinit_for_reauth(sm, data->phase2_priv); 1181346981Scy wpabuf_clear_free(data->pending_phase2_req); 1182189251Ssam data->pending_phase2_req = NULL; 1183346981Scy wpabuf_clear_free(data->pending_resp); 1184337817Scy data->pending_resp = NULL; 1185189251Ssam data->crypto_binding_used = 0; 1186189251Ssam} 1187189251Ssam 1188189251Ssam 1189189251Ssamstatic void * eap_peap_init_for_reauth(struct eap_sm *sm, void *priv) 1190189251Ssam{ 1191189251Ssam struct eap_peap_data *data = priv; 1192281806Srpaulo eap_peap_free_key(data); 1193281806Srpaulo os_free(data->session_id); 1194281806Srpaulo data->session_id = NULL; 1195189251Ssam if (eap_peer_tls_reauth_init(sm, &data->ssl)) { 1196189251Ssam os_free(data); 1197189251Ssam return NULL; 1198189251Ssam } 1199189251Ssam if (data->phase2_priv && data->phase2_method && 1200189251Ssam data->phase2_method->init_for_reauth) 1201189251Ssam data->phase2_method->init_for_reauth(sm, data->phase2_priv); 1202189251Ssam data->phase2_success = 0; 1203189251Ssam data->phase2_eap_success = 0; 1204189251Ssam data->phase2_eap_started = 0; 1205189251Ssam data->resuming = 1; 1206189251Ssam data->reauth = 1; 1207189251Ssam sm->peap_done = FALSE; 1208189251Ssam return priv; 1209189251Ssam} 1210189251Ssam 1211189251Ssam 1212189251Ssamstatic int eap_peap_get_status(struct eap_sm *sm, void *priv, char *buf, 1213189251Ssam size_t buflen, int verbose) 1214189251Ssam{ 1215189251Ssam struct eap_peap_data *data = priv; 1216189251Ssam int len, ret; 1217189251Ssam 1218189251Ssam len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); 1219189251Ssam if (data->phase2_method) { 1220189251Ssam ret = os_snprintf(buf + len, buflen - len, 1221189251Ssam "EAP-PEAPv%d Phase2 method=%s\n", 1222189251Ssam data->peap_version, 1223189251Ssam data->phase2_method->name); 1224281806Srpaulo if (os_snprintf_error(buflen - len, ret)) 1225189251Ssam return len; 1226189251Ssam len += ret; 1227189251Ssam } 1228189251Ssam return len; 1229189251Ssam} 1230189251Ssam 1231189251Ssam 1232189251Ssamstatic Boolean eap_peap_isKeyAvailable(struct eap_sm *sm, void *priv) 1233189251Ssam{ 1234189251Ssam struct eap_peap_data *data = priv; 1235189251Ssam return data->key_data != NULL && data->phase2_success; 1236189251Ssam} 1237189251Ssam 1238189251Ssam 1239189251Ssamstatic u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len) 1240189251Ssam{ 1241189251Ssam struct eap_peap_data *data = priv; 1242189251Ssam u8 *key; 1243189251Ssam 1244189251Ssam if (data->key_data == NULL || !data->phase2_success) 1245189251Ssam return NULL; 1246189251Ssam 1247189251Ssam key = os_malloc(EAP_TLS_KEY_LEN); 1248189251Ssam if (key == NULL) 1249189251Ssam return NULL; 1250189251Ssam 1251189251Ssam *len = EAP_TLS_KEY_LEN; 1252189251Ssam 1253189251Ssam if (data->crypto_binding_used) { 1254189251Ssam u8 csk[128]; 1255189251Ssam /* 1256189251Ssam * Note: It looks like Microsoft implementation requires null 1257189251Ssam * termination for this label while the one used for deriving 1258189251Ssam * IPMK|CMK did not use null termination. 1259189251Ssam */ 1260252726Srpaulo if (peap_prfplus(data->peap_version, data->ipmk, 40, 1261252726Srpaulo "Session Key Generating Function", 1262252726Srpaulo (u8 *) "\00", 1, csk, sizeof(csk)) < 0) { 1263252726Srpaulo os_free(key); 1264252726Srpaulo return NULL; 1265252726Srpaulo } 1266189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk)); 1267189251Ssam os_memcpy(key, csk, EAP_TLS_KEY_LEN); 1268189251Ssam wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key", 1269189251Ssam key, EAP_TLS_KEY_LEN); 1270351611Scy forced_memzero(csk, sizeof(csk)); 1271189251Ssam } else 1272189251Ssam os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); 1273189251Ssam 1274189251Ssam return key; 1275189251Ssam} 1276189251Ssam 1277189251Ssam 1278346981Scystatic u8 * eap_peap_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 1279346981Scy{ 1280346981Scy struct eap_peap_data *data = priv; 1281346981Scy u8 *key; 1282346981Scy 1283346981Scy if (!data->key_data || !data->phase2_success) 1284346981Scy return NULL; 1285346981Scy 1286346981Scy if (data->crypto_binding_used) { 1287346981Scy /* [MS-PEAP] does not define EMSK derivation */ 1288346981Scy return NULL; 1289346981Scy } 1290346981Scy 1291346981Scy key = os_memdup(data->key_data + EAP_TLS_KEY_LEN, EAP_EMSK_LEN); 1292346981Scy if (!key) 1293346981Scy return NULL; 1294346981Scy 1295346981Scy *len = EAP_EMSK_LEN; 1296346981Scy 1297346981Scy return key; 1298346981Scy} 1299346981Scy 1300346981Scy 1301281806Srpaulostatic u8 * eap_peap_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 1302281806Srpaulo{ 1303281806Srpaulo struct eap_peap_data *data = priv; 1304281806Srpaulo u8 *id; 1305281806Srpaulo 1306281806Srpaulo if (data->session_id == NULL || !data->phase2_success) 1307281806Srpaulo return NULL; 1308281806Srpaulo 1309346981Scy id = os_memdup(data->session_id, data->id_len); 1310281806Srpaulo if (id == NULL) 1311281806Srpaulo return NULL; 1312281806Srpaulo 1313281806Srpaulo *len = data->id_len; 1314281806Srpaulo 1315281806Srpaulo return id; 1316281806Srpaulo} 1317281806Srpaulo 1318281806Srpaulo 1319189251Ssamint eap_peer_peap_register(void) 1320189251Ssam{ 1321189251Ssam struct eap_method *eap; 1322189251Ssam 1323189251Ssam eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1324189251Ssam EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP"); 1325189251Ssam if (eap == NULL) 1326189251Ssam return -1; 1327189251Ssam 1328189251Ssam eap->init = eap_peap_init; 1329189251Ssam eap->deinit = eap_peap_deinit; 1330189251Ssam eap->process = eap_peap_process; 1331189251Ssam eap->isKeyAvailable = eap_peap_isKeyAvailable; 1332189251Ssam eap->getKey = eap_peap_getKey; 1333346981Scy eap->get_emsk = eap_peap_get_emsk; 1334189251Ssam eap->get_status = eap_peap_get_status; 1335189251Ssam eap->has_reauth_data = eap_peap_has_reauth_data; 1336189251Ssam eap->deinit_for_reauth = eap_peap_deinit_for_reauth; 1337189251Ssam eap->init_for_reauth = eap_peap_init_for_reauth; 1338281806Srpaulo eap->getSessionId = eap_peap_get_session_id; 1339189251Ssam 1340337817Scy return eap_peer_method_register(eap); 1341189251Ssam} 1342