contrib/hostapd/src/eap_peer/eap_leap.c

   1 /*
   2  * EAP peer method: LEAP
   3  * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "eap_i.h"
  19 #include "ms_funcs.h"
  20 #include "crypto.h"
  21
  22 #define LEAP_VERSION 1
  23 #define LEAP_CHALLENGE_LEN 8
  24 #define LEAP_RESPONSE_LEN 24
  25 #define LEAP_KEY_LEN 16
  26
  27
  28 struct eap_leap_data {
  29         enum {
  30                 LEAP_WAIT_CHALLENGE,
  31                 LEAP_WAIT_SUCCESS,
  32                 LEAP_WAIT_RESPONSE,
  33                 LEAP_DONE
  34         } state;
  35
  36         u8 peer_challenge[LEAP_CHALLENGE_LEN];
  37         u8 peer_response[LEAP_RESPONSE_LEN];
  38
  39         u8 ap_challenge[LEAP_CHALLENGE_LEN];
  40         u8 ap_response[LEAP_RESPONSE_LEN];
  41 };
  42
  43
  44 static void * eap_leap_init(struct eap_sm *sm)
  45 {
  46         struct eap_leap_data *data;
  47
  48         data = os_zalloc(sizeof(*data));
  49         if (data == NULL)
  50                 return NULL;
  51         data->state = LEAP_WAIT_CHALLENGE;
  52
  53         sm->leap_done = FALSE;
  54         return data;
  55 }
  56
  57
  58 static void eap_leap_deinit(struct eap_sm *sm, void *priv)
  59 {
  60         os_free(priv);
  61 }
  62
  63
  64 static struct wpabuf * eap_leap_process_request(struct eap_sm *sm, void *priv,
  65                                                 struct eap_method_ret *ret,
  66                                                 const struct wpabuf *reqData)
  67 {
  68         struct eap_leap_data *data = priv;
  69         struct wpabuf *resp;
  70         const u8 *pos, *challenge, *identity, *password;
  71         u8 challenge_len, *rpos;
  72         size_t identity_len, password_len, len;
  73         int pwhash;
  74
  75         wpa_printf(MSG_DEBUG, "EAP-LEAP: Processing EAP-Request");
  76
  77         identity = eap_get_config_identity(sm, &identity_len);
  78         password = eap_get_config_password2(sm, &password_len, &pwhash);
  79         if (identity == NULL || password == NULL)
  80                 return NULL;
  81
  82         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_LEAP, reqData, &len);
  83         if (pos == NULL || len < 3) {
  84                 wpa_printf(MSG_INFO, "EAP-LEAP: Invalid EAP-Request frame");
  85                 ret->ignore = TRUE;
  86                 return NULL;
  87         }
  88
  89         if (*pos != LEAP_VERSION) {
  90                 wpa_printf(MSG_WARNING, "EAP-LEAP: Unsupported LEAP version "
  91                            "%d", *pos);
  92                 ret->ignore = TRUE;
  93                 return NULL;
  94         }
  95         pos++;
  96
  97         pos++; /* skip unused byte */
  98
  99         challenge_len = *pos++;
 100         if (challenge_len != LEAP_CHALLENGE_LEN || challenge_len > len - 3) {
 101                 wpa_printf(MSG_INFO, "EAP-LEAP: Invalid challenge "
 102                            "(challenge_len=%d reqDataLen=%lu)",
 103                            challenge_len, (unsigned long) wpabuf_len(reqData));
 104                 ret->ignore = TRUE;
 105                 return NULL;
 106         }
 107         challenge = pos;
 108         os_memcpy(data->peer_challenge, challenge, LEAP_CHALLENGE_LEN);
 109         wpa_hexdump(MSG_MSGDUMP, "EAP-LEAP: Challenge from AP",
 110                     challenge, LEAP_CHALLENGE_LEN);
 111
 112         wpa_printf(MSG_DEBUG, "EAP-LEAP: Generating Challenge Response");
 113
 114         resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_LEAP,
 115                              3 + LEAP_RESPONSE_LEN + identity_len,
 116                              EAP_CODE_RESPONSE, eap_get_id(reqData));
 117         if (resp == NULL)
 118                 return NULL;
 119         wpabuf_put_u8(resp, LEAP_VERSION);
 120         wpabuf_put_u8(resp, 0); /* unused */
 121         wpabuf_put_u8(resp, LEAP_RESPONSE_LEN);
 122         rpos = wpabuf_put(resp, LEAP_RESPONSE_LEN);
 123         if (pwhash)
 124                 challenge_response(challenge, password, rpos);
 125         else
 126                 nt_challenge_response(challenge, password, password_len, rpos);
 127         os_memcpy(data->peer_response, rpos, LEAP_RESPONSE_LEN);
 128         wpa_hexdump(MSG_MSGDUMP, "EAP-LEAP: Response",
 129                     rpos, LEAP_RESPONSE_LEN);
 130         wpabuf_put_data(resp, identity, identity_len);
 131
 132         data->state = LEAP_WAIT_SUCCESS;
 133
 134         return resp;
 135 }
 136
 137
 138 static struct wpabuf * eap_leap_process_success(struct eap_sm *sm, void *priv,
 139                                                 struct eap_method_ret *ret,
 140                                                 const struct wpabuf *reqData)
 141 {
 142         struct eap_leap_data *data = priv;
 143         struct wpabuf *resp;
 144         u8 *pos;
 145         const u8 *identity;
 146         size_t identity_len;
 147
 148         wpa_printf(MSG_DEBUG, "EAP-LEAP: Processing EAP-Success");
 149
 150         identity = eap_get_config_identity(sm, &identity_len);
 151         if (identity == NULL)
 152                 return NULL;
 153
 154         if (data->state != LEAP_WAIT_SUCCESS) {
 155                 wpa_printf(MSG_INFO, "EAP-LEAP: EAP-Success received in "
 156                            "unexpected state (%d) - ignored", data->state);
 157                 ret->ignore = TRUE;
 158                 return NULL;
 159         }
 160
 161         resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_LEAP,
 162                              3 + LEAP_CHALLENGE_LEN + identity_len,
 163                              EAP_CODE_REQUEST, eap_get_id(reqData));
 164         if (resp == NULL)
 165                 return NULL;
 166         wpabuf_put_u8(resp, LEAP_VERSION);
 167         wpabuf_put_u8(resp, 0); /* unused */
 168         wpabuf_put_u8(resp, LEAP_CHALLENGE_LEN);
 169         pos = wpabuf_put(resp, LEAP_CHALLENGE_LEN);
 170         if (os_get_random(pos, LEAP_CHALLENGE_LEN)) {
 171                 wpa_printf(MSG_WARNING, "EAP-LEAP: Failed to read random data "
 172                            "for challenge");
 173                 wpabuf_free(resp);
 174                 ret->ignore = TRUE;
 175                 return NULL;
 176         }
 177         os_memcpy(data->ap_challenge, pos, LEAP_CHALLENGE_LEN);
 178         wpa_hexdump(MSG_MSGDUMP, "EAP-LEAP: Challenge to AP/AS", pos,
 179                     LEAP_CHALLENGE_LEN);
 180         wpabuf_put_data(resp, identity, identity_len);
 181
 182         data->state = LEAP_WAIT_RESPONSE;
 183
 184         return resp;
 185 }
 186
 187
 188 static struct wpabuf * eap_leap_process_response(struct eap_sm *sm, void *priv,
 189                                                  struct eap_method_ret *ret,
 190                                                  const struct wpabuf *reqData)
 191 {
 192         struct eap_leap_data *data = priv;
 193         const u8 *pos, *password;
 194         u8 response_len, pw_hash[16], pw_hash_hash[16],
 195                 expected[LEAP_RESPONSE_LEN];
 196         size_t password_len, len;
 197         int pwhash;
 198
 199         wpa_printf(MSG_DEBUG, "EAP-LEAP: Processing EAP-Response");
 200
 201         password = eap_get_config_password2(sm, &password_len, &pwhash);
 202         if (password == NULL)
 203                 return NULL;
 204
 205         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_LEAP, reqData, &len);
 206         if (pos == NULL || len < 3) {
 207                 wpa_printf(MSG_INFO, "EAP-LEAP: Invalid EAP-Response frame");
 208                 ret->ignore = TRUE;
 209                 return NULL;
 210         }
 211
 212         if (*pos != LEAP_VERSION) {
 213                 wpa_printf(MSG_WARNING, "EAP-LEAP: Unsupported LEAP version "
 214                            "%d", *pos);
 215                 ret->ignore = TRUE;
 216                 return NULL;
 217         }
 218         pos++;
 219
 220         pos++; /* skip unused byte */
 221
 222         response_len = *pos++;
 223         if (response_len != LEAP_RESPONSE_LEN || response_len > len - 3) {
 224                 wpa_printf(MSG_INFO, "EAP-LEAP: Invalid response "
 225                            "(response_len=%d reqDataLen=%lu)",
 226                            response_len, (unsigned long) wpabuf_len(reqData));
 227                 ret->ignore = TRUE;
 228                 return NULL;
 229         }
 230
 231         wpa_hexdump(MSG_DEBUG, "EAP-LEAP: Response from AP",
 232                     pos, LEAP_RESPONSE_LEN);
 233         os_memcpy(data->ap_response, pos, LEAP_RESPONSE_LEN);
 234
 235         if (pwhash) {
 236                 hash_nt_password_hash(password, pw_hash_hash);
 237         } else {
 238                 nt_password_hash(password, password_len, pw_hash);
 239                 hash_nt_password_hash(pw_hash, pw_hash_hash);
 240         }
 241         challenge_response(data->ap_challenge, pw_hash_hash, expected);
 242
 243         ret->methodState = METHOD_DONE;
 244         ret->allowNotifications = FALSE;
 245
 246         if (os_memcmp(pos, expected, LEAP_RESPONSE_LEN) != 0) {
 247                 wpa_printf(MSG_WARNING, "EAP-LEAP: AP sent an invalid "
 248                            "response - authentication failed");
 249                 wpa_hexdump(MSG_DEBUG, "EAP-LEAP: Expected response from AP",
 250                             expected, LEAP_RESPONSE_LEN);
 251                 ret->decision = DECISION_FAIL;
 252                 return NULL;
 253         }
 254
 255         ret->decision = DECISION_UNCOND_SUCC;
 256
 257         /* LEAP is somewhat odd method since it sends EAP-Success in the middle
 258          * of the authentication. Use special variable to transit EAP state
 259          * machine to SUCCESS state. */
 260         sm->leap_done = TRUE;
 261         data->state = LEAP_DONE;
 262
 263         /* No more authentication messages expected; AP will send EAPOL-Key
 264          * frames if encryption is enabled. */
 265         return NULL;
 266 }
 267
 268
 269 static struct wpabuf * eap_leap_process(struct eap_sm *sm, void *priv,
 270                                         struct eap_method_ret *ret,
 271                                         const struct wpabuf *reqData)
 272 {
 273         const struct eap_hdr *eap;
 274         size_t password_len;
 275         const u8 *password;
 276
 277         password = eap_get_config_password(sm, &password_len);
 278         if (password == NULL) {
 279                 wpa_printf(MSG_INFO, "EAP-LEAP: Password not configured");
 280                 eap_sm_request_password(sm);
 281                 ret->ignore = TRUE;
 282                 return NULL;
 283         }
 284
 285         /*
 286          * LEAP needs to be able to handle EAP-Success frame which does not
 287          * include Type field. Consequently, eap_hdr_validate() cannot be used
 288          * here. This validation will be done separately for EAP-Request and
 289          * EAP-Response frames.
 290          */
 291         eap = wpabuf_head(reqData);
 292         if (wpabuf_len(reqData) < sizeof(*eap) ||
 293             be_to_host16(eap->length) > wpabuf_len(reqData)) {
 294                 wpa_printf(MSG_INFO, "EAP-LEAP: Invalid frame");
 295                 ret->ignore = TRUE;
 296                 return NULL;
 297         }
 298
 299         ret->ignore = FALSE;
 300         ret->allowNotifications = TRUE;
 301         ret->methodState = METHOD_MAY_CONT;
 302         ret->decision = DECISION_FAIL;
 303
 304         sm->leap_done = FALSE;
 305
 306         switch (eap->code) {
 307         case EAP_CODE_REQUEST:
 308                 return eap_leap_process_request(sm, priv, ret, reqData);
 309         case EAP_CODE_SUCCESS:
 310                 return eap_leap_process_success(sm, priv, ret, reqData);
 311         case EAP_CODE_RESPONSE:
 312                 return eap_leap_process_response(sm, priv, ret, reqData);
 313         default:
 314                 wpa_printf(MSG_INFO, "EAP-LEAP: Unexpected EAP code (%d) - "
 315                            "ignored", eap->code);
 316                 ret->ignore = TRUE;
 317                 return NULL;
 318         }
 319 }
 320
 321
 322 static Boolean eap_leap_isKeyAvailable(struct eap_sm *sm, void *priv)
 323 {
 324         struct eap_leap_data *data = priv;
 325         return data->state == LEAP_DONE;
 326 }
 327
 328
 329 static u8 * eap_leap_getKey(struct eap_sm *sm, void *priv, size_t *len)
 330 {
 331         struct eap_leap_data *data = priv;
 332         u8 *key, pw_hash_hash[16], pw_hash[16];
 333         const u8 *addr[5], *password;
 334         size_t elen[5], password_len;
 335         int pwhash;
 336
 337         if (data->state != LEAP_DONE)
 338                 return NULL;
 339
 340         password = eap_get_config_password2(sm, &password_len, &pwhash);
 341         if (password == NULL)
 342                 return NULL;
 343
 344         key = os_malloc(LEAP_KEY_LEN);
 345         if (key == NULL)
 346                 return NULL;
 347
 348         if (pwhash)
 349                 hash_nt_password_hash(password, pw_hash_hash);
 350         else {
 351                 nt_password_hash(password, password_len, pw_hash);
 352                 hash_nt_password_hash(pw_hash, pw_hash_hash);
 353         }
 354         wpa_hexdump_key(MSG_DEBUG, "EAP-LEAP: pw_hash_hash",
 355                         pw_hash_hash, 16);
 356         wpa_hexdump(MSG_DEBUG, "EAP-LEAP: peer_challenge",
 357                     data->peer_challenge, LEAP_CHALLENGE_LEN);
 358         wpa_hexdump(MSG_DEBUG, "EAP-LEAP: peer_response",
 359                     data->peer_response, LEAP_RESPONSE_LEN);
 360         wpa_hexdump(MSG_DEBUG, "EAP-LEAP: ap_challenge",
 361                     data->ap_challenge, LEAP_CHALLENGE_LEN);
 362         wpa_hexdump(MSG_DEBUG, "EAP-LEAP: ap_response",
 363                     data->ap_response, LEAP_RESPONSE_LEN);
 364
 365         addr[0] = pw_hash_hash;
 366         elen[0] = 16;
 367         addr[1] = data->ap_challenge;
 368         elen[1] = LEAP_CHALLENGE_LEN;
 369         addr[2] = data->ap_response;
 370         elen[2] = LEAP_RESPONSE_LEN;
 371         addr[3] = data->peer_challenge;
 372         elen[3] = LEAP_CHALLENGE_LEN;
 373         addr[4] = data->peer_response;
 374         elen[4] = LEAP_RESPONSE_LEN;
 375         md5_vector(5, addr, elen, key);
 376         wpa_hexdump_key(MSG_DEBUG, "EAP-LEAP: master key", key, LEAP_KEY_LEN);
 377         *len = LEAP_KEY_LEN;
 378
 379         return key;
 380 }
 381
 382
 383 int eap_peer_leap_register(void)
 384 {
 385         struct eap_method *eap;
 386         int ret;
 387
 388         eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
 389                                     EAP_VENDOR_IETF, EAP_TYPE_LEAP, "LEAP");
 390         if (eap == NULL)
 391                 return -1;
 392
 393         eap->init = eap_leap_init;
 394         eap->deinit = eap_leap_deinit;
 395         eap->process = eap_leap_process;
 396         eap->isKeyAvailable = eap_leap_isKeyAvailable;
 397         eap->getKey = eap_leap_getKey;
 398
 399         ret = eap_peer_method_register(eap);
 400         if (ret)
 401                 eap_peer_method_free(eap);
 402         return ret;
 403 }