| 1 | /* |
| 2 | * EAP peer method: EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt) |
| 3 | * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> |
| 4 | * |
| 5 | * This software may be distributed under the terms of the BSD license. |
| 6 | * See README for more details. |
| 7 | */ |
| 8 | |
| 9 | #include "includes.h" |
| 10 | |
| 11 | #include "common.h" |
| 12 | #include "crypto/sha1.h" |
| 13 | #include "crypto/tls.h" |
| 14 | #include "eap_common/eap_tlv_common.h" |
| 15 | #include "eap_common/eap_peap_common.h" |
| 16 | #include "eap_i.h" |
| 17 | #include "eap_tls_common.h" |
| 18 | #include "eap_config.h" |
| 19 | #include "tncc.h" |
| 20 | |
| 21 | |
| 22 | /* Maximum supported PEAP version |
| 23 | * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt |
| 24 | * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt |
| 25 | */ |
| 26 | #define EAP_PEAP_VERSION 1 |
| 27 | |
| 28 | |
| 29 | static void eap_peap_deinit(struct eap_sm *sm, void *priv); |
| 30 | |
| 31 | |
| 32 | struct eap_peap_data { |
| 33 | struct eap_ssl_data ssl; |
| 34 | |
| 35 | int peap_version, force_peap_version, force_new_label; |
| 36 | |
| 37 | const struct eap_method *phase2_method; |
| 38 | void *phase2_priv; |
| 39 | int phase2_success; |
| 40 | int phase2_eap_success; |
| 41 | int phase2_eap_started; |
| 42 | |
| 43 | struct eap_method_type phase2_type; |
| 44 | struct eap_method_type *phase2_types; |
| 45 | size_t num_phase2_types; |
| 46 | |
| 47 | int peap_outer_success; /* 0 = PEAP terminated on Phase 2 inner |
| 48 | * EAP-Success |
| 49 | * 1 = reply with tunneled EAP-Success to inner |
| 50 | * EAP-Success and expect AS to send outer |
| 51 | * (unencrypted) EAP-Success after this |
| 52 | * 2 = reply with PEAP/TLS ACK to inner |
| 53 | * EAP-Success and expect AS to send outer |
| 54 | * (unencrypted) EAP-Success after this */ |
| 55 | int resuming; /* starting a resumed session */ |
| 56 | int reauth; /* reauthentication */ |
| 57 | u8 *key_data; |
| 58 | u8 *session_id; |
| 59 | size_t id_len; |
| 60 | |
| 61 | struct wpabuf *pending_phase2_req; |
| 62 | enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding; |
| 63 | int crypto_binding_used; |
| 64 | u8 binding_nonce[32]; |
| 65 | u8 ipmk[40]; |
| 66 | u8 cmk[20]; |
| 67 | int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) |
| 68 | * is enabled. */ |
| 69 | }; |
| 70 | |
| 71 | |
| 72 | static int eap_peap_parse_phase1(struct eap_peap_data *data, |
| 73 | const char *phase1) |
| 74 | { |
| 75 | const char *pos; |
| 76 | |
| 77 | pos = os_strstr(phase1, "peapver="); |
| 78 | if (pos) { |
| 79 | data->force_peap_version = atoi(pos + 8); |
| 80 | data->peap_version = data->force_peap_version; |
| 81 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Forced PEAP version %d", |
| 82 | data->force_peap_version); |
| 83 | } |
| 84 | |
| 85 | if (os_strstr(phase1, "peaplabel=1")) { |
| 86 | data->force_new_label = 1; |
| 87 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Force new label for key " |
| 88 | "derivation"); |
| 89 | } |
| 90 | |
| 91 | if (os_strstr(phase1, "peap_outer_success=0")) { |
| 92 | data->peap_outer_success = 0; |
| 93 | wpa_printf(MSG_DEBUG, "EAP-PEAP: terminate authentication on " |
| 94 | "tunneled EAP-Success"); |
| 95 | } else if (os_strstr(phase1, "peap_outer_success=1")) { |
| 96 | data->peap_outer_success = 1; |
| 97 | wpa_printf(MSG_DEBUG, "EAP-PEAP: send tunneled EAP-Success " |
| 98 | "after receiving tunneled EAP-Success"); |
| 99 | } else if (os_strstr(phase1, "peap_outer_success=2")) { |
| 100 | data->peap_outer_success = 2; |
| 101 | wpa_printf(MSG_DEBUG, "EAP-PEAP: send PEAP/TLS ACK after " |
| 102 | "receiving tunneled EAP-Success"); |
| 103 | } |
| 104 | |
| 105 | if (os_strstr(phase1, "crypto_binding=0")) { |
| 106 | data->crypto_binding = NO_BINDING; |
| 107 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Do not use cryptobinding"); |
| 108 | } else if (os_strstr(phase1, "crypto_binding=1")) { |
| 109 | data->crypto_binding = OPTIONAL_BINDING; |
| 110 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Optional cryptobinding"); |
| 111 | } else if (os_strstr(phase1, "crypto_binding=2")) { |
| 112 | data->crypto_binding = REQUIRE_BINDING; |
| 113 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); |
| 114 | } |
| 115 | |
| 116 | #ifdef EAP_TNC |
| 117 | if (os_strstr(phase1, "tnc=soh2")) { |
| 118 | data->soh = 2; |
| 119 | wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); |
| 120 | } else if (os_strstr(phase1, "tnc=soh1")) { |
| 121 | data->soh = 1; |
| 122 | wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 1 enabled"); |
| 123 | } else if (os_strstr(phase1, "tnc=soh")) { |
| 124 | data->soh = 2; |
| 125 | wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); |
| 126 | } |
| 127 | #endif /* EAP_TNC */ |
| 128 | |
| 129 | return 0; |
| 130 | } |
| 131 | |
| 132 | |
| 133 | static void * eap_peap_init(struct eap_sm *sm) |
| 134 | { |
| 135 | struct eap_peap_data *data; |
| 136 | struct eap_peer_config *config = eap_get_config(sm); |
| 137 | |
| 138 | data = os_zalloc(sizeof(*data)); |
| 139 | if (data == NULL) |
| 140 | return NULL; |
| 141 | sm->peap_done = FALSE; |
| 142 | data->peap_version = EAP_PEAP_VERSION; |
| 143 | data->force_peap_version = -1; |
| 144 | data->peap_outer_success = 2; |
| 145 | data->crypto_binding = OPTIONAL_BINDING; |
| 146 | |
| 147 | if (config && config->phase1 && |
| 148 | eap_peap_parse_phase1(data, config->phase1) < 0) { |
| 149 | eap_peap_deinit(sm, data); |
| 150 | return NULL; |
| 151 | } |
| 152 | |
| 153 | if (eap_peer_select_phase2_methods(config, "auth=", |
| 154 | &data->phase2_types, |
| 155 | &data->num_phase2_types) < 0) { |
| 156 | eap_peap_deinit(sm, data); |
| 157 | return NULL; |
| 158 | } |
| 159 | |
| 160 | data->phase2_type.vendor = EAP_VENDOR_IETF; |
| 161 | data->phase2_type.method = EAP_TYPE_NONE; |
| 162 | |
| 163 | if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_PEAP)) { |
| 164 | wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL."); |
| 165 | eap_peap_deinit(sm, data); |
| 166 | return NULL; |
| 167 | } |
| 168 | |
| 169 | return data; |
| 170 | } |
| 171 | |
| 172 | |
| 173 | static void eap_peap_deinit(struct eap_sm *sm, void *priv) |
| 174 | { |
| 175 | struct eap_peap_data *data = priv; |
| 176 | if (data == NULL) |
| 177 | return; |
| 178 | if (data->phase2_priv && data->phase2_method) |
| 179 | data->phase2_method->deinit(sm, data->phase2_priv); |
| 180 | os_free(data->phase2_types); |
| 181 | eap_peer_tls_ssl_deinit(sm, &data->ssl); |
| 182 | os_free(data->key_data); |
| 183 | os_free(data->session_id); |
| 184 | wpabuf_free(data->pending_phase2_req); |
| 185 | os_free(data); |
| 186 | } |
| 187 | |
| 188 | |
| 189 | /** |
| 190 | * eap_tlv_build_nak - Build EAP-TLV NAK message |
| 191 | * @id: EAP identifier for the header |
| 192 | * @nak_type: TLV type (EAP_TLV_*) |
| 193 | * Returns: Buffer to the allocated EAP-TLV NAK message or %NULL on failure |
| 194 | * |
| 195 | * This function builds an EAP-TLV NAK message. The caller is responsible for |
| 196 | * freeing the returned buffer. |
| 197 | */ |
| 198 | static struct wpabuf * eap_tlv_build_nak(int id, u16 nak_type) |
| 199 | { |
| 200 | struct wpabuf *msg; |
| 201 | |
| 202 | msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, 10, |
| 203 | EAP_CODE_RESPONSE, id); |
| 204 | if (msg == NULL) |
| 205 | return NULL; |
| 206 | |
| 207 | wpabuf_put_u8(msg, 0x80); /* Mandatory */ |
| 208 | wpabuf_put_u8(msg, EAP_TLV_NAK_TLV); |
| 209 | wpabuf_put_be16(msg, 6); /* Length */ |
| 210 | wpabuf_put_be32(msg, 0); /* Vendor-Id */ |
| 211 | wpabuf_put_be16(msg, nak_type); /* NAK-Type */ |
| 212 | |
| 213 | return msg; |
| 214 | } |
| 215 | |
| 216 | |
| 217 | static int eap_peap_get_isk(struct eap_sm *sm, struct eap_peap_data *data, |
| 218 | u8 *isk, size_t isk_len) |
| 219 | { |
| 220 | u8 *key; |
| 221 | size_t key_len; |
| 222 | |
| 223 | os_memset(isk, 0, isk_len); |
| 224 | if (data->phase2_method == NULL || data->phase2_priv == NULL || |
| 225 | data->phase2_method->isKeyAvailable == NULL || |
| 226 | data->phase2_method->getKey == NULL) |
| 227 | return 0; |
| 228 | |
| 229 | if (!data->phase2_method->isKeyAvailable(sm, data->phase2_priv) || |
| 230 | (key = data->phase2_method->getKey(sm, data->phase2_priv, |
| 231 | &key_len)) == NULL) { |
| 232 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not get key material " |
| 233 | "from Phase 2"); |
| 234 | return -1; |
| 235 | } |
| 236 | |
| 237 | if (key_len > isk_len) |
| 238 | key_len = isk_len; |
| 239 | os_memcpy(isk, key, key_len); |
| 240 | os_free(key); |
| 241 | |
| 242 | return 0; |
| 243 | } |
| 244 | |
| 245 | |
| 246 | static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) |
| 247 | { |
| 248 | u8 *tk; |
| 249 | u8 isk[32], imck[60]; |
| 250 | |
| 251 | /* |
| 252 | * Tunnel key (TK) is the first 60 octets of the key generated by |
| 253 | * phase 1 of PEAP (based on TLS). |
| 254 | */ |
| 255 | tk = data->key_data; |
| 256 | if (tk == NULL) |
| 257 | return -1; |
| 258 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60); |
| 259 | |
| 260 | if (data->reauth && |
| 261 | tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) { |
| 262 | /* Fast-connect: IPMK|CMK = TK */ |
| 263 | os_memcpy(data->ipmk, tk, 40); |
| 264 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK", |
| 265 | data->ipmk, 40); |
| 266 | os_memcpy(data->cmk, tk + 40, 20); |
| 267 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK from TK", |
| 268 | data->cmk, 20); |
| 269 | return 0; |
| 270 | } |
| 271 | |
| 272 | if (eap_peap_get_isk(sm, data, isk, sizeof(isk)) < 0) |
| 273 | return -1; |
| 274 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk)); |
| 275 | |
| 276 | /* |
| 277 | * IPMK Seed = "Inner Methods Compound Keys" | ISK |
| 278 | * TempKey = First 40 octets of TK |
| 279 | * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60) |
| 280 | * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space |
| 281 | * in the end of the label just before ISK; is that just a typo?) |
| 282 | */ |
| 283 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40); |
| 284 | if (peap_prfplus(data->peap_version, tk, 40, |
| 285 | "Inner Methods Compound Keys", |
| 286 | isk, sizeof(isk), imck, sizeof(imck)) < 0) |
| 287 | return -1; |
| 288 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)", |
| 289 | imck, sizeof(imck)); |
| 290 | |
| 291 | os_memcpy(data->ipmk, imck, 40); |
| 292 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40); |
| 293 | os_memcpy(data->cmk, imck + 40, 20); |
| 294 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20); |
| 295 | |
| 296 | return 0; |
| 297 | } |
| 298 | |
| 299 | |
| 300 | static int eap_tlv_add_cryptobinding(struct eap_sm *sm, |
| 301 | struct eap_peap_data *data, |
| 302 | struct wpabuf *buf) |
| 303 | { |
| 304 | u8 *mac; |
| 305 | u8 eap_type = EAP_TYPE_PEAP; |
| 306 | const u8 *addr[2]; |
| 307 | size_t len[2]; |
| 308 | u16 tlv_type; |
| 309 | |
| 310 | /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ |
| 311 | addr[0] = wpabuf_put(buf, 0); |
| 312 | len[0] = 60; |
| 313 | addr[1] = &eap_type; |
| 314 | len[1] = 1; |
| 315 | |
| 316 | tlv_type = EAP_TLV_CRYPTO_BINDING_TLV; |
| 317 | wpabuf_put_be16(buf, tlv_type); |
| 318 | wpabuf_put_be16(buf, 56); |
| 319 | |
| 320 | wpabuf_put_u8(buf, 0); /* Reserved */ |
| 321 | wpabuf_put_u8(buf, data->peap_version); /* Version */ |
| 322 | wpabuf_put_u8(buf, data->peap_version); /* RecvVersion */ |
| 323 | wpabuf_put_u8(buf, 1); /* SubType: 0 = Request, 1 = Response */ |
| 324 | wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */ |
| 325 | mac = wpabuf_put(buf, 20); /* Compound_MAC */ |
| 326 | wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK", data->cmk, 20); |
| 327 | wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1", |
| 328 | addr[0], len[0]); |
| 329 | wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2", |
| 330 | addr[1], len[1]); |
| 331 | hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac); |
| 332 | wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC", mac, SHA1_MAC_LEN); |
| 333 | data->crypto_binding_used = 1; |
| 334 | |
| 335 | return 0; |
| 336 | } |
| 337 | |
| 338 | |
| 339 | /** |
| 340 | * eap_tlv_build_result - Build EAP-TLV Result message |
| 341 | * @id: EAP identifier for the header |
| 342 | * @status: Status (EAP_TLV_RESULT_SUCCESS or EAP_TLV_RESULT_FAILURE) |
| 343 | * Returns: Buffer to the allocated EAP-TLV Result message or %NULL on failure |
| 344 | * |
| 345 | * This function builds an EAP-TLV Result message. The caller is responsible |
| 346 | * for freeing the returned buffer. |
| 347 | */ |
| 348 | static struct wpabuf * eap_tlv_build_result(struct eap_sm *sm, |
| 349 | struct eap_peap_data *data, |
| 350 | int crypto_tlv_used, |
| 351 | int id, u16 status) |
| 352 | { |
| 353 | struct wpabuf *msg; |
| 354 | size_t len; |
| 355 | |
| 356 | if (data->crypto_binding == NO_BINDING) |
| 357 | crypto_tlv_used = 0; |
| 358 | |
| 359 | len = 6; |
| 360 | if (crypto_tlv_used) |
| 361 | len += 60; /* Cryptobinding TLV */ |
| 362 | msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, len, |
| 363 | EAP_CODE_RESPONSE, id); |
| 364 | if (msg == NULL) |
| 365 | return NULL; |
| 366 | |
| 367 | wpabuf_put_u8(msg, 0x80); /* Mandatory */ |
| 368 | wpabuf_put_u8(msg, EAP_TLV_RESULT_TLV); |
| 369 | wpabuf_put_be16(msg, 2); /* Length */ |
| 370 | wpabuf_put_be16(msg, status); /* Status */ |
| 371 | |
| 372 | if (crypto_tlv_used && eap_tlv_add_cryptobinding(sm, data, msg)) { |
| 373 | wpabuf_free(msg); |
| 374 | return NULL; |
| 375 | } |
| 376 | |
| 377 | return msg; |
| 378 | } |
| 379 | |
| 380 | |
| 381 | static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, |
| 382 | struct eap_peap_data *data, |
| 383 | const u8 *crypto_tlv, |
| 384 | size_t crypto_tlv_len) |
| 385 | { |
| 386 | u8 buf[61], mac[SHA1_MAC_LEN]; |
| 387 | const u8 *pos; |
| 388 | |
| 389 | if (eap_peap_derive_cmk(sm, data) < 0) { |
| 390 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not derive CMK"); |
| 391 | return -1; |
| 392 | } |
| 393 | |
| 394 | if (crypto_tlv_len != 4 + 56) { |
| 395 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV " |
| 396 | "length %d", (int) crypto_tlv_len); |
| 397 | return -1; |
| 398 | } |
| 399 | |
| 400 | pos = crypto_tlv; |
| 401 | pos += 4; /* TLV header */ |
| 402 | if (pos[1] != data->peap_version) { |
| 403 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version " |
| 404 | "mismatch (was %d; expected %d)", |
| 405 | pos[1], data->peap_version); |
| 406 | return -1; |
| 407 | } |
| 408 | |
| 409 | if (pos[3] != 0) { |
| 410 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV " |
| 411 | "SubType %d", pos[3]); |
| 412 | return -1; |
| 413 | } |
| 414 | pos += 4; |
| 415 | os_memcpy(data->binding_nonce, pos, 32); |
| 416 | pos += 32; /* Nonce */ |
| 417 | |
| 418 | /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ |
| 419 | os_memcpy(buf, crypto_tlv, 60); |
| 420 | os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */ |
| 421 | buf[60] = EAP_TYPE_PEAP; |
| 422 | wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Compound_MAC data", |
| 423 | buf, sizeof(buf)); |
| 424 | hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac); |
| 425 | |
| 426 | if (os_memcmp(mac, pos, SHA1_MAC_LEN) != 0) { |
| 427 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in " |
| 428 | "cryptobinding TLV"); |
| 429 | wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received MAC", |
| 430 | pos, SHA1_MAC_LEN); |
| 431 | wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Expected MAC", |
| 432 | mac, SHA1_MAC_LEN); |
| 433 | return -1; |
| 434 | } |
| 435 | |
| 436 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received"); |
| 437 | |
| 438 | return 0; |
| 439 | } |
| 440 | |
| 441 | |
| 442 | /** |
| 443 | * eap_tlv_process - Process a received EAP-TLV message and generate a response |
| 444 | * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() |
| 445 | * @ret: Return values from EAP request validation and processing |
| 446 | * @req: EAP-TLV request to be processed. The caller must have validated that |
| 447 | * the buffer is large enough to contain full request (hdr->length bytes) and |
| 448 | * that the EAP type is EAP_TYPE_TLV. |
| 449 | * @resp: Buffer to return a pointer to the allocated response message. This |
| 450 | * field should be initialized to %NULL before the call. The value will be |
| 451 | * updated if a response message is generated. The caller is responsible for |
| 452 | * freeing the allocated message. |
| 453 | * @force_failure: Force negotiation to fail |
| 454 | * Returns: 0 on success, -1 on failure |
| 455 | */ |
| 456 | static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, |
| 457 | struct eap_method_ret *ret, |
| 458 | const struct wpabuf *req, struct wpabuf **resp, |
| 459 | int force_failure) |
| 460 | { |
| 461 | size_t left, tlv_len; |
| 462 | const u8 *pos; |
| 463 | const u8 *result_tlv = NULL, *crypto_tlv = NULL; |
| 464 | size_t result_tlv_len = 0, crypto_tlv_len = 0; |
| 465 | int tlv_type, mandatory; |
| 466 | |
| 467 | /* Parse TLVs */ |
| 468 | pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, req, &left); |
| 469 | if (pos == NULL) |
| 470 | return -1; |
| 471 | wpa_hexdump(MSG_DEBUG, "EAP-TLV: Received TLVs", pos, left); |
| 472 | while (left >= 4) { |
| 473 | mandatory = !!(pos[0] & 0x80); |
| 474 | tlv_type = WPA_GET_BE16(pos) & 0x3fff; |
| 475 | pos += 2; |
| 476 | tlv_len = WPA_GET_BE16(pos); |
| 477 | pos += 2; |
| 478 | left -= 4; |
| 479 | if (tlv_len > left) { |
| 480 | wpa_printf(MSG_DEBUG, "EAP-TLV: TLV underrun " |
| 481 | "(tlv_len=%lu left=%lu)", |
| 482 | (unsigned long) tlv_len, |
| 483 | (unsigned long) left); |
| 484 | return -1; |
| 485 | } |
| 486 | switch (tlv_type) { |
| 487 | case EAP_TLV_RESULT_TLV: |
| 488 | result_tlv = pos; |
| 489 | result_tlv_len = tlv_len; |
| 490 | break; |
| 491 | case EAP_TLV_CRYPTO_BINDING_TLV: |
| 492 | crypto_tlv = pos; |
| 493 | crypto_tlv_len = tlv_len; |
| 494 | break; |
| 495 | default: |
| 496 | wpa_printf(MSG_DEBUG, "EAP-TLV: Unsupported TLV Type " |
| 497 | "%d%s", tlv_type, |
| 498 | mandatory ? " (mandatory)" : ""); |
| 499 | if (mandatory) { |
| 500 | /* NAK TLV and ignore all TLVs in this packet. |
| 501 | */ |
| 502 | *resp = eap_tlv_build_nak(eap_get_id(req), |
| 503 | tlv_type); |
| 504 | return *resp == NULL ? -1 : 0; |
| 505 | } |
| 506 | /* Ignore this TLV, but process other TLVs */ |
| 507 | break; |
| 508 | } |
| 509 | |
| 510 | pos += tlv_len; |
| 511 | left -= tlv_len; |
| 512 | } |
| 513 | if (left) { |
| 514 | wpa_printf(MSG_DEBUG, "EAP-TLV: Last TLV too short in " |
| 515 | "Request (left=%lu)", (unsigned long) left); |
| 516 | return -1; |
| 517 | } |
| 518 | |
| 519 | /* Process supported TLVs */ |
| 520 | if (crypto_tlv && data->crypto_binding != NO_BINDING) { |
| 521 | wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV", |
| 522 | crypto_tlv, crypto_tlv_len); |
| 523 | if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4, |
| 524 | crypto_tlv_len + 4) < 0) { |
| 525 | if (result_tlv == NULL) |
| 526 | return -1; |
| 527 | force_failure = 1; |
| 528 | crypto_tlv = NULL; /* do not include Cryptobinding TLV |
| 529 | * in response, if the received |
| 530 | * cryptobinding was invalid. */ |
| 531 | } |
| 532 | } else if (!crypto_tlv && data->crypto_binding == REQUIRE_BINDING) { |
| 533 | wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV"); |
| 534 | return -1; |
| 535 | } |
| 536 | |
| 537 | if (result_tlv) { |
| 538 | int status, resp_status; |
| 539 | wpa_hexdump(MSG_DEBUG, "EAP-TLV: Result TLV", |
| 540 | result_tlv, result_tlv_len); |
| 541 | if (result_tlv_len < 2) { |
| 542 | wpa_printf(MSG_INFO, "EAP-TLV: Too short Result TLV " |
| 543 | "(len=%lu)", |
| 544 | (unsigned long) result_tlv_len); |
| 545 | return -1; |
| 546 | } |
| 547 | status = WPA_GET_BE16(result_tlv); |
| 548 | if (status == EAP_TLV_RESULT_SUCCESS) { |
| 549 | wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Success " |
| 550 | "- EAP-TLV/Phase2 Completed"); |
| 551 | if (force_failure) { |
| 552 | wpa_printf(MSG_INFO, "EAP-TLV: Earlier failure" |
| 553 | " - force failed Phase 2"); |
| 554 | resp_status = EAP_TLV_RESULT_FAILURE; |
| 555 | ret->decision = DECISION_FAIL; |
| 556 | } else { |
| 557 | resp_status = EAP_TLV_RESULT_SUCCESS; |
| 558 | ret->decision = DECISION_UNCOND_SUCC; |
| 559 | } |
| 560 | } else if (status == EAP_TLV_RESULT_FAILURE) { |
| 561 | wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Failure"); |
| 562 | resp_status = EAP_TLV_RESULT_FAILURE; |
| 563 | ret->decision = DECISION_FAIL; |
| 564 | } else { |
| 565 | wpa_printf(MSG_INFO, "EAP-TLV: Unknown TLV Result " |
| 566 | "Status %d", status); |
| 567 | resp_status = EAP_TLV_RESULT_FAILURE; |
| 568 | ret->decision = DECISION_FAIL; |
| 569 | } |
| 570 | ret->methodState = METHOD_DONE; |
| 571 | |
| 572 | *resp = eap_tlv_build_result(sm, data, crypto_tlv != NULL, |
| 573 | eap_get_id(req), resp_status); |
| 574 | } |
| 575 | |
| 576 | return 0; |
| 577 | } |
| 578 | |
| 579 | |
| 580 | static int eap_peap_phase2_request(struct eap_sm *sm, |
| 581 | struct eap_peap_data *data, |
| 582 | struct eap_method_ret *ret, |
| 583 | struct wpabuf *req, |
| 584 | struct wpabuf **resp) |
| 585 | { |
| 586 | struct eap_hdr *hdr = wpabuf_mhead(req); |
| 587 | size_t len = be_to_host16(hdr->length); |
| 588 | u8 *pos; |
| 589 | struct eap_method_ret iret; |
| 590 | struct eap_peer_config *config = eap_get_config(sm); |
| 591 | |
| 592 | if (len <= sizeof(struct eap_hdr)) { |
| 593 | wpa_printf(MSG_INFO, "EAP-PEAP: too short " |
| 594 | "Phase 2 request (len=%lu)", (unsigned long) len); |
| 595 | return -1; |
| 596 | } |
| 597 | pos = (u8 *) (hdr + 1); |
| 598 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Request: type=%d", *pos); |
| 599 | switch (*pos) { |
| 600 | case EAP_TYPE_IDENTITY: |
| 601 | *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); |
| 602 | break; |
| 603 | case EAP_TYPE_TLV: |
| 604 | os_memset(&iret, 0, sizeof(iret)); |
| 605 | if (eap_tlv_process(sm, data, &iret, req, resp, |
| 606 | data->phase2_eap_started && |
| 607 | !data->phase2_eap_success)) { |
| 608 | ret->methodState = METHOD_DONE; |
| 609 | ret->decision = DECISION_FAIL; |
| 610 | return -1; |
| 611 | } |
| 612 | if (iret.methodState == METHOD_DONE || |
| 613 | iret.methodState == METHOD_MAY_CONT) { |
| 614 | ret->methodState = iret.methodState; |
| 615 | ret->decision = iret.decision; |
| 616 | data->phase2_success = 1; |
| 617 | } |
| 618 | break; |
| 619 | case EAP_TYPE_EXPANDED: |
| 620 | #ifdef EAP_TNC |
| 621 | if (data->soh) { |
| 622 | const u8 *epos; |
| 623 | size_t eleft; |
| 624 | |
| 625 | epos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21, |
| 626 | req, &eleft); |
| 627 | if (epos) { |
| 628 | struct wpabuf *buf; |
| 629 | wpa_printf(MSG_DEBUG, |
| 630 | "EAP-PEAP: SoH EAP Extensions"); |
| 631 | buf = tncc_process_soh_request(data->soh, |
| 632 | epos, eleft); |
| 633 | if (buf) { |
| 634 | *resp = eap_msg_alloc( |
| 635 | EAP_VENDOR_MICROSOFT, 0x21, |
| 636 | wpabuf_len(buf), |
| 637 | EAP_CODE_RESPONSE, |
| 638 | hdr->identifier); |
| 639 | if (*resp == NULL) { |
| 640 | ret->methodState = METHOD_DONE; |
| 641 | ret->decision = DECISION_FAIL; |
| 642 | return -1; |
| 643 | } |
| 644 | wpabuf_put_buf(*resp, buf); |
| 645 | wpabuf_free(buf); |
| 646 | break; |
| 647 | } |
| 648 | } |
| 649 | } |
| 650 | #endif /* EAP_TNC */ |
| 651 | /* fall through */ |
| 652 | default: |
| 653 | if (data->phase2_type.vendor == EAP_VENDOR_IETF && |
| 654 | data->phase2_type.method == EAP_TYPE_NONE) { |
| 655 | size_t i; |
| 656 | for (i = 0; i < data->num_phase2_types; i++) { |
| 657 | if (data->phase2_types[i].vendor != |
| 658 | EAP_VENDOR_IETF || |
| 659 | data->phase2_types[i].method != *pos) |
| 660 | continue; |
| 661 | |
| 662 | data->phase2_type.vendor = |
| 663 | data->phase2_types[i].vendor; |
| 664 | data->phase2_type.method = |
| 665 | data->phase2_types[i].method; |
| 666 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Selected " |
| 667 | "Phase 2 EAP vendor %d method %d", |
| 668 | data->phase2_type.vendor, |
| 669 | data->phase2_type.method); |
| 670 | break; |
| 671 | } |
| 672 | } |
| 673 | if (*pos != data->phase2_type.method || |
| 674 | *pos == EAP_TYPE_NONE) { |
| 675 | if (eap_peer_tls_phase2_nak(data->phase2_types, |
| 676 | data->num_phase2_types, |
| 677 | hdr, resp)) |
| 678 | return -1; |
| 679 | return 0; |
| 680 | } |
| 681 | |
| 682 | if (data->phase2_priv == NULL) { |
| 683 | data->phase2_method = eap_peer_get_eap_method( |
| 684 | data->phase2_type.vendor, |
| 685 | data->phase2_type.method); |
| 686 | if (data->phase2_method) { |
| 687 | sm->init_phase2 = 1; |
| 688 | data->phase2_priv = |
| 689 | data->phase2_method->init(sm); |
| 690 | sm->init_phase2 = 0; |
| 691 | } |
| 692 | } |
| 693 | if (data->phase2_priv == NULL || data->phase2_method == NULL) { |
| 694 | wpa_printf(MSG_INFO, "EAP-PEAP: failed to initialize " |
| 695 | "Phase 2 EAP method %d", *pos); |
| 696 | ret->methodState = METHOD_DONE; |
| 697 | ret->decision = DECISION_FAIL; |
| 698 | return -1; |
| 699 | } |
| 700 | data->phase2_eap_started = 1; |
| 701 | os_memset(&iret, 0, sizeof(iret)); |
| 702 | *resp = data->phase2_method->process(sm, data->phase2_priv, |
| 703 | &iret, req); |
| 704 | if ((iret.methodState == METHOD_DONE || |
| 705 | iret.methodState == METHOD_MAY_CONT) && |
| 706 | (iret.decision == DECISION_UNCOND_SUCC || |
| 707 | iret.decision == DECISION_COND_SUCC)) { |
| 708 | data->phase2_eap_success = 1; |
| 709 | data->phase2_success = 1; |
| 710 | } |
| 711 | break; |
| 712 | } |
| 713 | |
| 714 | if (*resp == NULL && |
| 715 | (config->pending_req_identity || config->pending_req_password || |
| 716 | config->pending_req_otp || config->pending_req_new_password)) { |
| 717 | wpabuf_free(data->pending_phase2_req); |
| 718 | data->pending_phase2_req = wpabuf_alloc_copy(hdr, len); |
| 719 | } |
| 720 | |
| 721 | return 0; |
| 722 | } |
| 723 | |
| 724 | |
| 725 | static int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data, |
| 726 | struct eap_method_ret *ret, |
| 727 | const struct eap_hdr *req, |
| 728 | const struct wpabuf *in_data, |
| 729 | struct wpabuf **out_data) |
| 730 | { |
| 731 | struct wpabuf *in_decrypted = NULL; |
| 732 | int res, skip_change = 0; |
| 733 | struct eap_hdr *hdr, *rhdr; |
| 734 | struct wpabuf *resp = NULL; |
| 735 | size_t len; |
| 736 | |
| 737 | wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for" |
| 738 | " Phase 2", (unsigned long) wpabuf_len(in_data)); |
| 739 | |
| 740 | if (data->pending_phase2_req) { |
| 741 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 request - " |
| 742 | "skip decryption and use old data"); |
| 743 | /* Clear TLS reassembly state. */ |
| 744 | eap_peer_tls_reset_input(&data->ssl); |
| 745 | in_decrypted = data->pending_phase2_req; |
| 746 | data->pending_phase2_req = NULL; |
| 747 | skip_change = 1; |
| 748 | goto continue_req; |
| 749 | } |
| 750 | |
| 751 | if (wpabuf_len(in_data) == 0 && sm->workaround && |
| 752 | data->phase2_success) { |
| 753 | /* |
| 754 | * Cisco ACS seems to be using TLS ACK to terminate |
| 755 | * EAP-PEAPv0/GTC. Try to reply with TLS ACK. |
| 756 | */ |
| 757 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Received TLS ACK, but " |
| 758 | "expected data - acknowledge with TLS ACK since " |
| 759 | "Phase 2 has been completed"); |
| 760 | ret->decision = DECISION_COND_SUCC; |
| 761 | ret->methodState = METHOD_DONE; |
| 762 | return 1; |
| 763 | } else if (wpabuf_len(in_data) == 0) { |
| 764 | /* Received TLS ACK - requesting more fragments */ |
| 765 | return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, |
| 766 | data->peap_version, |
| 767 | req->identifier, NULL, out_data); |
| 768 | } |
| 769 | |
| 770 | res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); |
| 771 | if (res) |
| 772 | return res; |
| 773 | |
| 774 | continue_req: |
| 775 | wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP", |
| 776 | in_decrypted); |
| 777 | |
| 778 | hdr = wpabuf_mhead(in_decrypted); |
| 779 | if (wpabuf_len(in_decrypted) == 5 && hdr->code == EAP_CODE_REQUEST && |
| 780 | be_to_host16(hdr->length) == 5 && |
| 781 | eap_get_type(in_decrypted) == EAP_TYPE_IDENTITY) { |
| 782 | /* At least FreeRADIUS seems to send full EAP header with |
| 783 | * EAP Request Identity */ |
| 784 | skip_change = 1; |
| 785 | } |
| 786 | if (wpabuf_len(in_decrypted) >= 5 && hdr->code == EAP_CODE_REQUEST && |
| 787 | eap_get_type(in_decrypted) == EAP_TYPE_TLV) { |
| 788 | skip_change = 1; |
| 789 | } |
| 790 | |
| 791 | if (data->peap_version == 0 && !skip_change) { |
| 792 | struct eap_hdr *nhdr; |
| 793 | struct wpabuf *nmsg = wpabuf_alloc(sizeof(struct eap_hdr) + |
| 794 | wpabuf_len(in_decrypted)); |
| 795 | if (nmsg == NULL) { |
| 796 | wpabuf_free(in_decrypted); |
| 797 | return 0; |
| 798 | } |
| 799 | nhdr = wpabuf_put(nmsg, sizeof(*nhdr)); |
| 800 | wpabuf_put_buf(nmsg, in_decrypted); |
| 801 | nhdr->code = req->code; |
| 802 | nhdr->identifier = req->identifier; |
| 803 | nhdr->length = host_to_be16(sizeof(struct eap_hdr) + |
| 804 | wpabuf_len(in_decrypted)); |
| 805 | |
| 806 | wpabuf_free(in_decrypted); |
| 807 | in_decrypted = nmsg; |
| 808 | } |
| 809 | |
| 810 | hdr = wpabuf_mhead(in_decrypted); |
| 811 | if (wpabuf_len(in_decrypted) < sizeof(*hdr)) { |
| 812 | wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 " |
| 813 | "EAP frame (len=%lu)", |
| 814 | (unsigned long) wpabuf_len(in_decrypted)); |
| 815 | wpabuf_free(in_decrypted); |
| 816 | return 0; |
| 817 | } |
| 818 | len = be_to_host16(hdr->length); |
| 819 | if (len > wpabuf_len(in_decrypted)) { |
| 820 | wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in " |
| 821 | "Phase 2 EAP frame (len=%lu hdr->length=%lu)", |
| 822 | (unsigned long) wpabuf_len(in_decrypted), |
| 823 | (unsigned long) len); |
| 824 | wpabuf_free(in_decrypted); |
| 825 | return 0; |
| 826 | } |
| 827 | if (len < wpabuf_len(in_decrypted)) { |
| 828 | wpa_printf(MSG_INFO, "EAP-PEAP: Odd.. Phase 2 EAP header has " |
| 829 | "shorter length than full decrypted data " |
| 830 | "(%lu < %lu)", |
| 831 | (unsigned long) len, |
| 832 | (unsigned long) wpabuf_len(in_decrypted)); |
| 833 | } |
| 834 | wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d " |
| 835 | "identifier=%d length=%lu", hdr->code, hdr->identifier, |
| 836 | (unsigned long) len); |
| 837 | switch (hdr->code) { |
| 838 | case EAP_CODE_REQUEST: |
| 839 | if (eap_peap_phase2_request(sm, data, ret, in_decrypted, |
| 840 | &resp)) { |
| 841 | wpabuf_free(in_decrypted); |
| 842 | wpa_printf(MSG_INFO, "EAP-PEAP: Phase2 Request " |
| 843 | "processing failed"); |
| 844 | return 0; |
| 845 | } |
| 846 | break; |
| 847 | case EAP_CODE_SUCCESS: |
| 848 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success"); |
| 849 | if (data->peap_version == 1) { |
| 850 | /* EAP-Success within TLS tunnel is used to indicate |
| 851 | * shutdown of the TLS channel. The authentication has |
| 852 | * been completed. */ |
| 853 | if (data->phase2_eap_started && |
| 854 | !data->phase2_eap_success) { |
| 855 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " |
| 856 | "Success used to indicate success, " |
| 857 | "but Phase 2 EAP was not yet " |
| 858 | "completed successfully"); |
| 859 | ret->methodState = METHOD_DONE; |
| 860 | ret->decision = DECISION_FAIL; |
| 861 | wpabuf_free(in_decrypted); |
| 862 | return 0; |
| 863 | } |
| 864 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Version 1 - " |
| 865 | "EAP-Success within TLS tunnel - " |
| 866 | "authentication completed"); |
| 867 | ret->decision = DECISION_UNCOND_SUCC; |
| 868 | ret->methodState = METHOD_DONE; |
| 869 | data->phase2_success = 1; |
| 870 | if (data->peap_outer_success == 2) { |
| 871 | wpabuf_free(in_decrypted); |
| 872 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Use TLS ACK " |
| 873 | "to finish authentication"); |
| 874 | return 1; |
| 875 | } else if (data->peap_outer_success == 1) { |
| 876 | /* Reply with EAP-Success within the TLS |
| 877 | * channel to complete the authentication. */ |
| 878 | resp = wpabuf_alloc(sizeof(struct eap_hdr)); |
| 879 | if (resp) { |
| 880 | rhdr = wpabuf_put(resp, sizeof(*rhdr)); |
| 881 | rhdr->code = EAP_CODE_SUCCESS; |
| 882 | rhdr->identifier = hdr->identifier; |
| 883 | rhdr->length = |
| 884 | host_to_be16(sizeof(*rhdr)); |
| 885 | } |
| 886 | } else { |
| 887 | /* No EAP-Success expected for Phase 1 (outer, |
| 888 | * unencrypted auth), so force EAP state |
| 889 | * machine to SUCCESS state. */ |
| 890 | sm->peap_done = TRUE; |
| 891 | } |
| 892 | } else { |
| 893 | /* FIX: ? */ |
| 894 | } |
| 895 | break; |
| 896 | case EAP_CODE_FAILURE: |
| 897 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure"); |
| 898 | ret->decision = DECISION_FAIL; |
| 899 | ret->methodState = METHOD_MAY_CONT; |
| 900 | ret->allowNotifications = FALSE; |
| 901 | /* Reply with EAP-Failure within the TLS channel to complete |
| 902 | * failure reporting. */ |
| 903 | resp = wpabuf_alloc(sizeof(struct eap_hdr)); |
| 904 | if (resp) { |
| 905 | rhdr = wpabuf_put(resp, sizeof(*rhdr)); |
| 906 | rhdr->code = EAP_CODE_FAILURE; |
| 907 | rhdr->identifier = hdr->identifier; |
| 908 | rhdr->length = host_to_be16(sizeof(*rhdr)); |
| 909 | } |
| 910 | break; |
| 911 | default: |
| 912 | wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in " |
| 913 | "Phase 2 EAP header", hdr->code); |
| 914 | break; |
| 915 | } |
| 916 | |
| 917 | wpabuf_free(in_decrypted); |
| 918 | |
| 919 | if (resp) { |
| 920 | int skip_change2 = 0; |
| 921 | struct wpabuf *rmsg, buf; |
| 922 | |
| 923 | wpa_hexdump_buf_key(MSG_DEBUG, |
| 924 | "EAP-PEAP: Encrypting Phase 2 data", resp); |
| 925 | /* PEAP version changes */ |
| 926 | if (wpabuf_len(resp) >= 5 && |
| 927 | wpabuf_head_u8(resp)[0] == EAP_CODE_RESPONSE && |
| 928 | eap_get_type(resp) == EAP_TYPE_TLV) |
| 929 | skip_change2 = 1; |
| 930 | rmsg = resp; |
| 931 | if (data->peap_version == 0 && !skip_change2) { |
| 932 | wpabuf_set(&buf, wpabuf_head_u8(resp) + |
| 933 | sizeof(struct eap_hdr), |
| 934 | wpabuf_len(resp) - sizeof(struct eap_hdr)); |
| 935 | rmsg = &buf; |
| 936 | } |
| 937 | |
| 938 | if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, |
| 939 | data->peap_version, req->identifier, |
| 940 | rmsg, out_data)) { |
| 941 | wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt " |
| 942 | "a Phase 2 frame"); |
| 943 | } |
| 944 | wpabuf_free(resp); |
| 945 | } |
| 946 | |
| 947 | return 0; |
| 948 | } |
| 949 | |
| 950 | |
| 951 | static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, |
| 952 | struct eap_method_ret *ret, |
| 953 | const struct wpabuf *reqData) |
| 954 | { |
| 955 | const struct eap_hdr *req; |
| 956 | size_t left; |
| 957 | int res; |
| 958 | u8 flags, id; |
| 959 | struct wpabuf *resp; |
| 960 | const u8 *pos; |
| 961 | struct eap_peap_data *data = priv; |
| 962 | |
| 963 | pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_PEAP, ret, |
| 964 | reqData, &left, &flags); |
| 965 | if (pos == NULL) |
| 966 | return NULL; |
| 967 | req = wpabuf_head(reqData); |
| 968 | id = req->identifier; |
| 969 | |
| 970 | if (flags & EAP_TLS_FLAGS_START) { |
| 971 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Start (server ver=%d, own " |
| 972 | "ver=%d)", flags & EAP_TLS_VERSION_MASK, |
| 973 | data->peap_version); |
| 974 | if ((flags & EAP_TLS_VERSION_MASK) < data->peap_version) |
| 975 | data->peap_version = flags & EAP_TLS_VERSION_MASK; |
| 976 | if (data->force_peap_version >= 0 && |
| 977 | data->force_peap_version != data->peap_version) { |
| 978 | wpa_printf(MSG_WARNING, "EAP-PEAP: Failed to select " |
| 979 | "forced PEAP version %d", |
| 980 | data->force_peap_version); |
| 981 | ret->methodState = METHOD_DONE; |
| 982 | ret->decision = DECISION_FAIL; |
| 983 | ret->allowNotifications = FALSE; |
| 984 | return NULL; |
| 985 | } |
| 986 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Using PEAP version %d", |
| 987 | data->peap_version); |
| 988 | left = 0; /* make sure that this frame is empty, even though it |
| 989 | * should always be, anyway */ |
| 990 | } |
| 991 | |
| 992 | resp = NULL; |
| 993 | if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && |
| 994 | !data->resuming) { |
| 995 | struct wpabuf msg; |
| 996 | wpabuf_set(&msg, pos, left); |
| 997 | res = eap_peap_decrypt(sm, data, ret, req, &msg, &resp); |
| 998 | } else { |
| 999 | res = eap_peer_tls_process_helper(sm, &data->ssl, |
| 1000 | EAP_TYPE_PEAP, |
| 1001 | data->peap_version, id, pos, |
| 1002 | left, &resp); |
| 1003 | |
| 1004 | if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { |
| 1005 | char *label; |
| 1006 | wpa_printf(MSG_DEBUG, |
| 1007 | "EAP-PEAP: TLS done, proceed to Phase 2"); |
| 1008 | os_free(data->key_data); |
| 1009 | /* draft-josefsson-ppext-eap-tls-eap-05.txt |
| 1010 | * specifies that PEAPv1 would use "client PEAP |
| 1011 | * encryption" as the label. However, most existing |
| 1012 | * PEAPv1 implementations seem to be using the old |
| 1013 | * label, "client EAP encryption", instead. Use the old |
| 1014 | * label by default, but allow it to be configured with |
| 1015 | * phase1 parameter peaplabel=1. */ |
| 1016 | if (data->force_new_label) |
| 1017 | label = "client PEAP encryption"; |
| 1018 | else |
| 1019 | label = "client EAP encryption"; |
| 1020 | wpa_printf(MSG_DEBUG, "EAP-PEAP: using label '%s' in " |
| 1021 | "key derivation", label); |
| 1022 | data->key_data = |
| 1023 | eap_peer_tls_derive_key(sm, &data->ssl, label, |
| 1024 | EAP_TLS_KEY_LEN); |
| 1025 | if (data->key_data) { |
| 1026 | wpa_hexdump_key(MSG_DEBUG, |
| 1027 | "EAP-PEAP: Derived key", |
| 1028 | data->key_data, |
| 1029 | EAP_TLS_KEY_LEN); |
| 1030 | } else { |
| 1031 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to " |
| 1032 | "derive key"); |
| 1033 | } |
| 1034 | |
| 1035 | os_free(data->session_id); |
| 1036 | data->session_id = |
| 1037 | eap_peer_tls_derive_session_id(sm, &data->ssl, |
| 1038 | EAP_TYPE_PEAP, |
| 1039 | &data->id_len); |
| 1040 | if (data->session_id) { |
| 1041 | wpa_hexdump(MSG_DEBUG, |
| 1042 | "EAP-PEAP: Derived Session-Id", |
| 1043 | data->session_id, data->id_len); |
| 1044 | } else { |
| 1045 | wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to " |
| 1046 | "derive Session-Id"); |
| 1047 | } |
| 1048 | |
| 1049 | if (sm->workaround && data->resuming) { |
| 1050 | /* |
| 1051 | * At least few RADIUS servers (Aegis v1.1.6; |
| 1052 | * but not v1.1.4; and Cisco ACS) seem to be |
| 1053 | * terminating PEAPv1 (Aegis) or PEAPv0 (Cisco |
| 1054 | * ACS) session resumption with outer |
| 1055 | * EAP-Success. This does not seem to follow |
| 1056 | * draft-josefsson-pppext-eap-tls-eap-05.txt |
| 1057 | * section 4.2, so only allow this if EAP |
| 1058 | * workarounds are enabled. |
| 1059 | */ |
| 1060 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Workaround - " |
| 1061 | "allow outer EAP-Success to " |
| 1062 | "terminate PEAP resumption"); |
| 1063 | ret->decision = DECISION_COND_SUCC; |
| 1064 | data->phase2_success = 1; |
| 1065 | } |
| 1066 | |
| 1067 | data->resuming = 0; |
| 1068 | } |
| 1069 | |
| 1070 | if (res == 2) { |
| 1071 | struct wpabuf msg; |
| 1072 | /* |
| 1073 | * Application data included in the handshake message. |
| 1074 | */ |
| 1075 | wpabuf_free(data->pending_phase2_req); |
| 1076 | data->pending_phase2_req = resp; |
| 1077 | resp = NULL; |
| 1078 | wpabuf_set(&msg, pos, left); |
| 1079 | res = eap_peap_decrypt(sm, data, ret, req, &msg, |
| 1080 | &resp); |
| 1081 | } |
| 1082 | } |
| 1083 | |
| 1084 | if (ret->methodState == METHOD_DONE) { |
| 1085 | ret->allowNotifications = FALSE; |
| 1086 | } |
| 1087 | |
| 1088 | if (res == 1) { |
| 1089 | wpabuf_free(resp); |
| 1090 | return eap_peer_tls_build_ack(id, EAP_TYPE_PEAP, |
| 1091 | data->peap_version); |
| 1092 | } |
| 1093 | |
| 1094 | return resp; |
| 1095 | } |
| 1096 | |
| 1097 | |
| 1098 | static Boolean eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) |
| 1099 | { |
| 1100 | struct eap_peap_data *data = priv; |
| 1101 | return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && |
| 1102 | data->phase2_success; |
| 1103 | } |
| 1104 | |
| 1105 | |
| 1106 | static void eap_peap_deinit_for_reauth(struct eap_sm *sm, void *priv) |
| 1107 | { |
| 1108 | struct eap_peap_data *data = priv; |
| 1109 | wpabuf_free(data->pending_phase2_req); |
| 1110 | data->pending_phase2_req = NULL; |
| 1111 | data->crypto_binding_used = 0; |
| 1112 | } |
| 1113 | |
| 1114 | |
| 1115 | static void * eap_peap_init_for_reauth(struct eap_sm *sm, void *priv) |
| 1116 | { |
| 1117 | struct eap_peap_data *data = priv; |
| 1118 | os_free(data->key_data); |
| 1119 | data->key_data = NULL; |
| 1120 | os_free(data->session_id); |
| 1121 | data->session_id = NULL; |
| 1122 | if (eap_peer_tls_reauth_init(sm, &data->ssl)) { |
| 1123 | os_free(data); |
| 1124 | return NULL; |
| 1125 | } |
| 1126 | if (data->phase2_priv && data->phase2_method && |
| 1127 | data->phase2_method->init_for_reauth) |
| 1128 | data->phase2_method->init_for_reauth(sm, data->phase2_priv); |
| 1129 | data->phase2_success = 0; |
| 1130 | data->phase2_eap_success = 0; |
| 1131 | data->phase2_eap_started = 0; |
| 1132 | data->resuming = 1; |
| 1133 | data->reauth = 1; |
| 1134 | sm->peap_done = FALSE; |
| 1135 | return priv; |
| 1136 | } |
| 1137 | |
| 1138 | |
| 1139 | static int eap_peap_get_status(struct eap_sm *sm, void *priv, char *buf, |
| 1140 | size_t buflen, int verbose) |
| 1141 | { |
| 1142 | struct eap_peap_data *data = priv; |
| 1143 | int len, ret; |
| 1144 | |
| 1145 | len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); |
| 1146 | if (data->phase2_method) { |
| 1147 | ret = os_snprintf(buf + len, buflen - len, |
| 1148 | "EAP-PEAPv%d Phase2 method=%s\n", |
| 1149 | data->peap_version, |
| 1150 | data->phase2_method->name); |
| 1151 | if (ret < 0 || (size_t) ret >= buflen - len) |
| 1152 | return len; |
| 1153 | len += ret; |
| 1154 | } |
| 1155 | return len; |
| 1156 | } |
| 1157 | |
| 1158 | |
| 1159 | static Boolean eap_peap_isKeyAvailable(struct eap_sm *sm, void *priv) |
| 1160 | { |
| 1161 | struct eap_peap_data *data = priv; |
| 1162 | return data->key_data != NULL && data->phase2_success; |
| 1163 | } |
| 1164 | |
| 1165 | |
| 1166 | static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len) |
| 1167 | { |
| 1168 | struct eap_peap_data *data = priv; |
| 1169 | u8 *key; |
| 1170 | |
| 1171 | if (data->key_data == NULL || !data->phase2_success) |
| 1172 | return NULL; |
| 1173 | |
| 1174 | key = os_malloc(EAP_TLS_KEY_LEN); |
| 1175 | if (key == NULL) |
| 1176 | return NULL; |
| 1177 | |
| 1178 | *len = EAP_TLS_KEY_LEN; |
| 1179 | |
| 1180 | if (data->crypto_binding_used) { |
| 1181 | u8 csk[128]; |
| 1182 | /* |
| 1183 | * Note: It looks like Microsoft implementation requires null |
| 1184 | * termination for this label while the one used for deriving |
| 1185 | * IPMK|CMK did not use null termination. |
| 1186 | */ |
| 1187 | if (peap_prfplus(data->peap_version, data->ipmk, 40, |
| 1188 | "Session Key Generating Function", |
| 1189 | (u8 *) "\00", 1, csk, sizeof(csk)) < 0) { |
| 1190 | os_free(key); |
| 1191 | return NULL; |
| 1192 | } |
| 1193 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk)); |
| 1194 | os_memcpy(key, csk, EAP_TLS_KEY_LEN); |
| 1195 | wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key", |
| 1196 | key, EAP_TLS_KEY_LEN); |
| 1197 | } else |
| 1198 | os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); |
| 1199 | |
| 1200 | return key; |
| 1201 | } |
| 1202 | |
| 1203 | |
| 1204 | static u8 * eap_peap_get_session_id(struct eap_sm *sm, void *priv, size_t *len) |
| 1205 | { |
| 1206 | struct eap_peap_data *data = priv; |
| 1207 | u8 *id; |
| 1208 | |
| 1209 | if (data->session_id == NULL || !data->phase2_success) |
| 1210 | return NULL; |
| 1211 | |
| 1212 | id = os_malloc(data->id_len); |
| 1213 | if (id == NULL) |
| 1214 | return NULL; |
| 1215 | |
| 1216 | *len = data->id_len; |
| 1217 | os_memcpy(id, data->session_id, data->id_len); |
| 1218 | |
| 1219 | return id; |
| 1220 | } |
| 1221 | |
| 1222 | |
| 1223 | int eap_peer_peap_register(void) |
| 1224 | { |
| 1225 | struct eap_method *eap; |
| 1226 | int ret; |
| 1227 | |
| 1228 | eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, |
| 1229 | EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP"); |
| 1230 | if (eap == NULL) |
| 1231 | return -1; |
| 1232 | |
| 1233 | eap->init = eap_peap_init; |
| 1234 | eap->deinit = eap_peap_deinit; |
| 1235 | eap->process = eap_peap_process; |
| 1236 | eap->isKeyAvailable = eap_peap_isKeyAvailable; |
| 1237 | eap->getKey = eap_peap_getKey; |
| 1238 | eap->get_status = eap_peap_get_status; |
| 1239 | eap->has_reauth_data = eap_peap_has_reauth_data; |
| 1240 | eap->deinit_for_reauth = eap_peap_deinit_for_reauth; |
| 1241 | eap->init_for_reauth = eap_peap_init_for_reauth; |
| 1242 | eap->getSessionId = eap_peap_get_session_id; |
| 1243 | |
| 1244 | ret = eap_peer_method_register(eap); |
| 1245 | if (ret) |
| 1246 | eap_peer_method_free(eap); |
| 1247 | return ret; |
| 1248 | } |