2 * WPA Supplicant / EAP-TTLS (draft-ietf-pppext-eap-ttls-03.txt)
3 * Copyright (c) 2004-2005, Jouni Malinen <jkmaline@cc.hut.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
21 #include "eap_tls_common.h"
22 #include "wpa_supplicant.h"
23 #include "config_ssid.h"
30 static void eap_ttls_deinit(struct eap_sm *sm, void *priv);
33 struct eap_ttls_data {
34 struct eap_ssl_data ssl;
36 const struct eap_method *phase2_method;
43 EAP_TTLS_PHASE2_MSCHAPV2,
44 EAP_TTLS_PHASE2_MSCHAP,
50 size_t num_phase2_eap_types;
53 int auth_response_valid;
55 int resuming; /* starting a resumed session */
56 int reauth; /* reauthentication */
59 u8 *pending_phase2_req;
60 size_t pending_phase2_req_len;
64 static void * eap_ttls_init(struct eap_sm *sm)
66 struct eap_ttls_data *data;
67 struct wpa_ssid *config = eap_get_config(sm);
70 data = malloc(sizeof(*data));
73 memset(data, 0, sizeof(*data));
75 data->phase2_type = EAP_TTLS_PHASE2_EAP;
76 if (config && config->phase2) {
77 if (strstr(config->phase2, "autheap=")) {
79 data->phase2_type = EAP_TTLS_PHASE2_EAP;
80 } else if (strstr(config->phase2, "auth=MSCHAPV2")) {
81 selected = "MSCHAPV2";
82 data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2;
83 } else if (strstr(config->phase2, "auth=MSCHAP")) {
85 data->phase2_type = EAP_TTLS_PHASE2_MSCHAP;
86 } else if (strstr(config->phase2, "auth=PAP")) {
88 data->phase2_type = EAP_TTLS_PHASE2_PAP;
89 } else if (strstr(config->phase2, "auth=CHAP")) {
91 data->phase2_type = EAP_TTLS_PHASE2_CHAP;
94 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected);
96 if (data->phase2_type == EAP_TTLS_PHASE2_EAP) {
97 if (config && config->phase2) {
98 char *start, *pos, *buf;
99 u8 method, *methods = NULL, *_methods;
100 size_t num_methods = 0;
101 start = buf = strdup(config->phase2);
103 eap_ttls_deinit(sm, data);
106 while (start && *start != '\0') {
107 pos = strstr(start, "autheap=");
110 if (start != pos && *(pos - 1) != ' ') {
116 pos = strchr(start, ' ');
119 method = eap_get_phase2_type(start);
120 if (method == EAP_TYPE_NONE) {
121 wpa_printf(MSG_ERROR, "EAP-TTLS: "
122 "Unsupported Phase2 EAP "
123 "method '%s'", start);
126 _methods = realloc(methods,
128 if (_methods == NULL) {
131 eap_ttls_deinit(sm, data);
135 methods[num_methods - 1] = method;
141 data->phase2_eap_types = methods;
142 data->num_phase2_eap_types = num_methods;
144 if (data->phase2_eap_types == NULL) {
145 data->phase2_eap_types = eap_get_phase2_types(
146 config, &data->num_phase2_eap_types);
148 if (data->phase2_eap_types == NULL) {
149 wpa_printf(MSG_ERROR, "EAP-TTLS: No Phase2 EAP method "
151 eap_ttls_deinit(sm, data);
154 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase2 EAP types",
155 data->phase2_eap_types,
156 data->num_phase2_eap_types);
157 data->phase2_eap_type = EAP_TYPE_NONE;
161 if (eap_tls_ssl_init(sm, &data->ssl, config)) {
162 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
163 eap_ttls_deinit(sm, data);
171 static void eap_ttls_deinit(struct eap_sm *sm, void *priv)
173 struct eap_ttls_data *data = priv;
176 if (data->phase2_priv && data->phase2_method)
177 data->phase2_method->deinit(sm, data->phase2_priv);
178 free(data->phase2_eap_types);
179 eap_tls_ssl_deinit(sm, &data->ssl);
180 free(data->key_data);
181 free(data->pending_phase2_req);
186 static int eap_ttls_encrypt(struct eap_sm *sm, struct eap_ttls_data *data,
187 int id, const u8 *plain, size_t plain_len,
188 u8 **out_data, size_t *out_len)
192 struct eap_hdr *resp;
194 /* TODO: add support for fragmentation, if needed. This will need to
195 * add TLS Message Length field, if the frame is fragmented. */
196 resp = malloc(sizeof(struct eap_hdr) + 2 + data->ssl.tls_out_limit);
200 resp->code = EAP_CODE_RESPONSE;
201 resp->identifier = id;
203 pos = (u8 *) (resp + 1);
204 *pos++ = EAP_TYPE_TTLS;
207 res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
209 pos, data->ssl.tls_out_limit);
211 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt Phase 2 "
217 *out_len = sizeof(struct eap_hdr) + 2 + res;
218 resp->length = host_to_be16(*out_len);
219 *out_data = (u8 *) resp;
224 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
225 int mandatory, size_t len)
227 struct ttls_avp_vendor *avp;
231 avp = (struct ttls_avp_vendor *) avphdr;
232 flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
234 flags |= AVP_FLAGS_VENDOR;
235 hdrlen = sizeof(*avp);
236 avp->vendor_id = host_to_be32(vendor_id);
238 hdrlen = sizeof(struct ttls_avp);
241 avp->avp_code = host_to_be32(avp_code);
242 avp->avp_length = host_to_be32((flags << 24) | (hdrlen + len));
244 return avphdr + hdrlen;
248 static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code,
249 u32 vendor_id, int mandatory,
250 u8 *data, size_t len)
253 pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len);
254 memcpy(pos, data, len);
261 static int eap_ttls_avp_encapsulate(u8 **resp, size_t *resp_len, u32 avp_code,
266 avp = malloc(sizeof(struct ttls_avp) + *resp_len + 4);
274 pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, *resp_len);
275 memcpy(pos, *resp, *resp_len);
280 *resp_len = pos - avp;
285 static int eap_ttls_phase2_nak(struct eap_sm *sm,
286 struct eap_ttls_data *data,
288 u8 **resp, size_t *resp_len)
290 struct eap_hdr *resp_hdr;
291 u8 *pos = (u8 *) (hdr + 1);
293 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 Request: Nak type=%d", *pos);
294 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Allowed Phase2 EAP types",
295 data->phase2_eap_types, data->num_phase2_eap_types);
296 *resp_len = sizeof(struct eap_hdr) + 1 + data->num_phase2_eap_types;
297 *resp = malloc(*resp_len);
301 resp_hdr = (struct eap_hdr *) (*resp);
302 resp_hdr->code = EAP_CODE_RESPONSE;
303 resp_hdr->identifier = hdr->identifier;
304 resp_hdr->length = host_to_be16(*resp_len);
305 pos = (u8 *) (resp_hdr + 1);
306 *pos++ = EAP_TYPE_NAK;
307 memcpy(pos, data->phase2_eap_types, data->num_phase2_eap_types);
313 static int eap_ttls_phase2_request_eap(struct eap_sm *sm,
314 struct eap_ttls_data *data,
315 struct eap_method_ret *ret,
316 const struct eap_hdr *req,
318 u8 **resp, size_t *resp_len)
320 size_t len = be_to_host16(hdr->length);
322 struct eap_method_ret iret;
323 struct wpa_ssid *config = eap_get_config(sm);
325 if (len <= sizeof(struct eap_hdr)) {
326 wpa_printf(MSG_INFO, "EAP-TTLS: too short "
327 "Phase 2 request (len=%lu)", (unsigned long) len);
330 pos = (u8 *) (hdr + 1);
331 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos);
333 case EAP_TYPE_IDENTITY:
334 *resp = eap_sm_buildIdentity(sm, req->identifier, resp_len, 1);
337 if (data->phase2_eap_type == EAP_TYPE_NONE) {
339 for (i = 0; i < data->num_phase2_eap_types; i++) {
340 if (data->phase2_eap_types[i] != *pos)
343 data->phase2_eap_type = *pos;
344 wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected "
345 "Phase 2 EAP method %d",
346 data->phase2_eap_type);
350 if (*pos != data->phase2_eap_type || *pos == EAP_TYPE_NONE) {
351 if (eap_ttls_phase2_nak(sm, data, hdr, resp, resp_len))
356 if (data->phase2_priv == NULL) {
357 data->phase2_method = eap_sm_get_eap_methods(*pos);
358 if (data->phase2_method) {
361 data->phase2_method->init(sm);
365 if (data->phase2_priv == NULL || data->phase2_method == NULL) {
366 wpa_printf(MSG_INFO, "EAP-TTLS: failed to initialize "
367 "Phase 2 EAP method %d", *pos);
370 memset(&iret, 0, sizeof(iret));
371 *resp = data->phase2_method->process(sm, data->phase2_priv,
372 &iret, (u8 *) hdr, len,
374 if ((iret.methodState == METHOD_DONE ||
375 iret.methodState == METHOD_MAY_CONT) &&
376 (iret.decision == DECISION_UNCOND_SUCC ||
377 iret.decision == DECISION_COND_SUCC ||
378 iret.decision == DECISION_FAIL)) {
379 ret->methodState = iret.methodState;
380 ret->decision = iret.decision;
386 (config->pending_req_identity || config->pending_req_password ||
387 config->pending_req_otp)) {
394 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response",
396 return eap_ttls_avp_encapsulate(resp, resp_len,
397 RADIUS_ATTR_EAP_MESSAGE, 1);
401 static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
402 struct eap_ttls_data *data,
403 struct eap_method_ret *ret,
404 const struct eap_hdr *req,
406 u8 **resp, size_t *resp_len)
408 struct wpa_ssid *config = eap_get_config(sm);
409 u8 *buf, *pos, *challenge, *username, *peer_challenge;
413 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request");
415 /* MSCHAPv2 does not include optional domain name in the
416 * challenge-response calculation, so remove domain prefix
418 username = config->identity;
419 username_len = config->identity_len;
421 for (i = 0; i < username_len; i++) {
422 if (username[i] == '\\') {
423 username_len -= i + 1;
429 pos = buf = malloc(config->identity_len + 1000);
431 wpa_printf(MSG_ERROR,
432 "EAP-TTLS/MSCHAPV2: Failed to allocate memory");
437 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
438 config->identity, config->identity_len);
440 /* MS-CHAP-Challenge */
441 challenge = eap_tls_derive_key(sm, &data->ssl, "ttls challenge",
442 EAP_TTLS_MSCHAPV2_CHALLENGE_LEN * 2 +
444 if (challenge == NULL) {
446 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
447 "implicit challenge");
450 peer_challenge = challenge + 1 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
452 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
453 RADIUS_VENDOR_ID_MICROSOFT, 1,
454 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
456 /* MS-CHAP2-Response */
457 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE,
458 RADIUS_VENDOR_ID_MICROSOFT, 1,
459 EAP_TTLS_MSCHAPV2_RESPONSE_LEN);
460 data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN];
461 *pos++ = data->ident;
462 *pos++ = 0; /* Flags */
463 memcpy(pos, peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
464 pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
465 memset(pos, 0, 8); /* Reserved, must be zero */
467 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAPV2: implicit auth_challenge",
468 challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
469 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAPV2: peer_challenge",
470 peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
471 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MSCHAPV2 username",
472 username, username_len);
473 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAPV2 password",
474 config->password, config->password_len);
475 generate_nt_response(challenge, peer_challenge,
476 username, username_len,
477 config->password, config->password_len,
479 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAPV2 response", pos, 24);
480 generate_authenticator_response(config->password, config->password_len,
481 peer_challenge, challenge,
482 username, username_len,
483 pos, data->auth_response);
484 data->auth_response_valid = 1;
491 *resp_len = pos - buf;
493 if (sm->workaround) {
494 /* At least FreeRADIUS seems to be terminating
495 * EAP-TTLS/MSHCAPV2 without the expected MS-CHAP-v2 Success
497 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: EAP workaround - "
498 "allow success without tunneled response");
499 ret->methodState = METHOD_MAY_CONT;
500 ret->decision = DECISION_COND_SUCC;
507 static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
508 struct eap_ttls_data *data,
509 struct eap_method_ret *ret,
510 const struct eap_hdr *req,
512 u8 **resp, size_t *resp_len)
514 struct wpa_ssid *config = eap_get_config(sm);
515 u8 *buf, *pos, *challenge;
517 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request");
519 pos = buf = malloc(config->identity_len + 1000);
521 wpa_printf(MSG_ERROR,
522 "EAP-TTLS/MSCHAP: Failed to allocate memory");
527 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
528 config->identity, config->identity_len);
530 /* MS-CHAP-Challenge */
531 challenge = eap_tls_derive_key(sm, &data->ssl, "ttls challenge",
533 if (challenge == NULL) {
535 wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive "
536 "implicit challenge");
540 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
541 RADIUS_VENDOR_ID_MICROSOFT, 1,
542 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
544 /* MS-CHAP-Response */
545 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE,
546 RADIUS_VENDOR_ID_MICROSOFT, 1,
547 EAP_TTLS_MSCHAP_RESPONSE_LEN);
548 data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN];
549 *pos++ = data->ident;
550 *pos++ = 1; /* Flags: Use NT style passwords */
551 memset(pos, 0, 24); /* LM-Response */
553 nt_challenge_response(challenge,
554 config->password, config->password_len,
555 pos); /* NT-Response */
556 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password",
557 config->password, config->password_len);
558 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge",
559 challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
560 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24);
566 *resp_len = pos - buf;
568 /* EAP-TTLS/MSCHAP does not provide tunneled success notification, so
569 * assume that Phase2 succeeds. */
570 ret->methodState = METHOD_DONE;
571 ret->decision = DECISION_COND_SUCC;
577 static int eap_ttls_phase2_request_pap(struct eap_sm *sm,
578 struct eap_ttls_data *data,
579 struct eap_method_ret *ret,
580 const struct eap_hdr *req,
582 u8 **resp, size_t *resp_len)
584 struct wpa_ssid *config = eap_get_config(sm);
588 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request");
590 pos = buf = malloc(config->identity_len + config->password_len + 100);
592 wpa_printf(MSG_ERROR,
593 "EAP-TTLS/PAP: Failed to allocate memory");
598 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
599 config->identity, config->identity_len);
601 /* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts
602 * the data, so no separate encryption is used in the AVP itself.
603 * However, the password is padded to obfuscate its length. */
604 pad = (16 - (config->password_len & 15)) & 15;
605 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1,
606 config->password_len + pad);
607 memcpy(pos, config->password, config->password_len);
608 pos += config->password_len;
614 *resp_len = pos - buf;
616 /* EAP-TTLS/PAP does not provide tunneled success notification, so
617 * assume that Phase2 succeeds. */
618 ret->methodState = METHOD_DONE;
619 ret->decision = DECISION_COND_SUCC;
625 static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
626 struct eap_ttls_data *data,
627 struct eap_method_ret *ret,
628 const struct eap_hdr *req,
630 u8 **resp, size_t *resp_len)
632 struct wpa_ssid *config = eap_get_config(sm);
633 u8 *buf, *pos, *challenge;
637 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request");
639 pos = buf = malloc(config->identity_len + 1000);
641 wpa_printf(MSG_ERROR,
642 "EAP-TTLS/CHAP: Failed to allocate memory");
647 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
648 config->identity, config->identity_len);
651 challenge = eap_tls_derive_key(sm, &data->ssl, "ttls challenge",
653 if (challenge == NULL) {
655 wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive "
656 "implicit challenge");
660 pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1,
661 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
664 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1,
665 1 + EAP_TTLS_CHAP_PASSWORD_LEN);
666 data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN];
667 *pos++ = data->ident;
669 /* MD5(Ident + Password + Challenge) */
670 addr[0] = &data->ident;
672 addr[1] = config->password;
673 len[1] = config->password_len;
675 len[2] = EAP_TTLS_CHAP_CHALLENGE_LEN;
676 md5_vector(3, addr, len, pos);
678 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username",
679 config->identity, config->identity_len);
680 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password",
681 config->password, config->password_len);
682 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge",
683 challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
684 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password",
685 pos, EAP_TTLS_CHAP_PASSWORD_LEN);
686 pos += EAP_TTLS_CHAP_PASSWORD_LEN;
691 *resp_len = pos - buf;
693 /* EAP-TTLS/CHAP does not provide tunneled success notification, so
694 * assume that Phase2 succeeds. */
695 ret->methodState = METHOD_DONE;
696 ret->decision = DECISION_COND_SUCC;
702 static int eap_ttls_phase2_request(struct eap_sm *sm,
703 struct eap_ttls_data *data,
704 struct eap_method_ret *ret,
705 const struct eap_hdr *req,
707 u8 **resp, size_t *resp_len)
709 struct wpa_ssid *config = eap_get_config(sm);
712 if (data->phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 ||
713 data->phase2_type == EAP_TTLS_PHASE2_MSCHAP ||
714 data->phase2_type == EAP_TTLS_PHASE2_PAP ||
715 data->phase2_type == EAP_TTLS_PHASE2_CHAP) {
716 if (config->identity == NULL) {
718 "EAP-TTLS: Identity not configured");
719 eap_sm_request_identity(sm, config);
720 if (config->password == NULL)
721 eap_sm_request_password(sm, config);
725 if (config->password == NULL) {
727 "EAP-TTLS: Password not configured");
728 eap_sm_request_password(sm, config);
733 switch (data->phase2_type) {
734 case EAP_TTLS_PHASE2_EAP:
735 res = eap_ttls_phase2_request_eap(sm, data, ret, req, hdr,
738 case EAP_TTLS_PHASE2_MSCHAPV2:
739 res = eap_ttls_phase2_request_mschapv2(sm, data, ret, req, hdr,
742 case EAP_TTLS_PHASE2_MSCHAP:
743 res = eap_ttls_phase2_request_mschap(sm, data, ret, req, hdr,
746 case EAP_TTLS_PHASE2_PAP:
747 res = eap_ttls_phase2_request_pap(sm, data, ret, req, hdr,
750 case EAP_TTLS_PHASE2_CHAP:
751 res = eap_ttls_phase2_request_chap(sm, data, ret, req, hdr,
755 wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown");
761 ret->methodState = METHOD_DONE;
762 ret->decision = DECISION_FAIL;
769 static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data,
770 struct eap_method_ret *ret,
771 const struct eap_hdr *req,
772 const u8 *in_data, size_t in_len,
773 u8 **out_data, size_t *out_len)
775 u8 *in_decrypted = NULL, *pos;
776 int buf_len, len_decrypted = 0, len, left, retval = 0;
777 struct eap_hdr *hdr = NULL;
778 u8 *resp = NULL, *mschapv2 = NULL, *eapdata = NULL;
779 size_t resp_len, eap_len = 0;
780 struct ttls_avp *avp;
781 u8 recv_response[20];
782 int mschapv2_error = 0;
783 struct wpa_ssid *config = eap_get_config(sm);
788 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
789 " Phase 2", (unsigned long) in_len);
791 if (data->pending_phase2_req) {
792 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - "
793 "skip decryption and use old data");
794 /* Clear TLS reassembly state. */
795 free(data->ssl.tls_in);
796 data->ssl.tls_in = NULL;
797 data->ssl.tls_in_len = 0;
798 data->ssl.tls_in_left = 0;
799 data->ssl.tls_in_total = 0;
801 in_decrypted = data->pending_phase2_req;
802 data->pending_phase2_req = NULL;
803 len_decrypted = data->pending_phase2_req_len;
804 if (data->pending_phase2_req_len == 0) {
807 goto fake_req_identity;
812 if (in_len == 0 && data->phase2_start) {
813 data->phase2_start = 0;
814 /* EAP-TTLS does not use Phase2 on fast re-auth; this must be
815 * done only if TLS part was indeed resuming a previous
816 * session. Most Authentication Servers terminate EAP-TTLS
817 * before reaching this point, but some do not. Make
818 * wpa_supplicant stop phase 2 here, if needed. */
820 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
821 wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - "
823 *out_data = eap_tls_build_ack(&data->ssl, out_len,
826 ret->methodState = METHOD_DONE;
827 ret->decision = DECISION_UNCOND_SUCC;
828 data->phase2_success = 1;
832 wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of "
833 "Phase 2 - use fake EAP-Request Identity");
834 buf_len = sizeof(*hdr) + 1;
835 in_decrypted = malloc(buf_len);
836 if (in_decrypted == NULL) {
837 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate "
838 "memory for fake EAP-Identity Request");
842 hdr = (struct eap_hdr *) in_decrypted;
843 hdr->code = EAP_CODE_REQUEST;
845 hdr->length = host_to_be16(sizeof(*hdr) + 1);
846 in_decrypted[sizeof(*hdr)] = EAP_TYPE_IDENTITY;
850 msg = eap_tls_data_reassemble(sm, &data->ssl, in_data, in_len,
851 &msg_len, &need_more_input);
853 return need_more_input ? 1 : -1;
856 if (data->ssl.tls_in_total > buf_len)
857 buf_len = data->ssl.tls_in_total;
858 in_decrypted = malloc(buf_len);
859 if (in_decrypted == NULL) {
860 free(data->ssl.tls_in);
861 data->ssl.tls_in = NULL;
862 data->ssl.tls_in_len = 0;
863 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate memory "
869 len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
871 in_decrypted, buf_len);
872 free(data->ssl.tls_in);
873 data->ssl.tls_in = NULL;
874 data->ssl.tls_in_len = 0;
875 if (len_decrypted < 0) {
876 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
883 data->phase2_start = 0;
885 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs",
886 in_decrypted, len_decrypted);
887 if (len_decrypted < sizeof(struct ttls_avp)) {
888 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame"
889 " len=%d expected %lu or more - dropped",
891 (unsigned long) sizeof(struct ttls_avp));
898 left = len_decrypted;
902 u32 avp_code, avp_length, vendor_id = 0;
905 avp = (struct ttls_avp *) pos;
906 avp_code = be_to_host32(avp->avp_code);
907 avp_length = be_to_host32(avp->avp_length);
908 avp_flags = (avp_length >> 24) & 0xff;
909 avp_length &= 0xffffff;
910 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
911 "length=%d", (int) avp_code, avp_flags,
913 if (avp_length > left) {
914 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
915 "(len=%d, left=%d) - dropped",
916 (int) avp_length, left);
920 dpos = (u8 *) (avp + 1);
921 dlen = avp_length - sizeof(*avp);
922 if (avp_flags & AVP_FLAGS_VENDOR) {
924 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP "
929 vendor_id = be_to_host32(* (u32 *) dpos);
930 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
936 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
938 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
939 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
940 if (eapdata == NULL) {
941 eapdata = malloc(dlen);
942 if (eapdata == NULL) {
944 wpa_printf(MSG_WARNING, "EAP-TTLS: "
945 "failed to allocate memory "
946 "for Phase 2 EAP data");
949 memcpy(eapdata, dpos, dlen);
952 u8 *neweap = realloc(eapdata, eap_len + dlen);
953 if (neweap == NULL) {
955 wpa_printf(MSG_WARNING, "EAP-TTLS: "
956 "failed to allocate memory "
957 "for Phase 2 EAP data");
960 memcpy(neweap + eap_len, dpos, dlen);
964 } else if (vendor_id == 0 &&
965 avp_code == RADIUS_ATTR_REPLY_MESSAGE) {
966 /* This is an optional message that can be displayed to
968 wpa_hexdump_ascii(MSG_DEBUG,
969 "EAP-TTLS: AVP - Reply-Message",
971 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
972 avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) {
973 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: "
974 "MS-CHAP2-Success", dpos, dlen);
976 wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected "
977 "MS-CHAP2-Success length "
978 "(len=%lu, expected 43)",
979 (unsigned long) dlen);
984 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
985 avp_code == RADIUS_ATTR_MS_CHAP_ERROR) {
986 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: "
987 "MS-CHAP-Error", dpos, dlen);
989 } else if (avp_flags & AVP_FLAGS_MANDATORY) {
990 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported "
991 "mandatory AVP code %d vendor_id %d - "
992 "dropped", (int) avp_code, (int) vendor_id);
996 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported "
997 "AVP code %d vendor_id %d",
998 (int) avp_code, (int) vendor_id);
1001 pad = (4 - (avp_length & 3)) & 3;
1002 pos += avp_length + pad;
1003 left -= avp_length + pad;
1006 switch (data->phase2_type) {
1007 case EAP_TTLS_PHASE2_EAP:
1008 if (eapdata == NULL) {
1009 wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in "
1010 "the packet - dropped");
1015 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP",
1017 hdr = (struct eap_hdr *) eapdata;
1019 if (eap_len < sizeof(*hdr)) {
1020 wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 "
1021 "EAP frame (len=%lu, expected %lu or more) "
1022 "- dropped", (unsigned long) eap_len,
1023 (unsigned long) sizeof(*hdr));
1027 len = be_to_host16(hdr->length);
1028 if (len > eap_len) {
1029 wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in "
1030 "Phase 2 EAP frame (EAP hdr len=%d, EAP "
1031 "data len in AVP=%lu)", len,
1032 (unsigned long) eap_len);
1036 wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d "
1037 "identifier=%d length=%d",
1038 hdr->code, hdr->identifier, len);
1040 switch (hdr->code) {
1041 case EAP_CODE_REQUEST:
1042 if (eap_ttls_phase2_request(sm, data, ret, req, hdr,
1043 &resp, &resp_len)) {
1044 wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 "
1045 "Request processing failed");
1051 wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in "
1052 "Phase 2 EAP header", hdr->code);
1057 case EAP_TTLS_PHASE2_MSCHAPV2:
1058 if (mschapv2_error) {
1059 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received "
1060 "MS-CHAP-Error - failed");
1061 ret->methodState = METHOD_DONE;
1062 ret->decision = DECISION_FAIL;
1063 *out_data = eap_tls_build_ack(&data->ssl, out_len,
1069 if (mschapv2 == NULL) {
1070 wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success"
1071 " AVP received for Phase2 MSCHAPV2");
1075 if (mschapv2[0] != data->ident) {
1076 wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch "
1077 "for Phase 2 MSCHAPV2 (received Ident "
1078 "0x%02x, expected 0x%02x)",
1079 mschapv2[0], data->ident);
1083 if (!data->auth_response_valid ||
1084 mschapv2[1] != 'S' || mschapv2[2] != '=' ||
1085 hexstr2bin((char *) (mschapv2 + 3), recv_response, 20) ||
1086 memcmp(data->auth_response, recv_response, 20) != 0) {
1087 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid "
1088 "authenticator response in Phase 2 "
1089 "MSCHAPV2 success request");
1094 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 "
1095 "authentication succeeded");
1096 ret->methodState = METHOD_DONE;
1097 ret->decision = DECISION_UNCOND_SUCC;
1098 data->phase2_success = 1;
1100 /* Reply with empty data; authentication server will reply
1101 * with EAP-Success after this. */
1104 case EAP_TTLS_PHASE2_MSCHAP:
1105 case EAP_TTLS_PHASE2_PAP:
1106 case EAP_TTLS_PHASE2_CHAP:
1107 /* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled
1108 * requests to the supplicant */
1109 wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected "
1116 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data",
1119 if (eap_ttls_encrypt(sm, data, req->identifier,
1120 resp, resp_len, out_data, out_len)) {
1121 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt "
1125 } else if (config->pending_req_identity ||
1126 config->pending_req_password ||
1127 config->pending_req_otp ||
1128 config->pending_req_new_password) {
1129 free(data->pending_phase2_req);
1130 data->pending_phase2_req = malloc(len_decrypted);
1131 if (data->pending_phase2_req) {
1132 memcpy(data->pending_phase2_req, in_decrypted,
1134 data->pending_phase2_req_len = len_decrypted;
1143 ret->methodState = METHOD_DONE;
1144 ret->decision = DECISION_FAIL;
1151 static u8 * eap_ttls_process(struct eap_sm *sm, void *priv,
1152 struct eap_method_ret *ret,
1153 const u8 *reqData, size_t reqDataLen,
1154 size_t *respDataLen)
1156 const struct eap_hdr *req;
1159 u8 flags, *resp, id;
1161 struct eap_ttls_data *data = priv;
1163 pos = eap_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret,
1164 reqData, reqDataLen, &left, &flags);
1167 req = (const struct eap_hdr *) reqData;
1168 id = req->identifier;
1170 if (flags & EAP_TLS_FLAGS_START) {
1171 wpa_printf(MSG_DEBUG, "EAP-TTLS: Start");
1172 /* draft-ietf-pppext-eap-ttls-03.txt, Ch. 8.1:
1173 * EAP-TTLS Start packet may, in a future specification, be
1174 * allowed to contain data. Client based on this draft version
1175 * must ignore such data but must not reject the Start packet.
1181 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1183 res = eap_ttls_decrypt(sm, data, ret, req, pos, left,
1184 &resp, respDataLen);
1186 res = eap_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS, 0,
1188 &resp, respDataLen);
1190 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
1191 wpa_printf(MSG_DEBUG,
1192 "EAP-TTLS: TLS done, proceed to Phase 2");
1193 if (data->resuming) {
1194 wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth -"
1195 " may skip Phase 2");
1196 ret->decision = DECISION_COND_SUCC;
1197 ret->methodState = METHOD_MAY_CONT;
1199 data->phase2_start = 1;
1200 free(data->key_data);
1202 eap_tls_derive_key(sm, &data->ssl,
1203 "ttls keying material",
1205 if (data->key_data) {
1206 wpa_hexdump_key(MSG_DEBUG,
1207 "EAP-TTLS: Derived key",
1211 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to "
1215 if (*respDataLen == 0) {
1216 if (eap_ttls_decrypt(sm, data, ret, req, NULL,
1217 0, &resp, respDataLen)) {
1218 wpa_printf(MSG_WARNING, "EAP-TTLS: "
1219 "failed to process early "
1220 "start for Phase 2");
1228 if (ret->methodState == METHOD_DONE) {
1229 ret->allowNotifications = FALSE;
1230 if (ret->decision == DECISION_UNCOND_SUCC ||
1231 ret->decision == DECISION_COND_SUCC) {
1232 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1233 "completed successfully");
1234 data->phase2_success = 1;
1236 } else if (sm->workaround && ret->methodState == METHOD_MAY_CONT &&
1237 (ret->decision == DECISION_UNCOND_SUCC ||
1238 ret->decision == DECISION_COND_SUCC)) {
1239 wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1240 "completed successfully (EAP workaround)");
1241 data->phase2_success = 1;
1245 return eap_tls_build_ack(&data->ssl, respDataLen, id,
1252 static Boolean eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv)
1254 struct eap_ttls_data *data = priv;
1255 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1256 data->phase2_success;
1260 static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv)
1262 struct eap_ttls_data *data = priv;
1263 free(data->pending_phase2_req);
1264 data->pending_phase2_req = NULL;
1268 static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv)
1270 struct eap_ttls_data *data = priv;
1271 free(data->key_data);
1272 data->key_data = NULL;
1273 if (eap_tls_reauth_init(sm, &data->ssl)) {
1277 data->phase2_start = 0;
1278 data->phase2_success = 0;
1285 static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf,
1286 size_t buflen, int verbose)
1288 struct eap_ttls_data *data = priv;
1291 len = eap_tls_status(sm, &data->ssl, buf, buflen, verbose);
1292 switch (data->phase2_type) {
1293 case EAP_TTLS_PHASE2_EAP:
1294 len += snprintf(buf + len, buflen - len,
1295 "EAP-TTLS Phase2 method=EAP-%s\n",
1296 data->phase2_method ? data->phase2_method->name
1299 case EAP_TTLS_PHASE2_MSCHAPV2:
1300 len += snprintf(buf + len, buflen - len,
1301 "EAP-TTLS Phase2 method=MSCHAPV2\n");
1303 case EAP_TTLS_PHASE2_MSCHAP:
1304 len += snprintf(buf + len, buflen - len,
1305 "EAP-TTLS Phase2 method=MSCHAP\n");
1307 case EAP_TTLS_PHASE2_PAP:
1308 len += snprintf(buf + len, buflen - len,
1309 "EAP-TTLS Phase2 method=PAP\n");
1311 case EAP_TTLS_PHASE2_CHAP:
1312 len += snprintf(buf + len, buflen - len,
1313 "EAP-TTLS Phase2 method=CHAP\n");
1321 static Boolean eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv)
1323 struct eap_ttls_data *data = priv;
1324 return data->key_data != NULL && data->phase2_success;
1328 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1330 struct eap_ttls_data *data = priv;
1333 if (data->key_data == NULL || !data->phase2_success)
1336 key = malloc(EAP_TLS_KEY_LEN);
1340 *len = EAP_TLS_KEY_LEN;
1341 memcpy(key, data->key_data, EAP_TLS_KEY_LEN);
1347 const struct eap_method eap_method_ttls =
1349 .method = EAP_TYPE_TTLS,
1351 .init = eap_ttls_init,
1352 .deinit = eap_ttls_deinit,
1353 .process = eap_ttls_process,
1354 .isKeyAvailable = eap_ttls_isKeyAvailable,
1355 .getKey = eap_ttls_getKey,
1356 .get_status = eap_ttls_get_status,
1357 .has_reauth_data = eap_ttls_has_reauth_data,
1358 .deinit_for_reauth = eap_ttls_deinit_for_reauth,
1359 .init_for_reauth = eap_ttls_init_for_reauth,