2 * hostapd / EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt)
3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/sha1.h"
13 #include "crypto/tls.h"
14 #include "crypto/random.h"
16 #include "eap_tls_common.h"
17 #include "eap_common/eap_tlv_common.h"
18 #include "eap_common/eap_peap_common.h"
22 /* Maximum supported PEAP version
23 * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
24 * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt
26 #define EAP_PEAP_VERSION 1
29 static void eap_peap_reset(struct eap_sm *sm, void *priv);
32 struct eap_peap_data {
33 struct eap_ssl_data ssl;
35 START, PHASE1, PHASE1_ID2, PHASE2_START, PHASE2_ID,
36 PHASE2_METHOD, PHASE2_SOH,
37 PHASE2_TLV, SUCCESS_REQ, FAILURE_REQ, SUCCESS, FAILURE
42 const struct eap_method *phase2_method;
45 struct wpabuf *pending_phase2_resp;
46 enum { TLV_REQ_NONE, TLV_REQ_SUCCESS, TLV_REQ_FAILURE } tlv_request;
47 int crypto_binding_sent;
48 int crypto_binding_used;
49 enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding;
54 size_t phase2_key_len;
55 struct wpabuf *soh_response;
59 static const char * eap_peap_state_txt(int state)
69 return "PHASE2_START";
73 return "PHASE2_METHOD";
92 static void eap_peap_state(struct eap_peap_data *data, int state)
94 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s -> %s",
95 eap_peap_state_txt(data->state),
96 eap_peap_state_txt(state));
101 static void eap_peap_req_success(struct eap_sm *sm,
102 struct eap_peap_data *data)
104 if (data->state == FAILURE || data->state == FAILURE_REQ) {
105 eap_peap_state(data, FAILURE);
109 if (data->peap_version == 0) {
110 data->tlv_request = TLV_REQ_SUCCESS;
111 eap_peap_state(data, PHASE2_TLV);
113 eap_peap_state(data, SUCCESS_REQ);
118 static void eap_peap_req_failure(struct eap_sm *sm,
119 struct eap_peap_data *data)
121 if (data->state == FAILURE || data->state == FAILURE_REQ ||
122 data->state == SUCCESS_REQ || data->tlv_request != TLV_REQ_NONE) {
123 eap_peap_state(data, FAILURE);
127 if (data->peap_version == 0) {
128 data->tlv_request = TLV_REQ_FAILURE;
129 eap_peap_state(data, PHASE2_TLV);
131 eap_peap_state(data, FAILURE_REQ);
136 static void * eap_peap_init(struct eap_sm *sm)
138 struct eap_peap_data *data;
140 data = os_zalloc(sizeof(*data));
143 data->peap_version = EAP_PEAP_VERSION;
144 data->force_version = -1;
145 if (sm->user && sm->user->force_version >= 0) {
146 data->force_version = sm->user->force_version;
147 wpa_printf(MSG_DEBUG, "EAP-PEAP: forcing version %d",
148 data->force_version);
149 data->peap_version = data->force_version;
152 data->crypto_binding = OPTIONAL_BINDING;
154 if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
155 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
156 eap_peap_reset(sm, data);
164 static void eap_peap_reset(struct eap_sm *sm, void *priv)
166 struct eap_peap_data *data = priv;
169 if (data->phase2_priv && data->phase2_method)
170 data->phase2_method->reset(sm, data->phase2_priv);
171 eap_server_tls_ssl_deinit(sm, &data->ssl);
172 wpabuf_free(data->pending_phase2_resp);
173 os_free(data->phase2_key);
174 wpabuf_free(data->soh_response);
179 static struct wpabuf * eap_peap_build_start(struct eap_sm *sm,
180 struct eap_peap_data *data, u8 id)
184 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PEAP, 1,
185 EAP_CODE_REQUEST, id);
187 wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to allocate memory for"
189 eap_peap_state(data, FAILURE);
193 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->peap_version);
195 eap_peap_state(data, PHASE1);
201 static struct wpabuf * eap_peap_build_phase2_req(struct eap_sm *sm,
202 struct eap_peap_data *data,
205 struct wpabuf *buf, *encr_req, msgbuf;
209 if (data->phase2_method == NULL || data->phase2_priv == NULL) {
210 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 method not ready");
213 buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
217 req = wpabuf_head(buf);
218 req_len = wpabuf_len(buf);
219 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
222 if (data->peap_version == 0 &&
223 data->phase2_method->method != EAP_TYPE_TLV) {
224 req += sizeof(struct eap_hdr);
225 req_len -= sizeof(struct eap_hdr);
228 wpabuf_set(&msgbuf, req, req_len);
229 encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
236 #ifdef EAP_SERVER_TNC
237 static struct wpabuf * eap_peap_build_phase2_soh(struct eap_sm *sm,
238 struct eap_peap_data *data,
241 struct wpabuf *buf1, *buf, *encr_req, msgbuf;
245 buf1 = tncs_build_soh_request();
249 buf = eap_msg_alloc(EAP_VENDOR_MICROSOFT, 0x21, wpabuf_len(buf1),
250 EAP_CODE_REQUEST, id);
255 wpabuf_put_buf(buf, buf1);
258 req = wpabuf_head(buf);
259 req_len = wpabuf_len(buf);
261 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 SOH data",
264 req += sizeof(struct eap_hdr);
265 req_len -= sizeof(struct eap_hdr);
266 wpabuf_set(&msgbuf, req, req_len);
268 encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
273 #endif /* EAP_SERVER_TNC */
276 static void eap_peap_get_isk(struct eap_peap_data *data,
277 u8 *isk, size_t isk_len)
281 os_memset(isk, 0, isk_len);
282 if (data->phase2_key == NULL)
285 key_len = data->phase2_key_len;
286 if (key_len > isk_len)
288 os_memcpy(isk, data->phase2_key, key_len);
292 static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
295 u8 isk[32], imck[60];
298 * Tunnel key (TK) is the first 60 octets of the key generated by
299 * phase 1 of PEAP (based on TLS).
301 tk = eap_server_tls_derive_key(sm, &data->ssl, "client EAP encryption",
305 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60);
307 eap_peap_get_isk(data, isk, sizeof(isk));
308 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk));
311 * IPMK Seed = "Inner Methods Compound Keys" | ISK
312 * TempKey = First 40 octets of TK
313 * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60)
314 * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space
315 * in the end of the label just before ISK; is that just a typo?)
317 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40);
318 if (peap_prfplus(data->peap_version, tk, 40,
319 "Inner Methods Compound Keys",
320 isk, sizeof(isk), imck, sizeof(imck)) < 0) {
324 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)",
329 /* TODO: fast-connect: IPMK|CMK = TK */
330 os_memcpy(data->ipmk, imck, 40);
331 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40);
332 os_memcpy(data->cmk, imck + 40, 20);
333 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20);
339 static struct wpabuf * eap_peap_build_phase2_tlv(struct eap_sm *sm,
340 struct eap_peap_data *data,
343 struct wpabuf *buf, *encr_req;
346 mlen = 6; /* Result TLV */
347 if (data->crypto_binding != NO_BINDING)
348 mlen += 60; /* Cryptobinding TLV */
349 #ifdef EAP_SERVER_TNC
350 if (data->soh_response)
351 mlen += wpabuf_len(data->soh_response);
352 #endif /* EAP_SERVER_TNC */
354 buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, mlen,
355 EAP_CODE_REQUEST, id);
359 wpabuf_put_u8(buf, 0x80); /* Mandatory */
360 wpabuf_put_u8(buf, EAP_TLV_RESULT_TLV);
362 wpabuf_put_be16(buf, 2);
364 wpabuf_put_be16(buf, data->tlv_request == TLV_REQ_SUCCESS ?
365 EAP_TLV_RESULT_SUCCESS : EAP_TLV_RESULT_FAILURE);
367 if (data->peap_version == 0 && data->tlv_request == TLV_REQ_SUCCESS &&
368 data->crypto_binding != NO_BINDING) {
370 u8 eap_type = EAP_TYPE_PEAP;
375 #ifdef EAP_SERVER_TNC
376 if (data->soh_response) {
377 wpa_printf(MSG_DEBUG, "EAP-PEAP: Adding MS-SOH "
379 wpabuf_put_buf(buf, data->soh_response);
380 wpabuf_free(data->soh_response);
381 data->soh_response = NULL;
383 #endif /* EAP_SERVER_TNC */
385 if (eap_peap_derive_cmk(sm, data) < 0 ||
386 random_get_bytes(data->binding_nonce, 32)) {
391 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
392 addr[0] = wpabuf_put(buf, 0);
397 tlv_type = EAP_TLV_CRYPTO_BINDING_TLV;
398 wpabuf_put_be16(buf, tlv_type);
399 wpabuf_put_be16(buf, 56);
401 wpabuf_put_u8(buf, 0); /* Reserved */
402 wpabuf_put_u8(buf, data->peap_version); /* Version */
403 wpabuf_put_u8(buf, data->recv_version); /* RecvVersion */
404 wpabuf_put_u8(buf, 0); /* SubType: 0 = Request, 1 = Response */
405 wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */
406 mac = wpabuf_put(buf, 20); /* Compound_MAC */
407 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK",
409 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1",
411 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2",
413 hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac);
414 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC",
416 data->crypto_binding_sent = 1;
419 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 TLV data",
422 encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf);
429 static struct wpabuf * eap_peap_build_phase2_term(struct eap_sm *sm,
430 struct eap_peap_data *data,
433 struct wpabuf *encr_req, msgbuf;
437 req_len = sizeof(*hdr);
438 hdr = os_zalloc(req_len);
442 hdr->code = success ? EAP_CODE_SUCCESS : EAP_CODE_FAILURE;
443 hdr->identifier = id;
444 hdr->length = host_to_be16(req_len);
446 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
447 (u8 *) hdr, req_len);
449 wpabuf_set(&msgbuf, hdr, req_len);
450 encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
457 static struct wpabuf * eap_peap_buildReq(struct eap_sm *sm, void *priv, u8 id)
459 struct eap_peap_data *data = priv;
461 if (data->ssl.state == FRAG_ACK) {
462 return eap_server_tls_build_ack(id, EAP_TYPE_PEAP,
466 if (data->ssl.state == WAIT_FRAG_ACK) {
467 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_PEAP,
468 data->peap_version, id);
471 switch (data->state) {
473 return eap_peap_build_start(sm, data, id);
476 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
477 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, "
479 eap_peap_state(data, PHASE2_START);
484 wpabuf_free(data->ssl.tls_out);
485 data->ssl.tls_out_pos = 0;
486 data->ssl.tls_out = eap_peap_build_phase2_req(sm, data, id);
488 #ifdef EAP_SERVER_TNC
490 wpabuf_free(data->ssl.tls_out);
491 data->ssl.tls_out_pos = 0;
492 data->ssl.tls_out = eap_peap_build_phase2_soh(sm, data, id);
494 #endif /* EAP_SERVER_TNC */
496 wpabuf_free(data->ssl.tls_out);
497 data->ssl.tls_out_pos = 0;
498 data->ssl.tls_out = eap_peap_build_phase2_tlv(sm, data, id);
501 wpabuf_free(data->ssl.tls_out);
502 data->ssl.tls_out_pos = 0;
503 data->ssl.tls_out = eap_peap_build_phase2_term(sm, data, id,
507 wpabuf_free(data->ssl.tls_out);
508 data->ssl.tls_out_pos = 0;
509 data->ssl.tls_out = eap_peap_build_phase2_term(sm, data, id,
513 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - unexpected state %d",
514 __func__, data->state);
518 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_PEAP,
519 data->peap_version, id);
523 static Boolean eap_peap_check(struct eap_sm *sm, void *priv,
524 struct wpabuf *respData)
529 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PEAP, respData, &len);
530 if (pos == NULL || len < 1) {
531 wpa_printf(MSG_INFO, "EAP-PEAP: Invalid frame");
539 static int eap_peap_phase2_init(struct eap_sm *sm, struct eap_peap_data *data,
542 if (data->phase2_priv && data->phase2_method) {
543 data->phase2_method->reset(sm, data->phase2_priv);
544 data->phase2_method = NULL;
545 data->phase2_priv = NULL;
547 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
549 if (!data->phase2_method)
553 data->phase2_priv = data->phase2_method->init(sm);
559 static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
560 struct eap_peap_data *data,
561 const u8 *crypto_tlv,
562 size_t crypto_tlv_len)
564 u8 buf[61], mac[SHA1_MAC_LEN];
567 if (crypto_tlv_len != 4 + 56) {
568 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV "
569 "length %d", (int) crypto_tlv_len);
574 pos += 4; /* TLV header */
575 if (pos[1] != data->peap_version) {
576 wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version "
577 "mismatch (was %d; expected %d)",
578 pos[1], data->peap_version);
583 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV "
584 "SubType %d", pos[3]);
588 pos += 32; /* Nonce */
590 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
591 os_memcpy(buf, crypto_tlv, 60);
592 os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */
593 buf[60] = EAP_TYPE_PEAP;
594 hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac);
596 if (os_memcmp(mac, pos, SHA1_MAC_LEN) != 0) {
597 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in "
598 "cryptobinding TLV");
599 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK", data->cmk, 20);
600 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding seed data",
605 wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received");
611 static void eap_peap_process_phase2_tlv(struct eap_sm *sm,
612 struct eap_peap_data *data,
613 struct wpabuf *in_data)
617 const u8 *result_tlv = NULL, *crypto_tlv = NULL;
618 size_t result_tlv_len = 0, crypto_tlv_len = 0;
619 int tlv_type, mandatory, tlv_len;
621 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, in_data, &left);
623 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid EAP-TLV header");
628 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received TLVs", pos, left);
630 mandatory = !!(pos[0] & 0x80);
631 tlv_type = pos[0] & 0x3f;
632 tlv_type = (tlv_type << 8) | pos[1];
633 tlv_len = ((int) pos[2] << 8) | pos[3];
636 if ((size_t) tlv_len > left) {
637 wpa_printf(MSG_DEBUG, "EAP-PEAP: TLV underrun "
638 "(tlv_len=%d left=%lu)", tlv_len,
639 (unsigned long) left);
640 eap_peap_state(data, FAILURE);
644 case EAP_TLV_RESULT_TLV:
646 result_tlv_len = tlv_len;
648 case EAP_TLV_CRYPTO_BINDING_TLV:
650 crypto_tlv_len = tlv_len;
653 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported TLV Type "
655 mandatory ? " (mandatory)" : "");
657 eap_peap_state(data, FAILURE);
660 /* Ignore this TLV, but process other TLVs */
668 wpa_printf(MSG_DEBUG, "EAP-PEAP: Last TLV too short in "
669 "Request (left=%lu)", (unsigned long) left);
670 eap_peap_state(data, FAILURE);
674 /* Process supported TLVs */
675 if (crypto_tlv && data->crypto_binding_sent) {
676 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV",
677 crypto_tlv, crypto_tlv_len);
678 if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4,
679 crypto_tlv_len + 4) < 0) {
680 eap_peap_state(data, FAILURE);
683 data->crypto_binding_used = 1;
684 } else if (!crypto_tlv && data->crypto_binding_sent &&
685 data->crypto_binding == REQUIRE_BINDING) {
686 wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV");
687 eap_peap_state(data, FAILURE);
693 const char *requested;
695 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Result TLV",
696 result_tlv, result_tlv_len);
697 if (result_tlv_len < 2) {
698 wpa_printf(MSG_INFO, "EAP-PEAP: Too short Result TLV "
700 (unsigned long) result_tlv_len);
701 eap_peap_state(data, FAILURE);
704 requested = data->tlv_request == TLV_REQ_SUCCESS ? "Success" :
706 status = WPA_GET_BE16(result_tlv);
707 if (status == EAP_TLV_RESULT_SUCCESS) {
708 wpa_printf(MSG_INFO, "EAP-PEAP: TLV Result - Success "
709 "- requested %s", requested);
710 if (data->tlv_request == TLV_REQ_SUCCESS)
711 eap_peap_state(data, SUCCESS);
713 eap_peap_state(data, FAILURE);
715 } else if (status == EAP_TLV_RESULT_FAILURE) {
716 wpa_printf(MSG_INFO, "EAP-PEAP: TLV Result - Failure "
717 "- requested %s", requested);
718 eap_peap_state(data, FAILURE);
720 wpa_printf(MSG_INFO, "EAP-PEAP: Unknown TLV Result "
721 "Status %d", status);
722 eap_peap_state(data, FAILURE);
728 #ifdef EAP_SERVER_TNC
729 static void eap_peap_process_phase2_soh(struct eap_sm *sm,
730 struct eap_peap_data *data,
731 struct wpabuf *in_data)
733 const u8 *pos, *vpos;
735 const u8 *soh_tlv = NULL;
736 size_t soh_tlv_len = 0;
737 int tlv_type, mandatory, tlv_len, vtlv_len;
741 pos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21, in_data, &left);
743 wpa_printf(MSG_DEBUG, "EAP-PEAP: Not a valid SoH EAP "
744 "Extensions Method header - skip TNC");
749 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received TLVs (SoH)", pos, left);
751 mandatory = !!(pos[0] & 0x80);
752 tlv_type = pos[0] & 0x3f;
753 tlv_type = (tlv_type << 8) | pos[1];
754 tlv_len = ((int) pos[2] << 8) | pos[3];
757 if ((size_t) tlv_len > left) {
758 wpa_printf(MSG_DEBUG, "EAP-PEAP: TLV underrun "
759 "(tlv_len=%d left=%lu)", tlv_len,
760 (unsigned long) left);
761 eap_peap_state(data, FAILURE);
765 case EAP_TLV_VENDOR_SPECIFIC_TLV:
767 wpa_printf(MSG_DEBUG, "EAP-PEAP: Too short "
768 "vendor specific TLV (len=%d)",
770 eap_peap_state(data, FAILURE);
774 vendor_id = WPA_GET_BE32(pos);
775 if (vendor_id != EAP_VENDOR_MICROSOFT) {
777 eap_peap_state(data, FAILURE);
784 mandatory = !!(vpos[0] & 0x80);
785 tlv_type = vpos[0] & 0x3f;
786 tlv_type = (tlv_type << 8) | vpos[1];
787 vtlv_len = ((int) vpos[2] << 8) | vpos[3];
789 if (vpos + vtlv_len > pos + left) {
790 wpa_printf(MSG_DEBUG, "EAP-PEAP: Vendor TLV "
792 eap_peap_state(data, FAILURE);
798 soh_tlv_len = vtlv_len;
802 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported MS-TLV "
803 "Type %d%s", tlv_type,
804 mandatory ? " (mandatory)" : "");
806 eap_peap_state(data, FAILURE);
809 /* Ignore this TLV, but process other TLVs */
812 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported TLV Type "
814 mandatory ? " (mandatory)" : "");
816 eap_peap_state(data, FAILURE);
819 /* Ignore this TLV, but process other TLVs */
827 wpa_printf(MSG_DEBUG, "EAP-PEAP: Last TLV too short in "
828 "Request (left=%lu)", (unsigned long) left);
829 eap_peap_state(data, FAILURE);
833 /* Process supported TLVs */
836 wpabuf_free(data->soh_response);
837 data->soh_response = tncs_process_soh(soh_tlv, soh_tlv_len,
840 eap_peap_state(data, FAILURE);
844 wpa_printf(MSG_DEBUG, "EAP-PEAP: No SoH TLV received");
845 eap_peap_state(data, FAILURE);
850 eap_peap_state(data, PHASE2_METHOD);
851 next_type = sm->user->methods[0].method;
852 sm->user_eap_method_index = 1;
853 wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP type %d", next_type);
854 eap_peap_phase2_init(sm, data, next_type);
856 #endif /* EAP_SERVER_TNC */
859 static void eap_peap_process_phase2_response(struct eap_sm *sm,
860 struct eap_peap_data *data,
861 struct wpabuf *in_data)
863 u8 next_type = EAP_TYPE_NONE;
864 const struct eap_hdr *hdr;
868 if (data->state == PHASE2_TLV) {
869 eap_peap_process_phase2_tlv(sm, data, in_data);
873 #ifdef EAP_SERVER_TNC
874 if (data->state == PHASE2_SOH) {
875 eap_peap_process_phase2_soh(sm, data, in_data);
878 #endif /* EAP_SERVER_TNC */
880 if (data->phase2_priv == NULL) {
881 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - Phase2 not "
882 "initialized?!", __func__);
886 hdr = wpabuf_head(in_data);
887 pos = (const u8 *) (hdr + 1);
889 if (wpabuf_len(in_data) > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
890 left = wpabuf_len(in_data) - sizeof(*hdr);
891 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Phase2 type Nak'ed; "
892 "allowed types", pos + 1, left - 1);
893 eap_sm_process_nak(sm, pos + 1, left - 1);
894 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
895 sm->user->methods[sm->user_eap_method_index].method !=
897 next_type = sm->user->methods[
898 sm->user_eap_method_index++].method;
899 wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP type %d",
902 eap_peap_req_failure(sm, data);
903 next_type = EAP_TYPE_NONE;
905 eap_peap_phase2_init(sm, data, next_type);
909 if (data->phase2_method->check(sm, data->phase2_priv, in_data)) {
910 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 check() asked to "
911 "ignore the packet");
915 data->phase2_method->process(sm, data->phase2_priv, in_data);
917 if (sm->method_pending == METHOD_PENDING_WAIT) {
918 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 method is in "
919 "pending wait state - save decrypted response");
920 wpabuf_free(data->pending_phase2_resp);
921 data->pending_phase2_resp = wpabuf_dup(in_data);
924 if (!data->phase2_method->isDone(sm, data->phase2_priv))
927 if (!data->phase2_method->isSuccess(sm, data->phase2_priv)) {
928 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 method failed");
929 eap_peap_req_failure(sm, data);
930 next_type = EAP_TYPE_NONE;
931 eap_peap_phase2_init(sm, data, next_type);
935 os_free(data->phase2_key);
936 if (data->phase2_method->getKey) {
937 data->phase2_key = data->phase2_method->getKey(
938 sm, data->phase2_priv, &data->phase2_key_len);
939 if (data->phase2_key == NULL) {
940 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 getKey "
942 eap_peap_req_failure(sm, data);
943 eap_peap_phase2_init(sm, data, EAP_TYPE_NONE);
948 switch (data->state) {
952 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
953 wpa_hexdump_ascii(MSG_DEBUG, "EAP_PEAP: Phase2 "
954 "Identity not found in the user "
956 sm->identity, sm->identity_len);
957 eap_peap_req_failure(sm, data);
958 next_type = EAP_TYPE_NONE;
962 #ifdef EAP_SERVER_TNC
963 if (data->state != PHASE2_SOH && sm->tnc &&
964 data->peap_version == 0) {
965 eap_peap_state(data, PHASE2_SOH);
966 wpa_printf(MSG_DEBUG, "EAP-PEAP: Try to initialize "
968 next_type = EAP_TYPE_NONE;
971 #endif /* EAP_SERVER_TNC */
973 eap_peap_state(data, PHASE2_METHOD);
974 next_type = sm->user->methods[0].method;
975 sm->user_eap_method_index = 1;
976 wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP type %d", next_type);
979 eap_peap_req_success(sm, data);
980 next_type = EAP_TYPE_NONE;
985 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - unexpected state %d",
986 __func__, data->state);
990 eap_peap_phase2_init(sm, data, next_type);
994 static void eap_peap_process_phase2(struct eap_sm *sm,
995 struct eap_peap_data *data,
996 const struct wpabuf *respData,
997 struct wpabuf *in_buf)
999 struct wpabuf *in_decrypted;
1000 const struct eap_hdr *hdr;
1003 wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for"
1004 " Phase 2", (unsigned long) wpabuf_len(in_buf));
1006 if (data->pending_phase2_resp) {
1007 wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - "
1008 "skip decryption and use old data");
1009 eap_peap_process_phase2_response(sm, data,
1010 data->pending_phase2_resp);
1011 wpabuf_free(data->pending_phase2_resp);
1012 data->pending_phase2_resp = NULL;
1016 in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
1018 if (in_decrypted == NULL) {
1019 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to decrypt Phase 2 "
1021 eap_peap_state(data, FAILURE);
1025 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP",
1028 if (data->peap_version == 0 && data->state != PHASE2_TLV) {
1029 const struct eap_hdr *resp;
1030 struct eap_hdr *nhdr;
1031 struct wpabuf *nbuf =
1032 wpabuf_alloc(sizeof(struct eap_hdr) +
1033 wpabuf_len(in_decrypted));
1035 wpabuf_free(in_decrypted);
1039 resp = wpabuf_head(respData);
1040 nhdr = wpabuf_put(nbuf, sizeof(*nhdr));
1041 nhdr->code = resp->code;
1042 nhdr->identifier = resp->identifier;
1043 nhdr->length = host_to_be16(sizeof(struct eap_hdr) +
1044 wpabuf_len(in_decrypted));
1045 wpabuf_put_buf(nbuf, in_decrypted);
1046 wpabuf_free(in_decrypted);
1048 in_decrypted = nbuf;
1051 hdr = wpabuf_head(in_decrypted);
1052 if (wpabuf_len(in_decrypted) < (int) sizeof(*hdr)) {
1053 wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 "
1054 "EAP frame (len=%lu)",
1055 (unsigned long) wpabuf_len(in_decrypted));
1056 wpabuf_free(in_decrypted);
1057 eap_peap_req_failure(sm, data);
1060 len = be_to_host16(hdr->length);
1061 if (len > wpabuf_len(in_decrypted)) {
1062 wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in "
1063 "Phase 2 EAP frame (len=%lu hdr->length=%lu)",
1064 (unsigned long) wpabuf_len(in_decrypted),
1065 (unsigned long) len);
1066 wpabuf_free(in_decrypted);
1067 eap_peap_req_failure(sm, data);
1070 wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d "
1071 "identifier=%d length=%lu", hdr->code, hdr->identifier,
1072 (unsigned long) len);
1073 switch (hdr->code) {
1074 case EAP_CODE_RESPONSE:
1075 eap_peap_process_phase2_response(sm, data, in_decrypted);
1077 case EAP_CODE_SUCCESS:
1078 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success");
1079 if (data->state == SUCCESS_REQ) {
1080 eap_peap_state(data, SUCCESS);
1083 case EAP_CODE_FAILURE:
1084 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure");
1085 eap_peap_state(data, FAILURE);
1088 wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in "
1089 "Phase 2 EAP header", hdr->code);
1093 wpabuf_free(in_decrypted);
1097 static int eap_peap_process_version(struct eap_sm *sm, void *priv,
1100 struct eap_peap_data *data = priv;
1102 data->recv_version = peer_version;
1103 if (data->force_version >= 0 && peer_version != data->force_version) {
1104 wpa_printf(MSG_INFO, "EAP-PEAP: peer did not select the forced"
1105 " version (forced=%d peer=%d) - reject",
1106 data->force_version, peer_version);
1109 if (peer_version < data->peap_version) {
1110 wpa_printf(MSG_DEBUG, "EAP-PEAP: peer ver=%d, own ver=%d; "
1112 peer_version, data->peap_version, peer_version);
1113 data->peap_version = peer_version;
1120 static void eap_peap_process_msg(struct eap_sm *sm, void *priv,
1121 const struct wpabuf *respData)
1123 struct eap_peap_data *data = priv;
1125 switch (data->state) {
1127 if (eap_server_tls_phase1(sm, &data->ssl) < 0) {
1128 eap_peap_state(data, FAILURE);
1133 eap_peap_state(data, PHASE2_ID);
1134 eap_peap_phase2_init(sm, data, EAP_TYPE_IDENTITY);
1141 eap_peap_process_phase2(sm, data, respData, data->ssl.tls_in);
1144 eap_peap_state(data, SUCCESS);
1147 eap_peap_state(data, FAILURE);
1150 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected state %d in %s",
1151 data->state, __func__);
1157 static void eap_peap_process(struct eap_sm *sm, void *priv,
1158 struct wpabuf *respData)
1160 struct eap_peap_data *data = priv;
1161 if (eap_server_tls_process(sm, &data->ssl, respData, data,
1162 EAP_TYPE_PEAP, eap_peap_process_version,
1163 eap_peap_process_msg) < 0)
1164 eap_peap_state(data, FAILURE);
1168 static Boolean eap_peap_isDone(struct eap_sm *sm, void *priv)
1170 struct eap_peap_data *data = priv;
1171 return data->state == SUCCESS || data->state == FAILURE;
1175 static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len)
1177 struct eap_peap_data *data = priv;
1180 if (data->state != SUCCESS)
1183 if (data->crypto_binding_used) {
1186 * Note: It looks like Microsoft implementation requires null
1187 * termination for this label while the one used for deriving
1188 * IPMK|CMK did not use null termination.
1190 if (peap_prfplus(data->peap_version, data->ipmk, 40,
1191 "Session Key Generating Function",
1192 (u8 *) "\00", 1, csk, sizeof(csk)) < 0)
1194 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk));
1195 eapKeyData = os_malloc(EAP_TLS_KEY_LEN);
1197 os_memcpy(eapKeyData, csk, EAP_TLS_KEY_LEN);
1198 *len = EAP_TLS_KEY_LEN;
1199 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",
1200 eapKeyData, EAP_TLS_KEY_LEN);
1202 wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to derive "
1209 /* TODO: PEAPv1 - different label in some cases */
1210 eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1211 "client EAP encryption",
1214 *len = EAP_TLS_KEY_LEN;
1215 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",
1216 eapKeyData, EAP_TLS_KEY_LEN);
1218 wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to derive key");
1225 static Boolean eap_peap_isSuccess(struct eap_sm *sm, void *priv)
1227 struct eap_peap_data *data = priv;
1228 return data->state == SUCCESS;
1232 int eap_server_peap_register(void)
1234 struct eap_method *eap;
1237 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1238 EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP");
1242 eap->init = eap_peap_init;
1243 eap->reset = eap_peap_reset;
1244 eap->buildReq = eap_peap_buildReq;
1245 eap->check = eap_peap_check;
1246 eap->process = eap_peap_process;
1247 eap->isDone = eap_peap_isDone;
1248 eap->getKey = eap_peap_getKey;
1249 eap->isSuccess = eap_peap_isSuccess;
1251 ret = eap_server_method_register(eap);
1253 eap_server_method_free(eap);