2 * hostapd / EAP-TTLS (draft-ietf-pppext-eap-ttls-05.txt)
3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
18 #include "eap_server/eap_i.h"
19 #include "eap_server/eap_tls_common.h"
22 #include "eap_common/chap.h"
24 #include "eap_common/eap_ttls.h"
27 /* Maximum supported TTLS version
28 * 0 = draft-ietf-pppext-eap-ttls-03.txt / draft-funk-eap-ttls-v0-00.txt
29 * 1 = draft-funk-eap-ttls-v1-00.txt
31 #ifndef EAP_TTLS_VERSION
32 #define EAP_TTLS_VERSION 0 /* TTLSv1 implementation is not yet complete */
33 #endif /* EAP_TTLS_VERSION */
36 #define MSCHAPV2_KEY_LEN 16
39 static void eap_ttls_reset(struct eap_sm *sm, void *priv);
42 struct eap_ttls_data {
43 struct eap_ssl_data ssl;
45 START, PHASE1, PHASE2_START, PHASE2_METHOD,
46 PHASE2_MSCHAPV2_RESP, PHASE_FINISHED, SUCCESS, FAILURE
51 const struct eap_method *phase2_method;
54 u8 mschapv2_auth_response[20];
56 int tls_ia_configured;
57 struct wpabuf *pending_phase2_eap_resp;
61 static const char * eap_ttls_state_txt(int state)
69 return "PHASE2_START";
71 return "PHASE2_METHOD";
72 case PHASE2_MSCHAPV2_RESP:
73 return "PHASE2_MSCHAPV2_RESP";
75 return "PHASE_FINISHED";
86 static void eap_ttls_state(struct eap_ttls_data *data, int state)
88 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s",
89 eap_ttls_state_txt(data->state),
90 eap_ttls_state_txt(state));
95 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
96 int mandatory, size_t len)
98 struct ttls_avp_vendor *avp;
102 avp = (struct ttls_avp_vendor *) avphdr;
103 flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
105 flags |= AVP_FLAGS_VENDOR;
106 hdrlen = sizeof(*avp);
107 avp->vendor_id = host_to_be32(vendor_id);
109 hdrlen = sizeof(struct ttls_avp);
112 avp->avp_code = host_to_be32(avp_code);
113 avp->avp_length = host_to_be32((flags << 24) | (hdrlen + len));
115 return avphdr + hdrlen;
119 static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp,
120 u32 avp_code, int mandatory)
125 avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4);
131 pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory,
133 os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp));
134 pos += wpabuf_len(resp);
135 AVP_PAD((const u8 *) wpabuf_head(avp), pos);
137 wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp));
142 struct eap_ttls_avp {
143 /* Note: eap is allocated memory; caller is responsible for freeing
144 * it. All the other pointers are pointing to the packet data, i.e.,
145 * they must not be freed separately. */
149 size_t user_name_len;
151 size_t user_password_len;
153 size_t chap_challenge_len;
155 size_t chap_password_len;
156 u8 *mschap_challenge;
157 size_t mschap_challenge_len;
159 size_t mschap_response_len;
160 u8 *mschap2_response;
161 size_t mschap2_response_len;
165 static int eap_ttls_avp_parse(u8 *buf, size_t len, struct eap_ttls_avp *parse)
167 struct ttls_avp *avp;
173 os_memset(parse, 0, sizeof(*parse));
176 u32 avp_code, avp_length, vendor_id = 0;
179 avp = (struct ttls_avp *) pos;
180 avp_code = be_to_host32(avp->avp_code);
181 avp_length = be_to_host32(avp->avp_length);
182 avp_flags = (avp_length >> 24) & 0xff;
183 avp_length &= 0xffffff;
184 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
185 "length=%d", (int) avp_code, avp_flags,
187 if ((int) avp_length > left) {
188 wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
189 "(len=%d, left=%d) - dropped",
190 (int) avp_length, left);
193 if (avp_length < sizeof(*avp)) {
194 wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length "
198 dpos = (u8 *) (avp + 1);
199 dlen = avp_length - sizeof(*avp);
200 if (avp_flags & AVP_FLAGS_VENDOR) {
202 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP "
206 vendor_id = be_to_host32(* (be32 *) dpos);
207 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
213 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
215 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
216 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
217 if (parse->eap == NULL) {
218 parse->eap = os_malloc(dlen);
219 if (parse->eap == NULL) {
220 wpa_printf(MSG_WARNING, "EAP-TTLS: "
221 "failed to allocate memory "
222 "for Phase 2 EAP data");
225 os_memcpy(parse->eap, dpos, dlen);
226 parse->eap_len = dlen;
228 u8 *neweap = os_realloc(parse->eap,
229 parse->eap_len + dlen);
230 if (neweap == NULL) {
231 wpa_printf(MSG_WARNING, "EAP-TTLS: "
232 "failed to allocate memory "
233 "for Phase 2 EAP data");
236 os_memcpy(neweap + parse->eap_len, dpos, dlen);
238 parse->eap_len += dlen;
240 } else if (vendor_id == 0 &&
241 avp_code == RADIUS_ATTR_USER_NAME) {
242 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name",
244 parse->user_name = dpos;
245 parse->user_name_len = dlen;
246 } else if (vendor_id == 0 &&
247 avp_code == RADIUS_ATTR_USER_PASSWORD) {
249 size_t password_len = dlen;
250 while (password_len > 0 &&
251 password[password_len - 1] == '\0') {
254 wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: "
255 "User-Password (PAP)",
256 password, password_len);
257 parse->user_password = password;
258 parse->user_password_len = password_len;
259 } else if (vendor_id == 0 &&
260 avp_code == RADIUS_ATTR_CHAP_CHALLENGE) {
261 wpa_hexdump(MSG_DEBUG,
262 "EAP-TTLS: CHAP-Challenge (CHAP)",
264 parse->chap_challenge = dpos;
265 parse->chap_challenge_len = dlen;
266 } else if (vendor_id == 0 &&
267 avp_code == RADIUS_ATTR_CHAP_PASSWORD) {
268 wpa_hexdump(MSG_DEBUG,
269 "EAP-TTLS: CHAP-Password (CHAP)",
271 parse->chap_password = dpos;
272 parse->chap_password_len = dlen;
273 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
274 avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) {
275 wpa_hexdump(MSG_DEBUG,
276 "EAP-TTLS: MS-CHAP-Challenge",
278 parse->mschap_challenge = dpos;
279 parse->mschap_challenge_len = dlen;
280 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
281 avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) {
282 wpa_hexdump(MSG_DEBUG,
283 "EAP-TTLS: MS-CHAP-Response (MSCHAP)",
285 parse->mschap_response = dpos;
286 parse->mschap_response_len = dlen;
287 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
288 avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) {
289 wpa_hexdump(MSG_DEBUG,
290 "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)",
292 parse->mschap2_response = dpos;
293 parse->mschap2_response_len = dlen;
294 } else if (avp_flags & AVP_FLAGS_MANDATORY) {
295 wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported "
296 "mandatory AVP code %d vendor_id %d - "
297 "dropped", (int) avp_code, (int) vendor_id);
300 wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported "
301 "AVP code %d vendor_id %d",
302 (int) avp_code, (int) vendor_id);
305 pad = (4 - (avp_length & 3)) & 3;
306 pos += avp_length + pad;
307 left -= avp_length + pad;
319 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
320 struct eap_ttls_data *data, size_t len)
322 struct tls_keys keys;
325 if (data->ttls_version == 0) {
326 return eap_server_tls_derive_key(sm, &data->ssl,
327 "ttls challenge", len);
330 os_memset(&keys, 0, sizeof(keys));
331 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
332 keys.client_random == NULL || keys.server_random == NULL ||
333 keys.inner_secret == NULL) {
334 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
335 "client random, or server random to derive "
336 "implicit challenge");
340 rnd = os_malloc(keys.client_random_len + keys.server_random_len);
341 challenge = os_malloc(len);
342 if (rnd == NULL || challenge == NULL) {
343 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for implicit "
344 "challenge derivation");
349 os_memcpy(rnd, keys.server_random, keys.server_random_len);
350 os_memcpy(rnd + keys.server_random_len, keys.client_random,
351 keys.client_random_len);
353 if (tls_prf(keys.inner_secret, keys.inner_secret_len,
354 "inner application challenge", rnd,
355 keys.client_random_len + keys.server_random_len,
357 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive implicit "
366 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived implicit challenge",
373 static void * eap_ttls_init(struct eap_sm *sm)
375 struct eap_ttls_data *data;
377 data = os_zalloc(sizeof(*data));
380 data->ttls_version = EAP_TTLS_VERSION;
381 data->force_version = -1;
382 if (sm->user && sm->user->force_version >= 0) {
383 data->force_version = sm->user->force_version;
384 wpa_printf(MSG_DEBUG, "EAP-TTLS: forcing version %d",
385 data->force_version);
386 data->ttls_version = data->force_version;
390 if (!(tls_capabilities(sm->ssl_ctx) & TLS_CAPABILITY_IA) &&
391 data->ttls_version > 0) {
392 if (data->force_version > 0) {
393 wpa_printf(MSG_INFO, "EAP-TTLS: Forced TTLSv%d and "
394 "TLS library does not support TLS/IA.",
395 data->force_version);
396 eap_ttls_reset(sm, data);
399 data->ttls_version = 0;
402 if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
403 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
404 eap_ttls_reset(sm, data);
412 static void eap_ttls_reset(struct eap_sm *sm, void *priv)
414 struct eap_ttls_data *data = priv;
417 if (data->phase2_priv && data->phase2_method)
418 data->phase2_method->reset(sm, data->phase2_priv);
419 eap_server_tls_ssl_deinit(sm, &data->ssl);
420 wpabuf_free(data->pending_phase2_eap_resp);
425 static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm,
426 struct eap_ttls_data *data, u8 id)
430 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1,
431 EAP_CODE_REQUEST, id);
433 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for"
435 eap_ttls_state(data, FAILURE);
439 wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version);
441 eap_ttls_state(data, PHASE1);
447 static struct wpabuf * eap_ttls_build_req(struct eap_sm *sm,
448 struct eap_ttls_data *data, u8 id)
453 res = eap_server_tls_buildReq_helper(sm, &data->ssl, EAP_TYPE_TTLS,
454 data->ttls_version, id, &req);
456 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
457 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, starting "
459 eap_ttls_state(data, PHASE2_START);
463 return eap_server_tls_build_ack(id, EAP_TYPE_TTLS,
469 static struct wpabuf * eap_ttls_encrypt(struct eap_sm *sm,
470 struct eap_ttls_data *data,
471 u8 id, u8 *plain, size_t plain_len)
476 /* TODO: add support for fragmentation, if needed. This will need to
477 * add TLS Message Length field, if the frame is fragmented. */
478 buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS,
479 1 + data->ssl.tls_out_limit,
480 EAP_CODE_REQUEST, id);
484 wpabuf_put_u8(buf, data->ttls_version);
486 res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
487 plain, plain_len, wpabuf_put(buf, 0),
488 data->ssl.tls_out_limit);
490 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt Phase 2 "
496 wpabuf_put(buf, res);
503 static struct wpabuf * eap_ttls_build_phase2_eap_req(
504 struct eap_sm *sm, struct eap_ttls_data *data, u8 id)
506 struct wpabuf *buf, *encr_req;
511 buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
515 wpa_hexdump_buf_key(MSG_DEBUG,
516 "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf);
518 buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1);
520 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate "
525 req = wpabuf_mhead(buf);
526 req_len = wpabuf_len(buf);
527 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated Phase "
528 "2 data", req, req_len);
530 encr_req = eap_ttls_encrypt(sm, data, id, req, req_len);
537 static struct wpabuf * eap_ttls_build_phase2_mschapv2(
538 struct eap_sm *sm, struct eap_ttls_data *data, u8 id)
540 struct wpabuf *encr_req;
545 pos = req = os_malloc(100);
550 if (data->mschapv2_resp_ok) {
551 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS,
552 RADIUS_VENDOR_ID_MICROSOFT, 1, 43);
553 *pos++ = data->mschapv2_ident;
554 ret = os_snprintf((char *) pos, end - pos, "S=");
555 if (ret >= 0 && ret < end - pos)
557 pos += wpa_snprintf_hex_uppercase(
558 (char *) pos, end - pos, data->mschapv2_auth_response,
559 sizeof(data->mschapv2_auth_response));
561 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR,
562 RADIUS_VENDOR_ID_MICROSOFT, 1, 6);
563 os_memcpy(pos, "Failed", 6);
569 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 "
570 "data", req, req_len);
572 encr_req = eap_ttls_encrypt(sm, data, id, req, req_len);
579 static struct wpabuf * eap_ttls_build_phase_finished(
580 struct eap_sm *sm, struct eap_ttls_data *data, u8 id, int final)
584 const int max_len = 300;
587 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, len,
588 EAP_CODE_REQUEST, id);
592 wpabuf_put_u8(req, data->ttls_version);
594 len = tls_connection_ia_send_phase_finished(sm->ssl_ctx,
595 data->ssl.conn, final,
602 wpabuf_put(req, len);
609 static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
611 struct eap_ttls_data *data = priv;
613 switch (data->state) {
615 return eap_ttls_build_start(sm, data, id);
617 return eap_ttls_build_req(sm, data, id);
619 return eap_ttls_build_phase2_eap_req(sm, data, id);
620 case PHASE2_MSCHAPV2_RESP:
621 return eap_ttls_build_phase2_mschapv2(sm, data, id);
623 return eap_ttls_build_phase_finished(sm, data, id, 1);
625 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
626 __func__, data->state);
632 static Boolean eap_ttls_check(struct eap_sm *sm, void *priv,
633 struct wpabuf *respData)
638 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len);
639 if (pos == NULL || len < 1) {
640 wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame");
648 static int eap_ttls_ia_permute_inner_secret(struct eap_sm *sm,
649 struct eap_ttls_data *data,
650 const u8 *key, size_t key_len)
657 buf_len = 2 + key_len;
658 buf = os_malloc(buf_len);
661 WPA_PUT_BE16(buf, key_len);
662 os_memcpy(buf + 2, key, key_len);
668 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Session keys for TLS/IA inner "
669 "secret permutation", buf, buf_len);
670 ret = tls_connection_ia_permute_inner_secret(sm->ssl_ctx,
679 static void eap_ttls_process_phase2_pap(struct eap_sm *sm,
680 struct eap_ttls_data *data,
681 const u8 *user_password,
682 size_t user_password_len)
684 if (!sm->user || !sm->user->password || sm->user->password_hash ||
685 !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) {
686 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user "
687 "password configured");
688 eap_ttls_state(data, FAILURE);
692 if (sm->user->password_len != user_password_len ||
693 os_memcmp(sm->user->password, user_password, user_password_len) !=
695 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password");
696 eap_ttls_state(data, FAILURE);
700 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password");
701 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
706 static void eap_ttls_process_phase2_chap(struct eap_sm *sm,
707 struct eap_ttls_data *data,
709 size_t challenge_len,
713 u8 *chal, hash[CHAP_MD5_LEN];
715 if (challenge == NULL || password == NULL ||
716 challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN ||
717 password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) {
718 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes "
719 "(challenge len %lu password len %lu)",
720 (unsigned long) challenge_len,
721 (unsigned long) password_len);
722 eap_ttls_state(data, FAILURE);
726 if (!sm->user || !sm->user->password || sm->user->password_hash ||
727 !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) {
728 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user "
729 "password configured");
730 eap_ttls_state(data, FAILURE);
734 chal = eap_ttls_implicit_challenge(sm, data,
735 EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
737 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate "
738 "challenge from TLS data");
739 eap_ttls_state(data, FAILURE);
743 if (os_memcmp(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN) != 0 ||
744 password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) {
745 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch");
747 eap_ttls_state(data, FAILURE);
752 /* MD5(Ident + Password + Challenge) */
753 chap_md5(password[0], sm->user->password, sm->user->password_len,
754 challenge, challenge_len, hash);
756 if (os_memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0) {
757 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password");
758 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
761 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password");
762 eap_ttls_state(data, FAILURE);
767 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm,
768 struct eap_ttls_data *data,
769 u8 *challenge, size_t challenge_len,
770 u8 *response, size_t response_len)
772 u8 *chal, nt_response[24];
774 if (challenge == NULL || response == NULL ||
775 challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN ||
776 response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) {
777 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP "
778 "attributes (challenge len %lu response len %lu)",
779 (unsigned long) challenge_len,
780 (unsigned long) response_len);
781 eap_ttls_state(data, FAILURE);
785 if (!sm->user || !sm->user->password ||
786 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) {
787 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password "
789 eap_ttls_state(data, FAILURE);
793 chal = eap_ttls_implicit_challenge(sm, data,
794 EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
796 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate "
797 "challenge from TLS data");
798 eap_ttls_state(data, FAILURE);
802 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN) != 0 ||
803 response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) {
804 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch");
806 eap_ttls_state(data, FAILURE);
811 if (sm->user->password_hash)
812 challenge_response(challenge, sm->user->password, nt_response);
814 nt_challenge_response(challenge, sm->user->password,
815 sm->user->password_len, nt_response);
817 if (os_memcmp(nt_response, response + 2 + 24, 24) == 0) {
818 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response");
819 eap_ttls_state(data, data->ttls_version > 0 ? PHASE_FINISHED :
822 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response");
823 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received",
824 response + 2 + 24, 24);
825 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected",
827 eap_ttls_state(data, FAILURE);
832 static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
833 struct eap_ttls_data *data,
835 size_t challenge_len,
836 u8 *response, size_t response_len)
838 u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge,
840 size_t username_len, i;
842 if (challenge == NULL || response == NULL ||
843 challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN ||
844 response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) {
845 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 "
846 "attributes (challenge len %lu response len %lu)",
847 (unsigned long) challenge_len,
848 (unsigned long) response_len);
849 eap_ttls_state(data, FAILURE);
853 if (!sm->user || !sm->user->password ||
854 !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) {
855 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password "
857 eap_ttls_state(data, FAILURE);
861 /* MSCHAPv2 does not include optional domain name in the
862 * challenge-response calculation, so remove domain prefix
864 username = sm->identity;
865 username_len = sm->identity_len;
866 for (i = 0; i < username_len; i++) {
867 if (username[i] == '\\') {
868 username_len -= i + 1;
874 chal = eap_ttls_implicit_challenge(
875 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
877 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate "
878 "challenge from TLS data");
879 eap_ttls_state(data, FAILURE);
883 if (os_memcmp(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) != 0 ||
884 response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) {
885 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch");
887 eap_ttls_state(data, FAILURE);
892 auth_challenge = challenge;
893 peer_challenge = response + 2;
895 wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User",
896 username, username_len);
897 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge",
898 auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
899 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge",
900 peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
902 if (sm->user->password_hash) {
903 generate_nt_response_pwhash(auth_challenge, peer_challenge,
904 username, username_len,
908 generate_nt_response(auth_challenge, peer_challenge,
909 username, username_len,
911 sm->user->password_len,
915 rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8;
916 if (os_memcmp(nt_response, rx_resp, 24) == 0) {
917 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct "
919 data->mschapv2_resp_ok = 1;
920 if (data->ttls_version > 0) {
922 u8 pw_hash_buf[16], pw_hash_hash[16], master_key[16];
923 u8 session_key[2 * MSCHAPV2_KEY_LEN];
925 if (sm->user->password_hash)
926 pw_hash = sm->user->password;
928 nt_password_hash(sm->user->password,
929 sm->user->password_len,
931 pw_hash = pw_hash_buf;
933 hash_nt_password_hash(pw_hash, pw_hash_hash);
934 get_master_key(pw_hash_hash, nt_response, master_key);
935 get_asymetric_start_key(master_key, session_key,
936 MSCHAPV2_KEY_LEN, 0, 0);
937 get_asymetric_start_key(master_key,
938 session_key + MSCHAPV2_KEY_LEN,
939 MSCHAPV2_KEY_LEN, 1, 0);
940 eap_ttls_ia_permute_inner_secret(sm, data,
942 sizeof(session_key));
945 if (sm->user->password_hash) {
946 generate_authenticator_response_pwhash(
948 peer_challenge, auth_challenge,
949 username, username_len, nt_response,
950 data->mschapv2_auth_response);
952 generate_authenticator_response(
953 sm->user->password, sm->user->password_len,
954 peer_challenge, auth_challenge,
955 username, username_len, nt_response,
956 data->mschapv2_auth_response);
959 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid "
961 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received",
963 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected",
965 data->mschapv2_resp_ok = 0;
967 eap_ttls_state(data, PHASE2_MSCHAPV2_RESP);
968 data->mschapv2_ident = response[0];
972 static int eap_ttls_phase2_eap_init(struct eap_sm *sm,
973 struct eap_ttls_data *data,
976 if (data->phase2_priv && data->phase2_method) {
977 data->phase2_method->reset(sm, data->phase2_priv);
978 data->phase2_method = NULL;
979 data->phase2_priv = NULL;
981 data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
983 if (!data->phase2_method)
987 data->phase2_priv = data->phase2_method->init(sm);
993 static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
994 struct eap_ttls_data *data,
995 u8 *in_data, size_t in_len)
997 u8 next_type = EAP_TYPE_NONE;
1002 const struct eap_method *m = data->phase2_method;
1003 void *priv = data->phase2_priv;
1006 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not "
1007 "initialized?!", __func__);
1011 hdr = (struct eap_hdr *) in_data;
1012 pos = (u8 *) (hdr + 1);
1014 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
1015 left = in_len - sizeof(*hdr);
1016 wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; "
1017 "allowed types", pos + 1, left - 1);
1018 eap_sm_process_nak(sm, pos + 1, left - 1);
1019 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
1020 sm->user->methods[sm->user_eap_method_index].method !=
1022 next_type = sm->user->methods[
1023 sm->user_eap_method_index++].method;
1024 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d",
1026 eap_ttls_phase2_eap_init(sm, data, next_type);
1028 eap_ttls_state(data, FAILURE);
1033 wpabuf_set(&buf, in_data, in_len);
1035 if (m->check(sm, priv, &buf)) {
1036 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to "
1037 "ignore the packet");
1041 m->process(sm, priv, &buf);
1043 if (sm->method_pending == METHOD_PENDING_WAIT) {
1044 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in "
1045 "pending wait state - save decrypted response");
1046 wpabuf_free(data->pending_phase2_eap_resp);
1047 data->pending_phase2_eap_resp = wpabuf_dup(&buf);
1050 if (!m->isDone(sm, priv))
1053 if (!m->isSuccess(sm, priv)) {
1054 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed");
1055 eap_ttls_state(data, FAILURE);
1059 switch (data->state) {
1061 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1062 wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 "
1063 "Identity not found in the user "
1065 sm->identity, sm->identity_len);
1066 eap_ttls_state(data, FAILURE);
1070 eap_ttls_state(data, PHASE2_METHOD);
1071 next_type = sm->user->methods[0].method;
1072 sm->user_eap_method_index = 1;
1073 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type);
1076 if (data->ttls_version > 0) {
1080 key = m->getKey(sm, priv, &key_len);
1081 eap_ttls_ia_permute_inner_secret(sm, data,
1084 eap_ttls_state(data, PHASE_FINISHED);
1086 eap_ttls_state(data, SUCCESS);
1091 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
1092 __func__, data->state);
1096 eap_ttls_phase2_eap_init(sm, data, next_type);
1100 static void eap_ttls_process_phase2_eap(struct eap_sm *sm,
1101 struct eap_ttls_data *data,
1102 const u8 *eap, size_t eap_len)
1104 struct eap_hdr *hdr;
1107 if (data->state == PHASE2_START) {
1108 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2");
1109 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0)
1111 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to "
1112 "initialize EAP-Identity");
1117 if (eap_len < sizeof(*hdr)) {
1118 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP "
1119 "packet (len=%lu)", (unsigned long) eap_len);
1123 hdr = (struct eap_hdr *) eap;
1124 len = be_to_host16(hdr->length);
1125 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d "
1126 "identifier=%d length=%lu", hdr->code, hdr->identifier,
1127 (unsigned long) len);
1128 if (len > eap_len) {
1129 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2"
1130 " EAP frame (hdr len=%lu, data len in AVP=%lu)",
1131 (unsigned long) len, (unsigned long) eap_len);
1135 switch (hdr->code) {
1136 case EAP_CODE_RESPONSE:
1137 eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr,
1141 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in "
1142 "Phase 2 EAP header", hdr->code);
1148 static void eap_ttls_process_phase2(struct eap_sm *sm,
1149 struct eap_ttls_data *data,
1150 u8 *in_data, size_t in_len)
1153 int len_decrypted, res;
1154 struct eap_ttls_avp parse;
1157 wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1158 " Phase 2", (unsigned long) in_len);
1160 if (data->pending_phase2_eap_resp) {
1161 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response "
1162 "- skip decryption and use old data");
1163 eap_ttls_process_phase2_eap(
1164 sm, data, wpabuf_head(data->pending_phase2_eap_resp),
1165 wpabuf_len(data->pending_phase2_eap_resp));
1166 wpabuf_free(data->pending_phase2_eap_resp);
1167 data->pending_phase2_eap_resp = NULL;
1171 res = eap_server_tls_data_reassemble(sm, &data->ssl, &in_data,
1173 if (res < 0 || res == 1)
1177 if (data->ssl.tls_in_total > buf_len)
1178 buf_len = data->ssl.tls_in_total;
1179 in_decrypted = os_malloc(buf_len);
1180 if (in_decrypted == NULL) {
1181 os_free(data->ssl.tls_in);
1182 data->ssl.tls_in = NULL;
1183 data->ssl.tls_in_len = 0;
1184 wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate memory "
1189 len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
1191 in_decrypted, buf_len);
1192 os_free(data->ssl.tls_in);
1193 data->ssl.tls_in = NULL;
1194 data->ssl.tls_in_len = 0;
1195 if (len_decrypted < 0) {
1196 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
1198 os_free(in_decrypted);
1199 eap_ttls_state(data, FAILURE);
1203 if (data->state == PHASE_FINISHED) {
1204 if (len_decrypted == 0 &&
1205 tls_connection_ia_final_phase_finished(sm->ssl_ctx,
1207 wpa_printf(MSG_DEBUG, "EAP-TTLS: FinalPhaseFinished "
1209 eap_ttls_state(data, SUCCESS);
1211 wpa_printf(MSG_INFO, "EAP-TTLS: Did not receive valid "
1212 "FinalPhaseFinished");
1213 eap_ttls_state(data, FAILURE);
1216 os_free(in_decrypted);
1220 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP",
1221 in_decrypted, len_decrypted);
1223 if (eap_ttls_avp_parse(in_decrypted, len_decrypted, &parse) < 0) {
1224 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs");
1225 os_free(in_decrypted);
1226 eap_ttls_state(data, FAILURE);
1230 if (parse.user_name) {
1231 os_free(sm->identity);
1232 sm->identity = os_malloc(parse.user_name_len);
1234 os_memcpy(sm->identity, parse.user_name,
1235 parse.user_name_len);
1236 sm->identity_len = parse.user_name_len;
1238 if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
1240 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "
1241 "found in the user database");
1242 eap_ttls_state(data, FAILURE);
1248 eap_ttls_process_phase2_eap(sm, data, parse.eap,
1250 } else if (parse.user_password) {
1251 eap_ttls_process_phase2_pap(sm, data, parse.user_password,
1252 parse.user_password_len);
1253 } else if (parse.chap_password) {
1254 eap_ttls_process_phase2_chap(sm, data,
1255 parse.chap_challenge,
1256 parse.chap_challenge_len,
1257 parse.chap_password,
1258 parse.chap_password_len);
1259 } else if (parse.mschap_response) {
1260 eap_ttls_process_phase2_mschap(sm, data,
1261 parse.mschap_challenge,
1262 parse.mschap_challenge_len,
1263 parse.mschap_response,
1264 parse.mschap_response_len);
1265 } else if (parse.mschap2_response) {
1266 eap_ttls_process_phase2_mschapv2(sm, data,
1267 parse.mschap_challenge,
1268 parse.mschap_challenge_len,
1269 parse.mschap2_response,
1270 parse.mschap2_response_len);
1274 os_free(in_decrypted);
1279 static void eap_ttls_process(struct eap_sm *sm, void *priv,
1280 struct wpabuf *respData)
1282 struct eap_ttls_data *data = priv;
1286 unsigned int tls_msg_len;
1289 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData,
1291 if (pos == NULL || left < 1)
1295 wpa_printf(MSG_DEBUG, "EAP-TTLS: Received packet(len=%lu) - "
1296 "Flags 0x%02x", (unsigned long) wpabuf_len(respData),
1298 peer_version = flags & EAP_PEAP_VERSION_MASK;
1299 if (peer_version < data->ttls_version) {
1300 wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; "
1302 peer_version, data->ttls_version, peer_version);
1303 data->ttls_version = peer_version;
1306 if (data->ttls_version > 0 && !data->tls_ia_configured) {
1307 if (tls_connection_set_ia(sm->ssl_ctx, data->ssl.conn, 1)) {
1308 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to enable "
1310 eap_ttls_state(data, FAILURE);
1313 data->tls_ia_configured = 1;
1316 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
1318 wpa_printf(MSG_INFO, "EAP-TTLS: Short frame with TLS "
1320 eap_ttls_state(data, FAILURE);
1323 tls_msg_len = WPA_GET_BE32(pos);
1324 wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS Message Length: %d",
1326 if (data->ssl.tls_in_left == 0) {
1327 data->ssl.tls_in_total = tls_msg_len;
1328 data->ssl.tls_in_left = tls_msg_len;
1329 os_free(data->ssl.tls_in);
1330 data->ssl.tls_in = NULL;
1331 data->ssl.tls_in_len = 0;
1337 switch (data->state) {
1339 if (eap_server_tls_process_helper(sm, &data->ssl, pos, left) <
1341 wpa_printf(MSG_INFO, "EAP-TTLS: TLS processing "
1343 eap_ttls_state(data, FAILURE);
1348 case PHASE_FINISHED:
1349 /* FIX: get rid of const->non-const typecast */
1350 eap_ttls_process_phase2(sm, data, (u8 *) pos, left);
1352 case PHASE2_MSCHAPV2_RESP:
1353 if (data->mschapv2_resp_ok && left == 0) {
1354 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1355 "acknowledged response");
1356 eap_ttls_state(data, data->ttls_version > 0 ?
1357 PHASE_FINISHED : SUCCESS);
1358 } else if (!data->mschapv2_resp_ok) {
1359 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1360 "acknowledged error");
1361 eap_ttls_state(data, FAILURE);
1363 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected "
1364 "frame from peer (payload len %lu, "
1365 "expected empty frame)",
1366 (unsigned long) left);
1367 eap_ttls_state(data, FAILURE);
1371 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s",
1372 data->state, __func__);
1376 if (tls_connection_get_write_alerts(sm->ssl_ctx, data->ssl.conn) > 1) {
1377 wpa_printf(MSG_INFO, "EAP-TTLS: Locally detected fatal error "
1378 "in TLS processing");
1379 eap_ttls_state(data, FAILURE);
1384 static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv)
1386 struct eap_ttls_data *data = priv;
1387 return data->state == SUCCESS || data->state == FAILURE;
1391 static u8 * eap_ttls_v1_derive_key(struct eap_sm *sm,
1392 struct eap_ttls_data *data)
1394 struct tls_keys keys;
1397 os_memset(&keys, 0, sizeof(keys));
1398 if (tls_connection_get_keys(sm->ssl_ctx, data->ssl.conn, &keys) ||
1399 keys.client_random == NULL || keys.server_random == NULL ||
1400 keys.inner_secret == NULL) {
1401 wpa_printf(MSG_INFO, "EAP-TTLS: Could not get inner secret, "
1402 "client random, or server random to derive keying "
1407 rnd = os_malloc(keys.client_random_len + keys.server_random_len);
1408 key = os_malloc(EAP_TLS_KEY_LEN);
1409 if (rnd == NULL || key == NULL) {
1410 wpa_printf(MSG_INFO, "EAP-TTLS: No memory for key derivation");
1415 os_memcpy(rnd, keys.client_random, keys.client_random_len);
1416 os_memcpy(rnd + keys.client_random_len, keys.server_random,
1417 keys.server_random_len);
1419 if (tls_prf(keys.inner_secret, keys.inner_secret_len,
1420 "ttls v1 keying material", rnd, keys.client_random_len +
1421 keys.server_random_len, key, EAP_TLS_KEY_LEN)) {
1422 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1428 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: client/server random",
1429 rnd, keys.client_random_len + keys.server_random_len);
1430 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: TLS/IA inner secret",
1431 keys.inner_secret, keys.inner_secret_len);
1439 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1441 struct eap_ttls_data *data = priv;
1444 if (data->state != SUCCESS)
1447 if (data->ttls_version == 0) {
1448 eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1449 "ttls keying material",
1452 eapKeyData = eap_ttls_v1_derive_key(sm, data);
1456 *len = EAP_TLS_KEY_LEN;
1457 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
1458 eapKeyData, EAP_TLS_KEY_LEN);
1460 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1467 static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv)
1469 struct eap_ttls_data *data = priv;
1470 return data->state == SUCCESS;
1474 int eap_server_ttls_register(void)
1476 struct eap_method *eap;
1479 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1480 EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1484 eap->init = eap_ttls_init;
1485 eap->reset = eap_ttls_reset;
1486 eap->buildReq = eap_ttls_buildReq;
1487 eap->check = eap_ttls_check;
1488 eap->process = eap_ttls_process;
1489 eap->isDone = eap_ttls_isDone;
1490 eap->getKey = eap_ttls_getKey;
1491 eap->isSuccess = eap_ttls_isSuccess;
1493 ret = eap_server_method_register(eap);
1495 eap_server_method_free(eap);