1189251Ssam/* 2189251Ssam * EAP peer method: EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt) 3189251Ssam * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> 4189251Ssam * 5252726Srpaulo * This software may be distributed under the terms of the BSD license. 6252726Srpaulo * See README for more details. 7189251Ssam */ 8189251Ssam 9189251Ssam#include "includes.h" 10189251Ssam 11189251Ssam#include "common.h" 12189251Ssam#include "crypto/sha1.h" 13214734Srpaulo#include "crypto/tls.h" 14214734Srpaulo#include "eap_common/eap_tlv_common.h" 15214734Srpaulo#include "eap_common/eap_peap_common.h" 16189251Ssam#include "eap_i.h" 17189251Ssam#include "eap_tls_common.h" 18189251Ssam#include "eap_config.h" 19189251Ssam#include "tncc.h" 20189251Ssam 21189251Ssam 22189251Ssam/* Maximum supported PEAP version 23189251Ssam * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt 24189251Ssam * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt 25189251Ssam * 2 = draft-josefsson-ppext-eap-tls-eap-10.txt 26189251Ssam */ 27189251Ssam#define EAP_PEAP_VERSION 1 28189251Ssam 29189251Ssam 30189251Ssamstatic void eap_peap_deinit(struct eap_sm *sm, void *priv); 31189251Ssam 32189251Ssam 33189251Ssamstruct eap_peap_data { 34189251Ssam struct eap_ssl_data ssl; 35189251Ssam 36189251Ssam int peap_version, force_peap_version, force_new_label; 37189251Ssam 38189251Ssam const struct eap_method *phase2_method; 39189251Ssam void *phase2_priv; 40189251Ssam int phase2_success; 41189251Ssam int phase2_eap_success; 42189251Ssam int phase2_eap_started; 43189251Ssam 44189251Ssam struct eap_method_type phase2_type; 45189251Ssam struct eap_method_type *phase2_types; 46189251Ssam size_t num_phase2_types; 47189251Ssam 48189251Ssam int peap_outer_success; /* 0 = PEAP terminated on Phase 2 inner 49189251Ssam * EAP-Success 50189251Ssam * 1 = reply with tunneled EAP-Success to inner 51189251Ssam * EAP-Success and expect AS to send outer 52189251Ssam * (unencrypted) EAP-Success after this 53189251Ssam * 2 = reply with PEAP/TLS ACK to inner 54189251Ssam * EAP-Success and expect AS to send outer 55189251Ssam * (unencrypted) EAP-Success after this */ 56189251Ssam int resuming; /* starting a resumed session */ 57189251Ssam int reauth; /* reauthentication */ 58189251Ssam u8 *key_data; 59189251Ssam 60189251Ssam struct wpabuf *pending_phase2_req; 61189251Ssam enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding; 62189251Ssam int crypto_binding_used; 63189251Ssam u8 binding_nonce[32]; 64189251Ssam u8 ipmk[40]; 65189251Ssam u8 cmk[20]; 66189251Ssam int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) 67189251Ssam * is enabled. */ 68189251Ssam}; 69189251Ssam 70189251Ssam 71189251Ssamstatic int eap_peap_parse_phase1(struct eap_peap_data *data, 72189251Ssam const char *phase1) 73189251Ssam{ 74189251Ssam const char *pos; 75189251Ssam 76189251Ssam pos = os_strstr(phase1, "peapver="); 77189251Ssam if (pos) { 78189251Ssam data->force_peap_version = atoi(pos + 8); 79189251Ssam data->peap_version = data->force_peap_version; 80189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Forced PEAP version %d", 81189251Ssam data->force_peap_version); 82189251Ssam } 83189251Ssam 84189251Ssam if (os_strstr(phase1, "peaplabel=1")) { 85189251Ssam data->force_new_label = 1; 86189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Force new label for key " 87189251Ssam "derivation"); 88189251Ssam } 89189251Ssam 90189251Ssam if (os_strstr(phase1, "peap_outer_success=0")) { 91189251Ssam data->peap_outer_success = 0; 92189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: terminate authentication on " 93189251Ssam "tunneled EAP-Success"); 94189251Ssam } else if (os_strstr(phase1, "peap_outer_success=1")) { 95189251Ssam data->peap_outer_success = 1; 96189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: send tunneled EAP-Success " 97189251Ssam "after receiving tunneled EAP-Success"); 98189251Ssam } else if (os_strstr(phase1, "peap_outer_success=2")) { 99189251Ssam data->peap_outer_success = 2; 100189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: send PEAP/TLS ACK after " 101189251Ssam "receiving tunneled EAP-Success"); 102189251Ssam } 103189251Ssam 104189251Ssam if (os_strstr(phase1, "crypto_binding=0")) { 105189251Ssam data->crypto_binding = NO_BINDING; 106189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Do not use cryptobinding"); 107189251Ssam } else if (os_strstr(phase1, "crypto_binding=1")) { 108189251Ssam data->crypto_binding = OPTIONAL_BINDING; 109189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Optional cryptobinding"); 110189251Ssam } else if (os_strstr(phase1, "crypto_binding=2")) { 111189251Ssam data->crypto_binding = REQUIRE_BINDING; 112189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); 113189251Ssam } 114189251Ssam 115189251Ssam#ifdef EAP_TNC 116189251Ssam if (os_strstr(phase1, "tnc=soh2")) { 117189251Ssam data->soh = 2; 118189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); 119189251Ssam } else if (os_strstr(phase1, "tnc=soh1")) { 120189251Ssam data->soh = 1; 121189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 1 enabled"); 122189251Ssam } else if (os_strstr(phase1, "tnc=soh")) { 123189251Ssam data->soh = 2; 124189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); 125189251Ssam } 126189251Ssam#endif /* EAP_TNC */ 127189251Ssam 128189251Ssam return 0; 129189251Ssam} 130189251Ssam 131189251Ssam 132189251Ssamstatic void * eap_peap_init(struct eap_sm *sm) 133189251Ssam{ 134189251Ssam struct eap_peap_data *data; 135189251Ssam struct eap_peer_config *config = eap_get_config(sm); 136189251Ssam 137189251Ssam data = os_zalloc(sizeof(*data)); 138189251Ssam if (data == NULL) 139189251Ssam return NULL; 140189251Ssam sm->peap_done = FALSE; 141189251Ssam data->peap_version = EAP_PEAP_VERSION; 142189251Ssam data->force_peap_version = -1; 143189251Ssam data->peap_outer_success = 2; 144189251Ssam data->crypto_binding = OPTIONAL_BINDING; 145189251Ssam 146189251Ssam if (config && config->phase1 && 147189251Ssam eap_peap_parse_phase1(data, config->phase1) < 0) { 148189251Ssam eap_peap_deinit(sm, data); 149189251Ssam return NULL; 150189251Ssam } 151189251Ssam 152189251Ssam if (eap_peer_select_phase2_methods(config, "auth=", 153189251Ssam &data->phase2_types, 154189251Ssam &data->num_phase2_types) < 0) { 155189251Ssam eap_peap_deinit(sm, data); 156189251Ssam return NULL; 157189251Ssam } 158189251Ssam 159189251Ssam data->phase2_type.vendor = EAP_VENDOR_IETF; 160189251Ssam data->phase2_type.method = EAP_TYPE_NONE; 161189251Ssam 162252726Srpaulo if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_PEAP)) { 163189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL."); 164189251Ssam eap_peap_deinit(sm, data); 165189251Ssam return NULL; 166189251Ssam } 167189251Ssam 168189251Ssam return data; 169189251Ssam} 170189251Ssam 171189251Ssam 172189251Ssamstatic void eap_peap_deinit(struct eap_sm *sm, void *priv) 173189251Ssam{ 174189251Ssam struct eap_peap_data *data = priv; 175189251Ssam if (data == NULL) 176189251Ssam return; 177189251Ssam if (data->phase2_priv && data->phase2_method) 178189251Ssam data->phase2_method->deinit(sm, data->phase2_priv); 179189251Ssam os_free(data->phase2_types); 180189251Ssam eap_peer_tls_ssl_deinit(sm, &data->ssl); 181189251Ssam os_free(data->key_data); 182189251Ssam wpabuf_free(data->pending_phase2_req); 183189251Ssam os_free(data); 184189251Ssam} 185189251Ssam 186189251Ssam 187189251Ssam/** 188189251Ssam * eap_tlv_build_nak - Build EAP-TLV NAK message 189189251Ssam * @id: EAP identifier for the header 190189251Ssam * @nak_type: TLV type (EAP_TLV_*) 191189251Ssam * Returns: Buffer to the allocated EAP-TLV NAK message or %NULL on failure 192189251Ssam * 193252726Srpaulo * This function builds an EAP-TLV NAK message. The caller is responsible for 194189251Ssam * freeing the returned buffer. 195189251Ssam */ 196189251Ssamstatic struct wpabuf * eap_tlv_build_nak(int id, u16 nak_type) 197189251Ssam{ 198189251Ssam struct wpabuf *msg; 199189251Ssam 200189251Ssam msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, 10, 201189251Ssam EAP_CODE_RESPONSE, id); 202189251Ssam if (msg == NULL) 203189251Ssam return NULL; 204189251Ssam 205189251Ssam wpabuf_put_u8(msg, 0x80); /* Mandatory */ 206189251Ssam wpabuf_put_u8(msg, EAP_TLV_NAK_TLV); 207189251Ssam wpabuf_put_be16(msg, 6); /* Length */ 208189251Ssam wpabuf_put_be32(msg, 0); /* Vendor-Id */ 209189251Ssam wpabuf_put_be16(msg, nak_type); /* NAK-Type */ 210189251Ssam 211189251Ssam return msg; 212189251Ssam} 213189251Ssam 214189251Ssam 215189251Ssamstatic int eap_peap_get_isk(struct eap_sm *sm, struct eap_peap_data *data, 216189251Ssam u8 *isk, size_t isk_len) 217189251Ssam{ 218189251Ssam u8 *key; 219189251Ssam size_t key_len; 220189251Ssam 221189251Ssam os_memset(isk, 0, isk_len); 222189251Ssam if (data->phase2_method == NULL || data->phase2_priv == NULL || 223189251Ssam data->phase2_method->isKeyAvailable == NULL || 224189251Ssam data->phase2_method->getKey == NULL) 225189251Ssam return 0; 226189251Ssam 227189251Ssam if (!data->phase2_method->isKeyAvailable(sm, data->phase2_priv) || 228189251Ssam (key = data->phase2_method->getKey(sm, data->phase2_priv, 229189251Ssam &key_len)) == NULL) { 230189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not get key material " 231189251Ssam "from Phase 2"); 232189251Ssam return -1; 233189251Ssam } 234189251Ssam 235189251Ssam if (key_len > isk_len) 236189251Ssam key_len = isk_len; 237189251Ssam os_memcpy(isk, key, key_len); 238189251Ssam os_free(key); 239189251Ssam 240189251Ssam return 0; 241189251Ssam} 242189251Ssam 243189251Ssam 244189251Ssamstatic int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) 245189251Ssam{ 246189251Ssam u8 *tk; 247189251Ssam u8 isk[32], imck[60]; 248189251Ssam 249189251Ssam /* 250189251Ssam * Tunnel key (TK) is the first 60 octets of the key generated by 251189251Ssam * phase 1 of PEAP (based on TLS). 252189251Ssam */ 253189251Ssam tk = data->key_data; 254189251Ssam if (tk == NULL) 255189251Ssam return -1; 256189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60); 257189251Ssam 258189251Ssam if (data->reauth && 259189251Ssam tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) { 260189251Ssam /* Fast-connect: IPMK|CMK = TK */ 261189251Ssam os_memcpy(data->ipmk, tk, 40); 262189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK", 263189251Ssam data->ipmk, 40); 264189251Ssam os_memcpy(data->cmk, tk + 40, 20); 265189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK from TK", 266189251Ssam data->cmk, 20); 267189251Ssam return 0; 268189251Ssam } 269189251Ssam 270189251Ssam if (eap_peap_get_isk(sm, data, isk, sizeof(isk)) < 0) 271189251Ssam return -1; 272189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk)); 273189251Ssam 274189251Ssam /* 275189251Ssam * IPMK Seed = "Inner Methods Compound Keys" | ISK 276189251Ssam * TempKey = First 40 octets of TK 277189251Ssam * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60) 278189251Ssam * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space 279189251Ssam * in the end of the label just before ISK; is that just a typo?) 280189251Ssam */ 281189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40); 282252726Srpaulo if (peap_prfplus(data->peap_version, tk, 40, 283252726Srpaulo "Inner Methods Compound Keys", 284252726Srpaulo isk, sizeof(isk), imck, sizeof(imck)) < 0) 285252726Srpaulo return -1; 286189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)", 287189251Ssam imck, sizeof(imck)); 288189251Ssam 289189251Ssam os_memcpy(data->ipmk, imck, 40); 290189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40); 291189251Ssam os_memcpy(data->cmk, imck + 40, 20); 292189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20); 293189251Ssam 294189251Ssam return 0; 295189251Ssam} 296189251Ssam 297189251Ssam 298189251Ssamstatic int eap_tlv_add_cryptobinding(struct eap_sm *sm, 299189251Ssam struct eap_peap_data *data, 300189251Ssam struct wpabuf *buf) 301189251Ssam{ 302189251Ssam u8 *mac; 303189251Ssam u8 eap_type = EAP_TYPE_PEAP; 304189251Ssam const u8 *addr[2]; 305189251Ssam size_t len[2]; 306189251Ssam u16 tlv_type; 307189251Ssam 308189251Ssam /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ 309189251Ssam addr[0] = wpabuf_put(buf, 0); 310189251Ssam len[0] = 60; 311189251Ssam addr[1] = &eap_type; 312189251Ssam len[1] = 1; 313189251Ssam 314189251Ssam tlv_type = EAP_TLV_CRYPTO_BINDING_TLV; 315189251Ssam if (data->peap_version >= 2) 316189251Ssam tlv_type |= EAP_TLV_TYPE_MANDATORY; 317189251Ssam wpabuf_put_be16(buf, tlv_type); 318189251Ssam wpabuf_put_be16(buf, 56); 319189251Ssam 320189251Ssam wpabuf_put_u8(buf, 0); /* Reserved */ 321189251Ssam wpabuf_put_u8(buf, data->peap_version); /* Version */ 322189251Ssam wpabuf_put_u8(buf, data->peap_version); /* RecvVersion */ 323189251Ssam wpabuf_put_u8(buf, 1); /* SubType: 0 = Request, 1 = Response */ 324189251Ssam wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */ 325189251Ssam mac = wpabuf_put(buf, 20); /* Compound_MAC */ 326189251Ssam wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK", data->cmk, 20); 327189251Ssam wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1", 328189251Ssam addr[0], len[0]); 329189251Ssam wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2", 330189251Ssam addr[1], len[1]); 331189251Ssam hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac); 332189251Ssam wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC", mac, SHA1_MAC_LEN); 333189251Ssam data->crypto_binding_used = 1; 334189251Ssam 335189251Ssam return 0; 336189251Ssam} 337189251Ssam 338189251Ssam 339189251Ssam/** 340189251Ssam * eap_tlv_build_result - Build EAP-TLV Result message 341189251Ssam * @id: EAP identifier for the header 342189251Ssam * @status: Status (EAP_TLV_RESULT_SUCCESS or EAP_TLV_RESULT_FAILURE) 343189251Ssam * Returns: Buffer to the allocated EAP-TLV Result message or %NULL on failure 344189251Ssam * 345252726Srpaulo * This function builds an EAP-TLV Result message. The caller is responsible 346252726Srpaulo * for freeing the returned buffer. 347189251Ssam */ 348189251Ssamstatic struct wpabuf * eap_tlv_build_result(struct eap_sm *sm, 349189251Ssam struct eap_peap_data *data, 350189251Ssam int crypto_tlv_used, 351189251Ssam int id, u16 status) 352189251Ssam{ 353189251Ssam struct wpabuf *msg; 354189251Ssam size_t len; 355189251Ssam 356189251Ssam if (data->crypto_binding == NO_BINDING) 357189251Ssam crypto_tlv_used = 0; 358189251Ssam 359189251Ssam len = 6; 360189251Ssam if (crypto_tlv_used) 361189251Ssam len += 60; /* Cryptobinding TLV */ 362189251Ssam msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, len, 363189251Ssam EAP_CODE_RESPONSE, id); 364189251Ssam if (msg == NULL) 365189251Ssam return NULL; 366189251Ssam 367189251Ssam wpabuf_put_u8(msg, 0x80); /* Mandatory */ 368189251Ssam wpabuf_put_u8(msg, EAP_TLV_RESULT_TLV); 369189251Ssam wpabuf_put_be16(msg, 2); /* Length */ 370189251Ssam wpabuf_put_be16(msg, status); /* Status */ 371189251Ssam 372189251Ssam if (crypto_tlv_used && eap_tlv_add_cryptobinding(sm, data, msg)) { 373189251Ssam wpabuf_free(msg); 374189251Ssam return NULL; 375189251Ssam } 376189251Ssam 377189251Ssam return msg; 378189251Ssam} 379189251Ssam 380189251Ssam 381189251Ssamstatic int eap_tlv_validate_cryptobinding(struct eap_sm *sm, 382189251Ssam struct eap_peap_data *data, 383189251Ssam const u8 *crypto_tlv, 384189251Ssam size_t crypto_tlv_len) 385189251Ssam{ 386189251Ssam u8 buf[61], mac[SHA1_MAC_LEN]; 387189251Ssam const u8 *pos; 388189251Ssam 389189251Ssam if (eap_peap_derive_cmk(sm, data) < 0) { 390189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not derive CMK"); 391189251Ssam return -1; 392189251Ssam } 393189251Ssam 394189251Ssam if (crypto_tlv_len != 4 + 56) { 395189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV " 396189251Ssam "length %d", (int) crypto_tlv_len); 397189251Ssam return -1; 398189251Ssam } 399189251Ssam 400189251Ssam pos = crypto_tlv; 401189251Ssam pos += 4; /* TLV header */ 402189251Ssam if (pos[1] != data->peap_version) { 403189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version " 404189251Ssam "mismatch (was %d; expected %d)", 405189251Ssam pos[1], data->peap_version); 406189251Ssam return -1; 407189251Ssam } 408189251Ssam 409189251Ssam if (pos[3] != 0) { 410189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV " 411189251Ssam "SubType %d", pos[3]); 412189251Ssam return -1; 413189251Ssam } 414189251Ssam pos += 4; 415189251Ssam os_memcpy(data->binding_nonce, pos, 32); 416189251Ssam pos += 32; /* Nonce */ 417189251Ssam 418189251Ssam /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ 419189251Ssam os_memcpy(buf, crypto_tlv, 60); 420189251Ssam os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */ 421189251Ssam buf[60] = EAP_TYPE_PEAP; 422189251Ssam wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Compound_MAC data", 423189251Ssam buf, sizeof(buf)); 424189251Ssam hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac); 425189251Ssam 426189251Ssam if (os_memcmp(mac, pos, SHA1_MAC_LEN) != 0) { 427189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in " 428189251Ssam "cryptobinding TLV"); 429189251Ssam wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received MAC", 430189251Ssam pos, SHA1_MAC_LEN); 431189251Ssam wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Expected MAC", 432189251Ssam mac, SHA1_MAC_LEN); 433189251Ssam return -1; 434189251Ssam } 435189251Ssam 436189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received"); 437189251Ssam 438189251Ssam return 0; 439189251Ssam} 440189251Ssam 441189251Ssam 442189251Ssam/** 443189251Ssam * eap_tlv_process - Process a received EAP-TLV message and generate a response 444189251Ssam * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 445189251Ssam * @ret: Return values from EAP request validation and processing 446189251Ssam * @req: EAP-TLV request to be processed. The caller must have validated that 447189251Ssam * the buffer is large enough to contain full request (hdr->length bytes) and 448189251Ssam * that the EAP type is EAP_TYPE_TLV. 449189251Ssam * @resp: Buffer to return a pointer to the allocated response message. This 450189251Ssam * field should be initialized to %NULL before the call. The value will be 451189251Ssam * updated if a response message is generated. The caller is responsible for 452189251Ssam * freeing the allocated message. 453189251Ssam * @force_failure: Force negotiation to fail 454189251Ssam * Returns: 0 on success, -1 on failure 455189251Ssam */ 456189251Ssamstatic int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, 457189251Ssam struct eap_method_ret *ret, 458189251Ssam const struct wpabuf *req, struct wpabuf **resp, 459189251Ssam int force_failure) 460189251Ssam{ 461189251Ssam size_t left, tlv_len; 462189251Ssam const u8 *pos; 463189251Ssam const u8 *result_tlv = NULL, *crypto_tlv = NULL; 464189251Ssam size_t result_tlv_len = 0, crypto_tlv_len = 0; 465189251Ssam int tlv_type, mandatory; 466189251Ssam 467189251Ssam /* Parse TLVs */ 468189251Ssam pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, req, &left); 469189251Ssam if (pos == NULL) 470189251Ssam return -1; 471189251Ssam wpa_hexdump(MSG_DEBUG, "EAP-TLV: Received TLVs", pos, left); 472189251Ssam while (left >= 4) { 473189251Ssam mandatory = !!(pos[0] & 0x80); 474189251Ssam tlv_type = WPA_GET_BE16(pos) & 0x3fff; 475189251Ssam pos += 2; 476189251Ssam tlv_len = WPA_GET_BE16(pos); 477189251Ssam pos += 2; 478189251Ssam left -= 4; 479189251Ssam if (tlv_len > left) { 480189251Ssam wpa_printf(MSG_DEBUG, "EAP-TLV: TLV underrun " 481189251Ssam "(tlv_len=%lu left=%lu)", 482189251Ssam (unsigned long) tlv_len, 483189251Ssam (unsigned long) left); 484189251Ssam return -1; 485189251Ssam } 486189251Ssam switch (tlv_type) { 487189251Ssam case EAP_TLV_RESULT_TLV: 488189251Ssam result_tlv = pos; 489189251Ssam result_tlv_len = tlv_len; 490189251Ssam break; 491189251Ssam case EAP_TLV_CRYPTO_BINDING_TLV: 492189251Ssam crypto_tlv = pos; 493189251Ssam crypto_tlv_len = tlv_len; 494189251Ssam break; 495189251Ssam default: 496189251Ssam wpa_printf(MSG_DEBUG, "EAP-TLV: Unsupported TLV Type " 497189251Ssam "%d%s", tlv_type, 498189251Ssam mandatory ? " (mandatory)" : ""); 499189251Ssam if (mandatory) { 500189251Ssam /* NAK TLV and ignore all TLVs in this packet. 501189251Ssam */ 502189251Ssam *resp = eap_tlv_build_nak(eap_get_id(req), 503189251Ssam tlv_type); 504189251Ssam return *resp == NULL ? -1 : 0; 505189251Ssam } 506189251Ssam /* Ignore this TLV, but process other TLVs */ 507189251Ssam break; 508189251Ssam } 509189251Ssam 510189251Ssam pos += tlv_len; 511189251Ssam left -= tlv_len; 512189251Ssam } 513189251Ssam if (left) { 514189251Ssam wpa_printf(MSG_DEBUG, "EAP-TLV: Last TLV too short in " 515189251Ssam "Request (left=%lu)", (unsigned long) left); 516189251Ssam return -1; 517189251Ssam } 518189251Ssam 519189251Ssam /* Process supported TLVs */ 520189251Ssam if (crypto_tlv && data->crypto_binding != NO_BINDING) { 521189251Ssam wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV", 522189251Ssam crypto_tlv, crypto_tlv_len); 523189251Ssam if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4, 524189251Ssam crypto_tlv_len + 4) < 0) { 525189251Ssam if (result_tlv == NULL) 526189251Ssam return -1; 527189251Ssam force_failure = 1; 528189251Ssam crypto_tlv = NULL; /* do not include Cryptobinding TLV 529189251Ssam * in response, if the received 530189251Ssam * cryptobinding was invalid. */ 531189251Ssam } 532189251Ssam } else if (!crypto_tlv && data->crypto_binding == REQUIRE_BINDING) { 533189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV"); 534189251Ssam return -1; 535189251Ssam } 536189251Ssam 537189251Ssam if (result_tlv) { 538189251Ssam int status, resp_status; 539189251Ssam wpa_hexdump(MSG_DEBUG, "EAP-TLV: Result TLV", 540189251Ssam result_tlv, result_tlv_len); 541189251Ssam if (result_tlv_len < 2) { 542189251Ssam wpa_printf(MSG_INFO, "EAP-TLV: Too short Result TLV " 543189251Ssam "(len=%lu)", 544189251Ssam (unsigned long) result_tlv_len); 545189251Ssam return -1; 546189251Ssam } 547189251Ssam status = WPA_GET_BE16(result_tlv); 548189251Ssam if (status == EAP_TLV_RESULT_SUCCESS) { 549189251Ssam wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Success " 550189251Ssam "- EAP-TLV/Phase2 Completed"); 551189251Ssam if (force_failure) { 552189251Ssam wpa_printf(MSG_INFO, "EAP-TLV: Earlier failure" 553189251Ssam " - force failed Phase 2"); 554189251Ssam resp_status = EAP_TLV_RESULT_FAILURE; 555189251Ssam ret->decision = DECISION_FAIL; 556189251Ssam } else { 557189251Ssam resp_status = EAP_TLV_RESULT_SUCCESS; 558189251Ssam ret->decision = DECISION_UNCOND_SUCC; 559189251Ssam } 560189251Ssam } else if (status == EAP_TLV_RESULT_FAILURE) { 561189251Ssam wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Failure"); 562189251Ssam resp_status = EAP_TLV_RESULT_FAILURE; 563189251Ssam ret->decision = DECISION_FAIL; 564189251Ssam } else { 565189251Ssam wpa_printf(MSG_INFO, "EAP-TLV: Unknown TLV Result " 566189251Ssam "Status %d", status); 567189251Ssam resp_status = EAP_TLV_RESULT_FAILURE; 568189251Ssam ret->decision = DECISION_FAIL; 569189251Ssam } 570189251Ssam ret->methodState = METHOD_DONE; 571189251Ssam 572189251Ssam *resp = eap_tlv_build_result(sm, data, crypto_tlv != NULL, 573189251Ssam eap_get_id(req), resp_status); 574189251Ssam } 575189251Ssam 576189251Ssam return 0; 577189251Ssam} 578189251Ssam 579189251Ssam 580189251Ssamstatic struct wpabuf * eap_peapv2_tlv_eap_payload(struct wpabuf *buf) 581189251Ssam{ 582189251Ssam struct wpabuf *e; 583189251Ssam struct eap_tlv_hdr *tlv; 584189251Ssam 585189251Ssam if (buf == NULL) 586189251Ssam return NULL; 587189251Ssam 588189251Ssam /* Encapsulate EAP packet in EAP-Payload TLV */ 589189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAPv2: Add EAP-Payload TLV"); 590189251Ssam e = wpabuf_alloc(sizeof(*tlv) + wpabuf_len(buf)); 591189251Ssam if (e == NULL) { 592189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAPv2: Failed to allocate memory " 593189251Ssam "for TLV encapsulation"); 594189251Ssam wpabuf_free(buf); 595189251Ssam return NULL; 596189251Ssam } 597189251Ssam tlv = wpabuf_put(e, sizeof(*tlv)); 598189251Ssam tlv->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | 599189251Ssam EAP_TLV_EAP_PAYLOAD_TLV); 600189251Ssam tlv->length = host_to_be16(wpabuf_len(buf)); 601189251Ssam wpabuf_put_buf(e, buf); 602189251Ssam wpabuf_free(buf); 603189251Ssam return e; 604189251Ssam} 605189251Ssam 606189251Ssam 607189251Ssamstatic int eap_peap_phase2_request(struct eap_sm *sm, 608189251Ssam struct eap_peap_data *data, 609189251Ssam struct eap_method_ret *ret, 610189251Ssam struct wpabuf *req, 611189251Ssam struct wpabuf **resp) 612189251Ssam{ 613189251Ssam struct eap_hdr *hdr = wpabuf_mhead(req); 614189251Ssam size_t len = be_to_host16(hdr->length); 615189251Ssam u8 *pos; 616189251Ssam struct eap_method_ret iret; 617189251Ssam struct eap_peer_config *config = eap_get_config(sm); 618189251Ssam 619189251Ssam if (len <= sizeof(struct eap_hdr)) { 620189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: too short " 621189251Ssam "Phase 2 request (len=%lu)", (unsigned long) len); 622189251Ssam return -1; 623189251Ssam } 624189251Ssam pos = (u8 *) (hdr + 1); 625189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Request: type=%d", *pos); 626189251Ssam switch (*pos) { 627189251Ssam case EAP_TYPE_IDENTITY: 628189251Ssam *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); 629189251Ssam break; 630189251Ssam case EAP_TYPE_TLV: 631189251Ssam os_memset(&iret, 0, sizeof(iret)); 632189251Ssam if (eap_tlv_process(sm, data, &iret, req, resp, 633189251Ssam data->phase2_eap_started && 634189251Ssam !data->phase2_eap_success)) { 635189251Ssam ret->methodState = METHOD_DONE; 636189251Ssam ret->decision = DECISION_FAIL; 637189251Ssam return -1; 638189251Ssam } 639189251Ssam if (iret.methodState == METHOD_DONE || 640189251Ssam iret.methodState == METHOD_MAY_CONT) { 641189251Ssam ret->methodState = iret.methodState; 642189251Ssam ret->decision = iret.decision; 643189251Ssam data->phase2_success = 1; 644189251Ssam } 645189251Ssam break; 646189251Ssam case EAP_TYPE_EXPANDED: 647189251Ssam#ifdef EAP_TNC 648189251Ssam if (data->soh) { 649189251Ssam const u8 *epos; 650189251Ssam size_t eleft; 651189251Ssam 652189251Ssam epos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21, 653189251Ssam req, &eleft); 654189251Ssam if (epos) { 655189251Ssam struct wpabuf *buf; 656189251Ssam wpa_printf(MSG_DEBUG, 657189251Ssam "EAP-PEAP: SoH EAP Extensions"); 658189251Ssam buf = tncc_process_soh_request(data->soh, 659189251Ssam epos, eleft); 660189251Ssam if (buf) { 661189251Ssam *resp = eap_msg_alloc( 662189251Ssam EAP_VENDOR_MICROSOFT, 0x21, 663189251Ssam wpabuf_len(buf), 664189251Ssam EAP_CODE_RESPONSE, 665189251Ssam hdr->identifier); 666189251Ssam if (*resp == NULL) { 667189251Ssam ret->methodState = METHOD_DONE; 668189251Ssam ret->decision = DECISION_FAIL; 669189251Ssam return -1; 670189251Ssam } 671189251Ssam wpabuf_put_buf(*resp, buf); 672189251Ssam wpabuf_free(buf); 673189251Ssam break; 674189251Ssam } 675189251Ssam } 676189251Ssam } 677189251Ssam#endif /* EAP_TNC */ 678189251Ssam /* fall through */ 679189251Ssam default: 680189251Ssam if (data->phase2_type.vendor == EAP_VENDOR_IETF && 681189251Ssam data->phase2_type.method == EAP_TYPE_NONE) { 682189251Ssam size_t i; 683189251Ssam for (i = 0; i < data->num_phase2_types; i++) { 684189251Ssam if (data->phase2_types[i].vendor != 685189251Ssam EAP_VENDOR_IETF || 686189251Ssam data->phase2_types[i].method != *pos) 687189251Ssam continue; 688189251Ssam 689189251Ssam data->phase2_type.vendor = 690189251Ssam data->phase2_types[i].vendor; 691189251Ssam data->phase2_type.method = 692189251Ssam data->phase2_types[i].method; 693189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Selected " 694189251Ssam "Phase 2 EAP vendor %d method %d", 695189251Ssam data->phase2_type.vendor, 696189251Ssam data->phase2_type.method); 697189251Ssam break; 698189251Ssam } 699189251Ssam } 700189251Ssam if (*pos != data->phase2_type.method || 701189251Ssam *pos == EAP_TYPE_NONE) { 702189251Ssam if (eap_peer_tls_phase2_nak(data->phase2_types, 703189251Ssam data->num_phase2_types, 704189251Ssam hdr, resp)) 705189251Ssam return -1; 706189251Ssam return 0; 707189251Ssam } 708189251Ssam 709189251Ssam if (data->phase2_priv == NULL) { 710189251Ssam data->phase2_method = eap_peer_get_eap_method( 711189251Ssam data->phase2_type.vendor, 712189251Ssam data->phase2_type.method); 713189251Ssam if (data->phase2_method) { 714189251Ssam sm->init_phase2 = 1; 715189251Ssam data->phase2_priv = 716189251Ssam data->phase2_method->init(sm); 717189251Ssam sm->init_phase2 = 0; 718189251Ssam } 719189251Ssam } 720189251Ssam if (data->phase2_priv == NULL || data->phase2_method == NULL) { 721189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: failed to initialize " 722189251Ssam "Phase 2 EAP method %d", *pos); 723189251Ssam ret->methodState = METHOD_DONE; 724189251Ssam ret->decision = DECISION_FAIL; 725189251Ssam return -1; 726189251Ssam } 727189251Ssam data->phase2_eap_started = 1; 728189251Ssam os_memset(&iret, 0, sizeof(iret)); 729189251Ssam *resp = data->phase2_method->process(sm, data->phase2_priv, 730189251Ssam &iret, req); 731189251Ssam if ((iret.methodState == METHOD_DONE || 732189251Ssam iret.methodState == METHOD_MAY_CONT) && 733189251Ssam (iret.decision == DECISION_UNCOND_SUCC || 734189251Ssam iret.decision == DECISION_COND_SUCC)) { 735189251Ssam data->phase2_eap_success = 1; 736189251Ssam data->phase2_success = 1; 737189251Ssam } 738189251Ssam break; 739189251Ssam } 740189251Ssam 741189251Ssam if (*resp == NULL && 742189251Ssam (config->pending_req_identity || config->pending_req_password || 743189251Ssam config->pending_req_otp || config->pending_req_new_password)) { 744189251Ssam wpabuf_free(data->pending_phase2_req); 745189251Ssam data->pending_phase2_req = wpabuf_alloc_copy(hdr, len); 746189251Ssam } 747189251Ssam 748189251Ssam return 0; 749189251Ssam} 750189251Ssam 751189251Ssam 752189251Ssamstatic int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data, 753189251Ssam struct eap_method_ret *ret, 754189251Ssam const struct eap_hdr *req, 755189251Ssam const struct wpabuf *in_data, 756189251Ssam struct wpabuf **out_data) 757189251Ssam{ 758189251Ssam struct wpabuf *in_decrypted = NULL; 759189251Ssam int res, skip_change = 0; 760189251Ssam struct eap_hdr *hdr, *rhdr; 761189251Ssam struct wpabuf *resp = NULL; 762189251Ssam size_t len; 763189251Ssam 764189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for" 765189251Ssam " Phase 2", (unsigned long) wpabuf_len(in_data)); 766189251Ssam 767189251Ssam if (data->pending_phase2_req) { 768189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 request - " 769189251Ssam "skip decryption and use old data"); 770189251Ssam /* Clear TLS reassembly state. */ 771189251Ssam eap_peer_tls_reset_input(&data->ssl); 772189251Ssam in_decrypted = data->pending_phase2_req; 773189251Ssam data->pending_phase2_req = NULL; 774189251Ssam skip_change = 1; 775189251Ssam goto continue_req; 776189251Ssam } 777189251Ssam 778189251Ssam if (wpabuf_len(in_data) == 0 && sm->workaround && 779189251Ssam data->phase2_success) { 780189251Ssam /* 781189251Ssam * Cisco ACS seems to be using TLS ACK to terminate 782189251Ssam * EAP-PEAPv0/GTC. Try to reply with TLS ACK. 783189251Ssam */ 784189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Received TLS ACK, but " 785189251Ssam "expected data - acknowledge with TLS ACK since " 786189251Ssam "Phase 2 has been completed"); 787189251Ssam ret->decision = DECISION_COND_SUCC; 788189251Ssam ret->methodState = METHOD_DONE; 789189251Ssam return 1; 790189251Ssam } else if (wpabuf_len(in_data) == 0) { 791189251Ssam /* Received TLS ACK - requesting more fragments */ 792189251Ssam return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, 793189251Ssam data->peap_version, 794189251Ssam req->identifier, NULL, out_data); 795189251Ssam } 796189251Ssam 797189251Ssam res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); 798189251Ssam if (res) 799189251Ssam return res; 800189251Ssam 801189251Ssamcontinue_req: 802189251Ssam wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP", 803189251Ssam in_decrypted); 804189251Ssam 805189251Ssam hdr = wpabuf_mhead(in_decrypted); 806189251Ssam if (wpabuf_len(in_decrypted) == 5 && hdr->code == EAP_CODE_REQUEST && 807189251Ssam be_to_host16(hdr->length) == 5 && 808189251Ssam eap_get_type(in_decrypted) == EAP_TYPE_IDENTITY) { 809189251Ssam /* At least FreeRADIUS seems to send full EAP header with 810189251Ssam * EAP Request Identity */ 811189251Ssam skip_change = 1; 812189251Ssam } 813189251Ssam if (wpabuf_len(in_decrypted) >= 5 && hdr->code == EAP_CODE_REQUEST && 814189251Ssam eap_get_type(in_decrypted) == EAP_TYPE_TLV) { 815189251Ssam skip_change = 1; 816189251Ssam } 817189251Ssam 818189251Ssam if (data->peap_version == 0 && !skip_change) { 819189251Ssam struct eap_hdr *nhdr; 820189251Ssam struct wpabuf *nmsg = wpabuf_alloc(sizeof(struct eap_hdr) + 821189251Ssam wpabuf_len(in_decrypted)); 822189251Ssam if (nmsg == NULL) { 823189251Ssam wpabuf_free(in_decrypted); 824189251Ssam return 0; 825189251Ssam } 826189251Ssam nhdr = wpabuf_put(nmsg, sizeof(*nhdr)); 827189251Ssam wpabuf_put_buf(nmsg, in_decrypted); 828189251Ssam nhdr->code = req->code; 829189251Ssam nhdr->identifier = req->identifier; 830189251Ssam nhdr->length = host_to_be16(sizeof(struct eap_hdr) + 831189251Ssam wpabuf_len(in_decrypted)); 832189251Ssam 833189251Ssam wpabuf_free(in_decrypted); 834189251Ssam in_decrypted = nmsg; 835189251Ssam } 836189251Ssam 837189251Ssam if (data->peap_version >= 2) { 838189251Ssam struct eap_tlv_hdr *tlv; 839189251Ssam struct wpabuf *nmsg; 840189251Ssam 841189251Ssam if (wpabuf_len(in_decrypted) < sizeof(*tlv) + sizeof(*hdr)) { 842189251Ssam wpa_printf(MSG_INFO, "EAP-PEAPv2: Too short Phase 2 " 843189251Ssam "EAP TLV"); 844189251Ssam wpabuf_free(in_decrypted); 845189251Ssam return 0; 846189251Ssam } 847189251Ssam tlv = wpabuf_mhead(in_decrypted); 848189251Ssam if ((be_to_host16(tlv->tlv_type) & 0x3fff) != 849189251Ssam EAP_TLV_EAP_PAYLOAD_TLV) { 850189251Ssam wpa_printf(MSG_INFO, "EAP-PEAPv2: Not an EAP TLV"); 851189251Ssam wpabuf_free(in_decrypted); 852189251Ssam return 0; 853189251Ssam } 854189251Ssam if (sizeof(*tlv) + be_to_host16(tlv->length) > 855189251Ssam wpabuf_len(in_decrypted)) { 856189251Ssam wpa_printf(MSG_INFO, "EAP-PEAPv2: Invalid EAP TLV " 857189251Ssam "length"); 858189251Ssam wpabuf_free(in_decrypted); 859189251Ssam return 0; 860189251Ssam } 861189251Ssam hdr = (struct eap_hdr *) (tlv + 1); 862189251Ssam if (be_to_host16(hdr->length) > be_to_host16(tlv->length)) { 863189251Ssam wpa_printf(MSG_INFO, "EAP-PEAPv2: No room for full " 864189251Ssam "EAP packet in EAP TLV"); 865189251Ssam wpabuf_free(in_decrypted); 866189251Ssam return 0; 867189251Ssam } 868189251Ssam 869189251Ssam nmsg = wpabuf_alloc(be_to_host16(hdr->length)); 870189251Ssam if (nmsg == NULL) { 871189251Ssam wpabuf_free(in_decrypted); 872189251Ssam return 0; 873189251Ssam } 874189251Ssam 875189251Ssam wpabuf_put_data(nmsg, hdr, be_to_host16(hdr->length)); 876189251Ssam wpabuf_free(in_decrypted); 877189251Ssam in_decrypted = nmsg; 878189251Ssam } 879189251Ssam 880189251Ssam hdr = wpabuf_mhead(in_decrypted); 881189251Ssam if (wpabuf_len(in_decrypted) < sizeof(*hdr)) { 882189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 " 883189251Ssam "EAP frame (len=%lu)", 884189251Ssam (unsigned long) wpabuf_len(in_decrypted)); 885189251Ssam wpabuf_free(in_decrypted); 886189251Ssam return 0; 887189251Ssam } 888189251Ssam len = be_to_host16(hdr->length); 889189251Ssam if (len > wpabuf_len(in_decrypted)) { 890189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in " 891189251Ssam "Phase 2 EAP frame (len=%lu hdr->length=%lu)", 892189251Ssam (unsigned long) wpabuf_len(in_decrypted), 893189251Ssam (unsigned long) len); 894189251Ssam wpabuf_free(in_decrypted); 895189251Ssam return 0; 896189251Ssam } 897189251Ssam if (len < wpabuf_len(in_decrypted)) { 898189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: Odd.. Phase 2 EAP header has " 899189251Ssam "shorter length than full decrypted data " 900189251Ssam "(%lu < %lu)", 901189251Ssam (unsigned long) len, 902189251Ssam (unsigned long) wpabuf_len(in_decrypted)); 903189251Ssam } 904189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d " 905189251Ssam "identifier=%d length=%lu", hdr->code, hdr->identifier, 906189251Ssam (unsigned long) len); 907189251Ssam switch (hdr->code) { 908189251Ssam case EAP_CODE_REQUEST: 909189251Ssam if (eap_peap_phase2_request(sm, data, ret, in_decrypted, 910189251Ssam &resp)) { 911189251Ssam wpabuf_free(in_decrypted); 912189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: Phase2 Request " 913189251Ssam "processing failed"); 914189251Ssam return 0; 915189251Ssam } 916189251Ssam break; 917189251Ssam case EAP_CODE_SUCCESS: 918189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success"); 919189251Ssam if (data->peap_version == 1) { 920189251Ssam /* EAP-Success within TLS tunnel is used to indicate 921189251Ssam * shutdown of the TLS channel. The authentication has 922189251Ssam * been completed. */ 923189251Ssam if (data->phase2_eap_started && 924189251Ssam !data->phase2_eap_success) { 925189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " 926189251Ssam "Success used to indicate success, " 927189251Ssam "but Phase 2 EAP was not yet " 928189251Ssam "completed successfully"); 929189251Ssam ret->methodState = METHOD_DONE; 930189251Ssam ret->decision = DECISION_FAIL; 931189251Ssam wpabuf_free(in_decrypted); 932189251Ssam return 0; 933189251Ssam } 934189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Version 1 - " 935189251Ssam "EAP-Success within TLS tunnel - " 936189251Ssam "authentication completed"); 937189251Ssam ret->decision = DECISION_UNCOND_SUCC; 938189251Ssam ret->methodState = METHOD_DONE; 939189251Ssam data->phase2_success = 1; 940189251Ssam if (data->peap_outer_success == 2) { 941189251Ssam wpabuf_free(in_decrypted); 942189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Use TLS ACK " 943189251Ssam "to finish authentication"); 944189251Ssam return 1; 945189251Ssam } else if (data->peap_outer_success == 1) { 946189251Ssam /* Reply with EAP-Success within the TLS 947189251Ssam * channel to complete the authentication. */ 948189251Ssam resp = wpabuf_alloc(sizeof(struct eap_hdr)); 949189251Ssam if (resp) { 950189251Ssam rhdr = wpabuf_put(resp, sizeof(*rhdr)); 951189251Ssam rhdr->code = EAP_CODE_SUCCESS; 952189251Ssam rhdr->identifier = hdr->identifier; 953189251Ssam rhdr->length = 954189251Ssam host_to_be16(sizeof(*rhdr)); 955189251Ssam } 956189251Ssam } else { 957189251Ssam /* No EAP-Success expected for Phase 1 (outer, 958189251Ssam * unencrypted auth), so force EAP state 959189251Ssam * machine to SUCCESS state. */ 960189251Ssam sm->peap_done = TRUE; 961189251Ssam } 962189251Ssam } else { 963189251Ssam /* FIX: ? */ 964189251Ssam } 965189251Ssam break; 966189251Ssam case EAP_CODE_FAILURE: 967189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure"); 968189251Ssam ret->decision = DECISION_FAIL; 969189251Ssam ret->methodState = METHOD_MAY_CONT; 970189251Ssam ret->allowNotifications = FALSE; 971189251Ssam /* Reply with EAP-Failure within the TLS channel to complete 972189251Ssam * failure reporting. */ 973189251Ssam resp = wpabuf_alloc(sizeof(struct eap_hdr)); 974189251Ssam if (resp) { 975189251Ssam rhdr = wpabuf_put(resp, sizeof(*rhdr)); 976189251Ssam rhdr->code = EAP_CODE_FAILURE; 977189251Ssam rhdr->identifier = hdr->identifier; 978189251Ssam rhdr->length = host_to_be16(sizeof(*rhdr)); 979189251Ssam } 980189251Ssam break; 981189251Ssam default: 982189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in " 983189251Ssam "Phase 2 EAP header", hdr->code); 984189251Ssam break; 985189251Ssam } 986189251Ssam 987189251Ssam wpabuf_free(in_decrypted); 988189251Ssam 989189251Ssam if (resp) { 990189251Ssam int skip_change2 = 0; 991189251Ssam struct wpabuf *rmsg, buf; 992189251Ssam 993189251Ssam wpa_hexdump_buf_key(MSG_DEBUG, 994189251Ssam "EAP-PEAP: Encrypting Phase 2 data", resp); 995189251Ssam /* PEAP version changes */ 996189251Ssam if (data->peap_version >= 2) { 997189251Ssam resp = eap_peapv2_tlv_eap_payload(resp); 998189251Ssam if (resp == NULL) 999189251Ssam return -1; 1000189251Ssam } 1001189251Ssam if (wpabuf_len(resp) >= 5 && 1002189251Ssam wpabuf_head_u8(resp)[0] == EAP_CODE_RESPONSE && 1003189251Ssam eap_get_type(resp) == EAP_TYPE_TLV) 1004189251Ssam skip_change2 = 1; 1005189251Ssam rmsg = resp; 1006189251Ssam if (data->peap_version == 0 && !skip_change2) { 1007189251Ssam wpabuf_set(&buf, wpabuf_head_u8(resp) + 1008189251Ssam sizeof(struct eap_hdr), 1009189251Ssam wpabuf_len(resp) - sizeof(struct eap_hdr)); 1010189251Ssam rmsg = &buf; 1011189251Ssam } 1012189251Ssam 1013189251Ssam if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, 1014189251Ssam data->peap_version, req->identifier, 1015189251Ssam rmsg, out_data)) { 1016189251Ssam wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt " 1017189251Ssam "a Phase 2 frame"); 1018189251Ssam } 1019189251Ssam wpabuf_free(resp); 1020189251Ssam } 1021189251Ssam 1022189251Ssam return 0; 1023189251Ssam} 1024189251Ssam 1025189251Ssam 1026189251Ssamstatic struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, 1027189251Ssam struct eap_method_ret *ret, 1028189251Ssam const struct wpabuf *reqData) 1029189251Ssam{ 1030189251Ssam const struct eap_hdr *req; 1031189251Ssam size_t left; 1032189251Ssam int res; 1033189251Ssam u8 flags, id; 1034189251Ssam struct wpabuf *resp; 1035189251Ssam const u8 *pos; 1036189251Ssam struct eap_peap_data *data = priv; 1037189251Ssam 1038189251Ssam pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_PEAP, ret, 1039189251Ssam reqData, &left, &flags); 1040189251Ssam if (pos == NULL) 1041189251Ssam return NULL; 1042189251Ssam req = wpabuf_head(reqData); 1043189251Ssam id = req->identifier; 1044189251Ssam 1045189251Ssam if (flags & EAP_TLS_FLAGS_START) { 1046189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Start (server ver=%d, own " 1047214734Srpaulo "ver=%d)", flags & EAP_TLS_VERSION_MASK, 1048189251Ssam data->peap_version); 1049214734Srpaulo if ((flags & EAP_TLS_VERSION_MASK) < data->peap_version) 1050214734Srpaulo data->peap_version = flags & EAP_TLS_VERSION_MASK; 1051189251Ssam if (data->force_peap_version >= 0 && 1052189251Ssam data->force_peap_version != data->peap_version) { 1053189251Ssam wpa_printf(MSG_WARNING, "EAP-PEAP: Failed to select " 1054189251Ssam "forced PEAP version %d", 1055189251Ssam data->force_peap_version); 1056189251Ssam ret->methodState = METHOD_DONE; 1057189251Ssam ret->decision = DECISION_FAIL; 1058189251Ssam ret->allowNotifications = FALSE; 1059189251Ssam return NULL; 1060189251Ssam } 1061189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Using PEAP version %d", 1062189251Ssam data->peap_version); 1063189251Ssam left = 0; /* make sure that this frame is empty, even though it 1064189251Ssam * should always be, anyway */ 1065189251Ssam } 1066189251Ssam 1067189251Ssam resp = NULL; 1068189251Ssam if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1069189251Ssam !data->resuming) { 1070189251Ssam struct wpabuf msg; 1071189251Ssam wpabuf_set(&msg, pos, left); 1072189251Ssam res = eap_peap_decrypt(sm, data, ret, req, &msg, &resp); 1073189251Ssam } else { 1074189251Ssam res = eap_peer_tls_process_helper(sm, &data->ssl, 1075189251Ssam EAP_TYPE_PEAP, 1076189251Ssam data->peap_version, id, pos, 1077189251Ssam left, &resp); 1078189251Ssam 1079189251Ssam if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 1080189251Ssam char *label; 1081189251Ssam wpa_printf(MSG_DEBUG, 1082189251Ssam "EAP-PEAP: TLS done, proceed to Phase 2"); 1083189251Ssam os_free(data->key_data); 1084189251Ssam /* draft-josefsson-ppext-eap-tls-eap-05.txt 1085189251Ssam * specifies that PEAPv1 would use "client PEAP 1086189251Ssam * encryption" as the label. However, most existing 1087189251Ssam * PEAPv1 implementations seem to be using the old 1088189251Ssam * label, "client EAP encryption", instead. Use the old 1089189251Ssam * label by default, but allow it to be configured with 1090189251Ssam * phase1 parameter peaplabel=1. */ 1091189251Ssam if (data->peap_version > 1 || data->force_new_label) 1092189251Ssam label = "client PEAP encryption"; 1093189251Ssam else 1094189251Ssam label = "client EAP encryption"; 1095189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: using label '%s' in " 1096189251Ssam "key derivation", label); 1097189251Ssam data->key_data = 1098189251Ssam eap_peer_tls_derive_key(sm, &data->ssl, label, 1099189251Ssam EAP_TLS_KEY_LEN); 1100189251Ssam if (data->key_data) { 1101189251Ssam wpa_hexdump_key(MSG_DEBUG, 1102189251Ssam "EAP-PEAP: Derived key", 1103189251Ssam data->key_data, 1104189251Ssam EAP_TLS_KEY_LEN); 1105189251Ssam } else { 1106189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to " 1107189251Ssam "derive key"); 1108189251Ssam } 1109189251Ssam 1110189251Ssam if (sm->workaround && data->resuming) { 1111189251Ssam /* 1112189251Ssam * At least few RADIUS servers (Aegis v1.1.6; 1113189251Ssam * but not v1.1.4; and Cisco ACS) seem to be 1114189251Ssam * terminating PEAPv1 (Aegis) or PEAPv0 (Cisco 1115189251Ssam * ACS) session resumption with outer 1116189251Ssam * EAP-Success. This does not seem to follow 1117189251Ssam * draft-josefsson-pppext-eap-tls-eap-05.txt 1118189251Ssam * section 4.2, so only allow this if EAP 1119189251Ssam * workarounds are enabled. 1120189251Ssam */ 1121189251Ssam wpa_printf(MSG_DEBUG, "EAP-PEAP: Workaround - " 1122189251Ssam "allow outer EAP-Success to " 1123189251Ssam "terminate PEAP resumption"); 1124189251Ssam ret->decision = DECISION_COND_SUCC; 1125189251Ssam data->phase2_success = 1; 1126189251Ssam } 1127189251Ssam 1128189251Ssam data->resuming = 0; 1129189251Ssam } 1130189251Ssam 1131189251Ssam if (res == 2) { 1132189251Ssam struct wpabuf msg; 1133189251Ssam /* 1134189251Ssam * Application data included in the handshake message. 1135189251Ssam */ 1136189251Ssam wpabuf_free(data->pending_phase2_req); 1137189251Ssam data->pending_phase2_req = resp; 1138189251Ssam resp = NULL; 1139189251Ssam wpabuf_set(&msg, pos, left); 1140189251Ssam res = eap_peap_decrypt(sm, data, ret, req, &msg, 1141189251Ssam &resp); 1142189251Ssam } 1143189251Ssam } 1144189251Ssam 1145189251Ssam if (ret->methodState == METHOD_DONE) { 1146189251Ssam ret->allowNotifications = FALSE; 1147189251Ssam } 1148189251Ssam 1149189251Ssam if (res == 1) { 1150189251Ssam wpabuf_free(resp); 1151189251Ssam return eap_peer_tls_build_ack(id, EAP_TYPE_PEAP, 1152189251Ssam data->peap_version); 1153189251Ssam } 1154189251Ssam 1155189251Ssam return resp; 1156189251Ssam} 1157189251Ssam 1158189251Ssam 1159189251Ssamstatic Boolean eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) 1160189251Ssam{ 1161189251Ssam struct eap_peap_data *data = priv; 1162189251Ssam return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1163189251Ssam data->phase2_success; 1164189251Ssam} 1165189251Ssam 1166189251Ssam 1167189251Ssamstatic void eap_peap_deinit_for_reauth(struct eap_sm *sm, void *priv) 1168189251Ssam{ 1169189251Ssam struct eap_peap_data *data = priv; 1170189251Ssam wpabuf_free(data->pending_phase2_req); 1171189251Ssam data->pending_phase2_req = NULL; 1172189251Ssam data->crypto_binding_used = 0; 1173189251Ssam} 1174189251Ssam 1175189251Ssam 1176189251Ssamstatic void * eap_peap_init_for_reauth(struct eap_sm *sm, void *priv) 1177189251Ssam{ 1178189251Ssam struct eap_peap_data *data = priv; 1179189251Ssam os_free(data->key_data); 1180189251Ssam data->key_data = NULL; 1181189251Ssam if (eap_peer_tls_reauth_init(sm, &data->ssl)) { 1182189251Ssam os_free(data); 1183189251Ssam return NULL; 1184189251Ssam } 1185189251Ssam if (data->phase2_priv && data->phase2_method && 1186189251Ssam data->phase2_method->init_for_reauth) 1187189251Ssam data->phase2_method->init_for_reauth(sm, data->phase2_priv); 1188189251Ssam data->phase2_success = 0; 1189189251Ssam data->phase2_eap_success = 0; 1190189251Ssam data->phase2_eap_started = 0; 1191189251Ssam data->resuming = 1; 1192189251Ssam data->reauth = 1; 1193189251Ssam sm->peap_done = FALSE; 1194189251Ssam return priv; 1195189251Ssam} 1196189251Ssam 1197189251Ssam 1198189251Ssamstatic int eap_peap_get_status(struct eap_sm *sm, void *priv, char *buf, 1199189251Ssam size_t buflen, int verbose) 1200189251Ssam{ 1201189251Ssam struct eap_peap_data *data = priv; 1202189251Ssam int len, ret; 1203189251Ssam 1204189251Ssam len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); 1205189251Ssam if (data->phase2_method) { 1206189251Ssam ret = os_snprintf(buf + len, buflen - len, 1207189251Ssam "EAP-PEAPv%d Phase2 method=%s\n", 1208189251Ssam data->peap_version, 1209189251Ssam data->phase2_method->name); 1210189251Ssam if (ret < 0 || (size_t) ret >= buflen - len) 1211189251Ssam return len; 1212189251Ssam len += ret; 1213189251Ssam } 1214189251Ssam return len; 1215189251Ssam} 1216189251Ssam 1217189251Ssam 1218189251Ssamstatic Boolean eap_peap_isKeyAvailable(struct eap_sm *sm, void *priv) 1219189251Ssam{ 1220189251Ssam struct eap_peap_data *data = priv; 1221189251Ssam return data->key_data != NULL && data->phase2_success; 1222189251Ssam} 1223189251Ssam 1224189251Ssam 1225189251Ssamstatic u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len) 1226189251Ssam{ 1227189251Ssam struct eap_peap_data *data = priv; 1228189251Ssam u8 *key; 1229189251Ssam 1230189251Ssam if (data->key_data == NULL || !data->phase2_success) 1231189251Ssam return NULL; 1232189251Ssam 1233189251Ssam key = os_malloc(EAP_TLS_KEY_LEN); 1234189251Ssam if (key == NULL) 1235189251Ssam return NULL; 1236189251Ssam 1237189251Ssam *len = EAP_TLS_KEY_LEN; 1238189251Ssam 1239189251Ssam if (data->crypto_binding_used) { 1240189251Ssam u8 csk[128]; 1241189251Ssam /* 1242189251Ssam * Note: It looks like Microsoft implementation requires null 1243189251Ssam * termination for this label while the one used for deriving 1244189251Ssam * IPMK|CMK did not use null termination. 1245189251Ssam */ 1246252726Srpaulo if (peap_prfplus(data->peap_version, data->ipmk, 40, 1247252726Srpaulo "Session Key Generating Function", 1248252726Srpaulo (u8 *) "\00", 1, csk, sizeof(csk)) < 0) { 1249252726Srpaulo os_free(key); 1250252726Srpaulo return NULL; 1251252726Srpaulo } 1252189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk)); 1253189251Ssam os_memcpy(key, csk, EAP_TLS_KEY_LEN); 1254189251Ssam wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key", 1255189251Ssam key, EAP_TLS_KEY_LEN); 1256189251Ssam } else 1257189251Ssam os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); 1258189251Ssam 1259189251Ssam return key; 1260189251Ssam} 1261189251Ssam 1262189251Ssam 1263189251Ssamint eap_peer_peap_register(void) 1264189251Ssam{ 1265189251Ssam struct eap_method *eap; 1266189251Ssam int ret; 1267189251Ssam 1268189251Ssam eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1269189251Ssam EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP"); 1270189251Ssam if (eap == NULL) 1271189251Ssam return -1; 1272189251Ssam 1273189251Ssam eap->init = eap_peap_init; 1274189251Ssam eap->deinit = eap_peap_deinit; 1275189251Ssam eap->process = eap_peap_process; 1276189251Ssam eap->isKeyAvailable = eap_peap_isKeyAvailable; 1277189251Ssam eap->getKey = eap_peap_getKey; 1278189251Ssam eap->get_status = eap_peap_get_status; 1279189251Ssam eap->has_reauth_data = eap_peap_has_reauth_data; 1280189251Ssam eap->deinit_for_reauth = eap_peap_deinit_for_reauth; 1281189251Ssam eap->init_for_reauth = eap_peap_init_for_reauth; 1282189251Ssam 1283189251Ssam ret = eap_peer_method_register(eap); 1284189251Ssam if (ret) 1285189251Ssam eap_peer_method_free(eap); 1286189251Ssam return ret; 1287189251Ssam} 1288