1 | #include <machine/rtems-bsd-user-space.h> |
---|
2 | |
---|
3 | /* |
---|
4 | * EAP peer method: EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt) |
---|
5 | * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> |
---|
6 | * |
---|
7 | * This software may be distributed under the terms of the BSD license. |
---|
8 | * See README for more details. |
---|
9 | */ |
---|
10 | |
---|
11 | #include "includes.h" |
---|
12 | |
---|
13 | #include "common.h" |
---|
14 | #include "crypto/sha1.h" |
---|
15 | #include "crypto/tls.h" |
---|
16 | #include "eap_common/eap_tlv_common.h" |
---|
17 | #include "eap_common/eap_peap_common.h" |
---|
18 | #include "eap_i.h" |
---|
19 | #include "eap_tls_common.h" |
---|
20 | #include "eap_config.h" |
---|
21 | #include "tncc.h" |
---|
22 | |
---|
23 | |
---|
24 | /* Maximum supported PEAP version |
---|
25 | * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt |
---|
26 | * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt |
---|
27 | */ |
---|
28 | #define EAP_PEAP_VERSION 1 |
---|
29 | |
---|
30 | |
---|
31 | static void eap_peap_deinit(struct eap_sm *sm, void *priv); |
---|
32 | |
---|
33 | |
---|
34 | struct eap_peap_data { |
---|
35 | struct eap_ssl_data ssl; |
---|
36 | |
---|
37 | int peap_version, force_peap_version, force_new_label; |
---|
38 | |
---|
39 | const struct eap_method *phase2_method; |
---|
40 | void *phase2_priv; |
---|
41 | int phase2_success; |
---|
42 | int phase2_eap_success; |
---|
43 | int phase2_eap_started; |
---|
44 | |
---|
45 | struct eap_method_type phase2_type; |
---|
46 | struct eap_method_type *phase2_types; |
---|
47 | size_t num_phase2_types; |
---|
48 | |
---|
49 | int peap_outer_success; /* 0 = PEAP terminated on Phase 2 inner |
---|
50 | * EAP-Success |
---|
51 | * 1 = reply with tunneled EAP-Success to inner |
---|
52 | * EAP-Success and expect AS to send outer |
---|
53 | * (unencrypted) EAP-Success after this |
---|
54 | * 2 = reply with PEAP/TLS ACK to inner |
---|
55 | * EAP-Success and expect AS to send outer |
---|
56 | * (unencrypted) EAP-Success after this */ |
---|
57 | int resuming; /* starting a resumed session */ |
---|
58 | int reauth; /* reauthentication */ |
---|
59 | u8 *key_data; |
---|
60 | u8 *session_id; |
---|
61 | size_t id_len; |
---|
62 | |
---|
63 | struct wpabuf *pending_phase2_req; |
---|
64 | enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding; |
---|
65 | int crypto_binding_used; |
---|
66 | u8 binding_nonce[32]; |
---|
67 | u8 ipmk[40]; |
---|
68 | u8 cmk[20]; |
---|
69 | int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) |
---|
70 | * is enabled. */ |
---|
71 | }; |
---|
72 | |
---|
73 | |
---|
74 | static int eap_peap_parse_phase1(struct eap_peap_data *data, |
---|
75 | const char *phase1) |
---|
76 | { |
---|
77 | const char *pos; |
---|
78 | |
---|
79 | pos = os_strstr(phase1, "peapver="); |
---|
80 | if (pos) { |
---|
81 | data->force_peap_version = atoi(pos + 8); |
---|
82 | data->peap_version = data->force_peap_version; |
---|
83 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Forced PEAP version %d", |
---|
84 | data->force_peap_version); |
---|
85 | } |
---|
86 | |
---|
87 | if (os_strstr(phase1, "peaplabel=1")) { |
---|
88 | data->force_new_label = 1; |
---|
89 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Force new label for key " |
---|
90 | "derivation"); |
---|
91 | } |
---|
92 | |
---|
93 | if (os_strstr(phase1, "peap_outer_success=0")) { |
---|
94 | data->peap_outer_success = 0; |
---|
95 | wpa_printf(MSG_DEBUG, "EAP-PEAP: terminate authentication on " |
---|
96 | "tunneled EAP-Success"); |
---|
97 | } else if (os_strstr(phase1, "peap_outer_success=1")) { |
---|
98 | data->peap_outer_success = 1; |
---|
99 | wpa_printf(MSG_DEBUG, "EAP-PEAP: send tunneled EAP-Success " |
---|
100 | "after receiving tunneled EAP-Success"); |
---|
101 | } else if (os_strstr(phase1, "peap_outer_success=2")) { |
---|
102 | data->peap_outer_success = 2; |
---|
103 | wpa_printf(MSG_DEBUG, "EAP-PEAP: send PEAP/TLS ACK after " |
---|
104 | "receiving tunneled EAP-Success"); |
---|
105 | } |
---|
106 | |
---|
107 | if (os_strstr(phase1, "crypto_binding=0")) { |
---|
108 | data->crypto_binding = NO_BINDING; |
---|
109 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Do not use cryptobinding"); |
---|
110 | } else if (os_strstr(phase1, "crypto_binding=1")) { |
---|
111 | data->crypto_binding = OPTIONAL_BINDING; |
---|
112 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Optional cryptobinding"); |
---|
113 | } else if (os_strstr(phase1, "crypto_binding=2")) { |
---|
114 | data->crypto_binding = REQUIRE_BINDING; |
---|
115 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); |
---|
116 | } |
---|
117 | |
---|
118 | #ifdef EAP_TNC |
---|
119 | if (os_strstr(phase1, "tnc=soh2")) { |
---|
120 | data->soh = 2; |
---|
121 | wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); |
---|
122 | } else if (os_strstr(phase1, "tnc=soh1")) { |
---|
123 | data->soh = 1; |
---|
124 | wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 1 enabled"); |
---|
125 | } else if (os_strstr(phase1, "tnc=soh")) { |
---|
126 | data->soh = 2; |
---|
127 | wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); |
---|
128 | } |
---|
129 | #endif /* EAP_TNC */ |
---|
130 | |
---|
131 | return 0; |
---|
132 | } |
---|
133 | |
---|
134 | |
---|
135 | static void * eap_peap_init(struct eap_sm *sm) |
---|
136 | { |
---|
137 | struct eap_peap_data *data; |
---|
138 | struct eap_peer_config *config = eap_get_config(sm); |
---|
139 | |
---|
140 | data = os_zalloc(sizeof(*data)); |
---|
141 | if (data == NULL) |
---|
142 | return NULL; |
---|
143 | sm->peap_done = FALSE; |
---|
144 | data->peap_version = EAP_PEAP_VERSION; |
---|
145 | data->force_peap_version = -1; |
---|
146 | data->peap_outer_success = 2; |
---|
147 | data->crypto_binding = OPTIONAL_BINDING; |
---|
148 | |
---|
149 | if (config && config->phase1 && |
---|
150 | eap_peap_parse_phase1(data, config->phase1) < 0) { |
---|
151 | eap_peap_deinit(sm, data); |
---|
152 | return NULL; |
---|
153 | } |
---|
154 | |
---|
155 | if (eap_peer_select_phase2_methods(config, "auth=", |
---|
156 | &data->phase2_types, |
---|
157 | &data->num_phase2_types) < 0) { |
---|
158 | eap_peap_deinit(sm, data); |
---|
159 | return NULL; |
---|
160 | } |
---|
161 | |
---|
162 | data->phase2_type.vendor = EAP_VENDOR_IETF; |
---|
163 | data->phase2_type.method = EAP_TYPE_NONE; |
---|
164 | |
---|
165 | if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_PEAP)) { |
---|
166 | wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL."); |
---|
167 | eap_peap_deinit(sm, data); |
---|
168 | return NULL; |
---|
169 | } |
---|
170 | |
---|
171 | return data; |
---|
172 | } |
---|
173 | |
---|
174 | |
---|
175 | static void eap_peap_free_key(struct eap_peap_data *data) |
---|
176 | { |
---|
177 | if (data->key_data) { |
---|
178 | bin_clear_free(data->key_data, EAP_TLS_KEY_LEN); |
---|
179 | data->key_data = NULL; |
---|
180 | } |
---|
181 | } |
---|
182 | |
---|
183 | |
---|
184 | static void eap_peap_deinit(struct eap_sm *sm, void *priv) |
---|
185 | { |
---|
186 | struct eap_peap_data *data = priv; |
---|
187 | if (data == NULL) |
---|
188 | return; |
---|
189 | if (data->phase2_priv && data->phase2_method) |
---|
190 | data->phase2_method->deinit(sm, data->phase2_priv); |
---|
191 | os_free(data->phase2_types); |
---|
192 | eap_peer_tls_ssl_deinit(sm, &data->ssl); |
---|
193 | eap_peap_free_key(data); |
---|
194 | os_free(data->session_id); |
---|
195 | wpabuf_free(data->pending_phase2_req); |
---|
196 | os_free(data); |
---|
197 | } |
---|
198 | |
---|
199 | |
---|
200 | /** |
---|
201 | * eap_tlv_build_nak - Build EAP-TLV NAK message |
---|
202 | * @id: EAP identifier for the header |
---|
203 | * @nak_type: TLV type (EAP_TLV_*) |
---|
204 | * Returns: Buffer to the allocated EAP-TLV NAK message or %NULL on failure |
---|
205 | * |
---|
206 | * This function builds an EAP-TLV NAK message. The caller is responsible for |
---|
207 | * freeing the returned buffer. |
---|
208 | */ |
---|
209 | static struct wpabuf * eap_tlv_build_nak(int id, u16 nak_type) |
---|
210 | { |
---|
211 | struct wpabuf *msg; |
---|
212 | |
---|
213 | msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, 10, |
---|
214 | EAP_CODE_RESPONSE, id); |
---|
215 | if (msg == NULL) |
---|
216 | return NULL; |
---|
217 | |
---|
218 | wpabuf_put_u8(msg, 0x80); /* Mandatory */ |
---|
219 | wpabuf_put_u8(msg, EAP_TLV_NAK_TLV); |
---|
220 | wpabuf_put_be16(msg, 6); /* Length */ |
---|
221 | wpabuf_put_be32(msg, 0); /* Vendor-Id */ |
---|
222 | wpabuf_put_be16(msg, nak_type); /* NAK-Type */ |
---|
223 | |
---|
224 | return msg; |
---|
225 | } |
---|
226 | |
---|
227 | |
---|
228 | static int eap_peap_get_isk(struct eap_sm *sm, struct eap_peap_data *data, |
---|
229 | u8 *isk, size_t isk_len) |
---|
230 | { |
---|
231 | u8 *key; |
---|
232 | size_t key_len; |
---|
233 | |
---|
234 | os_memset(isk, 0, isk_len); |
---|
235 | if (data->phase2_method == NULL || data->phase2_priv == NULL || |
---|
236 | data->phase2_method->isKeyAvailable == NULL || |
---|
237 | data->phase2_method->getKey == NULL) |
---|
238 | return 0; |
---|
239 | |
---|
240 | if (!data->phase2_method->isKeyAvailable(sm, data->phase2_priv) || |
---|
241 | (key = data->phase2_method->getKey(sm, data->phase2_priv, |
---|
242 | &key_len)) == NULL) { |
---|
243 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not get key material " |
---|
244 | "from Phase 2"); |
---|
245 | return -1; |
---|
246 | } |
---|
247 | |
---|
248 | if (key_len > isk_len) |
---|
249 | key_len = isk_len; |
---|
250 | os_memcpy(isk, key, key_len); |
---|
251 | os_free(key); |
---|
252 | |
---|
253 | return 0; |
---|
254 | } |
---|
255 | |
---|
256 | |
---|
257 | static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) |
---|
258 | { |
---|
259 | u8 *tk; |
---|
260 | u8 isk[32], imck[60]; |
---|
261 | |
---|
262 | /* |
---|
263 | * Tunnel key (TK) is the first 60 octets of the key generated by |
---|
264 | * phase 1 of PEAP (based on TLS). |
---|
265 | */ |
---|
266 | tk = data->key_data; |
---|
267 | if (tk == NULL) |
---|
268 | return -1; |
---|
269 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60); |
---|
270 | |
---|
271 | if (data->reauth && |
---|
272 | tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) { |
---|
273 | /* Fast-connect: IPMK|CMK = TK */ |
---|
274 | os_memcpy(data->ipmk, tk, 40); |
---|
275 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK", |
---|
276 | data->ipmk, 40); |
---|
277 | os_memcpy(data->cmk, tk + 40, 20); |
---|
278 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK from TK", |
---|
279 | data->cmk, 20); |
---|
280 | return 0; |
---|
281 | } |
---|
282 | |
---|
283 | if (eap_peap_get_isk(sm, data, isk, sizeof(isk)) < 0) |
---|
284 | return -1; |
---|
285 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk)); |
---|
286 | |
---|
287 | /* |
---|
288 | * IPMK Seed = "Inner Methods Compound Keys" | ISK |
---|
289 | * TempKey = First 40 octets of TK |
---|
290 | * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60) |
---|
291 | * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space |
---|
292 | * in the end of the label just before ISK; is that just a typo?) |
---|
293 | */ |
---|
294 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40); |
---|
295 | if (peap_prfplus(data->peap_version, tk, 40, |
---|
296 | "Inner Methods Compound Keys", |
---|
297 | isk, sizeof(isk), imck, sizeof(imck)) < 0) |
---|
298 | return -1; |
---|
299 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)", |
---|
300 | imck, sizeof(imck)); |
---|
301 | |
---|
302 | os_memcpy(data->ipmk, imck, 40); |
---|
303 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40); |
---|
304 | os_memcpy(data->cmk, imck + 40, 20); |
---|
305 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20); |
---|
306 | |
---|
307 | return 0; |
---|
308 | } |
---|
309 | |
---|
310 | |
---|
311 | static int eap_tlv_add_cryptobinding(struct eap_sm *sm, |
---|
312 | struct eap_peap_data *data, |
---|
313 | struct wpabuf *buf) |
---|
314 | { |
---|
315 | u8 *mac; |
---|
316 | u8 eap_type = EAP_TYPE_PEAP; |
---|
317 | const u8 *addr[2]; |
---|
318 | size_t len[2]; |
---|
319 | u16 tlv_type; |
---|
320 | |
---|
321 | /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ |
---|
322 | addr[0] = wpabuf_put(buf, 0); |
---|
323 | len[0] = 60; |
---|
324 | addr[1] = &eap_type; |
---|
325 | len[1] = 1; |
---|
326 | |
---|
327 | tlv_type = EAP_TLV_CRYPTO_BINDING_TLV; |
---|
328 | wpabuf_put_be16(buf, tlv_type); |
---|
329 | wpabuf_put_be16(buf, 56); |
---|
330 | |
---|
331 | wpabuf_put_u8(buf, 0); /* Reserved */ |
---|
332 | wpabuf_put_u8(buf, data->peap_version); /* Version */ |
---|
333 | wpabuf_put_u8(buf, data->peap_version); /* RecvVersion */ |
---|
334 | wpabuf_put_u8(buf, 1); /* SubType: 0 = Request, 1 = Response */ |
---|
335 | wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */ |
---|
336 | mac = wpabuf_put(buf, 20); /* Compound_MAC */ |
---|
337 | wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK", data->cmk, 20); |
---|
338 | wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1", |
---|
339 | addr[0], len[0]); |
---|
340 | wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2", |
---|
341 | addr[1], len[1]); |
---|
342 | hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac); |
---|
343 | wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC", mac, SHA1_MAC_LEN); |
---|
344 | data->crypto_binding_used = 1; |
---|
345 | |
---|
346 | return 0; |
---|
347 | } |
---|
348 | |
---|
349 | |
---|
350 | /** |
---|
351 | * eap_tlv_build_result - Build EAP-TLV Result message |
---|
352 | * @id: EAP identifier for the header |
---|
353 | * @status: Status (EAP_TLV_RESULT_SUCCESS or EAP_TLV_RESULT_FAILURE) |
---|
354 | * Returns: Buffer to the allocated EAP-TLV Result message or %NULL on failure |
---|
355 | * |
---|
356 | * This function builds an EAP-TLV Result message. The caller is responsible |
---|
357 | * for freeing the returned buffer. |
---|
358 | */ |
---|
359 | static struct wpabuf * eap_tlv_build_result(struct eap_sm *sm, |
---|
360 | struct eap_peap_data *data, |
---|
361 | int crypto_tlv_used, |
---|
362 | int id, u16 status) |
---|
363 | { |
---|
364 | struct wpabuf *msg; |
---|
365 | size_t len; |
---|
366 | |
---|
367 | if (data->crypto_binding == NO_BINDING) |
---|
368 | crypto_tlv_used = 0; |
---|
369 | |
---|
370 | len = 6; |
---|
371 | if (crypto_tlv_used) |
---|
372 | len += 60; /* Cryptobinding TLV */ |
---|
373 | msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, len, |
---|
374 | EAP_CODE_RESPONSE, id); |
---|
375 | if (msg == NULL) |
---|
376 | return NULL; |
---|
377 | |
---|
378 | wpabuf_put_u8(msg, 0x80); /* Mandatory */ |
---|
379 | wpabuf_put_u8(msg, EAP_TLV_RESULT_TLV); |
---|
380 | wpabuf_put_be16(msg, 2); /* Length */ |
---|
381 | wpabuf_put_be16(msg, status); /* Status */ |
---|
382 | |
---|
383 | if (crypto_tlv_used && eap_tlv_add_cryptobinding(sm, data, msg)) { |
---|
384 | wpabuf_free(msg); |
---|
385 | return NULL; |
---|
386 | } |
---|
387 | |
---|
388 | return msg; |
---|
389 | } |
---|
390 | |
---|
391 | |
---|
392 | static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, |
---|
393 | struct eap_peap_data *data, |
---|
394 | const u8 *crypto_tlv, |
---|
395 | size_t crypto_tlv_len) |
---|
396 | { |
---|
397 | u8 buf[61], mac[SHA1_MAC_LEN]; |
---|
398 | const u8 *pos; |
---|
399 | |
---|
400 | if (eap_peap_derive_cmk(sm, data) < 0) { |
---|
401 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not derive CMK"); |
---|
402 | return -1; |
---|
403 | } |
---|
404 | |
---|
405 | if (crypto_tlv_len != 4 + 56) { |
---|
406 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV " |
---|
407 | "length %d", (int) crypto_tlv_len); |
---|
408 | return -1; |
---|
409 | } |
---|
410 | |
---|
411 | pos = crypto_tlv; |
---|
412 | pos += 4; /* TLV header */ |
---|
413 | if (pos[1] != data->peap_version) { |
---|
414 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version " |
---|
415 | "mismatch (was %d; expected %d)", |
---|
416 | pos[1], data->peap_version); |
---|
417 | return -1; |
---|
418 | } |
---|
419 | |
---|
420 | if (pos[3] != 0) { |
---|
421 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV " |
---|
422 | "SubType %d", pos[3]); |
---|
423 | return -1; |
---|
424 | } |
---|
425 | pos += 4; |
---|
426 | os_memcpy(data->binding_nonce, pos, 32); |
---|
427 | pos += 32; /* Nonce */ |
---|
428 | |
---|
429 | /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ |
---|
430 | os_memcpy(buf, crypto_tlv, 60); |
---|
431 | os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */ |
---|
432 | buf[60] = EAP_TYPE_PEAP; |
---|
433 | wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Compound_MAC data", |
---|
434 | buf, sizeof(buf)); |
---|
435 | hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac); |
---|
436 | |
---|
437 | if (os_memcmp_const(mac, pos, SHA1_MAC_LEN) != 0) { |
---|
438 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in " |
---|
439 | "cryptobinding TLV"); |
---|
440 | wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received MAC", |
---|
441 | pos, SHA1_MAC_LEN); |
---|
442 | wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Expected MAC", |
---|
443 | mac, SHA1_MAC_LEN); |
---|
444 | return -1; |
---|
445 | } |
---|
446 | |
---|
447 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received"); |
---|
448 | |
---|
449 | return 0; |
---|
450 | } |
---|
451 | |
---|
452 | |
---|
453 | /** |
---|
454 | * eap_tlv_process - Process a received EAP-TLV message and generate a response |
---|
455 | * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() |
---|
456 | * @ret: Return values from EAP request validation and processing |
---|
457 | * @req: EAP-TLV request to be processed. The caller must have validated that |
---|
458 | * the buffer is large enough to contain full request (hdr->length bytes) and |
---|
459 | * that the EAP type is EAP_TYPE_TLV. |
---|
460 | * @resp: Buffer to return a pointer to the allocated response message. This |
---|
461 | * field should be initialized to %NULL before the call. The value will be |
---|
462 | * updated if a response message is generated. The caller is responsible for |
---|
463 | * freeing the allocated message. |
---|
464 | * @force_failure: Force negotiation to fail |
---|
465 | * Returns: 0 on success, -1 on failure |
---|
466 | */ |
---|
467 | static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, |
---|
468 | struct eap_method_ret *ret, |
---|
469 | const struct wpabuf *req, struct wpabuf **resp, |
---|
470 | int force_failure) |
---|
471 | { |
---|
472 | size_t left, tlv_len; |
---|
473 | const u8 *pos; |
---|
474 | const u8 *result_tlv = NULL, *crypto_tlv = NULL; |
---|
475 | size_t result_tlv_len = 0, crypto_tlv_len = 0; |
---|
476 | int tlv_type, mandatory; |
---|
477 | |
---|
478 | /* Parse TLVs */ |
---|
479 | pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, req, &left); |
---|
480 | if (pos == NULL) |
---|
481 | return -1; |
---|
482 | wpa_hexdump(MSG_DEBUG, "EAP-TLV: Received TLVs", pos, left); |
---|
483 | while (left >= 4) { |
---|
484 | mandatory = !!(pos[0] & 0x80); |
---|
485 | tlv_type = WPA_GET_BE16(pos) & 0x3fff; |
---|
486 | pos += 2; |
---|
487 | tlv_len = WPA_GET_BE16(pos); |
---|
488 | pos += 2; |
---|
489 | left -= 4; |
---|
490 | if (tlv_len > left) { |
---|
491 | wpa_printf(MSG_DEBUG, "EAP-TLV: TLV underrun " |
---|
492 | "(tlv_len=%lu left=%lu)", |
---|
493 | (unsigned long) tlv_len, |
---|
494 | (unsigned long) left); |
---|
495 | return -1; |
---|
496 | } |
---|
497 | switch (tlv_type) { |
---|
498 | case EAP_TLV_RESULT_TLV: |
---|
499 | result_tlv = pos; |
---|
500 | result_tlv_len = tlv_len; |
---|
501 | break; |
---|
502 | case EAP_TLV_CRYPTO_BINDING_TLV: |
---|
503 | crypto_tlv = pos; |
---|
504 | crypto_tlv_len = tlv_len; |
---|
505 | break; |
---|
506 | default: |
---|
507 | wpa_printf(MSG_DEBUG, "EAP-TLV: Unsupported TLV Type " |
---|
508 | "%d%s", tlv_type, |
---|
509 | mandatory ? " (mandatory)" : ""); |
---|
510 | if (mandatory) { |
---|
511 | /* NAK TLV and ignore all TLVs in this packet. |
---|
512 | */ |
---|
513 | *resp = eap_tlv_build_nak(eap_get_id(req), |
---|
514 | tlv_type); |
---|
515 | return *resp == NULL ? -1 : 0; |
---|
516 | } |
---|
517 | /* Ignore this TLV, but process other TLVs */ |
---|
518 | break; |
---|
519 | } |
---|
520 | |
---|
521 | pos += tlv_len; |
---|
522 | left -= tlv_len; |
---|
523 | } |
---|
524 | if (left) { |
---|
525 | wpa_printf(MSG_DEBUG, "EAP-TLV: Last TLV too short in " |
---|
526 | "Request (left=%lu)", (unsigned long) left); |
---|
527 | return -1; |
---|
528 | } |
---|
529 | |
---|
530 | /* Process supported TLVs */ |
---|
531 | if (crypto_tlv && data->crypto_binding != NO_BINDING) { |
---|
532 | wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV", |
---|
533 | crypto_tlv, crypto_tlv_len); |
---|
534 | if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4, |
---|
535 | crypto_tlv_len + 4) < 0) { |
---|
536 | if (result_tlv == NULL) |
---|
537 | return -1; |
---|
538 | force_failure = 1; |
---|
539 | crypto_tlv = NULL; /* do not include Cryptobinding TLV |
---|
540 | * in response, if the received |
---|
541 | * cryptobinding was invalid. */ |
---|
542 | } |
---|
543 | } else if (!crypto_tlv && data->crypto_binding == REQUIRE_BINDING) { |
---|
544 | wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV"); |
---|
545 | return -1; |
---|
546 | } |
---|
547 | |
---|
548 | if (result_tlv) { |
---|
549 | int status, resp_status; |
---|
550 | wpa_hexdump(MSG_DEBUG, "EAP-TLV: Result TLV", |
---|
551 | result_tlv, result_tlv_len); |
---|
552 | if (result_tlv_len < 2) { |
---|
553 | wpa_printf(MSG_INFO, "EAP-TLV: Too short Result TLV " |
---|
554 | "(len=%lu)", |
---|
555 | (unsigned long) result_tlv_len); |
---|
556 | return -1; |
---|
557 | } |
---|
558 | status = WPA_GET_BE16(result_tlv); |
---|
559 | if (status == EAP_TLV_RESULT_SUCCESS) { |
---|
560 | wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Success " |
---|
561 | "- EAP-TLV/Phase2 Completed"); |
---|
562 | if (force_failure) { |
---|
563 | wpa_printf(MSG_INFO, "EAP-TLV: Earlier failure" |
---|
564 | " - force failed Phase 2"); |
---|
565 | resp_status = EAP_TLV_RESULT_FAILURE; |
---|
566 | ret->decision = DECISION_FAIL; |
---|
567 | } else { |
---|
568 | resp_status = EAP_TLV_RESULT_SUCCESS; |
---|
569 | ret->decision = DECISION_UNCOND_SUCC; |
---|
570 | } |
---|
571 | } else if (status == EAP_TLV_RESULT_FAILURE) { |
---|
572 | wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Failure"); |
---|
573 | resp_status = EAP_TLV_RESULT_FAILURE; |
---|
574 | ret->decision = DECISION_FAIL; |
---|
575 | } else { |
---|
576 | wpa_printf(MSG_INFO, "EAP-TLV: Unknown TLV Result " |
---|
577 | "Status %d", status); |
---|
578 | resp_status = EAP_TLV_RESULT_FAILURE; |
---|
579 | ret->decision = DECISION_FAIL; |
---|
580 | } |
---|
581 | ret->methodState = METHOD_DONE; |
---|
582 | |
---|
583 | *resp = eap_tlv_build_result(sm, data, crypto_tlv != NULL, |
---|
584 | eap_get_id(req), resp_status); |
---|
585 | } |
---|
586 | |
---|
587 | return 0; |
---|
588 | } |
---|
589 | |
---|
590 | |
---|
591 | static int eap_peap_phase2_request(struct eap_sm *sm, |
---|
592 | struct eap_peap_data *data, |
---|
593 | struct eap_method_ret *ret, |
---|
594 | struct wpabuf *req, |
---|
595 | struct wpabuf **resp) |
---|
596 | { |
---|
597 | struct eap_hdr *hdr = wpabuf_mhead(req); |
---|
598 | size_t len = be_to_host16(hdr->length); |
---|
599 | u8 *pos; |
---|
600 | struct eap_method_ret iret; |
---|
601 | struct eap_peer_config *config = eap_get_config(sm); |
---|
602 | |
---|
603 | if (len <= sizeof(struct eap_hdr)) { |
---|
604 | wpa_printf(MSG_INFO, "EAP-PEAP: too short " |
---|
605 | "Phase 2 request (len=%lu)", (unsigned long) len); |
---|
606 | return -1; |
---|
607 | } |
---|
608 | pos = (u8 *) (hdr + 1); |
---|
609 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Request: type=%d", *pos); |
---|
610 | switch (*pos) { |
---|
611 | case EAP_TYPE_IDENTITY: |
---|
612 | *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); |
---|
613 | break; |
---|
614 | case EAP_TYPE_TLV: |
---|
615 | os_memset(&iret, 0, sizeof(iret)); |
---|
616 | if (eap_tlv_process(sm, data, &iret, req, resp, |
---|
617 | data->phase2_eap_started && |
---|
618 | !data->phase2_eap_success)) { |
---|
619 | ret->methodState = METHOD_DONE; |
---|
620 | ret->decision = DECISION_FAIL; |
---|
621 | return -1; |
---|
622 | } |
---|
623 | if (iret.methodState == METHOD_DONE || |
---|
624 | iret.methodState == METHOD_MAY_CONT) { |
---|
625 | ret->methodState = iret.methodState; |
---|
626 | ret->decision = iret.decision; |
---|
627 | data->phase2_success = 1; |
---|
628 | } |
---|
629 | break; |
---|
630 | case EAP_TYPE_EXPANDED: |
---|
631 | #ifdef EAP_TNC |
---|
632 | if (data->soh) { |
---|
633 | const u8 *epos; |
---|
634 | size_t eleft; |
---|
635 | |
---|
636 | epos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21, |
---|
637 | req, &eleft); |
---|
638 | if (epos) { |
---|
639 | struct wpabuf *buf; |
---|
640 | wpa_printf(MSG_DEBUG, |
---|
641 | "EAP-PEAP: SoH EAP Extensions"); |
---|
642 | buf = tncc_process_soh_request(data->soh, |
---|
643 | epos, eleft); |
---|
644 | if (buf) { |
---|
645 | *resp = eap_msg_alloc( |
---|
646 | EAP_VENDOR_MICROSOFT, 0x21, |
---|
647 | wpabuf_len(buf), |
---|
648 | EAP_CODE_RESPONSE, |
---|
649 | hdr->identifier); |
---|
650 | if (*resp == NULL) { |
---|
651 | ret->methodState = METHOD_DONE; |
---|
652 | ret->decision = DECISION_FAIL; |
---|
653 | return -1; |
---|
654 | } |
---|
655 | wpabuf_put_buf(*resp, buf); |
---|
656 | wpabuf_free(buf); |
---|
657 | break; |
---|
658 | } |
---|
659 | } |
---|
660 | } |
---|
661 | #endif /* EAP_TNC */ |
---|
662 | /* fall through */ |
---|
663 | default: |
---|
664 | if (data->phase2_type.vendor == EAP_VENDOR_IETF && |
---|
665 | data->phase2_type.method == EAP_TYPE_NONE) { |
---|
666 | size_t i; |
---|
667 | for (i = 0; i < data->num_phase2_types; i++) { |
---|
668 | if (data->phase2_types[i].vendor != |
---|
669 | EAP_VENDOR_IETF || |
---|
670 | data->phase2_types[i].method != *pos) |
---|
671 | continue; |
---|
672 | |
---|
673 | data->phase2_type.vendor = |
---|
674 | data->phase2_types[i].vendor; |
---|
675 | data->phase2_type.method = |
---|
676 | data->phase2_types[i].method; |
---|
677 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Selected " |
---|
678 | "Phase 2 EAP vendor %d method %d", |
---|
679 | data->phase2_type.vendor, |
---|
680 | data->phase2_type.method); |
---|
681 | break; |
---|
682 | } |
---|
683 | } |
---|
684 | if (*pos != data->phase2_type.method || |
---|
685 | *pos == EAP_TYPE_NONE) { |
---|
686 | if (eap_peer_tls_phase2_nak(data->phase2_types, |
---|
687 | data->num_phase2_types, |
---|
688 | hdr, resp)) |
---|
689 | return -1; |
---|
690 | return 0; |
---|
691 | } |
---|
692 | |
---|
693 | if (data->phase2_priv == NULL) { |
---|
694 | data->phase2_method = eap_peer_get_eap_method( |
---|
695 | data->phase2_type.vendor, |
---|
696 | data->phase2_type.method); |
---|
697 | if (data->phase2_method) { |
---|
698 | sm->init_phase2 = 1; |
---|
699 | data->phase2_priv = |
---|
700 | data->phase2_method->init(sm); |
---|
701 | sm->init_phase2 = 0; |
---|
702 | } |
---|
703 | } |
---|
704 | if (data->phase2_priv == NULL || data->phase2_method == NULL) { |
---|
705 | wpa_printf(MSG_INFO, "EAP-PEAP: failed to initialize " |
---|
706 | "Phase 2 EAP method %d", *pos); |
---|
707 | ret->methodState = METHOD_DONE; |
---|
708 | ret->decision = DECISION_FAIL; |
---|
709 | return -1; |
---|
710 | } |
---|
711 | data->phase2_eap_started = 1; |
---|
712 | os_memset(&iret, 0, sizeof(iret)); |
---|
713 | *resp = data->phase2_method->process(sm, data->phase2_priv, |
---|
714 | &iret, req); |
---|
715 | if ((iret.methodState == METHOD_DONE || |
---|
716 | iret.methodState == METHOD_MAY_CONT) && |
---|
717 | (iret.decision == DECISION_UNCOND_SUCC || |
---|
718 | iret.decision == DECISION_COND_SUCC)) { |
---|
719 | data->phase2_eap_success = 1; |
---|
720 | data->phase2_success = 1; |
---|
721 | } |
---|
722 | break; |
---|
723 | } |
---|
724 | |
---|
725 | if (*resp == NULL && |
---|
726 | (config->pending_req_identity || config->pending_req_password || |
---|
727 | config->pending_req_otp || config->pending_req_new_password)) { |
---|
728 | wpabuf_free(data->pending_phase2_req); |
---|
729 | data->pending_phase2_req = wpabuf_alloc_copy(hdr, len); |
---|
730 | } |
---|
731 | |
---|
732 | return 0; |
---|
733 | } |
---|
734 | |
---|
735 | |
---|
736 | static int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data, |
---|
737 | struct eap_method_ret *ret, |
---|
738 | const struct eap_hdr *req, |
---|
739 | const struct wpabuf *in_data, |
---|
740 | struct wpabuf **out_data) |
---|
741 | { |
---|
742 | struct wpabuf *in_decrypted = NULL; |
---|
743 | int res, skip_change = 0; |
---|
744 | struct eap_hdr *hdr, *rhdr; |
---|
745 | struct wpabuf *resp = NULL; |
---|
746 | size_t len; |
---|
747 | |
---|
748 | wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for" |
---|
749 | " Phase 2", (unsigned long) wpabuf_len(in_data)); |
---|
750 | |
---|
751 | if (data->pending_phase2_req) { |
---|
752 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 request - " |
---|
753 | "skip decryption and use old data"); |
---|
754 | /* Clear TLS reassembly state. */ |
---|
755 | eap_peer_tls_reset_input(&data->ssl); |
---|
756 | in_decrypted = data->pending_phase2_req; |
---|
757 | data->pending_phase2_req = NULL; |
---|
758 | skip_change = 1; |
---|
759 | goto continue_req; |
---|
760 | } |
---|
761 | |
---|
762 | if (wpabuf_len(in_data) == 0 && sm->workaround && |
---|
763 | data->phase2_success) { |
---|
764 | /* |
---|
765 | * Cisco ACS seems to be using TLS ACK to terminate |
---|
766 | * EAP-PEAPv0/GTC. Try to reply with TLS ACK. |
---|
767 | */ |
---|
768 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Received TLS ACK, but " |
---|
769 | "expected data - acknowledge with TLS ACK since " |
---|
770 | "Phase 2 has been completed"); |
---|
771 | ret->decision = DECISION_COND_SUCC; |
---|
772 | ret->methodState = METHOD_DONE; |
---|
773 | return 1; |
---|
774 | } else if (wpabuf_len(in_data) == 0) { |
---|
775 | /* Received TLS ACK - requesting more fragments */ |
---|
776 | return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, |
---|
777 | data->peap_version, |
---|
778 | req->identifier, NULL, out_data); |
---|
779 | } |
---|
780 | |
---|
781 | res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); |
---|
782 | if (res) |
---|
783 | return res; |
---|
784 | |
---|
785 | continue_req: |
---|
786 | wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP", |
---|
787 | in_decrypted); |
---|
788 | |
---|
789 | hdr = wpabuf_mhead(in_decrypted); |
---|
790 | if (wpabuf_len(in_decrypted) == 5 && hdr->code == EAP_CODE_REQUEST && |
---|
791 | be_to_host16(hdr->length) == 5 && |
---|
792 | eap_get_type(in_decrypted) == EAP_TYPE_IDENTITY) { |
---|
793 | /* At least FreeRADIUS seems to send full EAP header with |
---|
794 | * EAP Request Identity */ |
---|
795 | skip_change = 1; |
---|
796 | } |
---|
797 | if (wpabuf_len(in_decrypted) >= 5 && hdr->code == EAP_CODE_REQUEST && |
---|
798 | eap_get_type(in_decrypted) == EAP_TYPE_TLV) { |
---|
799 | skip_change = 1; |
---|
800 | } |
---|
801 | |
---|
802 | if (data->peap_version == 0 && !skip_change) { |
---|
803 | struct eap_hdr *nhdr; |
---|
804 | struct wpabuf *nmsg = wpabuf_alloc(sizeof(struct eap_hdr) + |
---|
805 | wpabuf_len(in_decrypted)); |
---|
806 | if (nmsg == NULL) { |
---|
807 | wpabuf_free(in_decrypted); |
---|
808 | return 0; |
---|
809 | } |
---|
810 | nhdr = wpabuf_put(nmsg, sizeof(*nhdr)); |
---|
811 | wpabuf_put_buf(nmsg, in_decrypted); |
---|
812 | nhdr->code = req->code; |
---|
813 | nhdr->identifier = req->identifier; |
---|
814 | nhdr->length = host_to_be16(sizeof(struct eap_hdr) + |
---|
815 | wpabuf_len(in_decrypted)); |
---|
816 | |
---|
817 | wpabuf_free(in_decrypted); |
---|
818 | in_decrypted = nmsg; |
---|
819 | } |
---|
820 | |
---|
821 | hdr = wpabuf_mhead(in_decrypted); |
---|
822 | if (wpabuf_len(in_decrypted) < sizeof(*hdr)) { |
---|
823 | wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 " |
---|
824 | "EAP frame (len=%lu)", |
---|
825 | (unsigned long) wpabuf_len(in_decrypted)); |
---|
826 | wpabuf_free(in_decrypted); |
---|
827 | return 0; |
---|
828 | } |
---|
829 | len = be_to_host16(hdr->length); |
---|
830 | if (len > wpabuf_len(in_decrypted)) { |
---|
831 | wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in " |
---|
832 | "Phase 2 EAP frame (len=%lu hdr->length=%lu)", |
---|
833 | (unsigned long) wpabuf_len(in_decrypted), |
---|
834 | (unsigned long) len); |
---|
835 | wpabuf_free(in_decrypted); |
---|
836 | return 0; |
---|
837 | } |
---|
838 | if (len < wpabuf_len(in_decrypted)) { |
---|
839 | wpa_printf(MSG_INFO, "EAP-PEAP: Odd.. Phase 2 EAP header has " |
---|
840 | "shorter length than full decrypted data " |
---|
841 | "(%lu < %lu)", |
---|
842 | (unsigned long) len, |
---|
843 | (unsigned long) wpabuf_len(in_decrypted)); |
---|
844 | } |
---|
845 | wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d " |
---|
846 | "identifier=%d length=%lu", hdr->code, hdr->identifier, |
---|
847 | (unsigned long) len); |
---|
848 | switch (hdr->code) { |
---|
849 | case EAP_CODE_REQUEST: |
---|
850 | if (eap_peap_phase2_request(sm, data, ret, in_decrypted, |
---|
851 | &resp)) { |
---|
852 | wpabuf_free(in_decrypted); |
---|
853 | wpa_printf(MSG_INFO, "EAP-PEAP: Phase2 Request " |
---|
854 | "processing failed"); |
---|
855 | return 0; |
---|
856 | } |
---|
857 | break; |
---|
858 | case EAP_CODE_SUCCESS: |
---|
859 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success"); |
---|
860 | if (data->peap_version == 1) { |
---|
861 | /* EAP-Success within TLS tunnel is used to indicate |
---|
862 | * shutdown of the TLS channel. The authentication has |
---|
863 | * been completed. */ |
---|
864 | if (data->phase2_eap_started && |
---|
865 | !data->phase2_eap_success) { |
---|
866 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " |
---|
867 | "Success used to indicate success, " |
---|
868 | "but Phase 2 EAP was not yet " |
---|
869 | "completed successfully"); |
---|
870 | ret->methodState = METHOD_DONE; |
---|
871 | ret->decision = DECISION_FAIL; |
---|
872 | wpabuf_free(in_decrypted); |
---|
873 | return 0; |
---|
874 | } |
---|
875 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Version 1 - " |
---|
876 | "EAP-Success within TLS tunnel - " |
---|
877 | "authentication completed"); |
---|
878 | ret->decision = DECISION_UNCOND_SUCC; |
---|
879 | ret->methodState = METHOD_DONE; |
---|
880 | data->phase2_success = 1; |
---|
881 | if (data->peap_outer_success == 2) { |
---|
882 | wpabuf_free(in_decrypted); |
---|
883 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Use TLS ACK " |
---|
884 | "to finish authentication"); |
---|
885 | return 1; |
---|
886 | } else if (data->peap_outer_success == 1) { |
---|
887 | /* Reply with EAP-Success within the TLS |
---|
888 | * channel to complete the authentication. */ |
---|
889 | resp = wpabuf_alloc(sizeof(struct eap_hdr)); |
---|
890 | if (resp) { |
---|
891 | rhdr = wpabuf_put(resp, sizeof(*rhdr)); |
---|
892 | rhdr->code = EAP_CODE_SUCCESS; |
---|
893 | rhdr->identifier = hdr->identifier; |
---|
894 | rhdr->length = |
---|
895 | host_to_be16(sizeof(*rhdr)); |
---|
896 | } |
---|
897 | } else { |
---|
898 | /* No EAP-Success expected for Phase 1 (outer, |
---|
899 | * unencrypted auth), so force EAP state |
---|
900 | * machine to SUCCESS state. */ |
---|
901 | sm->peap_done = TRUE; |
---|
902 | } |
---|
903 | } else { |
---|
904 | /* FIX: ? */ |
---|
905 | } |
---|
906 | break; |
---|
907 | case EAP_CODE_FAILURE: |
---|
908 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure"); |
---|
909 | ret->decision = DECISION_FAIL; |
---|
910 | ret->methodState = METHOD_MAY_CONT; |
---|
911 | ret->allowNotifications = FALSE; |
---|
912 | /* Reply with EAP-Failure within the TLS channel to complete |
---|
913 | * failure reporting. */ |
---|
914 | resp = wpabuf_alloc(sizeof(struct eap_hdr)); |
---|
915 | if (resp) { |
---|
916 | rhdr = wpabuf_put(resp, sizeof(*rhdr)); |
---|
917 | rhdr->code = EAP_CODE_FAILURE; |
---|
918 | rhdr->identifier = hdr->identifier; |
---|
919 | rhdr->length = host_to_be16(sizeof(*rhdr)); |
---|
920 | } |
---|
921 | break; |
---|
922 | default: |
---|
923 | wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in " |
---|
924 | "Phase 2 EAP header", hdr->code); |
---|
925 | break; |
---|
926 | } |
---|
927 | |
---|
928 | wpabuf_free(in_decrypted); |
---|
929 | |
---|
930 | if (resp) { |
---|
931 | int skip_change2 = 0; |
---|
932 | struct wpabuf *rmsg, buf; |
---|
933 | |
---|
934 | wpa_hexdump_buf_key(MSG_DEBUG, |
---|
935 | "EAP-PEAP: Encrypting Phase 2 data", resp); |
---|
936 | /* PEAP version changes */ |
---|
937 | if (wpabuf_len(resp) >= 5 && |
---|
938 | wpabuf_head_u8(resp)[0] == EAP_CODE_RESPONSE && |
---|
939 | eap_get_type(resp) == EAP_TYPE_TLV) |
---|
940 | skip_change2 = 1; |
---|
941 | rmsg = resp; |
---|
942 | if (data->peap_version == 0 && !skip_change2) { |
---|
943 | wpabuf_set(&buf, wpabuf_head_u8(resp) + |
---|
944 | sizeof(struct eap_hdr), |
---|
945 | wpabuf_len(resp) - sizeof(struct eap_hdr)); |
---|
946 | rmsg = &buf; |
---|
947 | } |
---|
948 | |
---|
949 | if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, |
---|
950 | data->peap_version, req->identifier, |
---|
951 | rmsg, out_data)) { |
---|
952 | wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt " |
---|
953 | "a Phase 2 frame"); |
---|
954 | } |
---|
955 | wpabuf_free(resp); |
---|
956 | } |
---|
957 | |
---|
958 | return 0; |
---|
959 | } |
---|
960 | |
---|
961 | |
---|
962 | static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, |
---|
963 | struct eap_method_ret *ret, |
---|
964 | const struct wpabuf *reqData) |
---|
965 | { |
---|
966 | const struct eap_hdr *req; |
---|
967 | size_t left; |
---|
968 | int res; |
---|
969 | u8 flags, id; |
---|
970 | struct wpabuf *resp; |
---|
971 | const u8 *pos; |
---|
972 | struct eap_peap_data *data = priv; |
---|
973 | struct wpabuf msg; |
---|
974 | |
---|
975 | pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_PEAP, ret, |
---|
976 | reqData, &left, &flags); |
---|
977 | if (pos == NULL) |
---|
978 | return NULL; |
---|
979 | req = wpabuf_head(reqData); |
---|
980 | id = req->identifier; |
---|
981 | |
---|
982 | if (flags & EAP_TLS_FLAGS_START) { |
---|
983 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Start (server ver=%d, own " |
---|
984 | "ver=%d)", flags & EAP_TLS_VERSION_MASK, |
---|
985 | data->peap_version); |
---|
986 | if ((flags & EAP_TLS_VERSION_MASK) < data->peap_version) |
---|
987 | data->peap_version = flags & EAP_TLS_VERSION_MASK; |
---|
988 | if (data->force_peap_version >= 0 && |
---|
989 | data->force_peap_version != data->peap_version) { |
---|
990 | wpa_printf(MSG_WARNING, "EAP-PEAP: Failed to select " |
---|
991 | "forced PEAP version %d", |
---|
992 | data->force_peap_version); |
---|
993 | ret->methodState = METHOD_DONE; |
---|
994 | ret->decision = DECISION_FAIL; |
---|
995 | ret->allowNotifications = FALSE; |
---|
996 | return NULL; |
---|
997 | } |
---|
998 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Using PEAP version %d", |
---|
999 | data->peap_version); |
---|
1000 | left = 0; /* make sure that this frame is empty, even though it |
---|
1001 | * should always be, anyway */ |
---|
1002 | } |
---|
1003 | |
---|
1004 | wpabuf_set(&msg, pos, left); |
---|
1005 | |
---|
1006 | resp = NULL; |
---|
1007 | if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && |
---|
1008 | !data->resuming) { |
---|
1009 | res = eap_peap_decrypt(sm, data, ret, req, &msg, &resp); |
---|
1010 | } else { |
---|
1011 | res = eap_peer_tls_process_helper(sm, &data->ssl, |
---|
1012 | EAP_TYPE_PEAP, |
---|
1013 | data->peap_version, id, &msg, |
---|
1014 | &resp); |
---|
1015 | |
---|
1016 | if (res < 0) { |
---|
1017 | wpa_printf(MSG_DEBUG, |
---|
1018 | "EAP-PEAP: TLS processing failed"); |
---|
1019 | ret->methodState = METHOD_DONE; |
---|
1020 | ret->decision = DECISION_FAIL; |
---|
1021 | return resp; |
---|
1022 | } |
---|
1023 | if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { |
---|
1024 | char *label; |
---|
1025 | wpa_printf(MSG_DEBUG, |
---|
1026 | "EAP-PEAP: TLS done, proceed to Phase 2"); |
---|
1027 | eap_peap_free_key(data); |
---|
1028 | /* draft-josefsson-ppext-eap-tls-eap-05.txt |
---|
1029 | * specifies that PEAPv1 would use "client PEAP |
---|
1030 | * encryption" as the label. However, most existing |
---|
1031 | * PEAPv1 implementations seem to be using the old |
---|
1032 | * label, "client EAP encryption", instead. Use the old |
---|
1033 | * label by default, but allow it to be configured with |
---|
1034 | * phase1 parameter peaplabel=1. */ |
---|
1035 | if (data->force_new_label) |
---|
1036 | label = "client PEAP encryption"; |
---|
1037 | else |
---|
1038 | label = "client EAP encryption"; |
---|
1039 | wpa_printf(MSG_DEBUG, "EAP-PEAP: using label '%s' in " |
---|
1040 | "key derivation", label); |
---|
1041 | data->key_data = |
---|
1042 | eap_peer_tls_derive_key(sm, &data->ssl, label, |
---|
1043 | EAP_TLS_KEY_LEN); |
---|
1044 | if (data->key_data) { |
---|
1045 | wpa_hexdump_key(MSG_DEBUG, |
---|
1046 | "EAP-PEAP: Derived key", |
---|
1047 | data->key_data, |
---|
1048 | EAP_TLS_KEY_LEN); |
---|
1049 | } else { |
---|
1050 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to " |
---|
1051 | "derive key"); |
---|
1052 | } |
---|
1053 | |
---|
1054 | os_free(data->session_id); |
---|
1055 | data->session_id = |
---|
1056 | eap_peer_tls_derive_session_id(sm, &data->ssl, |
---|
1057 | EAP_TYPE_PEAP, |
---|
1058 | &data->id_len); |
---|
1059 | if (data->session_id) { |
---|
1060 | wpa_hexdump(MSG_DEBUG, |
---|
1061 | "EAP-PEAP: Derived Session-Id", |
---|
1062 | data->session_id, data->id_len); |
---|
1063 | } else { |
---|
1064 | wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to " |
---|
1065 | "derive Session-Id"); |
---|
1066 | } |
---|
1067 | |
---|
1068 | if (sm->workaround && data->resuming) { |
---|
1069 | /* |
---|
1070 | * At least few RADIUS servers (Aegis v1.1.6; |
---|
1071 | * but not v1.1.4; and Cisco ACS) seem to be |
---|
1072 | * terminating PEAPv1 (Aegis) or PEAPv0 (Cisco |
---|
1073 | * ACS) session resumption with outer |
---|
1074 | * EAP-Success. This does not seem to follow |
---|
1075 | * draft-josefsson-pppext-eap-tls-eap-05.txt |
---|
1076 | * section 4.2, so only allow this if EAP |
---|
1077 | * workarounds are enabled. |
---|
1078 | */ |
---|
1079 | wpa_printf(MSG_DEBUG, "EAP-PEAP: Workaround - " |
---|
1080 | "allow outer EAP-Success to " |
---|
1081 | "terminate PEAP resumption"); |
---|
1082 | ret->decision = DECISION_COND_SUCC; |
---|
1083 | data->phase2_success = 1; |
---|
1084 | } |
---|
1085 | |
---|
1086 | data->resuming = 0; |
---|
1087 | } |
---|
1088 | |
---|
1089 | if (res == 2) { |
---|
1090 | /* |
---|
1091 | * Application data included in the handshake message. |
---|
1092 | */ |
---|
1093 | wpabuf_free(data->pending_phase2_req); |
---|
1094 | data->pending_phase2_req = resp; |
---|
1095 | resp = NULL; |
---|
1096 | res = eap_peap_decrypt(sm, data, ret, req, &msg, |
---|
1097 | &resp); |
---|
1098 | } |
---|
1099 | } |
---|
1100 | |
---|
1101 | if (ret->methodState == METHOD_DONE) { |
---|
1102 | ret->allowNotifications = FALSE; |
---|
1103 | } |
---|
1104 | |
---|
1105 | if (res == 1) { |
---|
1106 | wpabuf_free(resp); |
---|
1107 | return eap_peer_tls_build_ack(id, EAP_TYPE_PEAP, |
---|
1108 | data->peap_version); |
---|
1109 | } |
---|
1110 | |
---|
1111 | return resp; |
---|
1112 | } |
---|
1113 | |
---|
1114 | |
---|
1115 | static Boolean eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) |
---|
1116 | { |
---|
1117 | struct eap_peap_data *data = priv; |
---|
1118 | return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && |
---|
1119 | data->phase2_success; |
---|
1120 | } |
---|
1121 | |
---|
1122 | |
---|
1123 | static void eap_peap_deinit_for_reauth(struct eap_sm *sm, void *priv) |
---|
1124 | { |
---|
1125 | struct eap_peap_data *data = priv; |
---|
1126 | wpabuf_free(data->pending_phase2_req); |
---|
1127 | data->pending_phase2_req = NULL; |
---|
1128 | data->crypto_binding_used = 0; |
---|
1129 | } |
---|
1130 | |
---|
1131 | |
---|
1132 | static void * eap_peap_init_for_reauth(struct eap_sm *sm, void *priv) |
---|
1133 | { |
---|
1134 | struct eap_peap_data *data = priv; |
---|
1135 | eap_peap_free_key(data); |
---|
1136 | os_free(data->session_id); |
---|
1137 | data->session_id = NULL; |
---|
1138 | if (eap_peer_tls_reauth_init(sm, &data->ssl)) { |
---|
1139 | os_free(data); |
---|
1140 | return NULL; |
---|
1141 | } |
---|
1142 | if (data->phase2_priv && data->phase2_method && |
---|
1143 | data->phase2_method->init_for_reauth) |
---|
1144 | data->phase2_method->init_for_reauth(sm, data->phase2_priv); |
---|
1145 | data->phase2_success = 0; |
---|
1146 | data->phase2_eap_success = 0; |
---|
1147 | data->phase2_eap_started = 0; |
---|
1148 | data->resuming = 1; |
---|
1149 | data->reauth = 1; |
---|
1150 | sm->peap_done = FALSE; |
---|
1151 | return priv; |
---|
1152 | } |
---|
1153 | |
---|
1154 | |
---|
1155 | static int eap_peap_get_status(struct eap_sm *sm, void *priv, char *buf, |
---|
1156 | size_t buflen, int verbose) |
---|
1157 | { |
---|
1158 | struct eap_peap_data *data = priv; |
---|
1159 | int len, ret; |
---|
1160 | |
---|
1161 | len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); |
---|
1162 | if (data->phase2_method) { |
---|
1163 | ret = os_snprintf(buf + len, buflen - len, |
---|
1164 | "EAP-PEAPv%d Phase2 method=%s\n", |
---|
1165 | data->peap_version, |
---|
1166 | data->phase2_method->name); |
---|
1167 | if (os_snprintf_error(buflen - len, ret)) |
---|
1168 | return len; |
---|
1169 | len += ret; |
---|
1170 | } |
---|
1171 | return len; |
---|
1172 | } |
---|
1173 | |
---|
1174 | |
---|
1175 | static Boolean eap_peap_isKeyAvailable(struct eap_sm *sm, void *priv) |
---|
1176 | { |
---|
1177 | struct eap_peap_data *data = priv; |
---|
1178 | return data->key_data != NULL && data->phase2_success; |
---|
1179 | } |
---|
1180 | |
---|
1181 | |
---|
1182 | static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len) |
---|
1183 | { |
---|
1184 | struct eap_peap_data *data = priv; |
---|
1185 | u8 *key; |
---|
1186 | |
---|
1187 | if (data->key_data == NULL || !data->phase2_success) |
---|
1188 | return NULL; |
---|
1189 | |
---|
1190 | key = os_malloc(EAP_TLS_KEY_LEN); |
---|
1191 | if (key == NULL) |
---|
1192 | return NULL; |
---|
1193 | |
---|
1194 | *len = EAP_TLS_KEY_LEN; |
---|
1195 | |
---|
1196 | if (data->crypto_binding_used) { |
---|
1197 | u8 csk[128]; |
---|
1198 | /* |
---|
1199 | * Note: It looks like Microsoft implementation requires null |
---|
1200 | * termination for this label while the one used for deriving |
---|
1201 | * IPMK|CMK did not use null termination. |
---|
1202 | */ |
---|
1203 | if (peap_prfplus(data->peap_version, data->ipmk, 40, |
---|
1204 | "Session Key Generating Function", |
---|
1205 | (u8 *) "\00", 1, csk, sizeof(csk)) < 0) { |
---|
1206 | os_free(key); |
---|
1207 | return NULL; |
---|
1208 | } |
---|
1209 | wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk)); |
---|
1210 | os_memcpy(key, csk, EAP_TLS_KEY_LEN); |
---|
1211 | wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key", |
---|
1212 | key, EAP_TLS_KEY_LEN); |
---|
1213 | } else |
---|
1214 | os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); |
---|
1215 | |
---|
1216 | return key; |
---|
1217 | } |
---|
1218 | |
---|
1219 | |
---|
1220 | static u8 * eap_peap_get_session_id(struct eap_sm *sm, void *priv, size_t *len) |
---|
1221 | { |
---|
1222 | struct eap_peap_data *data = priv; |
---|
1223 | u8 *id; |
---|
1224 | |
---|
1225 | if (data->session_id == NULL || !data->phase2_success) |
---|
1226 | return NULL; |
---|
1227 | |
---|
1228 | id = os_malloc(data->id_len); |
---|
1229 | if (id == NULL) |
---|
1230 | return NULL; |
---|
1231 | |
---|
1232 | *len = data->id_len; |
---|
1233 | os_memcpy(id, data->session_id, data->id_len); |
---|
1234 | |
---|
1235 | return id; |
---|
1236 | } |
---|
1237 | |
---|
1238 | |
---|
1239 | int eap_peer_peap_register(void) |
---|
1240 | { |
---|
1241 | struct eap_method *eap; |
---|
1242 | int ret; |
---|
1243 | |
---|
1244 | eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, |
---|
1245 | EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP"); |
---|
1246 | if (eap == NULL) |
---|
1247 | return -1; |
---|
1248 | |
---|
1249 | eap->init = eap_peap_init; |
---|
1250 | eap->deinit = eap_peap_deinit; |
---|
1251 | eap->process = eap_peap_process; |
---|
1252 | eap->isKeyAvailable = eap_peap_isKeyAvailable; |
---|
1253 | eap->getKey = eap_peap_getKey; |
---|
1254 | eap->get_status = eap_peap_get_status; |
---|
1255 | eap->has_reauth_data = eap_peap_has_reauth_data; |
---|
1256 | eap->deinit_for_reauth = eap_peap_deinit_for_reauth; |
---|
1257 | eap->init_for_reauth = eap_peap_init_for_reauth; |
---|
1258 | eap->getSessionId = eap_peap_get_session_id; |
---|
1259 | |
---|
1260 | ret = eap_peer_method_register(eap); |
---|
1261 | if (ret) |
---|
1262 | eap_peer_method_free(eap); |
---|
1263 | return ret; |
---|
1264 | } |
---|