2 * EAP peer method: EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt)
3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
18 #include "crypto/sha1.h"
20 #include "eap_tls_common.h"
21 #include "eap_config.h"
23 #include "eap_common/eap_tlv_common.h"
27 /* Maximum supported PEAP version
28 * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
29 * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt
30 * 2 = draft-josefsson-ppext-eap-tls-eap-10.txt
32 #define EAP_PEAP_VERSION 1
35 static void eap_peap_deinit(struct eap_sm
*sm
, void *priv
);
38 struct eap_peap_data
{
39 struct eap_ssl_data ssl
;
41 int peap_version
, force_peap_version
, force_new_label
;
43 const struct eap_method
*phase2_method
;
46 int phase2_eap_success
;
47 int phase2_eap_started
;
49 struct eap_method_type phase2_type
;
50 struct eap_method_type
*phase2_types
;
51 size_t num_phase2_types
;
53 int peap_outer_success
; /* 0 = PEAP terminated on Phase 2 inner
55 * 1 = reply with tunneled EAP-Success to inner
56 * EAP-Success and expect AS to send outer
57 * (unencrypted) EAP-Success after this
58 * 2 = reply with PEAP/TLS ACK to inner
59 * EAP-Success and expect AS to send outer
60 * (unencrypted) EAP-Success after this */
61 int resuming
; /* starting a resumed session */
64 struct wpabuf
*pending_phase2_req
;
65 enum { NO_BINDING
, OPTIONAL_BINDING
, REQUIRE_BINDING
} crypto_binding
;
66 int crypto_binding_used
;
69 int soh
; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
74 static int eap_peap_parse_phase1(struct eap_peap_data
*data
,
79 pos
= os_strstr(phase1
, "peapver=");
81 data
->force_peap_version
= atoi(pos
+ 8);
82 data
->peap_version
= data
->force_peap_version
;
83 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Forced PEAP version %d",
84 data
->force_peap_version
);
87 if (os_strstr(phase1
, "peaplabel=1")) {
88 data
->force_new_label
= 1;
89 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Force new label for key "
93 if (os_strstr(phase1
, "peap_outer_success=0")) {
94 data
->peap_outer_success
= 0;
95 wpa_printf(MSG_DEBUG
, "EAP-PEAP: terminate authentication on "
96 "tunneled EAP-Success");
97 } else if (os_strstr(phase1
, "peap_outer_success=1")) {
98 data
->peap_outer_success
= 1;
99 wpa_printf(MSG_DEBUG
, "EAP-PEAP: send tunneled EAP-Success "
100 "after receiving tunneled EAP-Success");
101 } else if (os_strstr(phase1
, "peap_outer_success=2")) {
102 data
->peap_outer_success
= 2;
103 wpa_printf(MSG_DEBUG
, "EAP-PEAP: send PEAP/TLS ACK after "
104 "receiving tunneled EAP-Success");
107 if (os_strstr(phase1
, "crypto_binding=0")) {
108 data
->crypto_binding
= NO_BINDING
;
109 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Do not use cryptobinding");
110 } else if (os_strstr(phase1
, "crypto_binding=1")) {
111 data
->crypto_binding
= OPTIONAL_BINDING
;
112 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Optional cryptobinding");
113 } else if (os_strstr(phase1
, "crypto_binding=2")) {
114 data
->crypto_binding
= REQUIRE_BINDING
;
115 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Require cryptobinding");
119 if (os_strstr(phase1
, "tnc=soh")) {
121 wpa_printf(MSG_DEBUG
, "EAP-PEAP: SoH enabled");
129 static void * eap_peap_init(struct eap_sm
*sm
)
131 struct eap_peap_data
*data
;
132 struct eap_peer_config
*config
= eap_get_config(sm
);
134 data
= os_zalloc(sizeof(*data
));
137 sm
->peap_done
= FALSE
;
138 data
->peap_version
= EAP_PEAP_VERSION
;
139 data
->force_peap_version
= -1;
140 data
->peap_outer_success
= 2;
141 data
->crypto_binding
= OPTIONAL_BINDING
;
143 if (config
&& config
->phase1
&&
144 eap_peap_parse_phase1(data
, config
->phase1
) < 0) {
145 eap_peap_deinit(sm
, data
);
149 if (eap_peer_select_phase2_methods(config
, "auth=",
151 &data
->num_phase2_types
) < 0) {
152 eap_peap_deinit(sm
, data
);
156 data
->phase2_type
.vendor
= EAP_VENDOR_IETF
;
157 data
->phase2_type
.method
= EAP_TYPE_NONE
;
159 if (eap_peer_tls_ssl_init(sm
, &data
->ssl
, config
)) {
160 wpa_printf(MSG_INFO
, "EAP-PEAP: Failed to initialize SSL.");
161 eap_peap_deinit(sm
, data
);
169 static void eap_peap_deinit(struct eap_sm
*sm
, void *priv
)
171 struct eap_peap_data
*data
= priv
;
174 if (data
->phase2_priv
&& data
->phase2_method
)
175 data
->phase2_method
->deinit(sm
, data
->phase2_priv
);
176 os_free(data
->phase2_types
);
177 eap_peer_tls_ssl_deinit(sm
, &data
->ssl
);
178 os_free(data
->key_data
);
179 wpabuf_free(data
->pending_phase2_req
);
185 * eap_tlv_build_nak - Build EAP-TLV NAK message
186 * @id: EAP identifier for the header
187 * @nak_type: TLV type (EAP_TLV_*)
188 * Returns: Buffer to the allocated EAP-TLV NAK message or %NULL on failure
190 * This funtion builds an EAP-TLV NAK message. The caller is responsible for
191 * freeing the returned buffer.
193 static struct wpabuf
* eap_tlv_build_nak(int id
, u16 nak_type
)
197 msg
= eap_msg_alloc(EAP_VENDOR_IETF
, EAP_TYPE_TLV
, 10,
198 EAP_CODE_RESPONSE
, id
);
202 wpabuf_put_u8(msg
, 0x80); /* Mandatory */
203 wpabuf_put_u8(msg
, EAP_TLV_NAK_TLV
);
204 wpabuf_put_be16(msg
, 6); /* Length */
205 wpabuf_put_be32(msg
, 0); /* Vendor-Id */
206 wpabuf_put_be16(msg
, nak_type
); /* NAK-Type */
212 static int eap_peap_get_isk(struct eap_sm
*sm
, struct eap_peap_data
*data
,
213 u8
*isk
, size_t isk_len
)
218 os_memset(isk
, 0, isk_len
);
219 if (data
->phase2_method
== NULL
|| data
->phase2_priv
== NULL
||
220 data
->phase2_method
->isKeyAvailable
== NULL
||
221 data
->phase2_method
->getKey
== NULL
)
224 if (!data
->phase2_method
->isKeyAvailable(sm
, data
->phase2_priv
) ||
225 (key
= data
->phase2_method
->getKey(sm
, data
->phase2_priv
,
226 &key_len
)) == NULL
) {
227 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Could not get key material "
233 data
->phase2_method
->vendor
== EAP_VENDOR_IETF
&&
234 data
->phase2_method
->method
== EAP_TYPE_MSCHAPV2
) {
236 * Microsoft uses reverse order for MS-MPPE keys in
237 * EAP-PEAP when compared to EAP-FAST derivation of
238 * ISK. Swap the keys here to get the correct ISK for
239 * EAP-PEAPv0 cryptobinding.
242 os_memcpy(tmp
, key
, 16);
243 os_memcpy(key
, key
+ 16, 16);
244 os_memcpy(key
+ 16, tmp
, 16);
247 if (key_len
> isk_len
)
249 os_memcpy(isk
, key
, key_len
);
256 void peap_prfplus(int version
, const u8
*key
, size_t key_len
,
257 const char *label
, const u8
*seed
, size_t seed_len
,
258 u8
*buf
, size_t buf_len
)
260 unsigned char counter
= 0;
262 u8 hash
[SHA1_MAC_LEN
];
263 size_t label_len
= os_strlen(label
);
265 const unsigned char *addr
[5];
270 addr
[1] = (unsigned char *) label
;
277 * PRF+(K, S, LEN) = T1 | T2 | ... | Tn
278 * T1 = HMAC-SHA1(K, S | 0x01 | 0x00 | 0x00)
279 * T2 = HMAC-SHA1(K, T1 | S | 0x02 | 0x00 | 0x00)
281 * Tn = HMAC-SHA1(K, Tn-1 | S | n | 0x00 | 0x00)
293 * PRF (K,S,LEN) = T1 | T2 | T3 | T4 | ... where:
294 * T1 = HMAC-SHA1(K, S | LEN | 0x01)
295 * T2 = HMAC-SHA1 (K, T1 | S | LEN | 0x02)
296 * T3 = HMAC-SHA1 (K, T2 | S | LEN | 0x03)
297 * T4 = HMAC-SHA1 (K, T3 | S | LEN | 0x04)
301 extra
[0] = buf_len
& 0xff;
310 while (pos
< buf_len
) {
312 plen
= buf_len
- pos
;
313 hmac_sha1_vector(key
, key_len
, 5, addr
, len
, hash
);
314 if (plen
>= SHA1_MAC_LEN
) {
315 os_memcpy(&buf
[pos
], hash
, SHA1_MAC_LEN
);
318 os_memcpy(&buf
[pos
], hash
, plen
);
321 len
[0] = SHA1_MAC_LEN
;
326 static int eap_peap_derive_cmk(struct eap_sm
*sm
, struct eap_peap_data
*data
)
329 u8 isk
[32], imck
[60];
332 * Tunnel key (TK) is the first 60 octets of the key generated by
333 * phase 1 of PEAP (based on TLS).
338 wpa_hexdump_key(MSG_DEBUG
, "EAP-PEAP: TK", tk
, 60);
340 if (eap_peap_get_isk(sm
, data
, isk
, sizeof(isk
)) < 0)
342 wpa_hexdump_key(MSG_DEBUG
, "EAP-PEAP: ISK", isk
, sizeof(isk
));
345 * IPMK Seed = "Inner Methods Compound Keys" | ISK
346 * TempKey = First 40 octets of TK
347 * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60)
348 * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space
349 * in the end of the label just before ISK; is that just a typo?)
351 wpa_hexdump_key(MSG_DEBUG
, "EAP-PEAP: TempKey", tk
, 40);
352 peap_prfplus(data
->peap_version
, tk
, 40, "Inner Methods Compound Keys",
353 isk
, sizeof(isk
), imck
, sizeof(imck
));
354 wpa_hexdump_key(MSG_DEBUG
, "EAP-PEAP: IMCK (IPMKj)",
357 /* TODO: fast-connect: IPMK|CMK = TK */
358 os_memcpy(data
->ipmk
, imck
, 40);
359 wpa_hexdump_key(MSG_DEBUG
, "EAP-PEAP: IPMK (S-IPMKj)", data
->ipmk
, 40);
360 os_memcpy(data
->cmk
, imck
+ 40, 20);
361 wpa_hexdump_key(MSG_DEBUG
, "EAP-PEAP: CMK (CMKj)", data
->cmk
, 20);
367 static int eap_tlv_add_cryptobinding(struct eap_sm
*sm
,
368 struct eap_peap_data
*data
,
372 u8 eap_type
= EAP_TYPE_PEAP
;
376 u8 binding_nonce
[32];
378 /* FIX: should binding_nonce be copied from request? */
379 if (os_get_random(binding_nonce
, 32))
382 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
383 addr
[0] = wpabuf_put(buf
, 0);
388 tlv_type
= EAP_TLV_CRYPTO_BINDING_TLV
;
389 if (data
->peap_version
>= 2)
390 tlv_type
|= EAP_TLV_TYPE_MANDATORY
;
391 wpabuf_put_be16(buf
, tlv_type
);
392 wpabuf_put_be16(buf
, 56);
394 wpabuf_put_u8(buf
, 0); /* Reserved */
395 wpabuf_put_u8(buf
, data
->peap_version
); /* Version */
396 wpabuf_put_u8(buf
, data
->peap_version
); /* RecvVersion */
397 wpabuf_put_u8(buf
, 1); /* SubType: 0 = Request, 1 = Response */
398 wpabuf_put_data(buf
, binding_nonce
, 32); /* Nonce */
399 mac
= wpabuf_put(buf
, 20); /* Compound_MAC */
400 wpa_hexdump(MSG_MSGDUMP
, "EAP-PEAP: Compound_MAC CMK", data
->cmk
, 20);
401 wpa_hexdump(MSG_MSGDUMP
, "EAP-PEAP: Compound_MAC data 1",
403 wpa_hexdump(MSG_MSGDUMP
, "EAP-PEAP: Compound_MAC data 2",
405 hmac_sha1_vector(data
->cmk
, 20, 2, addr
, len
, mac
);
406 wpa_hexdump(MSG_MSGDUMP
, "EAP-PEAP: Compound_MAC", mac
, SHA1_MAC_LEN
);
407 data
->crypto_binding_used
= 1;
414 * eap_tlv_build_result - Build EAP-TLV Result message
415 * @id: EAP identifier for the header
416 * @status: Status (EAP_TLV_RESULT_SUCCESS or EAP_TLV_RESULT_FAILURE)
417 * Returns: Buffer to the allocated EAP-TLV Result message or %NULL on failure
419 * This funtion builds an EAP-TLV Result message. The caller is responsible for
420 * freeing the returned buffer.
422 static struct wpabuf
* eap_tlv_build_result(struct eap_sm
*sm
,
423 struct eap_peap_data
*data
,
430 if (data
->crypto_binding
== NO_BINDING
)
435 len
+= 60; /* Cryptobinding TLV */
436 msg
= eap_msg_alloc(EAP_VENDOR_IETF
, EAP_TYPE_TLV
, len
,
437 EAP_CODE_RESPONSE
, id
);
441 wpabuf_put_u8(msg
, 0x80); /* Mandatory */
442 wpabuf_put_u8(msg
, EAP_TLV_RESULT_TLV
);
443 wpabuf_put_be16(msg
, 2); /* Length */
444 wpabuf_put_be16(msg
, status
); /* Status */
446 if (crypto_tlv_used
&& eap_tlv_add_cryptobinding(sm
, data
, msg
)) {
455 static int eap_tlv_validate_cryptobinding(struct eap_sm
*sm
,
456 struct eap_peap_data
*data
,
457 const u8
*crypto_tlv
,
458 size_t crypto_tlv_len
)
460 u8 buf
[61], mac
[SHA1_MAC_LEN
];
463 if (eap_peap_derive_cmk(sm
, data
) < 0) {
464 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Could not derive CMK");
468 if (crypto_tlv_len
!= 4 + 56) {
469 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Invalid cryptobinding TLV "
470 "length %d", (int) crypto_tlv_len
);
475 pos
+= 4; /* TLV header */
476 if (pos
[1] != data
->peap_version
) {
477 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Cryptobinding TLV Version "
478 "mismatch (was %d; expected %d)",
479 pos
[1], data
->peap_version
);
484 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Unexpected Cryptobinding TLV "
485 "SubType %d", pos
[3]);
489 pos
+= 32; /* Nonce */
491 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
492 os_memcpy(buf
, crypto_tlv
, 60);
493 os_memset(buf
+ 4 + 4 + 32, 0, 20); /* Compound_MAC */
494 buf
[60] = EAP_TYPE_PEAP
;
495 hmac_sha1(data
->cmk
, 20, buf
, sizeof(buf
), mac
);
497 if (os_memcmp(mac
, pos
, SHA1_MAC_LEN
) != 0) {
498 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Invalid Compound_MAC in "
499 "cryptobinding TLV");
503 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Valid cryptobinding TLV received");
510 * eap_tlv_process - Process a received EAP-TLV message and generate a response
511 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
512 * @ret: Return values from EAP request validation and processing
513 * @req: EAP-TLV request to be processed. The caller must have validated that
514 * the buffer is large enough to contain full request (hdr->length bytes) and
515 * that the EAP type is EAP_TYPE_TLV.
516 * @resp: Buffer to return a pointer to the allocated response message. This
517 * field should be initialized to %NULL before the call. The value will be
518 * updated if a response message is generated. The caller is responsible for
519 * freeing the allocated message.
520 * @force_failure: Force negotiation to fail
521 * Returns: 0 on success, -1 on failure
523 static int eap_tlv_process(struct eap_sm
*sm
, struct eap_peap_data
*data
,
524 struct eap_method_ret
*ret
,
525 const struct wpabuf
*req
, struct wpabuf
**resp
,
528 size_t left
, tlv_len
;
530 const u8
*result_tlv
= NULL
, *crypto_tlv
= NULL
;
531 size_t result_tlv_len
= 0, crypto_tlv_len
= 0;
532 int tlv_type
, mandatory
;
535 pos
= eap_hdr_validate(EAP_VENDOR_IETF
, EAP_TYPE_TLV
, req
, &left
);
538 wpa_hexdump(MSG_DEBUG
, "EAP-TLV: Received TLVs", pos
, left
);
540 mandatory
= !!(pos
[0] & 0x80);
541 tlv_type
= WPA_GET_BE16(pos
) & 0x3fff;
543 tlv_len
= WPA_GET_BE16(pos
);
546 if (tlv_len
> left
) {
547 wpa_printf(MSG_DEBUG
, "EAP-TLV: TLV underrun "
548 "(tlv_len=%lu left=%lu)",
549 (unsigned long) tlv_len
,
550 (unsigned long) left
);
554 case EAP_TLV_RESULT_TLV
:
556 result_tlv_len
= tlv_len
;
558 case EAP_TLV_CRYPTO_BINDING_TLV
:
560 crypto_tlv_len
= tlv_len
;
563 wpa_printf(MSG_DEBUG
, "EAP-TLV: Unsupported TLV Type "
565 mandatory
? " (mandatory)" : "");
567 /* NAK TLV and ignore all TLVs in this packet.
569 *resp
= eap_tlv_build_nak(eap_get_id(req
),
571 return *resp
== NULL
? -1 : 0;
573 /* Ignore this TLV, but process other TLVs */
581 wpa_printf(MSG_DEBUG
, "EAP-TLV: Last TLV too short in "
582 "Request (left=%lu)", (unsigned long) left
);
586 /* Process supported TLVs */
587 if (crypto_tlv
&& data
->crypto_binding
!= NO_BINDING
) {
588 wpa_hexdump(MSG_DEBUG
, "EAP-PEAP: Cryptobinding TLV",
589 crypto_tlv
, crypto_tlv_len
);
590 if (eap_tlv_validate_cryptobinding(sm
, data
, crypto_tlv
- 4,
591 crypto_tlv_len
+ 4) < 0) {
592 if (result_tlv
== NULL
)
596 } else if (!crypto_tlv
&& data
->crypto_binding
== REQUIRE_BINDING
) {
597 wpa_printf(MSG_DEBUG
, "EAP-PEAP: No cryptobinding TLV");
602 int status
, resp_status
;
603 wpa_hexdump(MSG_DEBUG
, "EAP-TLV: Result TLV",
604 result_tlv
, result_tlv_len
);
605 if (result_tlv_len
< 2) {
606 wpa_printf(MSG_INFO
, "EAP-TLV: Too short Result TLV "
608 (unsigned long) result_tlv_len
);
611 status
= WPA_GET_BE16(result_tlv
);
612 if (status
== EAP_TLV_RESULT_SUCCESS
) {
613 wpa_printf(MSG_INFO
, "EAP-TLV: TLV Result - Success "
614 "- EAP-TLV/Phase2 Completed");
616 wpa_printf(MSG_INFO
, "EAP-TLV: Earlier failure"
617 " - force failed Phase 2");
618 resp_status
= EAP_TLV_RESULT_FAILURE
;
619 ret
->decision
= DECISION_FAIL
;
621 resp_status
= EAP_TLV_RESULT_SUCCESS
;
622 ret
->decision
= DECISION_UNCOND_SUCC
;
624 } else if (status
== EAP_TLV_RESULT_FAILURE
) {
625 wpa_printf(MSG_INFO
, "EAP-TLV: TLV Result - Failure");
626 resp_status
= EAP_TLV_RESULT_FAILURE
;
627 ret
->decision
= DECISION_FAIL
;
629 wpa_printf(MSG_INFO
, "EAP-TLV: Unknown TLV Result "
630 "Status %d", status
);
631 resp_status
= EAP_TLV_RESULT_FAILURE
;
632 ret
->decision
= DECISION_FAIL
;
634 ret
->methodState
= METHOD_DONE
;
636 *resp
= eap_tlv_build_result(sm
, data
, crypto_tlv
!= NULL
,
637 eap_get_id(req
), resp_status
);
644 static struct wpabuf
* eap_peapv2_tlv_eap_payload(struct wpabuf
*buf
)
647 struct eap_tlv_hdr
*tlv
;
652 /* Encapsulate EAP packet in EAP-Payload TLV */
653 wpa_printf(MSG_DEBUG
, "EAP-PEAPv2: Add EAP-Payload TLV");
654 e
= wpabuf_alloc(sizeof(*tlv
) + wpabuf_len(buf
));
656 wpa_printf(MSG_DEBUG
, "EAP-PEAPv2: Failed to allocate memory "
657 "for TLV encapsulation");
661 tlv
= wpabuf_put(e
, sizeof(*tlv
));
662 tlv
->tlv_type
= host_to_be16(EAP_TLV_TYPE_MANDATORY
|
663 EAP_TLV_EAP_PAYLOAD_TLV
);
664 tlv
->length
= host_to_be16(wpabuf_len(buf
));
665 wpabuf_put_buf(e
, buf
);
671 static int eap_peap_phase2_request(struct eap_sm
*sm
,
672 struct eap_peap_data
*data
,
673 struct eap_method_ret
*ret
,
675 struct wpabuf
**resp
)
677 struct eap_hdr
*hdr
= wpabuf_mhead(req
);
678 size_t len
= be_to_host16(hdr
->length
);
680 struct eap_method_ret iret
;
681 struct eap_peer_config
*config
= eap_get_config(sm
);
683 if (len
<= sizeof(struct eap_hdr
)) {
684 wpa_printf(MSG_INFO
, "EAP-PEAP: too short "
685 "Phase 2 request (len=%lu)", (unsigned long) len
);
688 pos
= (u8
*) (hdr
+ 1);
689 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Phase 2 Request: type=%d", *pos
);
691 case EAP_TYPE_IDENTITY
:
692 *resp
= eap_sm_buildIdentity(sm
, hdr
->identifier
, 1);
695 os_memset(&iret
, 0, sizeof(iret
));
696 if (eap_tlv_process(sm
, data
, &iret
, req
, resp
,
697 data
->phase2_eap_started
&&
698 !data
->phase2_eap_success
)) {
699 ret
->methodState
= METHOD_DONE
;
700 ret
->decision
= DECISION_FAIL
;
703 if (iret
.methodState
== METHOD_DONE
||
704 iret
.methodState
== METHOD_MAY_CONT
) {
705 ret
->methodState
= iret
.methodState
;
706 ret
->decision
= iret
.decision
;
707 data
->phase2_success
= 1;
710 case EAP_TYPE_EXPANDED
:
716 epos
= eap_hdr_validate(EAP_VENDOR_MICROSOFT
, 0x21,
720 wpa_printf(MSG_DEBUG
,
721 "EAP-PEAP: SoH EAP Extensions");
722 buf
= tncc_process_soh_request(epos
, eleft
);
724 *resp
= eap_msg_alloc(
725 EAP_VENDOR_MICROSOFT
, 0x21,
730 ret
->methodState
= METHOD_DONE
;
731 ret
->decision
= DECISION_FAIL
;
734 wpabuf_put_buf(*resp
, buf
);
743 if (data
->phase2_type
.vendor
== EAP_VENDOR_IETF
&&
744 data
->phase2_type
.method
== EAP_TYPE_NONE
) {
746 for (i
= 0; i
< data
->num_phase2_types
; i
++) {
747 if (data
->phase2_types
[i
].vendor
!=
749 data
->phase2_types
[i
].method
!= *pos
)
752 data
->phase2_type
.vendor
=
753 data
->phase2_types
[i
].vendor
;
754 data
->phase2_type
.method
=
755 data
->phase2_types
[i
].method
;
756 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Selected "
757 "Phase 2 EAP vendor %d method %d",
758 data
->phase2_type
.vendor
,
759 data
->phase2_type
.method
);
763 if (*pos
!= data
->phase2_type
.method
||
764 *pos
== EAP_TYPE_NONE
) {
765 if (eap_peer_tls_phase2_nak(data
->phase2_types
,
766 data
->num_phase2_types
,
772 if (data
->phase2_priv
== NULL
) {
773 data
->phase2_method
= eap_peer_get_eap_method(
774 data
->phase2_type
.vendor
,
775 data
->phase2_type
.method
);
776 if (data
->phase2_method
) {
778 sm
->mschapv2_full_key
= 1;
780 data
->phase2_method
->init(sm
);
782 sm
->mschapv2_full_key
= 0;
785 if (data
->phase2_priv
== NULL
|| data
->phase2_method
== NULL
) {
786 wpa_printf(MSG_INFO
, "EAP-PEAP: failed to initialize "
787 "Phase 2 EAP method %d", *pos
);
788 ret
->methodState
= METHOD_DONE
;
789 ret
->decision
= DECISION_FAIL
;
792 data
->phase2_eap_started
= 1;
793 os_memset(&iret
, 0, sizeof(iret
));
794 *resp
= data
->phase2_method
->process(sm
, data
->phase2_priv
,
796 if ((iret
.methodState
== METHOD_DONE
||
797 iret
.methodState
== METHOD_MAY_CONT
) &&
798 (iret
.decision
== DECISION_UNCOND_SUCC
||
799 iret
.decision
== DECISION_COND_SUCC
)) {
800 data
->phase2_eap_success
= 1;
801 data
->phase2_success
= 1;
807 (config
->pending_req_identity
|| config
->pending_req_password
||
808 config
->pending_req_otp
|| config
->pending_req_new_password
)) {
809 wpabuf_free(data
->pending_phase2_req
);
810 data
->pending_phase2_req
= wpabuf_alloc_copy(hdr
, len
);
817 static int eap_peap_decrypt(struct eap_sm
*sm
, struct eap_peap_data
*data
,
818 struct eap_method_ret
*ret
,
819 const struct eap_hdr
*req
,
820 const struct wpabuf
*in_data
,
821 struct wpabuf
**out_data
)
823 struct wpabuf
*in_decrypted
= NULL
;
824 int res
, skip_change
= 0;
825 struct eap_hdr
*hdr
, *rhdr
;
826 struct wpabuf
*resp
= NULL
;
829 wpa_printf(MSG_DEBUG
, "EAP-PEAP: received %lu bytes encrypted data for"
830 " Phase 2", (unsigned long) wpabuf_len(in_data
));
832 if (data
->pending_phase2_req
) {
833 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Pending Phase 2 request - "
834 "skip decryption and use old data");
835 /* Clear TLS reassembly state. */
836 eap_peer_tls_reset_input(&data
->ssl
);
837 in_decrypted
= data
->pending_phase2_req
;
838 data
->pending_phase2_req
= NULL
;
843 if (wpabuf_len(in_data
) == 0 && sm
->workaround
&&
844 data
->phase2_success
) {
846 * Cisco ACS seems to be using TLS ACK to terminate
847 * EAP-PEAPv0/GTC. Try to reply with TLS ACK.
849 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Received TLS ACK, but "
850 "expected data - acknowledge with TLS ACK since "
851 "Phase 2 has been completed");
852 ret
->decision
= DECISION_COND_SUCC
;
853 ret
->methodState
= METHOD_DONE
;
855 } else if (wpabuf_len(in_data
) == 0) {
856 /* Received TLS ACK - requesting more fragments */
857 return eap_peer_tls_encrypt(sm
, &data
->ssl
, EAP_TYPE_PEAP
,
859 req
->identifier
, NULL
, out_data
);
862 res
= eap_peer_tls_decrypt(sm
, &data
->ssl
, in_data
, &in_decrypted
);
867 wpa_hexdump_buf(MSG_DEBUG
, "EAP-PEAP: Decrypted Phase 2 EAP",
870 hdr
= wpabuf_mhead(in_decrypted
);
871 if (wpabuf_len(in_decrypted
) == 5 && hdr
->code
== EAP_CODE_REQUEST
&&
872 be_to_host16(hdr
->length
) == 5 &&
873 eap_get_type(in_decrypted
) == EAP_TYPE_IDENTITY
) {
874 /* At least FreeRADIUS seems to send full EAP header with
875 * EAP Request Identity */
878 if (wpabuf_len(in_decrypted
) >= 5 && hdr
->code
== EAP_CODE_REQUEST
&&
879 eap_get_type(in_decrypted
) == EAP_TYPE_TLV
) {
883 if (data
->peap_version
== 0 && !skip_change
) {
884 struct eap_hdr
*nhdr
;
885 struct wpabuf
*nmsg
= wpabuf_alloc(sizeof(struct eap_hdr
) +
886 wpabuf_len(in_decrypted
));
888 wpabuf_free(in_decrypted
);
891 nhdr
= wpabuf_put(nmsg
, sizeof(*nhdr
));
892 wpabuf_put_buf(nmsg
, in_decrypted
);
893 nhdr
->code
= req
->code
;
894 nhdr
->identifier
= req
->identifier
;
895 nhdr
->length
= host_to_be16(sizeof(struct eap_hdr
) +
896 wpabuf_len(in_decrypted
));
898 wpabuf_free(in_decrypted
);
902 if (data
->peap_version
>= 2) {
903 struct eap_tlv_hdr
*tlv
;
906 if (wpabuf_len(in_decrypted
) < sizeof(*tlv
) + sizeof(*hdr
)) {
907 wpa_printf(MSG_INFO
, "EAP-PEAPv2: Too short Phase 2 "
909 wpabuf_free(in_decrypted
);
912 tlv
= wpabuf_mhead(in_decrypted
);
913 if ((be_to_host16(tlv
->tlv_type
) & 0x3fff) !=
914 EAP_TLV_EAP_PAYLOAD_TLV
) {
915 wpa_printf(MSG_INFO
, "EAP-PEAPv2: Not an EAP TLV");
916 wpabuf_free(in_decrypted
);
919 if (sizeof(*tlv
) + be_to_host16(tlv
->length
) >
920 wpabuf_len(in_decrypted
)) {
921 wpa_printf(MSG_INFO
, "EAP-PEAPv2: Invalid EAP TLV "
923 wpabuf_free(in_decrypted
);
926 hdr
= (struct eap_hdr
*) (tlv
+ 1);
927 if (be_to_host16(hdr
->length
) > be_to_host16(tlv
->length
)) {
928 wpa_printf(MSG_INFO
, "EAP-PEAPv2: No room for full "
929 "EAP packet in EAP TLV");
930 wpabuf_free(in_decrypted
);
934 nmsg
= wpabuf_alloc(be_to_host16(hdr
->length
));
936 wpabuf_free(in_decrypted
);
940 wpabuf_put_data(nmsg
, hdr
, be_to_host16(hdr
->length
));
941 wpabuf_free(in_decrypted
);
945 hdr
= wpabuf_mhead(in_decrypted
);
946 if (wpabuf_len(in_decrypted
) < sizeof(*hdr
)) {
947 wpa_printf(MSG_INFO
, "EAP-PEAP: Too short Phase 2 "
948 "EAP frame (len=%lu)",
949 (unsigned long) wpabuf_len(in_decrypted
));
950 wpabuf_free(in_decrypted
);
953 len
= be_to_host16(hdr
->length
);
954 if (len
> wpabuf_len(in_decrypted
)) {
955 wpa_printf(MSG_INFO
, "EAP-PEAP: Length mismatch in "
956 "Phase 2 EAP frame (len=%lu hdr->length=%lu)",
957 (unsigned long) wpabuf_len(in_decrypted
),
958 (unsigned long) len
);
959 wpabuf_free(in_decrypted
);
962 if (len
< wpabuf_len(in_decrypted
)) {
963 wpa_printf(MSG_INFO
, "EAP-PEAP: Odd.. Phase 2 EAP header has "
964 "shorter length than full decrypted data "
967 (unsigned long) wpabuf_len(in_decrypted
));
969 wpa_printf(MSG_DEBUG
, "EAP-PEAP: received Phase 2: code=%d "
970 "identifier=%d length=%lu", hdr
->code
, hdr
->identifier
,
971 (unsigned long) len
);
973 case EAP_CODE_REQUEST
:
974 if (eap_peap_phase2_request(sm
, data
, ret
, in_decrypted
,
976 wpabuf_free(in_decrypted
);
977 wpa_printf(MSG_INFO
, "EAP-PEAP: Phase2 Request "
978 "processing failed");
982 case EAP_CODE_SUCCESS
:
983 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Phase 2 Success");
984 if (data
->peap_version
== 1) {
985 /* EAP-Success within TLS tunnel is used to indicate
986 * shutdown of the TLS channel. The authentication has
988 if (data
->phase2_eap_started
&&
989 !data
->phase2_eap_success
) {
990 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Phase 2 "
991 "Success used to indicate success, "
992 "but Phase 2 EAP was not yet "
993 "completed successfully");
994 ret
->methodState
= METHOD_DONE
;
995 ret
->decision
= DECISION_FAIL
;
996 wpabuf_free(in_decrypted
);
999 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Version 1 - "
1000 "EAP-Success within TLS tunnel - "
1001 "authentication completed");
1002 ret
->decision
= DECISION_UNCOND_SUCC
;
1003 ret
->methodState
= METHOD_DONE
;
1004 data
->phase2_success
= 1;
1005 if (data
->peap_outer_success
== 2) {
1006 wpabuf_free(in_decrypted
);
1007 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Use TLS ACK "
1008 "to finish authentication");
1010 } else if (data
->peap_outer_success
== 1) {
1011 /* Reply with EAP-Success within the TLS
1012 * channel to complete the authentication. */
1013 resp
= wpabuf_alloc(sizeof(struct eap_hdr
));
1015 rhdr
= wpabuf_put(resp
, sizeof(*rhdr
));
1016 rhdr
->code
= EAP_CODE_SUCCESS
;
1017 rhdr
->identifier
= hdr
->identifier
;
1019 host_to_be16(sizeof(*rhdr
));
1022 /* No EAP-Success expected for Phase 1 (outer,
1023 * unencrypted auth), so force EAP state
1024 * machine to SUCCESS state. */
1025 sm
->peap_done
= TRUE
;
1031 case EAP_CODE_FAILURE
:
1032 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Phase 2 Failure");
1033 ret
->decision
= DECISION_FAIL
;
1034 ret
->methodState
= METHOD_MAY_CONT
;
1035 ret
->allowNotifications
= FALSE
;
1036 /* Reply with EAP-Failure within the TLS channel to complete
1037 * failure reporting. */
1038 resp
= wpabuf_alloc(sizeof(struct eap_hdr
));
1040 rhdr
= wpabuf_put(resp
, sizeof(*rhdr
));
1041 rhdr
->code
= EAP_CODE_FAILURE
;
1042 rhdr
->identifier
= hdr
->identifier
;
1043 rhdr
->length
= host_to_be16(sizeof(*rhdr
));
1047 wpa_printf(MSG_INFO
, "EAP-PEAP: Unexpected code=%d in "
1048 "Phase 2 EAP header", hdr
->code
);
1052 wpabuf_free(in_decrypted
);
1055 int skip_change2
= 0;
1056 struct wpabuf
*rmsg
, buf
;
1058 wpa_hexdump_buf_key(MSG_DEBUG
,
1059 "EAP-PEAP: Encrypting Phase 2 data", resp
);
1060 /* PEAP version changes */
1061 if (data
->peap_version
>= 2) {
1062 resp
= eap_peapv2_tlv_eap_payload(resp
);
1066 if (wpabuf_len(resp
) >= 5 &&
1067 wpabuf_head_u8(resp
)[0] == EAP_CODE_RESPONSE
&&
1068 eap_get_type(resp
) == EAP_TYPE_TLV
)
1071 if (data
->peap_version
== 0 && !skip_change2
) {
1072 wpabuf_set(&buf
, wpabuf_head_u8(resp
) +
1073 sizeof(struct eap_hdr
),
1074 wpabuf_len(resp
) - sizeof(struct eap_hdr
));
1078 if (eap_peer_tls_encrypt(sm
, &data
->ssl
, EAP_TYPE_PEAP
,
1079 data
->peap_version
, req
->identifier
,
1081 wpa_printf(MSG_INFO
, "EAP-PEAP: Failed to encrypt "
1091 static struct wpabuf
* eap_peap_process(struct eap_sm
*sm
, void *priv
,
1092 struct eap_method_ret
*ret
,
1093 const struct wpabuf
*reqData
)
1095 const struct eap_hdr
*req
;
1099 struct wpabuf
*resp
;
1101 struct eap_peap_data
*data
= priv
;
1103 pos
= eap_peer_tls_process_init(sm
, &data
->ssl
, EAP_TYPE_PEAP
, ret
,
1104 reqData
, &left
, &flags
);
1107 req
= wpabuf_head(reqData
);
1108 id
= req
->identifier
;
1110 if (flags
& EAP_TLS_FLAGS_START
) {
1111 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Start (server ver=%d, own "
1112 "ver=%d)", flags
& EAP_PEAP_VERSION_MASK
,
1113 data
->peap_version
);
1114 if ((flags
& EAP_PEAP_VERSION_MASK
) < data
->peap_version
)
1115 data
->peap_version
= flags
& EAP_PEAP_VERSION_MASK
;
1116 if (data
->force_peap_version
>= 0 &&
1117 data
->force_peap_version
!= data
->peap_version
) {
1118 wpa_printf(MSG_WARNING
, "EAP-PEAP: Failed to select "
1119 "forced PEAP version %d",
1120 data
->force_peap_version
);
1121 ret
->methodState
= METHOD_DONE
;
1122 ret
->decision
= DECISION_FAIL
;
1123 ret
->allowNotifications
= FALSE
;
1126 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Using PEAP version %d",
1127 data
->peap_version
);
1128 left
= 0; /* make sure that this frame is empty, even though it
1129 * should always be, anyway */
1133 if (tls_connection_established(sm
->ssl_ctx
, data
->ssl
.conn
) &&
1136 wpabuf_set(&msg
, pos
, left
);
1137 res
= eap_peap_decrypt(sm
, data
, ret
, req
, &msg
, &resp
);
1139 res
= eap_peer_tls_process_helper(sm
, &data
->ssl
,
1141 data
->peap_version
, id
, pos
,
1144 if (tls_connection_established(sm
->ssl_ctx
, data
->ssl
.conn
)) {
1146 wpa_printf(MSG_DEBUG
,
1147 "EAP-PEAP: TLS done, proceed to Phase 2");
1148 os_free(data
->key_data
);
1149 /* draft-josefsson-ppext-eap-tls-eap-05.txt
1150 * specifies that PEAPv1 would use "client PEAP
1151 * encryption" as the label. However, most existing
1152 * PEAPv1 implementations seem to be using the old
1153 * label, "client EAP encryption", instead. Use the old
1154 * label by default, but allow it to be configured with
1155 * phase1 parameter peaplabel=1. */
1156 if (data
->peap_version
> 1 || data
->force_new_label
)
1157 label
= "client PEAP encryption";
1159 label
= "client EAP encryption";
1160 wpa_printf(MSG_DEBUG
, "EAP-PEAP: using label '%s' in "
1161 "key derivation", label
);
1163 eap_peer_tls_derive_key(sm
, &data
->ssl
, label
,
1165 if (data
->key_data
) {
1166 wpa_hexdump_key(MSG_DEBUG
,
1167 "EAP-PEAP: Derived key",
1171 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Failed to "
1175 if (sm
->workaround
&& data
->resuming
) {
1177 * At least few RADIUS servers (Aegis v1.1.6;
1178 * but not v1.1.4; and Cisco ACS) seem to be
1179 * terminating PEAPv1 (Aegis) or PEAPv0 (Cisco
1180 * ACS) session resumption with outer
1181 * EAP-Success. This does not seem to follow
1182 * draft-josefsson-pppext-eap-tls-eap-05.txt
1183 * section 4.2, so only allow this if EAP
1184 * workarounds are enabled.
1186 wpa_printf(MSG_DEBUG
, "EAP-PEAP: Workaround - "
1187 "allow outer EAP-Success to "
1188 "terminate PEAP resumption");
1189 ret
->decision
= DECISION_COND_SUCC
;
1190 data
->phase2_success
= 1;
1199 * Application data included in the handshake message.
1201 wpabuf_free(data
->pending_phase2_req
);
1202 data
->pending_phase2_req
= resp
;
1204 wpabuf_set(&msg
, pos
, left
);
1205 res
= eap_peap_decrypt(sm
, data
, ret
, req
, &msg
,
1210 if (ret
->methodState
== METHOD_DONE
) {
1211 ret
->allowNotifications
= FALSE
;
1216 return eap_peer_tls_build_ack(id
, EAP_TYPE_PEAP
,
1217 data
->peap_version
);
1224 static Boolean
eap_peap_has_reauth_data(struct eap_sm
*sm
, void *priv
)
1226 struct eap_peap_data
*data
= priv
;
1227 return tls_connection_established(sm
->ssl_ctx
, data
->ssl
.conn
) &&
1228 data
->phase2_success
;
1232 static void eap_peap_deinit_for_reauth(struct eap_sm
*sm
, void *priv
)
1234 struct eap_peap_data
*data
= priv
;
1235 wpabuf_free(data
->pending_phase2_req
);
1236 data
->pending_phase2_req
= NULL
;
1237 data
->crypto_binding_used
= 0;
1241 static void * eap_peap_init_for_reauth(struct eap_sm
*sm
, void *priv
)
1243 struct eap_peap_data
*data
= priv
;
1244 os_free(data
->key_data
);
1245 data
->key_data
= NULL
;
1246 if (eap_peer_tls_reauth_init(sm
, &data
->ssl
)) {
1250 if (data
->phase2_priv
&& data
->phase2_method
&&
1251 data
->phase2_method
->init_for_reauth
)
1252 data
->phase2_method
->init_for_reauth(sm
, data
->phase2_priv
);
1253 data
->phase2_success
= 0;
1254 data
->phase2_eap_success
= 0;
1255 data
->phase2_eap_started
= 0;
1257 sm
->peap_done
= FALSE
;
1262 static int eap_peap_get_status(struct eap_sm
*sm
, void *priv
, char *buf
,
1263 size_t buflen
, int verbose
)
1265 struct eap_peap_data
*data
= priv
;
1268 len
= eap_peer_tls_status(sm
, &data
->ssl
, buf
, buflen
, verbose
);
1269 if (data
->phase2_method
) {
1270 ret
= os_snprintf(buf
+ len
, buflen
- len
,
1271 "EAP-PEAPv%d Phase2 method=%s\n",
1273 data
->phase2_method
->name
);
1274 if (ret
< 0 || (size_t) ret
>= buflen
- len
)
1282 static Boolean
eap_peap_isKeyAvailable(struct eap_sm
*sm
, void *priv
)
1284 struct eap_peap_data
*data
= priv
;
1285 return data
->key_data
!= NULL
&& data
->phase2_success
;
1289 static u8
* eap_peap_getKey(struct eap_sm
*sm
, void *priv
, size_t *len
)
1291 struct eap_peap_data
*data
= priv
;
1294 if (data
->key_data
== NULL
|| !data
->phase2_success
)
1297 key
= os_malloc(EAP_TLS_KEY_LEN
);
1301 *len
= EAP_TLS_KEY_LEN
;
1303 if (data
->crypto_binding_used
) {
1306 * Note: It looks like Microsoft implementation requires null
1307 * termination for this label while the one used for deriving
1308 * IPMK|CMK did not use null termination.
1310 peap_prfplus(data
->peap_version
, data
->ipmk
, 40,
1311 "Session Key Generating Function",
1312 (u8
*) "\00", 1, csk
, sizeof(csk
));
1313 wpa_hexdump_key(MSG_DEBUG
, "EAP-PEAP: CSK", csk
, sizeof(csk
));
1314 os_memcpy(key
, csk
, EAP_TLS_KEY_LEN
);
1315 wpa_hexdump(MSG_DEBUG
, "EAP-PEAP: Derived key",
1316 key
, EAP_TLS_KEY_LEN
);
1318 os_memcpy(key
, data
->key_data
, EAP_TLS_KEY_LEN
);
1324 int eap_peer_peap_register(void)
1326 struct eap_method
*eap
;
1329 eap
= eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION
,
1330 EAP_VENDOR_IETF
, EAP_TYPE_PEAP
, "PEAP");
1334 eap
->init
= eap_peap_init
;
1335 eap
->deinit
= eap_peap_deinit
;
1336 eap
->process
= eap_peap_process
;
1337 eap
->isKeyAvailable
= eap_peap_isKeyAvailable
;
1338 eap
->getKey
= eap_peap_getKey
;
1339 eap
->get_status
= eap_peap_get_status
;
1340 eap
->has_reauth_data
= eap_peap_has_reauth_data
;
1341 eap
->deinit_for_reauth
= eap_peap_deinit_for_reauth
;
1342 eap
->init_for_reauth
= eap_peap_init_for_reauth
;
1344 ret
= eap_peer_method_register(eap
);
1346 eap_peer_method_free(eap
);