static int eap_mschapv2_check_config(struct eap_sm *sm)
{
size_t len;
if (eap_get_config_identity(sm, &len) == NULL) {
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Identity not configured");
eap_sm_request_identity(sm);
return -1;
}
if (eap_get_config_password(sm, &len) == NULL) {
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Password not configured");
eap_sm_request_password(sm);
return -1;
}
return 0;
}
void eap_sm_notify_ctrl_attached(struct eap_sm *sm)
{
struct wpa_ssid *config = eap_get_config(sm);
if (config == NULL)
return;
/* Re-send any pending requests for user data since a new control
* interface was added. This handles cases where the EAP authentication
* starts immediately after system startup when the user interface is
* not yet running. */
if (config->pending_req_identity)
eap_sm_request_identity(sm, config);
if (config->pending_req_password)
eap_sm_request_password(sm, config);
if (config->pending_req_otp)
eap_sm_request_otp(sm, config, NULL, 0);
if (config->pending_req_pin)
eap_sm_request_pin(sm, config);
}
static u8 * eap_sim_process(struct eap_sm *sm, void *priv,
struct eap_method_ret *ret,
u8 *reqData, size_t reqDataLen,
size_t *respDataLen)
{
struct eap_sim_data *data = priv;
struct wpa_ssid *config = eap_get_config(sm);
struct eap_hdr *req;
u8 *pos, subtype, *res;
struct eap_sim_attrs attr;
size_t len;
wpa_hexdump(MSG_DEBUG, "EAP-SIM: EAP data", reqData, reqDataLen);
if (config == NULL || config->identity == NULL) {
wpa_printf(MSG_INFO, "EAP-SIM: Identity not configured");
eap_sm_request_identity(sm, config);
ret->ignore = TRUE;
return NULL;
}
req = (struct eap_hdr *) reqData;
pos = (u8 *) (req + 1);
if (reqDataLen < sizeof(*req) + 4 || *pos != EAP_TYPE_SIM ||
(len = be_to_host16(req->length)) > reqDataLen) {
wpa_printf(MSG_INFO, "EAP-SIM: Invalid frame");
ret->ignore = TRUE;
return NULL;
}
ret->ignore = FALSE;
ret->methodState = METHOD_CONT;
ret->decision = DECISION_FAIL;
ret->allowNotifications = TRUE;
pos++;
subtype = *pos++;
wpa_printf(MSG_DEBUG, "EAP-SIM: Subtype=%d", subtype);
pos += 2; /* Reserved */
if (eap_sim_parse_attr(pos, reqData + len, &attr, 0, 0)) {
res = eap_sim_client_error(sm, data, req, respDataLen,
EAP_SIM_UNABLE_TO_PROCESS_PACKET);
goto done;
}
switch (subtype) {
case EAP_SIM_SUBTYPE_START:
res = eap_sim_process_start(sm, data, req, len,
respDataLen, &attr);
break;
case EAP_SIM_SUBTYPE_CHALLENGE:
res = eap_sim_process_challenge(sm, data, req, len,
respDataLen, &attr);
break;
case EAP_SIM_SUBTYPE_NOTIFICATION:
res = eap_sim_process_notification(sm, data, req, len,
respDataLen, &attr);
break;
case EAP_SIM_SUBTYPE_REAUTHENTICATION:
res = eap_sim_process_reauthentication(sm, data, req, len,
respDataLen, &attr);
break;
case EAP_SIM_SUBTYPE_CLIENT_ERROR:
wpa_printf(MSG_DEBUG, "EAP-SIM: subtype Client-Error");
res = eap_sim_client_error(sm, data, req, respDataLen,
EAP_SIM_UNABLE_TO_PROCESS_PACKET);
break;
default:
wpa_printf(MSG_DEBUG, "EAP-SIM: Unknown subtype=%d", subtype);
res = eap_sim_client_error(sm, data, req, respDataLen,
EAP_SIM_UNABLE_TO_PROCESS_PACKET);
break;
}
done:
if (data->state == FAILURE) {
ret->decision = DECISION_FAIL;
ret->methodState = METHOD_DONE;
} else if (data->state == SUCCESS) {
ret->decision = DECISION_UNCOND_SUCC;
ret->methodState = METHOD_DONE;
}
if (ret->methodState == METHOD_DONE) {
ret->allowNotifications = FALSE;
}
return res;
}
static struct wpabuf * eap_aka_process(struct eap_sm *sm, void *priv,
struct eap_method_ret *ret,
const struct wpabuf *reqData)
{
struct eap_aka_data *data = priv;
const struct eap_hdr *req;
u8 subtype, id;
struct wpabuf *res;
const u8 *pos;
struct eap_sim_attrs attr;
size_t len;
wpa_hexdump_buf(MSG_DEBUG, "EAP-AKA: EAP data", reqData);
if (eap_get_config_identity(sm, &len) == NULL) {
wpa_printf(MSG_INFO, "EAP-AKA: Identity not configured");
eap_sm_request_identity(sm);
ret->ignore = TRUE;
return NULL;
}
pos = eap_hdr_validate(EAP_VENDOR_IETF, data->eap_method, reqData,
&len);
if (pos == NULL || len < 1) {
ret->ignore = TRUE;
return NULL;
}
req = wpabuf_head(reqData);
id = req->identifier;
len = be_to_host16(req->length);
ret->ignore = FALSE;
ret->methodState = METHOD_MAY_CONT;
ret->decision = DECISION_FAIL;
ret->allowNotifications = TRUE;
subtype = *pos++;
wpa_printf(MSG_DEBUG, "EAP-AKA: Subtype=%d", subtype);
pos += 2; /* Reserved */
if (eap_sim_parse_attr(pos, wpabuf_head_u8(reqData) + len, &attr,
data->eap_method == EAP_TYPE_AKA_PRIME ? 2 : 1,
0)) {
res = eap_aka_client_error(data, id,
EAP_AKA_UNABLE_TO_PROCESS_PACKET);
goto done;
}
switch (subtype) {
case EAP_AKA_SUBTYPE_IDENTITY:
res = eap_aka_process_identity(sm, data, id, reqData, &attr);
break;
case EAP_AKA_SUBTYPE_CHALLENGE:
res = eap_aka_process_challenge(sm, data, id, reqData, &attr);
break;
case EAP_AKA_SUBTYPE_NOTIFICATION:
res = eap_aka_process_notification(sm, data, id, reqData,
&attr);
break;
case EAP_AKA_SUBTYPE_REAUTHENTICATION:
res = eap_aka_process_reauthentication(sm, data, id, reqData,
&attr);
break;
case EAP_AKA_SUBTYPE_CLIENT_ERROR:
wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Client-Error");
res = eap_aka_client_error(data, id,
EAP_AKA_UNABLE_TO_PROCESS_PACKET);
break;
default:
wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown subtype=%d", subtype);
res = eap_aka_client_error(data, id,
EAP_AKA_UNABLE_TO_PROCESS_PACKET);
break;
}
done:
if (data->state == FAILURE) {
ret->decision = DECISION_FAIL;
ret->methodState = METHOD_DONE;
} else if (data->state == SUCCESS) {
ret->decision = data->use_result_ind ?
DECISION_UNCOND_SUCC : DECISION_COND_SUCC;
/*
* It is possible for the server to reply with AKA
* Notification, so we must allow the method to continue and
* not only accept EAP-Success at this point.
*/
ret->methodState = data->use_result_ind ?
METHOD_DONE : METHOD_MAY_CONT;
} else if (data->state == RESULT_FAILURE)
ret->methodState = METHOD_CONT;
else if (data->state == RESULT_SUCCESS)
ret->methodState = METHOD_CONT;
if (ret->methodState == METHOD_DONE) {
ret->allowNotifications = FALSE;
}
return res;
}
u8 *eap_sm_buildIdentity(struct eap_sm *sm, int id, size_t *len,
int encrypted)
{
struct wpa_ssid *config = eap_get_config(sm);
struct eap_hdr *resp;
u8 *pos;
const u8 *identity;
size_t identity_len;
if (config == NULL) {
wpa_printf(MSG_WARNING, "EAP: buildIdentity: configuration "
"was not available");
return NULL;
}
if (sm->m && sm->m->get_identity &&
(identity = sm->m->get_identity(sm, sm->eap_method_priv,
&identity_len)) != NULL) {
wpa_hexdump_ascii(MSG_DEBUG, "EAP: using method re-auth "
"identity", identity, identity_len);
} else if (!encrypted && config->anonymous_identity) {
identity = config->anonymous_identity;
identity_len = config->anonymous_identity_len;
wpa_hexdump_ascii(MSG_DEBUG, "EAP: using anonymous identity",
identity, identity_len);
} else {
identity = config->identity;
identity_len = config->identity_len;
wpa_hexdump_ascii(MSG_DEBUG, "EAP: using real identity",
identity, identity_len);
}
if (identity == NULL) {
wpa_printf(MSG_WARNING, "EAP: buildIdentity: identity "
"configuration was not available");
if (config->pcsc) {
if (eap_sm_get_scard_identity(sm, config) < 0)
return NULL;
identity = config->identity;
identity_len = config->identity_len;
wpa_hexdump_ascii(MSG_DEBUG, "permanent identity from "
"IMSI", identity, identity_len);
} else {
eap_sm_request_identity(sm, config);
return NULL;
}
}
*len = sizeof(struct eap_hdr) + 1 + identity_len;
resp = malloc(*len);
if (resp == NULL)
return NULL;
resp->code = EAP_CODE_RESPONSE;
resp->identifier = id;
resp->length = host_to_be16(*len);
pos = (u8 *) (resp + 1);
*pos++ = EAP_TYPE_IDENTITY;
memcpy(pos, identity, identity_len);
return (u8 *) resp;
}
static u8 * eap_mschapv2_process(struct eap_sm *sm, void *priv,
struct eap_method_ret *ret,
const u8 *reqData, size_t reqDataLen,
size_t *respDataLen)
{
struct eap_mschapv2_data *data = priv;
struct wpa_ssid *config = eap_get_config(sm);
const struct eap_mschapv2_hdr *req;
int using_prev_challenge = 0;
const u8 *pos;
size_t ms_len, len;
if (eap_get_config_identity(sm, &len) == NULL) {
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Identity not configured");
eap_sm_request_identity(sm);
ret->ignore = TRUE;
return NULL;
}
if (eap_get_config_password(sm, &len) == NULL) {
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Password not configured");
eap_sm_request_password(sm);
ret->ignore = TRUE;
return NULL;
}
if (config->mschapv2_retry && data->prev_challenge &&
data->prev_error == ERROR_AUTHENTICATION_FAILURE) {
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: Replacing pending packet "
"with the previous challenge");
reqData = data->prev_challenge;
reqDataLen = data->prev_challenge_len;
using_prev_challenge = 1;
config->mschapv2_retry = 0;
}
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_MSCHAPV2,
reqData, reqDataLen, &len);
if (pos == NULL || len < 5) {
ret->ignore = TRUE;
return NULL;
}
req = (const struct eap_mschapv2_hdr *) reqData;
len = be_to_host16(req->length);
ms_len = WPA_GET_BE16(req->ms_length);
if (ms_len != len - 5) {
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Invalid header: len=%lu "
"ms_len=%lu", (unsigned long) len,
(unsigned long) ms_len);
if (sm->workaround) {
/* Some authentication servers use invalid ms_len,
* ignore it for interoperability. */
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: workaround, ignore"
" invalid ms_len");
} else {
ret->ignore = TRUE;
return NULL;
}
}
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: RX identifier %d mschapv2_id %d",
req->identifier, req->mschapv2_id);
switch (req->op_code) {
case MSCHAPV2_OP_CHALLENGE:
if (!using_prev_challenge) {
free(data->prev_challenge);
data->prev_challenge = malloc(len);
if (data->prev_challenge) {
data->prev_challenge_len = len;
memcpy(data->prev_challenge, reqData, len);
}
}
return eap_mschapv2_challenge(sm, data, ret, req, respDataLen);
case MSCHAPV2_OP_SUCCESS:
return eap_mschapv2_success(sm, data, ret, req, respDataLen);
case MSCHAPV2_OP_FAILURE:
return eap_mschapv2_failure(sm, data, ret, req, respDataLen);
default:
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Unknown op %d - ignored",
req->op_code);
ret->ignore = TRUE;
return NULL;
}
}
static int eap_mschapv2_failure_txt(struct eap_sm *sm,
struct eap_mschapv2_data *data, char *txt)
{
char *pos, *msg = "";
int retry = 1;
struct wpa_ssid *config = eap_get_config(sm);
/* For example:
* E=691 R=1 C=<32 octets hex challenge> V=3 M=Authentication Failure
*/
pos = txt;
if (pos && strncmp(pos, "E=", 2) == 0) {
pos += 2;
data->prev_error = atoi(pos);
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: error %d",
data->prev_error);
pos = strchr(pos, ' ');
if (pos)
pos++;
}
if (pos && strncmp(pos, "R=", 2) == 0) {
pos += 2;
retry = atoi(pos);
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: retry is %sallowed",
retry == 1 ? "" : "not ");
pos = strchr(pos, ' ');
if (pos)
pos++;
}
if (pos && strncmp(pos, "C=", 2) == 0) {
int hex_len;
pos += 2;
hex_len = strchr(pos, ' ') - (char *) pos;
if (hex_len == PASSWD_CHANGE_CHAL_LEN * 2) {
if (hexstr2bin(pos, data->passwd_change_challenge,
PASSWD_CHANGE_CHAL_LEN)) {
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: invalid "
"failure challenge");
} else {
wpa_hexdump(MSG_DEBUG, "EAP-MSCHAPV2: failure "
"challenge",
data->passwd_change_challenge,
PASSWD_CHANGE_CHAL_LEN);
data->passwd_change_challenge_valid = 1;
}
} else {
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: invalid failure "
"challenge len %d", hex_len);
}
pos = strchr(pos, ' ');
if (pos)
pos++;
} else {
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: required challenge field "
"was not present in failure message");
}
if (pos && strncmp(pos, "V=", 2) == 0) {
pos += 2;
data->passwd_change_version = atoi(pos);
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: password changing "
"protocol version %d", data->passwd_change_version);
pos = strchr(pos, ' ');
if (pos)
pos++;
}
if (pos && strncmp(pos, "M=", 2) == 0) {
pos += 2;
msg = pos;
}
wpa_msg(sm->msg_ctx, MSG_WARNING,
"EAP-MSCHAPV2: failure message: '%s' (retry %sallowed, error "
"%d)",
msg, retry == 1 ? "" : "not ", data->prev_error);
if (data->prev_error == ERROR_PASSWD_EXPIRED &&
data->passwd_change_version == 3 && config) {
if (config->new_password == NULL) {
wpa_msg(sm->msg_ctx, MSG_INFO,
"EAP-MSCHAPV2: Password expired - password "
"change required");
eap_sm_request_new_password(sm);
}
} else if (retry == 1 && config) {
/* TODO: could prevent the current password from being used
* again at least for some period of time */
if (!config->mschapv2_retry)
eap_sm_request_identity(sm);
eap_sm_request_password(sm);
config->mschapv2_retry = 1;
} else if (config) {
/* TODO: prevent retries using same username/password */
config->mschapv2_retry = 0;
}
return retry == 1;
}
static u8 * eap_mschapv2_process(struct eap_sm *sm, void *priv,
struct eap_method_ret *ret,
u8 *reqData, size_t reqDataLen,
size_t *respDataLen)
{
struct eap_mschapv2_data *data = priv;
struct wpa_ssid *config = eap_get_config(sm);
struct eap_mschapv2_hdr *req;
int ms_len, len;
if (config == NULL || config->identity == NULL) {
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Identity not configured");
eap_sm_request_identity(sm, config);
ret->ignore = TRUE;
return NULL;
}
if (config->password == NULL) {
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Password not configured");
eap_sm_request_password(sm, config);
ret->ignore = TRUE;
return NULL;
}
req = (struct eap_mschapv2_hdr *) reqData;
len = be_to_host16(req->length);
if (len < sizeof(*req) + 2 || req->type != EAP_TYPE_MSCHAPV2) {
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Invalid frame");
ret->ignore = TRUE;
return NULL;
}
ms_len = ((int) req->ms_length[0] << 8) | req->ms_length[1];
if (ms_len != len - 5) {
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Invalid header: len=%d "
"ms_len=%d", len, ms_len);
if (sm->workaround) {
/* Some authentication servers use invalid ms_len,
* ignore it for interoperability. */
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: workaround, ignore"
" invalid ms_len");
} else {
ret->ignore = TRUE;
return NULL;
}
}
switch (req->op_code) {
case MSCHAPV2_OP_CHALLENGE:
return eap_mschapv2_challenge(sm, data, ret, req, respDataLen);
case MSCHAPV2_OP_SUCCESS:
return eap_mschapv2_success(sm, data, ret, req, respDataLen);
case MSCHAPV2_OP_FAILURE:
return eap_mschapv2_failure(sm, data, ret, req, respDataLen);
default:
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Unknown op %d - ignored",
req->op_code);
ret->ignore = TRUE;
return NULL;
}
}
static int eap_ttls_phase2_request(struct eap_sm *sm,
struct eap_ttls_data *data,
struct eap_method_ret *ret,
const struct eap_hdr *req,
struct eap_hdr *hdr,
u8 **resp, size_t *resp_len)
{
int res = 0;
size_t len;
if (data->phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 ||
data->phase2_type == EAP_TTLS_PHASE2_MSCHAP ||
data->phase2_type == EAP_TTLS_PHASE2_PAP ||
data->phase2_type == EAP_TTLS_PHASE2_CHAP) {
if (eap_get_config_identity(sm, &len) == NULL) {
wpa_printf(MSG_INFO,
"EAP-TTLS: Identity not configured");
eap_sm_request_identity(sm);
if (eap_get_config_password(sm, &len) == NULL)
eap_sm_request_password(sm);
return 0;
}
if (eap_get_config_password(sm, &len) == NULL) {
wpa_printf(MSG_INFO,
"EAP-TTLS: Password not configured");
eap_sm_request_password(sm);
return 0;
}
}
switch (data->phase2_type) {
case EAP_TTLS_PHASE2_EAP:
res = eap_ttls_phase2_request_eap(sm, data, ret, hdr,
resp, resp_len);
break;
case EAP_TTLS_PHASE2_MSCHAPV2:
res = eap_ttls_phase2_request_mschapv2(sm, data, ret,
resp, resp_len);
break;
case EAP_TTLS_PHASE2_MSCHAP:
res = eap_ttls_phase2_request_mschap(sm, data, ret,
resp, resp_len);
break;
case EAP_TTLS_PHASE2_PAP:
res = eap_ttls_phase2_request_pap(sm, data, ret,
resp, resp_len);
break;
case EAP_TTLS_PHASE2_CHAP:
res = eap_ttls_phase2_request_chap(sm, data, ret,
resp, resp_len);
break;
default:
wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown");
res = -1;
break;
}
if (res < 0) {
ret->methodState = METHOD_DONE;
ret->decision = DECISION_FAIL;
}
return res;
}
