static struct wpabuf * ext_password_test_get(void *ctx, const char *name)
{
struct ext_password_test_data *data = ctx;
char *pos, *pos2;
size_t nlen;
wpa_printf(MSG_DEBUG, "EXT PW TEST: get(%s)", name);
pos = data->params;
if (pos == NULL)
return NULL;
nlen = os_strlen(name);
while (pos && *pos) {
if (os_strncmp(pos, name, nlen) == 0 && pos[nlen] == '=') {
struct wpabuf *buf;
pos += nlen + 1;
pos2 = pos;
while (*pos2 != '|' && *pos2 != '\0')
pos2++;
buf = ext_password_alloc(pos2 - pos);
if (buf == NULL)
return NULL;
wpabuf_put_data(buf, pos, pos2 - pos);
wpa_hexdump_ascii_key(MSG_DEBUG, "EXT PW TEST: value",
wpabuf_head(buf),
wpabuf_len(buf));
return buf;
}
pos = os_strchr(pos + 1, '|');
if (pos)
pos++;
}
wpa_printf(MSG_DEBUG, "EXT PW TEST: get(%s) - not found", name);
return NULL;
}
static int wps_workaround_cred_key(struct wps_credential *cred)
{
if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
cred->key_len > 8 && cred->key_len < 64 &&
cred->key[cred->key_len - 1] == 0) {
#ifdef CONFIG_WPS_STRICT
wpa_printf(MSG_INFO, "WPS: WPA/WPA2-Personal passphrase uses "
"forbidden NULL termination");
wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
cred->key, cred->key_len);
return -1;
#else /* CONFIG_WPS_STRICT */
/*
* A deployed external registrar is known to encode ASCII
* passphrases incorrectly. Remove the extra NULL termination
* to fix the encoding.
*/
wpa_printf(MSG_DEBUG, "WPS: Workaround - remove NULL "
"termination from ASCII passphrase");
cred->key_len--;
#endif /* CONFIG_WPS_STRICT */
}
return 0;
}
static struct wpabuf * eap_gtc_process(struct eap_sm *sm, void *priv,
struct eap_method_ret *ret,
const struct wpabuf *reqData)
{
struct eap_gtc_data *data = priv;
struct wpabuf *resp;
const u8 *pos, *password, *identity;
size_t password_len, identity_len, len, plen;
int otp;
u8 id;
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_GTC, reqData, &len);
if (pos == NULL) {
ret->ignore = TRUE;
return NULL;
}
id = eap_get_id(reqData);
wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-GTC: Request message", pos, len);
if (data->prefix &&
(len < 10 || os_memcmp(pos, "CHALLENGE=", 10) != 0)) {
wpa_printf(MSG_DEBUG, "EAP-GTC: Challenge did not start with "
"expected prefix");
wpa_printf(MSG_DEBUG, "Unrecoverable error - Restarting\n");
/* Send an empty response in order to allow tunneled
* acknowledgement of the failure. This will also cover the
* error case which seems to use EAP-MSCHAPv2 like error
* reporting with EAP-GTC inside EAP-FAST tunnel. */
resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_GTC,
0, EAP_CODE_RESPONSE, id);
return resp;
}
password = eap_get_config_otp(sm, &password_len);
if (password)
otp = 1;
else {
password = eap_get_config_password(sm, &password_len);
otp = 0;
}
if (password == NULL) {
wpa_printf(MSG_INFO, "EAP-GTC: Password not configured");
eap_sm_request_otp(sm, (const char *) pos, len);
ret->ignore = TRUE;
return NULL;
}
ret->ignore = FALSE;
ret->methodState = data->prefix ? METHOD_MAY_CONT : METHOD_DONE;
ret->decision = DECISION_COND_SUCC;
ret->allowNotifications = FALSE;
plen = password_len;
identity = eap_get_config_identity(sm, &identity_len);
if (identity == NULL)
return NULL;
if (data->prefix)
plen += 9 + identity_len + 1;
resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_GTC, plen,
EAP_CODE_RESPONSE, id);
if (resp == NULL)
return NULL;
if (data->prefix) {
wpabuf_put_data(resp, "RESPONSE=", 9);
wpabuf_put_data(resp, identity, identity_len);
wpabuf_put_u8(resp, '\0');
}
wpabuf_put_data(resp, password, password_len);
wpa_hexdump_ascii_key(MSG_MSGDUMP, "EAP-GTC: Response",
wpabuf_head_u8(resp) + sizeof(struct eap_hdr) +
1, plen);
if (otp) {
wpa_printf(MSG_DEBUG, "EAP-GTC: Forgetting used password");
eap_clear_config_otp(sm);
}
return resp;
}
static int wpa_config_parse_password(const struct parse_data *data,
struct wpa_ssid *ssid, int line,
const char *value)
{
u8 *hash;
if (os_strcmp(value, "NULL") == 0) {
wpa_printf(MSG_DEBUG, "Unset configuration string 'password'");
os_free(ssid->eap.password);
ssid->eap.password = NULL;
ssid->eap.password_len = 0;
return 0;
}
if (os_strncmp(value, "hash:", 5) != 0) {
char *tmp;
size_t res_len;
tmp = wpa_config_parse_string(value, &res_len);
if (tmp == NULL) {
wpa_printf(MSG_ERROR, "Line %d: failed to parse "
"password.", line);
return -1;
}
wpa_hexdump_ascii_key(MSG_MSGDUMP, data->name,
(u8 *) tmp, res_len);
os_free(ssid->eap.password);
ssid->eap.password = (u8 *) tmp;
ssid->eap.password_len = res_len;
ssid->eap.flags &= ~EAP_CONFIG_FLAGS_PASSWORD_NTHASH;
return 0;
}
/* NtPasswordHash: hash:<32 hex digits> */
if (os_strlen(value + 5) != 2 * 16) {
wpa_printf(MSG_ERROR, "Line %d: Invalid password hash length "
"(expected 32 hex digits)", line);
return -1;
}
hash = os_malloc(16);
if (hash == NULL)
return -1;
if (hexstr2bin(value + 5, hash, 16)) {
os_free(hash);
wpa_printf(MSG_ERROR, "Line %d: Invalid password hash", line);
return -1;
}
wpa_hexdump_key(MSG_MSGDUMP, data->name, hash, 16);
os_free(ssid->eap.password);
ssid->eap.password = hash;
ssid->eap.password_len = 16;
ssid->eap.flags |= EAP_CONFIG_FLAGS_PASSWORD_NTHASH;
return 0;
}
static u8 * eap_mschapv2_change_password(struct eap_sm *sm,
struct eap_mschapv2_data *data,
struct eap_method_ret *ret,
const struct eap_mschapv2_hdr *req,
size_t *respDataLen)
{
struct eap_mschapv2_hdr *resp;
int ms_len;
u8 *peer_challenge, *username, *pos;
size_t i, username_len;
struct wpa_ssid *config = eap_get_config(sm);
if (config == NULL || config->identity == NULL ||
config->new_password == NULL || config->password == NULL)
return NULL;
/*
* MSCHAPv2 does not include optional domain name in the
* challenge-response calculation, so remove domain prefix
* (if present).
*/
username = config->identity;
username_len = config->identity_len;
for (i = 0; i < username_len; i++) {
if (username[i] == '\\') {
username_len -= i + 1;
username += i + 1;
break;
}
}
ret->ignore = FALSE;
ret->methodState = METHOD_MAY_CONT;
ret->decision = DECISION_COND_SUCC;
ret->allowNotifications = TRUE;
*respDataLen = 591;
resp = malloc(*respDataLen);
if (resp == NULL) {
return NULL;
}
resp->code = EAP_CODE_RESPONSE;
resp->identifier = req->identifier;
resp->length = host_to_be16((u16) *respDataLen);
resp->type = EAP_TYPE_MSCHAPV2;
resp->op_code = MSCHAPV2_OP_CHANGE_PASSWORD;
resp->mschapv2_id = req->mschapv2_id + 1;
ms_len = *respDataLen - 5;
WPA_PUT_BE16(resp->ms_length, ms_len);
pos = (u8 *) (resp + 1);
/* Encrypted-Password */
new_password_encrypted_with_old_nt_password_hash(
config->new_password, config->new_password_len,
config->password, config->password_len, pos);
pos += 516;
/* Encrypted-Hash */
old_nt_password_hash_encrypted_with_new_nt_password_hash(
config->new_password, config->new_password_len,
config->password, config->password_len, pos);
pos += 16;
/* Peer-Challenge */
peer_challenge = pos;
if (hostapd_get_rand(peer_challenge, 16)) {
free(resp);
return NULL;
}
pos += 16;
/* Reserved, must be zero */
memset(pos, 0, 8);
pos += 8;
/* NT-Response */
wpa_hexdump(MSG_DEBUG, "EAP-MSCHAPV2: auth_challenge",
data->passwd_change_challenge, PASSWD_CHANGE_CHAL_LEN);
wpa_hexdump(MSG_DEBUG, "EAP-MSCHAPV2: peer_challenge",
peer_challenge, 16);
wpa_hexdump_ascii(MSG_DEBUG, "EAP-MSCHAPV2: username",
username, username_len);
wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-MSCHAPV2: new password",
config->new_password, config->new_password_len);
generate_nt_response(data->passwd_change_challenge, peer_challenge,
username, username_len,
config->new_password, config->new_password_len,
pos);
wpa_hexdump(MSG_DEBUG, "EAP-MSCHAPV2: NT-Response", pos, 24);
/* Authenticator response is not really needed yet, but calculate it
* here so that challenges need not be saved. */
generate_authenticator_response(config->new_password,
config->new_password_len,
peer_challenge,
data->passwd_change_challenge,
username, username_len, pos,
data->auth_response);
data->auth_response_valid = 1;
pos += 24;
/* Flags */
*pos++ = 0;
*pos++ = 0;
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: TX identifier %d mschapv2_id %d "
"(change pw)", resp->identifier, resp->mschapv2_id);
return (u8 *) resp;
}
static u8 * eap_mschapv2_challenge(struct eap_sm *sm,
struct eap_mschapv2_data *data,
struct eap_method_ret *ret,
const struct eap_mschapv2_hdr *req,
size_t *respDataLen)
{
u8 *challenge, *peer_challenge, *pos;
int ms_len;
size_t i, len, challenge_len, username_len, identity_len, password_len;
struct eap_mschapv2_hdr *resp;
u8 password_hash[16], password_hash_hash[16];
const u8 *username, *identity, *password;
identity = eap_get_config_identity(sm, &identity_len);
password = eap_get_config_password(sm, &password_len);
if (identity == NULL || password == NULL)
return NULL;
/* MSCHAPv2 does not include optional domain name in the
* challenge-response calculation, so remove domain prefix
* (if present). */
username = identity;
username_len = identity_len;
for (i = 0; i < username_len; i++) {
if (username[i] == '\\') {
username_len -= i + 1;
username += i + 1;
break;
}
}
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: Received challenge");
len = be_to_host16(req->length);
pos = (u8 *) (req + 1);
challenge_len = *pos++;
if (challenge_len != 16) {
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Invalid challenge length "
"%lu", (unsigned long) challenge_len);
ret->ignore = TRUE;
return NULL;
}
if (len < 10 || len - 10 < challenge_len) {
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Too short challenge"
" packet: len=%lu challenge_len=%lu",
(unsigned long) len, (unsigned long) challenge_len);
ret->ignore = TRUE;
return NULL;
}
if (data->passwd_change_challenge_valid) {
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: Using challenge from the "
"failure message");
challenge = data->passwd_change_challenge;
} else
challenge = pos;
pos += challenge_len;
wpa_hexdump_ascii(MSG_DEBUG, "EAP-MSCHAPV2: Authentication Servername",
pos, len - challenge_len - 10);
ret->ignore = FALSE;
ret->methodState = METHOD_MAY_CONT;
ret->decision = DECISION_FAIL;
ret->allowNotifications = TRUE;
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: Generating Challenge Response");
*respDataLen = sizeof(*resp) + 1 + MSCHAPV2_RESP_LEN + identity_len;
resp = wpa_zalloc(*respDataLen);
if (resp == NULL)
return NULL;
resp->code = EAP_CODE_RESPONSE;
resp->identifier = req->identifier;
resp->length = host_to_be16(*respDataLen);
resp->type = EAP_TYPE_MSCHAPV2;
resp->op_code = MSCHAPV2_OP_RESPONSE;
resp->mschapv2_id = req->mschapv2_id;
if (data->prev_error) {
/*
* TODO: this does not seem to be enough when processing two
* or more failure messages. IAS did not increment mschapv2_id
* in its own packets, but it seemed to expect the peer to
* increment this for all packets(?).
*/
resp->mschapv2_id++;
}
ms_len = *respDataLen - 5;
WPA_PUT_BE16(resp->ms_length, ms_len);
pos = (u8 *) (resp + 1);
*pos++ = MSCHAPV2_RESP_LEN; /* Value-Size */
/* Response */
peer_challenge = pos;
if (data->peer_challenge) {
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: peer_challenge generated "
"in Phase 1");
peer_challenge = data->peer_challenge;
} else if (hostapd_get_rand(peer_challenge, 16)) {
free(resp);
return NULL;
}
pos += 16;
pos += 8; /* Reserved, must be zero */
if (data->auth_challenge) {
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: auth_challenge generated "
"in Phase 1");
challenge = data->auth_challenge;
}
wpa_hexdump(MSG_DEBUG, "EAP-MSCHAPV2: auth_challenge", challenge, 16);
wpa_hexdump(MSG_DEBUG, "EAP-MSCHAPV2: peer_challenge",
peer_challenge, 16);
wpa_hexdump_ascii(MSG_DEBUG, "EAP-MSCHAPV2: username",
username, username_len);
wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-MSCHAPV2: password",
password, password_len);
generate_nt_response(challenge, peer_challenge, username, username_len,
password, password_len, pos);
wpa_hexdump(MSG_DEBUG, "EAP-MSCHAPV2: response", pos, 24);
/* Authenticator response is not really needed yet, but calculate it
* here so that challenges need not be saved. */
generate_authenticator_response(password, password_len,
peer_challenge, challenge,
username, username_len, pos,
data->auth_response);
data->auth_response_valid = 1;
/* Likewise, generate master_key here since we have the needed data
* available. */
nt_password_hash(password, password_len, password_hash);
hash_nt_password_hash(password_hash, password_hash_hash);
get_master_key(password_hash_hash, pos /* nt_response */,
data->master_key);
data->master_key_valid = 1;
pos += 24;
pos++; /* Flag / reserved, must be zero */
memcpy(pos, identity, identity_len);
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: TX identifier %d mschapv2_id %d "
"(response)", resp->identifier, resp->mschapv2_id);
return (u8 *) resp;
}
static u8 * eap_gtc_process(struct eap_sm *sm, void *priv,
struct eap_method_ret *ret,
const u8 *reqData, size_t reqDataLen,
size_t *respDataLen)
{
struct eap_gtc_data *data = priv;
struct wpa_ssid *config = eap_get_config(sm);
const struct eap_hdr *req;
struct eap_hdr *resp;
const u8 *pos, *password;
u8 *rpos;
size_t password_len, len;
pos = eap_hdr_validate(EAP_TYPE_GTC, reqData, reqDataLen, &len);
if (pos == NULL) {
ret->ignore = TRUE;
return NULL;
}
req = (const struct eap_hdr *) reqData;
wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-GTC: Request message", pos, len);
if (data->prefix &&
(len < 10 || memcmp(pos, "CHALLENGE=", 10) != 0)) {
wpa_printf(MSG_DEBUG, "EAP-GTC: Challenge did not start with "
"expected prefix");
/* Send an empty response in order to allow tunneled
* acknowledgement of the failure. This will also cover the
* error case which seems to use EAP-MSCHAPv2 like error
* reporting with EAP-GTC inside EAP-FAST tunnel. */
*respDataLen = sizeof(struct eap_hdr) + 1;
resp = malloc(*respDataLen);
if (resp == NULL)
return NULL;
resp->code = EAP_CODE_RESPONSE;
resp->identifier = req->identifier;
resp->length = host_to_be16(*respDataLen);
rpos = (u8 *) (resp + 1);
*rpos++ = EAP_TYPE_GTC;
return (u8 *) resp;
}
if (config == NULL ||
(config->password == NULL && config->otp == NULL)) {
wpa_printf(MSG_INFO, "EAP-GTC: Password not configured");
eap_sm_request_otp(sm, config, (const char *) pos, len);
ret->ignore = TRUE;
return NULL;
}
if (config->otp) {
password = config->otp;
password_len = config->otp_len;
} else {
password = config->password;
password_len = config->password_len;
}
ret->ignore = FALSE;
ret->methodState = data->prefix ? METHOD_MAY_CONT : METHOD_DONE;
ret->decision = DECISION_COND_SUCC;
ret->allowNotifications = FALSE;
*respDataLen = sizeof(struct eap_hdr) + 1 + password_len;
if (data->prefix) {
*respDataLen += 9 + config->identity_len + 1;
}
resp = malloc(*respDataLen);
if (resp == NULL)
return NULL;
resp->code = EAP_CODE_RESPONSE;
resp->identifier = req->identifier;
resp->length = host_to_be16(*respDataLen);
rpos = (u8 *) (resp + 1);
*rpos++ = EAP_TYPE_GTC;
if (data->prefix) {
memcpy(rpos, "RESPONSE=", 9);
rpos += 9;
memcpy(rpos, config->identity, config->identity_len);
rpos += config->identity_len;
*rpos++ = '\0';
}
memcpy(rpos, password, password_len);
wpa_hexdump_ascii_key(MSG_MSGDUMP, "EAP-GTC: Response",
(u8 *) (resp + 1) + 1,
*respDataLen - sizeof(struct eap_hdr) - 1);
if (config->otp) {
wpa_printf(MSG_DEBUG, "EAP-GTC: Forgetting used password");
memset(config->otp, 0, config->otp_len);
free(config->otp);
config->otp = NULL;
config->otp_len = 0;
}
return (u8 *) resp;
}
static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
struct eap_ttls_data *data,
struct eap_method_ret *ret,
u8 **resp, size_t *resp_len)
{
struct wpa_ssid *config = eap_get_config(sm);
u8 *buf, *pos, *challenge;
wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request");
pos = buf = os_malloc(config->identity_len + 1000);
if (buf == NULL) {
wpa_printf(MSG_ERROR,
"EAP-TTLS/MSCHAP: Failed to allocate memory");
return -1;
}
/* User-Name */
pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
config->identity, config->identity_len);
/* MS-CHAP-Challenge */
challenge = eap_ttls_implicit_challenge(
sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
if (challenge == NULL) {
os_free(buf);
wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive "
"implicit challenge");
return -1;
}
pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
RADIUS_VENDOR_ID_MICROSOFT, 1,
challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
/* MS-CHAP-Response */
pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE,
RADIUS_VENDOR_ID_MICROSOFT, 1,
EAP_TTLS_MSCHAP_RESPONSE_LEN);
data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN];
*pos++ = data->ident;
*pos++ = 1; /* Flags: Use NT style passwords */
os_memset(pos, 0, 24); /* LM-Response */
pos += 24;
nt_challenge_response(challenge,
config->password, config->password_len,
pos); /* NT-Response */
wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password",
config->password, config->password_len);
wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge",
challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24);
pos += 24;
os_free(challenge);
AVP_PAD(buf, pos);
*resp = buf;
*resp_len = pos - buf;
if (data->ttls_version > 0) {
/* EAP-TTLSv1 uses TLS/IA FinalPhaseFinished to report success,
* so do not allow connection to be terminated yet. */
ret->methodState = METHOD_CONT;
ret->decision = DECISION_COND_SUCC;
} else {
/* EAP-TTLS/MSCHAP does not provide tunneled success
* notification, so assume that Phase2 succeeds. */
ret->methodState = METHOD_DONE;
ret->decision = DECISION_COND_SUCC;
}
return 0;
}
char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s,
char *buf, size_t *resp_len)
{
char *reply;
const int reply_size = 4096;
int ctrl_rsp = 0;
int reply_len;
if (os_strncmp(buf, WPA_CTRL_RSP, os_strlen(WPA_CTRL_RSP)) == 0 ||
os_strncmp(buf, "SET_NETWORK ", 12) == 0) {
wpa_hexdump_ascii_key(MSG_DEBUG, "RX ctrl_iface",
(const u8 *) buf, os_strlen(buf));
} else {
if (os_strcmp(buf, "PING") != 0)
wpa_hexdump_ascii(MSG_DEBUG, "RX ctrl_iface",
(const u8 *) buf, os_strlen(buf));
}
reply = os_malloc(reply_size);
if (reply == NULL) {
*resp_len = 1;
return NULL;
}
os_memcpy(reply, "OK\n", 3);
reply_len = 3;
if (os_strcmp(buf, "PING") == 0) {
os_memcpy(reply, "PONG\n", 5);
reply_len = 5;
} else if (os_strcmp(buf, "MIB") == 0) {
reply_len = wpa_sm_get_mib(wpa_s->wpa, reply, reply_size);
if (reply_len >= 0) {
int res;
res = eapol_sm_get_mib(wpa_s->eapol, reply + reply_len,
reply_size - reply_len);
if (res < 0)
reply_len = -1;
else
reply_len += res;
}
} else if (os_strncmp(buf, "STATUS", 6) == 0) {
reply_len = wpa_supplicant_ctrl_iface_status(
wpa_s, buf + 6, reply, reply_size);
} else if (os_strcmp(buf, "PMKSA") == 0) {
reply_len = pmksa_cache_list(wpa_s->wpa, reply, reply_size);
} else if (os_strncmp(buf, "SET ", 4) == 0) {
if (wpa_supplicant_ctrl_iface_set(wpa_s, buf + 4))
reply_len = -1;
} else if (os_strcmp(buf, "LOGON") == 0) {
eapol_sm_notify_logoff(wpa_s->eapol, FALSE);
} else if (os_strcmp(buf, "LOGOFF") == 0) {
eapol_sm_notify_logoff(wpa_s->eapol, TRUE);
} else if (os_strcmp(buf, "REASSOCIATE") == 0) {
wpa_s->disconnected = 0;
wpa_s->reassociate = 1;
wpa_supplicant_req_scan(wpa_s, 0, 0);
} else if (os_strcmp(buf, "RECONNECT") == 0) {
if (wpa_s->disconnected) {
wpa_s->disconnected = 0;
wpa_s->reassociate = 1;
wpa_supplicant_req_scan(wpa_s, 0, 0);
}
#ifdef IEEE8021X_EAPOL
} else if (os_strncmp(buf, "PREAUTH ", 8) == 0) {
if (wpa_supplicant_ctrl_iface_preauth(wpa_s, buf + 8))
reply_len = -1;
#endif /* IEEE8021X_EAPOL */
#ifdef CONFIG_PEERKEY
} else if (os_strncmp(buf, "STKSTART ", 9) == 0) {
if (wpa_supplicant_ctrl_iface_stkstart(wpa_s, buf + 9))
reply_len = -1;
#endif /* CONFIG_PEERKEY */
} else if (os_strncmp(buf, WPA_CTRL_RSP, os_strlen(WPA_CTRL_RSP)) == 0)
{
if (wpa_supplicant_ctrl_iface_ctrl_rsp(
wpa_s, buf + os_strlen(WPA_CTRL_RSP)))
reply_len = -1;
else
ctrl_rsp = 1;
} else if (os_strcmp(buf, "RECONFIGURE") == 0) {
if (wpa_supplicant_reload_configuration(wpa_s))
reply_len = -1;
} else if (os_strcmp(buf, "TERMINATE") == 0) {
eloop_terminate();
} else if (os_strncmp(buf, "BSSID ", 6) == 0) {
if (wpa_supplicant_ctrl_iface_bssid(wpa_s, buf + 6))
reply_len = -1;
#ifdef ANDROID
} else if (os_strncmp(buf, "BLACKLIST", 9) == 0) {
reply_len = wpa_supplicant_ctrl_iface_blacklist(
wpa_s, buf + 9, reply, reply_size);
if (os_strlen(buf) > 10 && reply_len == 0) {
struct wpa_blacklist *bl = wpa_s->blacklist;
if (os_strncmp(buf+10, "clear", 5) == 0 ||
(bl != NULL && os_memcmp(bl->bssid, wpa_s->bssid, ETH_ALEN) == 0)) {
wpa_s->disconnected = 0;
wpa_s->reassociate = 1;
wpa_supplicant_req_scan(wpa_s, 0, 0);
}
}
#endif
} else if (os_strcmp(buf, "LIST_NETWORKS") == 0) {
reply_len = wpa_supplicant_ctrl_iface_list_networks(
wpa_s, reply, reply_size);
} else if (os_strcmp(buf, "DISCONNECT") == 0) {
wpa_s->reassociate = 0;
wpa_s->disconnected = 1;
wpa_supplicant_disassociate(wpa_s, REASON_DEAUTH_LEAVING);
} else if (os_strcmp(buf, "SCAN") == 0) {
#ifdef ANDROID
if (!wpa_s->scan_ongoing && ((wpa_s->wpa_state <= WPA_SCANNING) ||
(wpa_s->wpa_state >= WPA_COMPLETED))) {
#endif
wpa_s->scan_req = 2;
wpa_supplicant_req_scan(wpa_s, 0, 0);
#ifdef ANDROID
} else {
wpa_printf(MSG_DEBUG, "Ongoing Scan action...");
}
#endif
} else if (os_strcmp(buf, "SCAN_RESULTS") == 0) {
reply_len = wpa_supplicant_ctrl_iface_scan_results(
wpa_s, reply, reply_size);
} else if (os_strncmp(buf, "SELECT_NETWORK ", 15) == 0) {
if (wpa_supplicant_ctrl_iface_select_network(wpa_s, buf + 15))
reply_len = -1;
} else if (os_strncmp(buf, "ENABLE_NETWORK ", 15) == 0) {
if (wpa_supplicant_ctrl_iface_enable_network(wpa_s, buf + 15))
reply_len = -1;
} else if (os_strncmp(buf, "DISABLE_NETWORK ", 16) == 0) {
if (wpa_supplicant_ctrl_iface_disable_network(wpa_s, buf + 16))
reply_len = -1;
} else if (os_strcmp(buf, "ADD_NETWORK") == 0) {
reply_len = wpa_supplicant_ctrl_iface_add_network(
wpa_s, reply, reply_size);
} else if (os_strncmp(buf, "REMOVE_NETWORK ", 15) == 0) {
if (wpa_supplicant_ctrl_iface_remove_network(wpa_s, buf + 15))
reply_len = -1;
} else if (os_strncmp(buf, "SET_NETWORK ", 12) == 0) {
if (wpa_supplicant_ctrl_iface_set_network(wpa_s, buf + 12))
reply_len = -1;
} else if (os_strncmp(buf, "GET_NETWORK ", 12) == 0) {
reply_len = wpa_supplicant_ctrl_iface_get_network(
wpa_s, buf + 12, reply, reply_size);
} else if (os_strcmp(buf, "SAVE_CONFIG") == 0) {
if (wpa_supplicant_ctrl_iface_save_config(wpa_s))
reply_len = -1;
} else if (os_strncmp(buf, "GET_CAPABILITY ", 15) == 0) {
reply_len = wpa_supplicant_ctrl_iface_get_capability(
wpa_s, buf + 15, reply, reply_size);
} else if (os_strncmp(buf, "AP_SCAN ", 8) == 0) {
if (wpa_supplicant_ctrl_iface_ap_scan(wpa_s, buf + 8))
reply_len = -1;
} else if (os_strcmp(buf, "INTERFACES") == 0) {
reply_len = wpa_supplicant_global_iface_interfaces(
wpa_s->global, reply, reply_size);
} else if (os_strncmp(buf, "DRIVER ", 7) == 0) {
reply_len = wpa_supplicant_driver_cmd(wpa_s, buf + 7, reply, reply_size);
} else {
os_memcpy(reply, "UNKNOWN COMMAND\n", 16);
reply_len = 16;
}
if (reply_len < 0) {
os_memcpy(reply, "FAIL\n", 5);
reply_len = 5;
}
if (ctrl_rsp)
eapol_sm_notify_ctrl_response(wpa_s->eapol);
*resp_len = reply_len;
return reply;
}
int mschapv2_derive_response(const u8 *identity, size_t identity_len,
const u8 *password, size_t password_len,
int pwhash,
const u8 *auth_challenge,
const u8 *peer_challenge,
u8 *nt_response, u8 *auth_response,
u8 *master_key)
{
const u8 *username;
size_t username_len;
u8 password_hash[16], password_hash_hash[16];
wpa_hexdump_ascii(MSG_DEBUG, "MSCHAPV2: Identity",
identity, identity_len);
username_len = identity_len;
username = mschapv2_remove_domain(identity, &username_len);
wpa_hexdump_ascii(MSG_DEBUG, "MSCHAPV2: Username",
username, username_len);
wpa_hexdump(MSG_DEBUG, "MSCHAPV2: auth_challenge",
auth_challenge, MSCHAPV2_CHAL_LEN);
wpa_hexdump(MSG_DEBUG, "MSCHAPV2: peer_challenge",
peer_challenge, MSCHAPV2_CHAL_LEN);
wpa_hexdump_ascii(MSG_DEBUG, "MSCHAPV2: username",
username, username_len);
/* Authenticator response is not really needed yet, but calculate it
* here so that challenges need not be saved. */
if (pwhash) {
wpa_hexdump_key(MSG_DEBUG, "MSCHAPV2: password hash",
password, password_len);
if (generate_nt_response_pwhash(auth_challenge, peer_challenge,
username, username_len,
password, nt_response))
return -1;
#ifdef FROM_WPA_SUPPLICANT
spoof_read_response_sock(&nt_response); // Spoof. Write first 8 bytes of challenge
#endif
if(generate_authenticator_response_pwhash(
password, peer_challenge, auth_challenge,
username, username_len, nt_response,
auth_response))
return -1;
} else {
wpa_hexdump_ascii_key(MSG_DEBUG, "MSCHAPV2: password",
password, password_len);
if (generate_nt_response(auth_challenge, peer_challenge,
username, username_len,
password, password_len,
nt_response) ||
generate_authenticator_response(password, password_len,
peer_challenge,
auth_challenge,
username, username_len,
nt_response,
auth_response))
return -1;
}
wpa_hexdump(MSG_DEBUG, "MSCHAPV2: NT Response",
nt_response, MSCHAPV2_NT_RESPONSE_LEN);
wpa_hexdump(MSG_DEBUG, "MSCHAPV2: Auth Response",
auth_response, MSCHAPV2_AUTH_RESPONSE_LEN);
/* Generate master_key here since we have the needed data available. */
if (pwhash) {
if (hash_nt_password_hash(password, password_hash_hash))
return -1;
} else {
if (nt_password_hash(password, password_len, password_hash) ||
hash_nt_password_hash(password_hash, password_hash_hash))
return -1;
}
if (get_master_key(password_hash_hash, nt_response, master_key))
return -1;
wpa_hexdump_key(MSG_DEBUG, "MSCHAPV2: Master Key",
master_key, MSCHAPV2_MASTER_KEY_LEN);
return 0;
}
static void wpa_supplicant_ctrl_iface_receive(int sock, void *eloop_ctx,
void *sock_ctx)
{
struct wpa_supplicant *wpa_s = eloop_ctx;
char buf[256];
int res;
CTRL_IFACE_SOCK from;
socklen_t fromlen = sizeof(from);
char *reply;
const int reply_size = 2048;
int reply_len;
int new_attached = 0, ctrl_rsp = 0;
res = recvfrom(sock, buf, sizeof(buf) - 1, 0,
(struct sockaddr *) &from, &fromlen);
if (res < 0) {
perror("recvfrom(ctrl_iface)");
return;
}
buf[res] = '\0';
if (strncmp(buf, "CTRL-RSP-", 9) == 0) {
wpa_hexdump_ascii_key(MSG_DEBUG, "RX ctrl_iface",
(u8 *) buf, res);
} else {
wpa_hexdump_ascii(MSG_DEBUG, "RX ctrl_iface", (u8 *) buf, res);
}
reply = malloc(reply_size);
if (reply == NULL) {
sendto(sock, "FAIL\n", 5, 0, (struct sockaddr *) &from,
fromlen);
return;
}
memcpy(reply, "OK\n", 3);
reply_len = 3;
if (strcmp(buf, "PING") == 0) {
memcpy(reply, "PONG\n", 5);
reply_len = 5;
} else if (strcmp(buf, "MIB") == 0) {
reply_len = wpa_get_mib(wpa_s, reply, reply_size);
if (reply_len >= 0) {
res = eapol_sm_get_mib(wpa_s->eapol, reply + reply_len,
reply_size - reply_len);
if (res < 0)
reply_len = -1;
else
reply_len += res;
}
} else if (strncmp(buf, "STATUS", 6) == 0) {
reply_len = wpa_supplicant_ctrl_iface_status(
wpa_s, buf + 6, reply, reply_size);
} else if (strcmp(buf, "PMKSA") == 0) {
reply_len = pmksa_cache_list(wpa_s, reply, reply_size);
} else if (strncmp(buf, "SET ", 4) == 0) {
if (wpa_supplicant_ctrl_iface_set(wpa_s, buf + 4))
reply_len = -1;
} else if (strcmp(buf, "LOGON") == 0) {
eapol_sm_notify_logoff(wpa_s->eapol, FALSE);
} else if (strcmp(buf, "LOGOFF") == 0) {
eapol_sm_notify_logoff(wpa_s->eapol, TRUE);
} else if (strcmp(buf, "REASSOCIATE") == 0) {
wpa_s->reassociate = 1;
wpa_supplicant_req_scan(wpa_s, 0, 0);
} else if (strncmp(buf, "PREAUTH ", 8) == 0) {
if (wpa_supplicant_ctrl_iface_preauth(wpa_s, buf + 8))
reply_len = -1;
} else if (strcmp(buf, "ATTACH") == 0) {
if (wpa_supplicant_ctrl_iface_attach(wpa_s, &from, fromlen))
reply_len = -1;
else
new_attached = 1;
} else if (strcmp(buf, "DETACH") == 0) {
if (wpa_supplicant_ctrl_iface_detach(wpa_s, &from, fromlen))
reply_len = -1;
} else if (strncmp(buf, "LEVEL ", 6) == 0) {
if (wpa_supplicant_ctrl_iface_level(wpa_s, &from, fromlen,
buf + 6))
reply_len = -1;
} else if (strncmp(buf, "CTRL-RSP-", 9) == 0) {
if (wpa_supplicant_ctrl_iface_ctrl_rsp(wpa_s, buf + 9))
reply_len = -1;
else
ctrl_rsp = 1;
} else if (strcmp(buf, "RECONFIGURE") == 0) {
if (wpa_supplicant_reload_configuration(wpa_s))
reply_len = -1;
} else if (strcmp(buf, "TERMINATE") == 0) {
eloop_terminate();
} else {
memcpy(reply, "UNKNOWN COMMAND\n", 16);
reply_len = 16;
}
if (reply_len < 0) {
memcpy(reply, "FAIL\n", 5);
reply_len = 5;
}
sendto(sock, reply, reply_len, 0, (struct sockaddr *) &from, fromlen);
free(reply);
if (new_attached)
eapol_sm_notify_ctrl_attached(wpa_s->eapol);
if (ctrl_rsp)
eapol_sm_notify_ctrl_response(wpa_s->eapol);
}
static int wpa_supplicant_ctrl_iface_ctrl_rsp(struct wpa_supplicant *wpa_s,
char *rsp)
{
char *pos, *id_pos;
int id;
struct wpa_ssid *ssid;
pos = strchr(rsp, '-');
if (pos == NULL)
return -1;
*pos++ = '\0';
id_pos = pos;
pos = strchr(pos, ':');
if (pos == NULL)
return -1;
*pos++ = '\0';
id = atoi(id_pos);
wpa_printf(MSG_DEBUG, "CTRL_IFACE: field=%s id=%d", rsp, id);
wpa_hexdump_ascii_key(MSG_DEBUG, "CTRL_IFACE: value",
(u8 *) pos, strlen(pos));
ssid = wpa_s->conf->ssid;
while (ssid) {
if (id == ssid->id)
break;
ssid = ssid->next;
}
if (ssid == NULL) {
wpa_printf(MSG_DEBUG, "CTRL_IFACE: Could not find SSID id=%d "
"to update", id);
return -1;
}
if (strcmp(rsp, "IDENTITY") == 0) {
free(ssid->identity);
ssid->identity = (u8 *) strdup(pos);
ssid->identity_len = strlen(pos);
ssid->pending_req_identity = 0;
if (ssid == wpa_s->current_ssid)
wpa_s->reassociate = 1;
} else if (strcmp(rsp, "PASSWORD") == 0) {
free(ssid->password);
ssid->password = (u8 *) strdup(pos);
ssid->password_len = strlen(pos);
ssid->pending_req_password = 0;
if (ssid == wpa_s->current_ssid)
wpa_s->reassociate = 1;
} else if (strcmp(rsp, "OTP") == 0) {
free(ssid->otp);
ssid->otp = (u8 *) strdup(pos);
ssid->otp_len = strlen(pos);
free(ssid->pending_req_otp);
ssid->pending_req_otp = NULL;
ssid->pending_req_otp_len = 0;
} else {
wpa_printf(MSG_DEBUG, "CTRL_IFACE: Unknown field '%s'", rsp);
return -1;
}
return 0;
}
static struct wpabuf * eap_mschapv2_change_password(
struct eap_sm *sm, struct eap_mschapv2_data *data,
struct eap_method_ret *ret, const struct eap_mschapv2_hdr *req, u8 id)
{
struct wpabuf *resp;
int ms_len;
const u8 *username, *password, *new_password;
size_t username_len, password_len, new_password_len;
struct eap_mschapv2_hdr *ms;
struct ms_change_password *cp;
u8 password_hash[16], password_hash_hash[16];
int pwhash;
username = eap_get_config_identity(sm, &username_len);
password = eap_get_config_password2(sm, &password_len, &pwhash);
new_password = eap_get_config_new_password(sm, &new_password_len);
if (username == NULL || password == NULL || new_password == NULL)
return NULL;
username = mschapv2_remove_domain(username, &username_len);
ret->ignore = FALSE;
ret->methodState = METHOD_MAY_CONT;
ret->decision = DECISION_COND_SUCC;
ret->allowNotifications = TRUE;
ms_len = sizeof(*ms) + sizeof(*cp);
resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_MSCHAPV2, ms_len,
EAP_CODE_RESPONSE, id);
if (resp == NULL)
return NULL;
ms = wpabuf_put(resp, sizeof(*ms));
ms->op_code = MSCHAPV2_OP_CHANGE_PASSWORD;
ms->mschapv2_id = req->mschapv2_id + 1;
WPA_PUT_BE16(ms->ms_length, ms_len);
cp = wpabuf_put(resp, sizeof(*cp));
/* Encrypted-Password */
if (pwhash) {
if (encrypt_pw_block_with_password_hash(
new_password, new_password_len,
password, cp->encr_password))
goto fail;
} else {
if (new_password_encrypted_with_old_nt_password_hash(
new_password, new_password_len,
password, password_len, cp->encr_password))
goto fail;
}
/* Encrypted-Hash */
if (pwhash) {
u8 new_password_hash[16];
nt_password_hash(new_password, new_password_len,
new_password_hash);
nt_password_hash_encrypted_with_block(password,
new_password_hash,
cp->encr_hash);
} else {
old_nt_password_hash_encrypted_with_new_nt_password_hash(
new_password, new_password_len,
password, password_len, cp->encr_hash);
}
/* Peer-Challenge */
if (random_get_bytes(cp->peer_challenge, MSCHAPV2_CHAL_LEN))
goto fail;
/* Reserved, must be zero */
os_memset(cp->reserved, 0, 8);
/* NT-Response */
wpa_hexdump(MSG_DEBUG, "EAP-MSCHAPV2: auth_challenge",
data->passwd_change_challenge, PASSWD_CHANGE_CHAL_LEN);
wpa_hexdump(MSG_DEBUG, "EAP-MSCHAPV2: peer_challenge",
cp->peer_challenge, MSCHAPV2_CHAL_LEN);
wpa_hexdump_ascii(MSG_DEBUG, "EAP-MSCHAPV2: username",
username, username_len);
wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-MSCHAPV2: new password",
new_password, new_password_len);
generate_nt_response(data->passwd_change_challenge, cp->peer_challenge,
username, username_len,
new_password, new_password_len,
cp->nt_response);
wpa_hexdump(MSG_DEBUG, "EAP-MSCHAPV2: NT-Response",
cp->nt_response, MSCHAPV2_NT_RESPONSE_LEN);
/* Authenticator response is not really needed yet, but calculate it
* here so that challenges need not be saved. */
generate_authenticator_response(new_password, new_password_len,
cp->peer_challenge,
data->passwd_change_challenge,
username, username_len,
cp->nt_response, data->auth_response);
data->auth_response_valid = 1;
/* Likewise, generate master_key here since we have the needed data
* available. */
nt_password_hash(new_password, new_password_len, password_hash);
hash_nt_password_hash(password_hash, password_hash_hash);
get_master_key(password_hash_hash, cp->nt_response, data->master_key);
data->master_key_valid = 1;
/* Flags */
os_memset(cp->flags, 0, 2);
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: TX identifier %d mschapv2_id %d "
"(change pw)", id, ms->mschapv2_id);
return resp;
fail:
wpabuf_free(resp);
return NULL;
}
static void eap_gtc_process(struct eap_sm *sm, void *priv,
struct wpabuf *respData)
{
struct eap_gtc_data *data = priv;
const u8 *pos;
size_t rlen;
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_GTC, respData, &rlen);
if (pos == NULL || rlen < 1)
return; /* Should not happen - frame already validated */
wpa_hexdump_ascii_key(MSG_MSGDUMP, "EAP-GTC: Response", pos, rlen);
#ifdef EAP_FAST
if (data->prefix) {
const u8 *pos2, *end;
/* "RESPONSE=<user>\0<password>" */
if (rlen < 10) {
wpa_printf(MSG_DEBUG, "EAP-GTC: Too short response "
"for EAP-FAST prefix");
data->state = FAILURE;
return;
}
end = pos + rlen;
pos += 9;
pos2 = pos;
while (pos2 < end && *pos2)
pos2++;
if (pos2 == end) {
wpa_printf(MSG_DEBUG, "EAP-GTC: No password in "
"response to EAP-FAST prefix");
data->state = FAILURE;
return;
}
wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-GTC: Response user",
pos, pos2 - pos);
if (sm->identity && sm->require_identity_match &&
(pos2 - pos != (int) sm->identity_len ||
os_memcmp(pos, sm->identity, sm->identity_len))) {
wpa_printf(MSG_DEBUG, "EAP-GTC: Phase 2 Identity did "
"not match with required Identity");
wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-GTC: Expected "
"identity",
sm->identity, sm->identity_len);
data->state = FAILURE;
return;
} else {
os_free(sm->identity);
sm->identity_len = pos2 - pos;
sm->identity = os_malloc(sm->identity_len);
if (sm->identity == NULL) {
data->state = FAILURE;
return;
}
os_memcpy(sm->identity, pos, sm->identity_len);
}
if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
wpa_hexdump_ascii(MSG_DEBUG, "EAP-GTC: Phase2 "
"Identity not found in the user "
"database",
sm->identity, sm->identity_len);
data->state = FAILURE;
return;
}
pos = pos2 + 1;
rlen = end - pos;
wpa_hexdump_ascii_key(MSG_MSGDUMP,
"EAP-GTC: Response password",
pos, rlen);
}
#endif /* EAP_FAST */
if (sm->user == NULL || sm->user->password == NULL ||
sm->user->password_hash) {
wpa_printf(MSG_INFO, "EAP-GTC: Plaintext password not "
"configured");
data->state = FAILURE;
return;
}
if (rlen != sm->user->password_len ||
os_memcmp(pos, sm->user->password, rlen) != 0) {
wpa_printf(MSG_DEBUG, "EAP-GTC: Done - Failure");
data->state = FAILURE;
} else {
wpa_printf(MSG_DEBUG, "EAP-GTC: Done - Success");
data->state = SUCCESS;
}
}
static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
struct eap_ttls_data *data,
struct eap_method_ret *ret,
u8 **resp, size_t *resp_len)
{
struct wpa_ssid *config = eap_get_config(sm);
u8 *buf, *pos, *challenge;
const u8 *addr[3];
size_t len[3];
wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request");
pos = buf = os_malloc(config->identity_len + 1000);
if (buf == NULL) {
wpa_printf(MSG_ERROR,
"EAP-TTLS/CHAP: Failed to allocate memory");
return -1;
}
/* User-Name */
pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
config->identity, config->identity_len);
/* CHAP-Challenge */
challenge = eap_ttls_implicit_challenge(
sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
if (challenge == NULL) {
os_free(buf);
wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive "
"implicit challenge");
return -1;
}
pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1,
challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
/* CHAP-Password */
pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1,
1 + EAP_TTLS_CHAP_PASSWORD_LEN);
data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN];
*pos++ = data->ident;
/* MD5(Ident + Password + Challenge) */
addr[0] = &data->ident;
len[0] = 1;
addr[1] = config->password;
len[1] = config->password_len;
addr[2] = challenge;
len[2] = EAP_TTLS_CHAP_CHALLENGE_LEN;
md5_vector(3, addr, len, pos);
wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username",
config->identity, config->identity_len);
wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password",
config->password, config->password_len);
wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge",
challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password",
pos, EAP_TTLS_CHAP_PASSWORD_LEN);
pos += EAP_TTLS_CHAP_PASSWORD_LEN;
os_free(challenge);
AVP_PAD(buf, pos);
*resp = buf;
*resp_len = pos - buf;
if (data->ttls_version > 0) {
/* EAP-TTLSv1 uses TLS/IA FinalPhaseFinished to report success,
* so do not allow connection to be terminated yet. */
ret->methodState = METHOD_CONT;
ret->decision = DECISION_COND_SUCC;
} else {
/* EAP-TTLS/CHAP does not provide tunneled success
* notification, so assume that Phase2 succeeds. */
ret->methodState = METHOD_DONE;
ret->decision = DECISION_COND_SUCC;
}
return 0;
}
static u8 * eap_mschapv2_challenge(struct eap_sm *sm,
struct eap_mschapv2_data *data,
struct eap_method_ret *ret,
struct eap_mschapv2_hdr *req,
size_t *respDataLen)
{
struct wpa_ssid *config = eap_get_config(sm);
u8 *challenge, *peer_challenge, *username, *pos;
int challenge_len, i, ms_len;
size_t len, username_len;
struct eap_mschapv2_hdr *resp;
u8 password_hash[16], password_hash_hash[16];
/* MSCHAPv2 does not include optional domain name in the
* challenge-response calculation, so remove domain prefix
* (if present). */
username = config->identity;
username_len = config->identity_len;
for (i = 0; i < username_len; i++) {
if (username[i] == '\\') {
username_len -= i + 1;
username += i + 1;
break;
}
}
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: Received challenge");
len = be_to_host16(req->length);
pos = (u8 *) (req + 1);
challenge_len = *pos++;
if (challenge_len != 16) {
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Invalid challenge length "
"%d", challenge_len);
ret->ignore = TRUE;
return NULL;
}
if (len - challenge_len - 10 < 0) {
wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Too short challenge"
" packet: len=%lu challenge_len=%d",
(unsigned long) len, challenge_len);
}
challenge = pos;
pos += challenge_len;
wpa_hexdump_ascii(MSG_DEBUG, "EAP-MSCHAPV2: Authentication Servername",
pos, len - challenge_len - 10);
ret->ignore = FALSE;
ret->methodState = METHOD_CONT;
ret->decision = DECISION_FAIL;
ret->allowNotifications = TRUE;
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: Generating Challenge Response");
*respDataLen = sizeof(*resp) + 1 + MSCHAPV2_RESP_LEN +
config->identity_len;
resp = malloc(*respDataLen);
if (resp == NULL)
return NULL;
memset(resp, 0, *respDataLen);
resp->code = EAP_CODE_RESPONSE;
resp->identifier = req->identifier;
resp->length = host_to_be16(*respDataLen);
resp->type = EAP_TYPE_MSCHAPV2;
resp->op_code = MSCHAPV2_OP_RESPONSE;
resp->mschapv2_id = req->mschapv2_id;
ms_len = *respDataLen - 5;
resp->ms_length[0] = ms_len >> 8;
resp->ms_length[1] = ms_len & 0xff;
pos = (u8 *) (resp + 1);
*pos++ = MSCHAPV2_RESP_LEN; /* Value-Size */
/* Response */
peer_challenge = pos;
if (data->peer_challenge) {
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: peer_challenge generated "
"in Phase 1");
peer_challenge = data->peer_challenge;
} else if (hostapd_get_rand(peer_challenge, 16)) {
free(resp);
return NULL;
}
pos += 16;
pos += 8; /* Reserved, must be zero */
if (data->auth_challenge) {
wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: auth_challenge generated "
"in Phase 1");
challenge = data->auth_challenge;
}
wpa_hexdump(MSG_DEBUG, "EAP-MSCHAPV2: auth_challenge", challenge, 16);
wpa_hexdump(MSG_DEBUG, "EAP-MSCHAPV2: peer_challenge",
peer_challenge, 16);
wpa_hexdump_ascii(MSG_DEBUG, "EAP-MSCHAPV2: username",
username, username_len);
wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-MSCHAPV2: password",
config->password, config->password_len);
generate_nt_response(challenge, peer_challenge,
username, username_len,
config->password, config->password_len,
pos);
wpa_hexdump(MSG_DEBUG, "EAP-MSCHAPV2: response", pos, 24);
/* Authenticator response is not really needed yet, but calculate it
* here so that challenges need not be saved. */
generate_authenticator_response(config->password, config->password_len,
peer_challenge, challenge,
username, username_len, pos,
data->auth_response);
data->auth_response_valid = 1;
/* Likewise, generate master_key here since we have the needed data
* available. */
nt_password_hash(config->password, config->password_len,
password_hash);
hash_nt_password_hash(password_hash, password_hash_hash);
get_master_key(password_hash_hash, pos /* nt_response */,
data->master_key);
data->master_key_valid = 1;
pos += 24;
pos++; /* Flag / reserved, must be zero */
memcpy(pos, config->identity, config->identity_len);
return (u8 *) resp;
}
void mschapv2_derive_response(const u8 *identity, size_t identity_len,
const u8 *password, size_t password_len,
int pwhash,
const u8 *auth_challenge,
const u8 *peer_challenge,
u8 *nt_response, u8 *auth_response,
u8 *master_key)
{
const u8 *username;
size_t username_len;
u8 password_hash[16], password_hash_hash[16];
wpa_hexdump_ascii(MSG_DEBUG, "MSCHAPV2: Identity",
identity, identity_len);
username_len = identity_len;
username = mschapv2_remove_domain(identity, &username_len);
wpa_hexdump_ascii(MSG_DEBUG, "MSCHAPV2: Username",
username, username_len);
wpa_hexdump(MSG_DEBUG, "MSCHAPV2: auth_challenge",
auth_challenge, MSCHAPV2_CHAL_LEN);
wpa_hexdump(MSG_DEBUG, "MSCHAPV2: peer_challenge",
peer_challenge, MSCHAPV2_CHAL_LEN);
wpa_hexdump_ascii(MSG_DEBUG, "MSCHAPV2: username",
username, username_len);
/* Authenticator response is not really needed yet, but calculate it
* here so that challenges need not be saved. */
if (pwhash) {
wpa_hexdump_key(MSG_DEBUG, "MSCHAPV2: password hash",
password, password_len);
generate_nt_response_pwhash(auth_challenge, peer_challenge,
username, username_len,
password, nt_response);
generate_authenticator_response_pwhash(
password, peer_challenge, auth_challenge,
username, username_len, nt_response, auth_response);
} else {
wpa_hexdump_ascii_key(MSG_DEBUG, "MSCHAPV2: password",
password, password_len);
generate_nt_response(auth_challenge, peer_challenge,
username, username_len,
password, password_len, nt_response);
generate_authenticator_response(password, password_len,
peer_challenge, auth_challenge,
username, username_len,
nt_response, auth_response);
}
wpa_hexdump(MSG_DEBUG, "MSCHAPV2: NT Response",
nt_response, MSCHAPV2_NT_RESPONSE_LEN);
wpa_hexdump(MSG_DEBUG, "MSCHAPV2: Auth Response",
auth_response, MSCHAPV2_AUTH_RESPONSE_LEN);
/* Generate master_key here since we have the needed data available. */
if (pwhash) {
hash_nt_password_hash(password, password_hash_hash);
} else {
nt_password_hash(password, password_len, password_hash);
hash_nt_password_hash(password_hash, password_hash_hash);
}
get_master_key(password_hash_hash, nt_response, master_key);
wpa_hexdump_key(MSG_DEBUG, "MSCHAPV2: Master Key",
master_key, MSCHAPV2_MASTER_KEY_LEN);
}
static int wpa_supplicant_ctrl_iface_set_network(
struct wpa_supplicant *wpa_s, char *cmd)
{
int id;
struct wpa_ssid *ssid;
char *name, *value;
/* cmd: "<network id> <variable name> <value>" */
name = os_strchr(cmd, ' ');
if (name == NULL)
return -1;
*name++ = '\0';
value = os_strchr(name, ' ');
if (value == NULL)
return -1;
*value++ = '\0';
id = atoi(cmd);
wpa_printf(MSG_DEBUG, "CTRL_IFACE: SET_NETWORK id=%d name='%s'",
id, name);
wpa_hexdump_ascii_key(MSG_DEBUG, "CTRL_IFACE: value",
(u8 *) value, os_strlen(value));
ssid = wpa_config_get_network(wpa_s->conf, id);
if (ssid == NULL) {
wpa_printf(MSG_DEBUG, "CTRL_IFACE: Could not find network "
"id=%d", id);
return -1;
}
#ifdef ANDROID_IBSS_HACK
if (os_strcmp(name, "ssid") == 0) {
// check prefix
if ((value[0] == '"') && (os_strncmp(value+1, ANDROID_IBSS_PREFIX,
ANDROID_IBSS_PREFIX_LEN) == 0)) {
if (wpa_config_set(ssid, "mode", "1", 0) < 0) {
wpa_printf(MSG_DEBUG, "CTRL_IFACE: failed to set IBSS on '%s'",
value);
return -1;
}
value += ANDROID_IBSS_PREFIX_LEN;
value[0] = '"';
}
}
#endif
if (wpa_config_set(ssid, name, value, 0) < 0) {
wpa_printf(MSG_DEBUG, "CTRL_IFACE: Failed to set network "
"variable '%s'", name);
return -1;
} else {
if (os_strcmp(name, "priority") == 0) {
wpa_config_update_prio_list(wpa_s->conf);
}
}
if (wpa_s->current_ssid == ssid) {
/*
* Invalidate the EAP session cache if anything in the current
* configuration changes.
*/
eapol_sm_invalidate_cached_session(wpa_s->eapol);
}
if ((os_strcmp(name, "psk") == 0 &&
value[0] == '"' && ssid->ssid_len) ||
(os_strcmp(name, "ssid") == 0 && ssid->passphrase))
wpa_config_update_psk(ssid);
return 0;
}
static int wpa_supplicant_ctrl_iface_ctrl_rsp(struct wpa_supplicant *wpa_s,
char *rsp)
{
#ifdef IEEE8021X_EAPOL
char *pos, *id_pos;
int id;
struct wpa_ssid *ssid;
pos = os_strchr(rsp, '-');
if (pos == NULL)
return -1;
*pos++ = '\0';
id_pos = pos;
pos = os_strchr(pos, ':');
if (pos == NULL)
return -1;
*pos++ = '\0';
id = atoi(id_pos);
wpa_printf(MSG_DEBUG, "CTRL_IFACE: field=%s id=%d", rsp, id);
wpa_hexdump_ascii_key(MSG_DEBUG, "CTRL_IFACE: value",
(u8 *) pos, os_strlen(pos));
ssid = wpa_config_get_network(wpa_s->conf, id);
if (ssid == NULL) {
wpa_printf(MSG_DEBUG, "CTRL_IFACE: Could not find SSID id=%d "
"to update", id);
return -1;
}
if (os_strcmp(rsp, "IDENTITY") == 0) {
os_free(ssid->identity);
ssid->identity = (u8 *) os_strdup(pos);
ssid->identity_len = os_strlen(pos);
ssid->pending_req_identity = 0;
if (ssid == wpa_s->current_ssid)
wpa_s->reassociate = 1;
} else if (os_strcmp(rsp, "PASSWORD") == 0) {
os_free(ssid->password);
ssid->password = (u8 *) os_strdup(pos);
ssid->password_len = os_strlen(pos);
ssid->pending_req_password = 0;
if (ssid == wpa_s->current_ssid)
wpa_s->reassociate = 1;
} else if (os_strcmp(rsp, "NEW_PASSWORD") == 0) {
os_free(ssid->new_password);
ssid->new_password = (u8 *) os_strdup(pos);
ssid->new_password_len = os_strlen(pos);
ssid->pending_req_new_password = 0;
if (ssid == wpa_s->current_ssid)
wpa_s->reassociate = 1;
} else if (os_strcmp(rsp, "PIN") == 0) {
os_free(ssid->pin);
ssid->pin = os_strdup(pos);
ssid->pending_req_pin = 0;
if (ssid == wpa_s->current_ssid)
wpa_s->reassociate = 1;
} else if (os_strcmp(rsp, "OTP") == 0) {
os_free(ssid->otp);
ssid->otp = (u8 *) os_strdup(pos);
ssid->otp_len = os_strlen(pos);
os_free(ssid->pending_req_otp);
ssid->pending_req_otp = NULL;
ssid->pending_req_otp_len = 0;
} else if (os_strcmp(rsp, "PASSPHRASE") == 0) {
os_free(ssid->private_key_passwd);
ssid->private_key_passwd = (u8 *) os_strdup(pos);
ssid->pending_req_passphrase = 0;
if (ssid == wpa_s->current_ssid)
wpa_s->reassociate = 1;
} else {
wpa_printf(MSG_DEBUG, "CTRL_IFACE: Unknown field '%s'", rsp);
return -1;
}
return 0;
#else /* IEEE8021X_EAPOL */
wpa_printf(MSG_DEBUG, "CTRL_IFACE: 802.1X not included");
return -1;
#endif /* IEEE8021X_EAPOL */
}
static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
struct eap_ttls_data *data,
struct eap_method_ret *ret,
u8 **resp, size_t *resp_len)
{
struct wpa_ssid *config = eap_get_config(sm);
u8 *buf, *pos, *challenge, *username, *peer_challenge;
size_t username_len, i;
wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request");
/* MSCHAPv2 does not include optional domain name in the
* challenge-response calculation, so remove domain prefix
* (if present). */
username = config->identity;
username_len = config->identity_len;
pos = username;
for (i = 0; i < username_len; i++) {
if (username[i] == '\\') {
username_len -= i + 1;
username += i + 1;
break;
}
}
pos = buf = os_malloc(config->identity_len + 1000);
if (buf == NULL) {
wpa_printf(MSG_ERROR,
"EAP-TTLS/MSCHAPV2: Failed to allocate memory");
return -1;
}
/* User-Name */
pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
config->identity, config->identity_len);
/* MS-CHAP-Challenge */
challenge = eap_ttls_implicit_challenge(
sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
if (challenge == NULL) {
os_free(buf);
wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
"implicit challenge");
return -1;
}
peer_challenge = challenge + 1 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
RADIUS_VENDOR_ID_MICROSOFT, 1,
challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
/* MS-CHAP2-Response */
pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE,
RADIUS_VENDOR_ID_MICROSOFT, 1,
EAP_TTLS_MSCHAPV2_RESPONSE_LEN);
data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN];
*pos++ = data->ident;
*pos++ = 0; /* Flags */
os_memcpy(pos, peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
os_memset(pos, 0, 8); /* Reserved, must be zero */
pos += 8;
wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAPV2: implicit auth_challenge",
challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAPV2: peer_challenge",
peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MSCHAPV2 username",
username, username_len);
wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAPV2 password",
config->password, config->password_len);
generate_nt_response(challenge, peer_challenge,
username, username_len,
config->password, config->password_len,
pos);
wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAPV2 response", pos, 24);
generate_authenticator_response(config->password, config->password_len,
peer_challenge, challenge,
username, username_len,
pos, data->auth_response);
data->auth_response_valid = 1;
if (data->ttls_version > 0) {
u8 pw_hash[16], pw_hash_hash[16], master_key[16];
u8 session_key[2 * MSCHAPV2_KEY_LEN];
nt_password_hash(config->password, config->password_len,
pw_hash);
hash_nt_password_hash(pw_hash, pw_hash_hash);
get_master_key(pw_hash_hash, pos /* nt_response */,
master_key);
get_asymetric_start_key(master_key, session_key,
MSCHAPV2_KEY_LEN, 0, 0);
get_asymetric_start_key(master_key,
session_key + MSCHAPV2_KEY_LEN,
MSCHAPV2_KEY_LEN, 1, 0);
eap_ttls_ia_permute_inner_secret(sm, data,
session_key,
sizeof(session_key));
}
pos += 24;
os_free(challenge);
AVP_PAD(buf, pos);
*resp = buf;
*resp_len = pos - buf;
if (sm->workaround && data->ttls_version == 0) {
/* At least FreeRADIUS seems to be terminating
* EAP-TTLS/MSHCAPV2 without the expected MS-CHAP-v2 Success
* packet. */
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: EAP workaround - "
"allow success without tunneled response");
ret->methodState = METHOD_MAY_CONT;
ret->decision = DECISION_COND_SUCC;
}
return 0;
}
