|
1 /* |
|
2 * Copyright (c) 2001-2006 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of the License "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: EAP and WLAN authentication protocols. |
|
15 * |
|
16 */ |
|
17 |
|
18 |
|
19 // This is enumeration of EAPOL source code. |
|
20 #if defined(USE_EAP_MINIMUM_RELEASE_TRACES) |
|
21 #undef EAP_FILE_NUMBER_ENUM |
|
22 #define EAP_FILE_NUMBER_ENUM 94 |
|
23 #undef EAP_FILE_NUMBER_DATE |
|
24 #define EAP_FILE_NUMBER_DATE 1127594498 |
|
25 #endif //#if defined(USE_EAP_MINIMUM_RELEASE_TRACES) |
|
26 |
|
27 |
|
28 |
|
29 #include "eap_am_memory.h" |
|
30 #include "eap_base_type.h" |
|
31 #include "eap_state_notification.h" |
|
32 #include "eap_type_mschapv2.h" |
|
33 #include "eap_am_type_mschapv2.h" |
|
34 #include "eap_buffer.h" |
|
35 #include "eap_master_session_key.h" |
|
36 #include "eap_network_id_selector.h" |
|
37 #include "eap_tlv_message_data.h" |
|
38 #include "eap_config.h" |
|
39 |
|
40 |
|
41 eap_status_e eap_type_mschapv2_c::client_packet_process( |
|
42 eap_header_wr_c * const received_eap, |
|
43 const u32_t eap_packet_length) |
|
44 { |
|
45 EAP_TRACE_BEGIN(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
46 |
|
47 EAP_TRACE_DEBUG( |
|
48 m_am_tools, |
|
49 TRACE_FLAGS_DEFAULT, |
|
50 (EAPL("eap_type_mschapv2_c::client_packet_process(): this = 0x%08x, m_session.get_state()=%d\n"), |
|
51 this, |
|
52 m_session.get_state())); |
|
53 |
|
54 eap_status_e status = eap_status_drop_packet_quietly; |
|
55 |
|
56 m_identifier = received_eap->get_identifier(); |
|
57 |
|
58 if (received_eap->get_type() == eap_type_identity) |
|
59 { |
|
60 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
61 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
62 } |
|
63 |
|
64 if (received_eap->get_code() == eap_code_failure) |
|
65 { |
|
66 if (m_session.is_valid_state(eap_type_mschapv2_state_failure) == false) |
|
67 { |
|
68 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
69 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
70 } |
|
71 |
|
72 status = finish_unsuccessful_authentication(false); |
|
73 |
|
74 m_session.set_state(eap_type_mschapv2_state_failure); |
|
75 } |
|
76 else if (received_eap->get_code() == eap_code_success) |
|
77 { |
|
78 if (m_session.is_valid_state(eap_type_mschapv2_state_success) == false) |
|
79 { |
|
80 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
81 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
82 } |
|
83 |
|
84 eap_master_session_key_c key( |
|
85 m_am_tools, |
|
86 eap_type_mschapv2); |
|
87 if (key.get_is_valid() == false) |
|
88 { |
|
89 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
90 return EAP_STATUS_RETURN(m_am_tools, eap_status_allocation_error); |
|
91 } |
|
92 |
|
93 status = generate_session_key(&key); |
|
94 if (status != eap_status_ok) |
|
95 { |
|
96 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
97 return EAP_STATUS_RETURN(m_am_tools, status); |
|
98 } |
|
99 |
|
100 status = get_type_partner()->packet_data_crypto_keys(&m_send_network_id, &key); |
|
101 if (status != eap_status_ok) |
|
102 { |
|
103 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
104 return EAP_STATUS_RETURN(m_am_tools, status); |
|
105 } |
|
106 |
|
107 // Check wait for eap success |
|
108 |
|
109 status = finish_successful_authentication(); |
|
110 |
|
111 m_session.set_state(eap_type_mschapv2_state_success); |
|
112 } |
|
113 else if (received_eap->get_code() == eap_code_request) // Request |
|
114 { |
|
115 // MsChapV2 |
|
116 if (received_eap->get_type() == eap_type_mschapv2) |
|
117 { |
|
118 status = client_mschapv2_packet_process( |
|
119 received_eap, |
|
120 eap_packet_length); |
|
121 } |
|
122 } |
|
123 |
|
124 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
125 return EAP_STATUS_RETURN(m_am_tools, status); |
|
126 } |
|
127 |
|
128 eap_status_e eap_type_mschapv2_c::client_mschapv2_packet_process( |
|
129 eap_header_wr_c * const received_eap, |
|
130 const u32_t eap_packet_length) |
|
131 { |
|
132 EAP_TRACE_BEGIN(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
133 |
|
134 EAP_TRACE_DEBUG( |
|
135 m_am_tools, |
|
136 TRACE_FLAGS_DEFAULT, |
|
137 (EAPL("eap_type_mschapv2_c::client_mschapv2_packet_process(): this = 0x%08x\n"), |
|
138 this)); |
|
139 |
|
140 eap_status_e status = eap_status_drop_packet_quietly; |
|
141 |
|
142 if (eap_packet_length <= eap_header_base_c::get_header_length()) |
|
143 { |
|
144 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
145 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
146 } |
|
147 else if (eap_packet_length == received_eap->get_data_length()) |
|
148 { |
|
149 // MsChapV2 packet without any data, unspecified packet? |
|
150 // lets finish unsuccesfully? |
|
151 if (m_session.is_valid_state(eap_type_mschapv2_state_failure) == true) |
|
152 { |
|
153 status = finish_unsuccessful_authentication(false); |
|
154 } |
|
155 |
|
156 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
157 return EAP_STATUS_RETURN(m_am_tools, status); |
|
158 } |
|
159 |
|
160 const u32_t type_data_length = received_eap->get_type_data_length(); |
|
161 |
|
162 if (received_eap->get_type_data_offset(0, type_data_length) == 0) |
|
163 { |
|
164 // Not enough data. |
|
165 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
166 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
167 } |
|
168 |
|
169 mschapv2_header_c mschapv2_header( |
|
170 m_am_tools, |
|
171 received_eap->get_type_data_offset(0, type_data_length), |
|
172 type_data_length); |
|
173 |
|
174 if (mschapv2_header.check_header() != eap_status_ok) |
|
175 { |
|
176 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
177 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
178 } |
|
179 |
|
180 switch (mschapv2_header.get_opcode()) |
|
181 { |
|
182 case mschapv2_opcode_challenge: |
|
183 if (m_session.is_valid_state(eap_type_mschapv2_state_challenge_request) == false) |
|
184 { |
|
185 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
186 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
187 } |
|
188 status = client_handle_challenge_request(mschapv2_header); |
|
189 break; |
|
190 |
|
191 case mschapv2_opcode_success: |
|
192 if (m_session.is_valid_state(eap_type_mschapv2_state_success_request) == false) |
|
193 { |
|
194 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
195 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
196 } |
|
197 status = client_handle_success_request(mschapv2_header); |
|
198 break; |
|
199 |
|
200 case mschapv2_opcode_failure: |
|
201 if (m_session.is_valid_state(eap_type_mschapv2_state_failure_request) == false) |
|
202 { |
|
203 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
204 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
205 } |
|
206 status = client_handle_failure_request(mschapv2_header); |
|
207 break; |
|
208 |
|
209 default: |
|
210 break; |
|
211 } |
|
212 |
|
213 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
214 return EAP_STATUS_RETURN(m_am_tools, status); |
|
215 } |
|
216 |
|
217 eap_status_e eap_type_mschapv2_c::client_handle_challenge_request(mschapv2_header_c &challenge_request) |
|
218 { |
|
219 EAP_TRACE_BEGIN(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
220 |
|
221 EAP_TRACE_DEBUG( |
|
222 m_am_tools, |
|
223 TRACE_FLAGS_DEFAULT, |
|
224 (EAPL("eap_type_mschapv2_c::client_handle_challenge_request(): this = 0x%08x\n"), |
|
225 this)); |
|
226 |
|
227 eap_status_e status = eap_status_drop_packet_quietly; |
|
228 |
|
229 if (challenge_request.get_data_length() < mschapv2_challenge_c::get_header_minimum_size()) |
|
230 { |
|
231 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
232 return EAP_STATUS_RETURN(m_am_tools, status); |
|
233 } |
|
234 |
|
235 m_mschapv2id = challenge_request.get_mschapv2_id(); |
|
236 |
|
237 mschapv2_challenge_c challenge_payload( |
|
238 m_am_tools, |
|
239 challenge_request.get_data(), |
|
240 challenge_request.get_data_length()); |
|
241 |
|
242 if (challenge_payload.check_header() != eap_status_ok) |
|
243 { |
|
244 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
245 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
246 } |
|
247 |
|
248 EAP_TRACE_DATA_DEBUG( |
|
249 m_am_tools, |
|
250 TRACE_FLAGS_DEFAULT, |
|
251 (EAPL("client_handle_challenge_request(): mschapv2id"), |
|
252 &m_mschapv2id, |
|
253 sizeof(m_mschapv2id))); |
|
254 |
|
255 EAP_TRACE_DATA_DEBUG( |
|
256 m_am_tools, |
|
257 TRACE_FLAGS_DEFAULT, |
|
258 (EAPL("client_handle_challenge_request(): m_authenticator_challenge"), |
|
259 challenge_payload.get_challenge(), |
|
260 EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE)); |
|
261 |
|
262 m_am_tools->memmove( |
|
263 m_authenticator_challenge, |
|
264 challenge_payload.get_challenge(), |
|
265 EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE); |
|
266 |
|
267 #if defined(USE_FAST_EAP_TYPE) |
|
268 if (m_use_EAP_FAST_challenge == true) |
|
269 { |
|
270 // Note the received authenticator challenge is zero bytes in EAP-FAST. |
|
271 if (m_server_EAP_FAST_challenge.get_is_valid_data() == false |
|
272 || m_server_EAP_FAST_challenge.get_data_length() != EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE) |
|
273 { |
|
274 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
275 return EAP_STATUS_RETURN(m_am_tools, eap_status_authentication_failure); |
|
276 } |
|
277 |
|
278 m_am_tools->memmove( |
|
279 m_authenticator_challenge, |
|
280 m_server_EAP_FAST_challenge.get_data(), |
|
281 EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE); |
|
282 |
|
283 EAP_TRACE_DATA_DEBUG( |
|
284 m_am_tools, |
|
285 TRACE_FLAGS_DEFAULT, |
|
286 (EAPL("client_handle_challenge_request(): EAP-FAST m_authenticator_challenge"), |
|
287 m_authenticator_challenge, |
|
288 EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE)); |
|
289 } |
|
290 #endif //#if defined(USE_FAST_EAP_TYPE) |
|
291 |
|
292 // If no identity, ask it |
|
293 if (!m_identity_asked |
|
294 && (m_password_prompt_enabled |
|
295 || m_username_utf8.get_is_valid_data() == false)) |
|
296 { |
|
297 // Prefill username with identity if it is possible |
|
298 if (m_username_utf8.get_is_valid_data() == false) |
|
299 { |
|
300 status = get_type_partner()->get_saved_eap_identity(&m_username_utf8); |
|
301 } |
|
302 |
|
303 // Open username/password dialog |
|
304 status = m_am_type_mschapv2->show_username_password_dialog( |
|
305 m_username_utf8, |
|
306 m_password_utf8, |
|
307 m_password_prompt_enabled, |
|
308 false); |
|
309 } |
|
310 else |
|
311 { |
|
312 status = client_send_challenge_response(); |
|
313 } |
|
314 |
|
315 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
316 return EAP_STATUS_RETURN(m_am_tools, status); |
|
317 } |
|
318 |
|
319 eap_status_e eap_type_mschapv2_c::client_send_challenge_response() |
|
320 { |
|
321 EAP_TRACE_BEGIN(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
322 |
|
323 EAP_TRACE_DEBUG( |
|
324 m_am_tools, |
|
325 TRACE_FLAGS_DEFAULT, |
|
326 (EAPL("eap_type_mschapv2_c::client_send_challenge_response(): this = 0x%08x\n"), |
|
327 this)); |
|
328 |
|
329 eap_status_e status = m_rand.add_rand_seed_hw_ticks(); |
|
330 if (status != eap_status_ok) |
|
331 { |
|
332 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
333 return EAP_STATUS_RETURN(m_am_tools, status); |
|
334 } |
|
335 |
|
336 #if defined(USE_FAST_EAP_TYPE) |
|
337 if (m_use_EAP_FAST_challenge == true |
|
338 && m_client_EAP_FAST_challenge.get_is_valid_data() == true |
|
339 && m_client_EAP_FAST_challenge.get_data_length() == EAP_MSCHAPV2_PEER_CHALLENGE_SIZE) |
|
340 { |
|
341 m_am_tools->memmove( |
|
342 m_peer_challenge, |
|
343 m_client_EAP_FAST_challenge.get_data(), |
|
344 EAP_MSCHAPV2_PEER_CHALLENGE_SIZE); |
|
345 } |
|
346 else |
|
347 #endif //#if defined(USE_FAST_EAP_TYPE) |
|
348 { |
|
349 status = m_rand.get_rand_bytes(m_peer_challenge, EAP_MSCHAPV2_PEER_CHALLENGE_SIZE); |
|
350 if (status != eap_status_ok) |
|
351 { |
|
352 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
353 return EAP_STATUS_RETURN(m_am_tools, status); |
|
354 } |
|
355 } |
|
356 |
|
357 crypto_nt_hash_c nt_hash(m_am_tools); |
|
358 if (nt_hash.get_is_valid() == false) |
|
359 { |
|
360 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
361 return EAP_STATUS_RETURN(m_am_tools, eap_status_allocation_error); |
|
362 } |
|
363 |
|
364 if (m_do_wrong_password_tests == true) |
|
365 { |
|
366 u8_t crap_from_stack; |
|
367 status = m_password_utf8.add_data(&crap_from_stack, sizeof(crap_from_stack)); |
|
368 if (status != eap_status_ok) |
|
369 { |
|
370 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
371 return EAP_STATUS_RETURN(m_am_tools, status); |
|
372 } |
|
373 } |
|
374 |
|
375 status = nt_hash.nt_password_hash( |
|
376 &m_password_utf8, |
|
377 &m_password_hash, |
|
378 EAP_MSCHAPV2_MD4_DIGEST_SIZE); |
|
379 if (status != eap_status_ok) |
|
380 { |
|
381 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
382 return EAP_STATUS_RETURN(m_am_tools, status); |
|
383 } |
|
384 |
|
385 status = nt_hash.hash_nt_password_hash( |
|
386 &m_password_hash, |
|
387 &m_password_hash_hash, |
|
388 EAP_MSCHAPV2_MD4_DIGEST_SIZE); |
|
389 if (status != eap_status_ok) |
|
390 { |
|
391 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
392 return EAP_STATUS_RETURN(m_am_tools, status); |
|
393 } |
|
394 |
|
395 EAP_TRACE_DATA_DEBUG( |
|
396 m_am_tools, |
|
397 TRACE_FLAGS_DEFAULT, |
|
398 (EAPL("EAP_type_MSCHAPV2: client_send_challenge_response(), m_password_utf8"), |
|
399 m_password_utf8.get_data(), |
|
400 m_password_utf8.get_data_length())); |
|
401 |
|
402 EAP_TRACE_DATA_DEBUG( |
|
403 m_am_tools, |
|
404 TRACE_FLAGS_DEFAULT, |
|
405 (EAPL("EAP_type_MSCHAPV2: client_send_challenge_response(), m_authenticator_challenge"), |
|
406 m_authenticator_challenge, |
|
407 EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE)); |
|
408 |
|
409 EAP_TRACE_DATA_DEBUG( |
|
410 m_am_tools, |
|
411 TRACE_FLAGS_DEFAULT, |
|
412 (EAPL("EAP_type_MSCHAPV2: client_send_challenge_response(), m_peer_challenge"), |
|
413 m_peer_challenge, |
|
414 EAP_MSCHAPV2_PEER_CHALLENGE_SIZE)); |
|
415 |
|
416 EAP_TRACE_DATA_DEBUG( |
|
417 m_am_tools, |
|
418 TRACE_FLAGS_DEFAULT, |
|
419 (EAPL("EAP_type_MSCHAPV2: client_send_challenge_response(), m_password_hash"), |
|
420 m_password_hash.get_data(), |
|
421 m_password_hash.get_data_length())); |
|
422 |
|
423 EAP_TRACE_DATA_DEBUG( |
|
424 m_am_tools, |
|
425 TRACE_FLAGS_DEFAULT, |
|
426 (EAPL("EAP_type_MSCHAPV2: client_send_challenge_response(), m_username_utf8"), |
|
427 m_username_utf8.get_data(), |
|
428 m_username_utf8.get_data_length())); |
|
429 |
|
430 EAP_TRACE_DATA_DEBUG( |
|
431 m_am_tools, |
|
432 TRACE_FLAGS_DEFAULT, |
|
433 (EAPL("EAP_type_MSCHAPV2: client_send_challenge_response(): m_authenticator_challenge"), |
|
434 m_authenticator_challenge, |
|
435 EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE)); |
|
436 |
|
437 status = generate_nt_response( |
|
438 m_authenticator_challenge, |
|
439 m_peer_challenge, |
|
440 m_username_utf8.get_data(), |
|
441 m_username_utf8.get_data_length(), |
|
442 &m_password_hash, |
|
443 m_nt_response); |
|
444 if (status != eap_status_ok) |
|
445 { |
|
446 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
447 return EAP_STATUS_RETURN(m_am_tools, status); |
|
448 } |
|
449 |
|
450 EAP_TRACE_DATA_DEBUG( |
|
451 m_am_tools, |
|
452 TRACE_FLAGS_DEFAULT, |
|
453 (EAPL("EAP_type_MSCHAPV2: client_send_challenge_response(), m_nt_response:"), |
|
454 m_nt_response, |
|
455 EAP_MSCHAPV2_NT_RESPONSE_SIZE)); |
|
456 |
|
457 // Send response |
|
458 |
|
459 const u32_t type_data_length = EAP_MSCHAPV2_HEADER_SIZE // OpCode, MS-CHAPv2-ID and MS-Length |
|
460 + mschapv2_response_c::get_header_minimum_size() |
|
461 + m_username_utf8.get_data_length(); |
|
462 |
|
463 const u32_t packet_length |
|
464 = eap_header_base_c::get_type_data_start_offset(m_use_eap_expanded_type) |
|
465 + type_data_length; |
|
466 |
|
467 eap_buf_chain_wr_c * packet = create_send_packet(packet_length); |
|
468 if (!packet) |
|
469 { |
|
470 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
471 return EAP_STATUS_RETURN(m_am_tools, eap_status_allocation_error); |
|
472 } |
|
473 |
|
474 eap_header_base_c eap_header( |
|
475 m_am_tools, |
|
476 packet->get_data_offset(m_offset, packet_length), |
|
477 packet_length); |
|
478 if (eap_header.get_is_valid() == false) |
|
479 { |
|
480 delete packet; |
|
481 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
482 return EAP_STATUS_RETURN(m_am_tools, eap_status_illegal_parameter); |
|
483 } |
|
484 eap_header.set_code(eap_code_response); |
|
485 eap_header.set_identifier(m_identifier); |
|
486 eap_header.set_length( |
|
487 static_cast<u16_t>(packet_length), |
|
488 m_use_eap_expanded_type); |
|
489 eap_header.set_type( |
|
490 eap_type_mschapv2, |
|
491 m_use_eap_expanded_type); |
|
492 |
|
493 mschapv2_header_c mschapv2_header( |
|
494 m_am_tools, |
|
495 eap_header.get_type_data_offset(0, eap_header.get_type_data_length()), |
|
496 eap_header.get_type_data_length()); |
|
497 |
|
498 mschapv2_header.set_opcode(mschapv2_opcode_response); |
|
499 mschapv2_header.set_mschapv2_id(m_mschapv2id); |
|
500 mschapv2_header.set_ms_length(static_cast<u16_t>(type_data_length)); |
|
501 |
|
502 mschapv2_response_c response( |
|
503 m_am_tools, |
|
504 mschapv2_header.get_data(), |
|
505 mschapv2_header.get_data_length()); |
|
506 if (response.get_is_valid() == false) |
|
507 { |
|
508 delete packet; |
|
509 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
510 return EAP_STATUS_RETURN(m_am_tools, eap_status_allocation_error); |
|
511 } |
|
512 |
|
513 status = response.set_constants(); |
|
514 if (status != eap_status_ok) |
|
515 { |
|
516 delete packet; |
|
517 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
518 return EAP_STATUS_RETURN(m_am_tools, status); |
|
519 } |
|
520 |
|
521 |
|
522 #if defined(USE_FAST_EAP_TYPE) |
|
523 if (m_use_EAP_FAST_challenge == true) |
|
524 { |
|
525 // EAP-FAST sends peer challenge containing only zeroes. |
|
526 response.set_peer_challenge(EAP_MSCHAPV2_ZERO_CHALLENGE); |
|
527 } |
|
528 else |
|
529 #endif //#if defined(USE_FAST_EAP_TYPE) |
|
530 { |
|
531 response.set_peer_challenge(m_peer_challenge); |
|
532 } |
|
533 |
|
534 response.set_nt_response(m_nt_response); |
|
535 |
|
536 // Copy username to end of response packet |
|
537 u32_t username_ascii_size = m_username_utf8.get_data_length(); |
|
538 response.set_name(m_username_utf8.get_data(username_ascii_size)); |
|
539 |
|
540 // Send |
|
541 status = packet_send(packet, packet_length); |
|
542 |
|
543 delete packet; |
|
544 |
|
545 if (status != eap_status_ok) |
|
546 { |
|
547 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
548 return EAP_STATUS_RETURN(m_am_tools, status); |
|
549 } |
|
550 |
|
551 m_session.set_state(eap_type_mschapv2_state_challenge_request); |
|
552 |
|
553 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
554 return EAP_STATUS_RETURN(m_am_tools, eap_status_ok); |
|
555 } |
|
556 |
|
557 eap_status_e eap_type_mschapv2_c::client_handle_success_request(mschapv2_header_c & success_request) |
|
558 { |
|
559 EAP_TRACE_BEGIN(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
560 |
|
561 EAP_TRACE_DEBUG( |
|
562 m_am_tools, |
|
563 TRACE_FLAGS_DEFAULT, |
|
564 (EAPL("eap_type_mschapv2_c::client_handle_success_request(): this = 0x%08x\n"), |
|
565 this)); |
|
566 |
|
567 eap_status_e status = eap_status_drop_packet_quietly; |
|
568 |
|
569 if (success_request.get_data_length() < EAP_MSCHAPV2_SUCCESS_REQUEST_MESSAGE_MIN_LENGTH) // Check this out |
|
570 { |
|
571 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
572 return EAP_STATUS_RETURN(m_am_tools, status); |
|
573 } |
|
574 |
|
575 m_mschapv2id = success_request.get_mschapv2_id(); |
|
576 |
|
577 u8_t * success_payload = success_request.get_data(); |
|
578 bool response_check; |
|
579 |
|
580 eap_variable_data_c new_password_hash(m_am_tools); |
|
581 eap_variable_data_c new_password_hash_hash(m_am_tools); |
|
582 |
|
583 EAP_TRACE_DATA_DEBUG( |
|
584 m_am_tools, |
|
585 TRACE_FLAGS_DEFAULT, |
|
586 (EAPL("client_handle_success_request(): m_authenticator_challenge"), |
|
587 m_authenticator_challenge, |
|
588 EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE)); |
|
589 |
|
590 EAP_TRACE_DATA_DEBUG( |
|
591 m_am_tools, |
|
592 TRACE_FLAGS_DEFAULT, |
|
593 (EAPL("client_handle_success_request(): m_peer_challenge"), |
|
594 m_peer_challenge, |
|
595 EAP_MSCHAPV2_PEER_CHALLENGE_SIZE)); |
|
596 |
|
597 EAP_TRACE_DATA_DEBUG( |
|
598 m_am_tools, |
|
599 TRACE_FLAGS_DEFAULT, |
|
600 (EAPL("client_handle_success_request(): m_nt_response"), |
|
601 m_nt_response, |
|
602 EAP_MSCHAPV2_NT_RESPONSE_SIZE)); |
|
603 |
|
604 if (m_session.get_state() == eap_type_mschapv2_state_change_password_request) |
|
605 { |
|
606 // Here we need to generate password hashes from new_password |
|
607 |
|
608 crypto_nt_hash_c nt_hash(m_am_tools); |
|
609 if (nt_hash.get_is_valid() == false) |
|
610 { |
|
611 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
612 return EAP_STATUS_RETURN(m_am_tools, eap_status_allocation_error); |
|
613 } |
|
614 |
|
615 status = nt_hash.nt_password_hash( |
|
616 &m_password_utf8, |
|
617 &new_password_hash, |
|
618 EAP_MSCHAPV2_MD4_DIGEST_SIZE); |
|
619 if (status != eap_status_ok) |
|
620 { |
|
621 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
622 return EAP_STATUS_RETURN(m_am_tools, status); |
|
623 } |
|
624 |
|
625 status = nt_hash.hash_nt_password_hash( |
|
626 &new_password_hash, |
|
627 &new_password_hash_hash, |
|
628 EAP_MSCHAPV2_MD4_DIGEST_SIZE); |
|
629 if (status != eap_status_ok) |
|
630 { |
|
631 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
632 return EAP_STATUS_RETURN(m_am_tools, status); |
|
633 } |
|
634 |
|
635 status = check_authenticator_response( |
|
636 &new_password_hash_hash, |
|
637 m_nt_response, |
|
638 m_peer_challenge, |
|
639 m_authenticator_challenge, |
|
640 m_username_utf8.get_data(), |
|
641 m_username_utf8.get_data_length(), |
|
642 success_payload, |
|
643 response_check); |
|
644 } |
|
645 else |
|
646 { |
|
647 status = check_authenticator_response( |
|
648 &m_password_hash_hash, |
|
649 m_nt_response, |
|
650 m_peer_challenge, |
|
651 m_authenticator_challenge, |
|
652 m_username_utf8.get_data(), |
|
653 m_username_utf8.get_data_length(), |
|
654 success_payload, |
|
655 response_check); |
|
656 } |
|
657 if (status != eap_status_ok) |
|
658 { |
|
659 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
660 return EAP_STATUS_RETURN(m_am_tools, status); |
|
661 } |
|
662 |
|
663 if (response_check) |
|
664 { |
|
665 EAP_TRACE_DEBUG( |
|
666 m_am_tools, |
|
667 TRACE_FLAGS_DEFAULT, |
|
668 (EAPL("EAP_type_MSCHAPV2: client_handle_success_request(): mschapv2_opcode_success, authenticator_response correct\n"))); |
|
669 |
|
670 // Check if earlier state was password change |
|
671 if (m_session.get_state() == eap_type_mschapv2_state_change_password_request) |
|
672 { |
|
673 if (m_password_prompt_enabled == false) |
|
674 { |
|
675 // Save new password |
|
676 status = m_am_type_mschapv2->update_username_password(); |
|
677 } |
|
678 |
|
679 // Save new hashes |
|
680 status = m_password_hash.set_copy_of_buffer(&new_password_hash); |
|
681 if (status != eap_status_ok) |
|
682 { |
|
683 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
684 return EAP_STATUS_RETURN(m_am_tools, status); |
|
685 } |
|
686 |
|
687 status = m_password_hash_hash.set_copy_of_buffer(&new_password_hash_hash); |
|
688 if (status != eap_status_ok) |
|
689 { |
|
690 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
691 return EAP_STATUS_RETURN(m_am_tools, status); |
|
692 } |
|
693 } |
|
694 |
|
695 // Send success response |
|
696 |
|
697 // Return value will be not checked. If fails we still try to finish authentication |
|
698 status = send_success_failure_response(true); |
|
699 |
|
700 if (m_wait_eap_success == false) |
|
701 { |
|
702 status = finish_successful_authentication(); |
|
703 m_session.set_state(eap_type_mschapv2_state_success); |
|
704 } |
|
705 else |
|
706 { |
|
707 m_session.set_state(eap_type_mschapv2_state_success_request); |
|
708 } |
|
709 } |
|
710 else // drop |
|
711 { |
|
712 EAP_TRACE_DEBUG( |
|
713 m_am_tools, |
|
714 TRACE_FLAGS_DEFAULT, |
|
715 (EAPL("EAP_type_MSCHAPV2: client_handle_success_request(): mschapv2_opcode_success, authenticator_response incorrect\n"))); |
|
716 |
|
717 status = eap_status_drop_packet_quietly; |
|
718 } |
|
719 |
|
720 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
721 return EAP_STATUS_RETURN(m_am_tools, status); |
|
722 } |
|
723 |
|
724 eap_status_e eap_type_mschapv2_c::client_handle_failure_request(mschapv2_header_c & failure_request) |
|
725 { |
|
726 EAP_TRACE_BEGIN(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
727 |
|
728 EAP_TRACE_DEBUG( |
|
729 m_am_tools, |
|
730 TRACE_FLAGS_DEFAULT, |
|
731 (EAPL("eap_type_mschapv2_c::client_handle_failure_request(): this = 0x%08x\n"), |
|
732 this)); |
|
733 |
|
734 eap_status_e status = eap_status_drop_packet_quietly; |
|
735 |
|
736 u32_t buffer_left = failure_request.get_data_length(); |
|
737 if (buffer_left < EAP_MSCHAPV2_FAILURE_MIN_SIZE) |
|
738 { |
|
739 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
740 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
741 } |
|
742 |
|
743 m_mschapv2id = failure_request.get_mschapv2_id(); |
|
744 |
|
745 const u8_t * buffer_ptr = failure_request.get_data(); |
|
746 |
|
747 // "E=" |
|
748 if (*buffer_ptr != 'E' || *(buffer_ptr + 1) != '=') |
|
749 { |
|
750 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
751 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
752 } |
|
753 buffer_ptr += 2; |
|
754 buffer_left -= 2; |
|
755 |
|
756 while (buffer_left && *buffer_ptr == '0') |
|
757 { |
|
758 buffer_ptr++; |
|
759 buffer_left--; |
|
760 } |
|
761 |
|
762 if (buffer_left == 0) |
|
763 { |
|
764 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
765 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
766 } |
|
767 |
|
768 const u8_t * error_code_str = buffer_ptr; |
|
769 |
|
770 while (buffer_left && *buffer_ptr != ' ') |
|
771 { |
|
772 if (*buffer_ptr < '0' || *buffer_ptr > '9') |
|
773 { |
|
774 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
775 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
776 } |
|
777 buffer_ptr++; |
|
778 buffer_left--; |
|
779 } |
|
780 |
|
781 u32_t error_code_str_len = buffer_ptr - error_code_str; |
|
782 if (buffer_left < 43 || error_code_str_len != 3 || *buffer_ptr != ' ') // " R=x C=<32 bytes> V=x", min 43 bytes |
|
783 { |
|
784 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
785 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
786 } |
|
787 buffer_ptr++; |
|
788 buffer_left--; |
|
789 |
|
790 // "R=" |
|
791 if (*buffer_ptr != 'R' || *(buffer_ptr + 1) != '=') |
|
792 { |
|
793 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
794 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
795 } |
|
796 |
|
797 bool retry_allowed = true; // value = 1 |
|
798 if (*(buffer_ptr + 2) == '0') |
|
799 { |
|
800 retry_allowed = false; |
|
801 } |
|
802 else if (*(buffer_ptr + 2) != '1') |
|
803 { |
|
804 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
805 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
806 } |
|
807 buffer_ptr += 4; |
|
808 buffer_left -= 4; |
|
809 |
|
810 // "C=" |
|
811 if (*buffer_ptr != 'C' || *(buffer_ptr + 1) != '=') |
|
812 { |
|
813 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
814 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
815 } |
|
816 buffer_ptr += 2; |
|
817 buffer_left -= 2; |
|
818 |
|
819 const u8_t * challenge_str = buffer_ptr; |
|
820 u32_t i; |
|
821 for (i = 0; i < EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE * 2; i++) |
|
822 { |
|
823 if ((*(buffer_ptr + i) >= '0' && *(buffer_ptr + i) <= '9') |
|
824 || |
|
825 (*(buffer_ptr + i) >= 'A' && *(buffer_ptr + i) <= 'F')) |
|
826 { |
|
827 continue; |
|
828 } |
|
829 break; |
|
830 } |
|
831 if (i != EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE * 2) |
|
832 { |
|
833 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
834 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
835 } |
|
836 |
|
837 buffer_ptr += EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE * 2; |
|
838 buffer_left -= EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE * 2; |
|
839 |
|
840 if (*buffer_ptr != ' ' |
|
841 || *(buffer_ptr + 1) != 'V' // " V=" |
|
842 || *(buffer_ptr + 2) != '=') |
|
843 { |
|
844 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
845 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
846 } |
|
847 buffer_ptr += 3; |
|
848 buffer_left -= 3; |
|
849 |
|
850 while (buffer_left && *buffer_ptr == '0') |
|
851 { |
|
852 buffer_ptr++; |
|
853 buffer_left--; |
|
854 } |
|
855 |
|
856 if (buffer_left == 0 |
|
857 || *buffer_ptr != '3') // Version must be 3 |
|
858 { |
|
859 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
860 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
861 } |
|
862 |
|
863 u32_t error_code = |
|
864 (*error_code_str - '0') * 100 |
|
865 + (*(error_code_str + 1) - '0') * 10 |
|
866 + (*(error_code_str + 2) - '0'); |
|
867 m_error_code = error_code; |
|
868 |
|
869 { |
|
870 u32_t length = EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE; |
|
871 |
|
872 status = m_am_tools->convert_hex_ascii_to_bytes( |
|
873 challenge_str, |
|
874 EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE * 2, |
|
875 m_authenticator_challenge, |
|
876 &length); |
|
877 if (status != eap_status_ok) |
|
878 { |
|
879 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
880 return EAP_STATUS_RETURN(m_am_tools, status); |
|
881 } |
|
882 |
|
883 if (length != EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE) |
|
884 { |
|
885 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
886 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
887 } |
|
888 |
|
889 EAP_TRACE_DATA_DEBUG( |
|
890 m_am_tools, |
|
891 TRACE_FLAGS_DEFAULT, |
|
892 (EAPL("EAP_type_MSCHAPV2: client_handle_failure_request(): client got auth_challenge:"), |
|
893 m_authenticator_challenge, |
|
894 EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE)); |
|
895 |
|
896 EAP_TRACE_DATA_DEBUG( |
|
897 m_am_tools, |
|
898 TRACE_FLAGS_DEFAULT, |
|
899 (EAPL("EAP_type_MSCHAPV2: client_handle_failure_request(): client has peer_challenge:"), |
|
900 m_peer_challenge, |
|
901 EAP_MSCHAPV2_PEER_CHALLENGE_SIZE)); |
|
902 } |
|
903 |
|
904 #if defined(USE_USER_NOTIFICATIONS) |
|
905 // Notification to user |
|
906 eap_variable_data_c string(m_am_tools); |
|
907 status = m_am_type_mschapv2->read_auth_failure_string(static_cast<eap_mschapv2_error_e> (m_error_code), string); |
|
908 if (status == eap_status_ok) |
|
909 { |
|
910 eap_state_notification_c notification( |
|
911 m_am_tools, |
|
912 &m_send_network_id, |
|
913 m_is_client, |
|
914 eap_state_notification_eap, |
|
915 eap_protocol_layer_general, // This must be used with eap_general_state_show_notification_string. |
|
916 eap_type_mschapv2, |
|
917 eap_state_none, |
|
918 eap_general_state_show_notification_string, |
|
919 m_identifier, |
|
920 false); |
|
921 notification.set_notification_string(&string, true); |
|
922 get_type_partner()->state_notification(¬ification); |
|
923 } |
|
924 #endif //#if defined(USE_USER_NOTIFICATIONS) |
|
925 |
|
926 switch (m_error_code) |
|
927 { |
|
928 |
|
929 case EAP_MSCHAPV2_ERROR_RESTRICTED_LOGON_HOURS: |
|
930 case EAP_MSCHAPV2_ERROR_ACCT_DISABLED: |
|
931 case EAP_MSCHAPV2_ERROR_NO_DIALIN_PERMISSION: |
|
932 |
|
933 // Notification to user |
|
934 if (m_error_code == EAP_MSCHAPV2_ERROR_RESTRICTED_LOGON_HOURS) |
|
935 { |
|
936 send_error_notification(eap_status_restricted_logon_hours); |
|
937 } |
|
938 else if (m_error_code == EAP_MSCHAPV2_ERROR_ACCT_DISABLED) |
|
939 { |
|
940 send_error_notification(eap_status_account_disabled); |
|
941 } |
|
942 else if (m_error_code == EAP_MSCHAPV2_ERROR_NO_DIALIN_PERMISSION) |
|
943 { |
|
944 send_error_notification(eap_status_no_dialin_permission); |
|
945 } |
|
946 |
|
947 // Send failure response |
|
948 status = send_success_failure_response(false); // failure |
|
949 if (status != eap_status_ok) |
|
950 { |
|
951 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
952 return EAP_STATUS_RETURN(m_am_tools, status); |
|
953 } |
|
954 break; |
|
955 |
|
956 case EAP_MSCHAPV2_ERROR_AUTHENTICATION_FAILURE: |
|
957 |
|
958 EAP_TRACE_DEBUG( |
|
959 m_am_tools, |
|
960 TRACE_FLAGS_DEFAULT, |
|
961 (EAPL("EAP_type_MSCHAPV2: client_handle_failure_request(): EAP_MSCHAPV2_ERROR_AUTHENTICATION_FAILURE\n"))); |
|
962 |
|
963 #if defined(EAP_USE_TTLS_PLAIN_MS_CHAP_V2_HACK) |
|
964 EAP_TRACE_DEBUG( |
|
965 m_am_tools, |
|
966 TRACE_FLAGS_DEFAULT, |
|
967 (EAPL("EAP_type_MSCHAPV2: client_handle_failure_request(): m_use_implicit_challenge = %d\n"), |
|
968 m_use_implicit_challenge)); |
|
969 #endif //#if defined(EAP_USE_TTLS_PLAIN_MS_CHAP_V2_HACK) |
|
970 |
|
971 if (retry_allowed == true |
|
972 #if defined(EAP_USE_TTLS_PLAIN_MS_CHAP_V2_HACK) |
|
973 // Note, retry is supported only inside EAP-MsChapv2. |
|
974 // Note, inside TTLS/plain-MsChapv2 the retry is not supported. Authentication will fail immediately. |
|
975 && m_use_implicit_challenge == false |
|
976 #endif //#if defined(EAP_USE_TTLS_PLAIN_MS_CHAP_V2_HACK) |
|
977 ) |
|
978 { |
|
979 m_is_pending = true; |
|
980 |
|
981 // Prompt for username/password |
|
982 status = m_am_type_mschapv2->show_username_password_dialog( |
|
983 m_username_utf8, |
|
984 m_password_utf8, |
|
985 m_password_prompt_enabled, |
|
986 false); |
|
987 } |
|
988 else |
|
989 { |
|
990 // Notification to user |
|
991 send_error_notification(eap_status_authentication_failure); |
|
992 |
|
993 // Send failure response |
|
994 status = send_success_failure_response(false); |
|
995 } |
|
996 break; |
|
997 |
|
998 case EAP_MSCHAPV2_ERROR_PASSWD_EXPIRED: |
|
999 case EAP_MSCHAPV2_ERROR_CHANGING_PASSWORD: |
|
1000 |
|
1001 if (m_error_code == EAP_MSCHAPV2_ERROR_PASSWD_EXPIRED) |
|
1002 { |
|
1003 EAP_TRACE_DEBUG( |
|
1004 m_am_tools, |
|
1005 TRACE_FLAGS_DEFAULT, |
|
1006 (EAPL("EAP_type_MSCHAPV2: client_handle_failure_request(): EAP_MSCHAPV2_ERROR_PASSWD_EXPIRED\n"))); |
|
1007 } |
|
1008 else if (m_error_code == EAP_MSCHAPV2_ERROR_CHANGING_PASSWORD) |
|
1009 { |
|
1010 EAP_TRACE_DEBUG( |
|
1011 m_am_tools, |
|
1012 TRACE_FLAGS_DEFAULT, |
|
1013 (EAPL("EAP_type_MSCHAPV2: client_handle_failure_request(): EAP_MSCHAPV2_ERROR_CHANGING_PASSWORD\n"))); |
|
1014 } |
|
1015 |
|
1016 #if defined(EAP_USE_TTLS_PLAIN_MS_CHAP_V2_HACK) |
|
1017 EAP_TRACE_DEBUG( |
|
1018 m_am_tools, |
|
1019 TRACE_FLAGS_DEFAULT, |
|
1020 (EAPL("EAP_type_MSCHAPV2: client_handle_failure_request(): m_use_implicit_challenge = %d\n"), |
|
1021 m_use_implicit_challenge)); |
|
1022 #endif //#if defined(EAP_USE_TTLS_PLAIN_MS_CHAP_V2_HACK) |
|
1023 |
|
1024 if ( |
|
1025 #if defined(EAP_USE_TTLS_PLAIN_MS_CHAP_V2_HACK) |
|
1026 m_use_implicit_challenge == false |
|
1027 && |
|
1028 #endif //#if defined(EAP_USE_TTLS_PLAIN_MS_CHAP_V2_HACK) |
|
1029 (m_error_code == EAP_MSCHAPV2_ERROR_PASSWD_EXPIRED |
|
1030 || (m_error_code == EAP_MSCHAPV2_ERROR_CHANGING_PASSWORD && retry_allowed))) |
|
1031 { |
|
1032 m_old_password_utf8.set_copy_of_buffer(&m_password_utf8); |
|
1033 |
|
1034 m_is_pending = true; |
|
1035 |
|
1036 m_session.set_state(eap_type_mschapv2_state_failure_request); |
|
1037 |
|
1038 // Prompt for password change |
|
1039 status = m_am_type_mschapv2->show_change_password_dialog( |
|
1040 m_username_utf8, |
|
1041 m_old_password_utf8, |
|
1042 m_password_utf8, |
|
1043 m_password_prompt_enabled); |
|
1044 |
|
1045 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1046 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1047 } |
|
1048 else // Retry not allowed |
|
1049 { |
|
1050 send_error_notification(eap_status_password_expired); |
|
1051 |
|
1052 status = send_success_failure_response(false); |
|
1053 |
|
1054 if (status != eap_status_ok) |
|
1055 { |
|
1056 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1057 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1058 } |
|
1059 // Show message without retry |
|
1060 } |
|
1061 break; |
|
1062 |
|
1063 default: |
|
1064 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1065 return EAP_STATUS_RETURN(m_am_tools, eap_status_header_corrupted); |
|
1066 }; |
|
1067 |
|
1068 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1069 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1070 } |
|
1071 |
|
1072 EAP_FUNC_EXPORT eap_status_e eap_type_mschapv2_c::eap_acknowledge( |
|
1073 const eap_am_network_id_c * const /* receive_network_id */) |
|
1074 { |
|
1075 EAP_TRACE_BEGIN(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1076 |
|
1077 EAP_TRACE_DEBUG( |
|
1078 m_am_tools, |
|
1079 TRACE_FLAGS_DEFAULT, |
|
1080 (EAPL("eap_type_mschapv2_c::eap_acknowledge(): this = 0x%08x\n"), |
|
1081 this)); |
|
1082 |
|
1083 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1084 return EAP_STATUS_RETURN(m_am_tools, eap_status_not_supported); |
|
1085 } |
|
1086 |
|
1087 EAP_FUNC_EXPORT eap_status_e eap_type_mschapv2_c::set_initial_eap_identifier( |
|
1088 const eap_am_network_id_c * const /*receive_network_id*/, |
|
1089 const u8_t /*initial_identifier*/) |
|
1090 { |
|
1091 EAP_TRACE_BEGIN(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1092 |
|
1093 EAP_TRACE_DEBUG( |
|
1094 m_am_tools, |
|
1095 TRACE_FLAGS_DEFAULT, |
|
1096 (EAPL("eap_type_mschapv2_c::set_initial_eap_identifier(): this = 0x%08x\n"), |
|
1097 this)); |
|
1098 |
|
1099 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1100 return EAP_STATUS_RETURN(m_am_tools, eap_status_ok); |
|
1101 } |
|
1102 |
|
1103 EAP_FUNC_EXPORT eap_status_e eap_type_mschapv2_c::query_eap_identity( |
|
1104 const bool /*must_be_synchronous*/, |
|
1105 eap_variable_data_c * const identity, |
|
1106 const eap_am_network_id_c * const receive_network_id, |
|
1107 const u8_t eap_identifier) |
|
1108 { |
|
1109 EAP_TRACE_BEGIN(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1110 |
|
1111 EAP_TRACE_DEBUG( |
|
1112 m_am_tools, |
|
1113 TRACE_FLAGS_DEFAULT, |
|
1114 (EAPL("eap_type_mschapv2_c::query_eap_identity(): this = 0x%08x\n"), |
|
1115 this)); |
|
1116 |
|
1117 if (m_session.is_valid_state(eap_type_mschapv2_state_identity_request) == false) |
|
1118 { |
|
1119 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1120 return EAP_STATUS_RETURN(m_am_tools, eap_status_drop_packet_quietly); |
|
1121 } |
|
1122 |
|
1123 // Here we swap the addresses. |
|
1124 eap_am_network_id_c send_network_id(m_am_tools, |
|
1125 receive_network_id->get_destination_id(), |
|
1126 receive_network_id->get_source_id(), |
|
1127 receive_network_id->get_type()); |
|
1128 |
|
1129 m_identifier = eap_identifier; |
|
1130 |
|
1131 eap_status_e status; |
|
1132 |
|
1133 EAP_TRACE_DEBUG(m_am_tools, |
|
1134 TRACE_FLAGS_DEFAULT, ( |
|
1135 EAPL("eap_type_mschapv2_c::query_eap_identity: m_identity_asked=%d, m_password_prompt_enabled=%d\n"), |
|
1136 m_identity_asked, m_password_prompt_enabled)); |
|
1137 |
|
1138 EAP_TRACE_DEBUG(m_am_tools, |
|
1139 TRACE_FLAGS_DEFAULT, ( |
|
1140 EAPL("eap_type_mschapv2_c::query_eap_identity: user name length=%d, PW length=%d, m_is_pending=%d\n"), |
|
1141 m_username_utf8.get_data_length(), m_password_utf8.get_data_length(), m_is_pending)); |
|
1142 |
|
1143 if (m_identity_asked == false && // Only at first time username/password dialog is shown if needed |
|
1144 (m_username_utf8.get_is_valid_data() == false |
|
1145 || m_username_utf8.get_data_length() == 0 |
|
1146 || m_password_prompt_enabled == true)) |
|
1147 { |
|
1148 // Ask username and password |
|
1149 |
|
1150 EAP_TRACE_DATA_DEBUG( |
|
1151 m_am_tools, |
|
1152 TRACE_FLAGS_DEFAULT, |
|
1153 (EAPL("EAP_type_MSCHAPV2: query_eap_identity(): m_username_utf8:"), |
|
1154 m_username_utf8.get_data(), |
|
1155 m_username_utf8.get_data_length())); |
|
1156 |
|
1157 EAP_TRACE_DATA_DEBUG( |
|
1158 m_am_tools, |
|
1159 TRACE_FLAGS_DEFAULT, |
|
1160 (EAPL("EAP_type_MSCHAPV2: query_eap_identity(): m_password_utf8:"), |
|
1161 m_password_utf8.get_data(), |
|
1162 m_password_utf8.get_data_length())); |
|
1163 |
|
1164 EAP_TRACE_DEBUG( |
|
1165 m_am_tools, |
|
1166 TRACE_FLAGS_DEFAULT, |
|
1167 (EAPL("EAP_type_MSCHAPV2: query_eap_identity(): password length %d\n"), |
|
1168 m_password_utf8.get_buffer_length())); |
|
1169 |
|
1170 if (m_is_pending == false) |
|
1171 { |
|
1172 m_is_pending = true; |
|
1173 status = m_am_type_mschapv2->show_username_password_dialog( |
|
1174 m_username_utf8, |
|
1175 m_password_utf8, |
|
1176 m_password_prompt_enabled, |
|
1177 true); |
|
1178 if (status == eap_status_pending_request |
|
1179 || status == eap_status_completed_request) |
|
1180 { |
|
1181 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1182 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1183 } |
|
1184 } |
|
1185 else |
|
1186 { |
|
1187 EAP_TRACE_DEBUG( |
|
1188 m_am_tools, |
|
1189 TRACE_FLAGS_DEFAULT, |
|
1190 (EAPL("EAP_type_MSCHAPV2: query_eap_identity(): identity query is already pending!.\n"))); |
|
1191 |
|
1192 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1193 return EAP_STATUS_RETURN(m_am_tools, eap_status_pending_request); |
|
1194 } |
|
1195 } |
|
1196 |
|
1197 m_identity_asked = true; |
|
1198 |
|
1199 // If this is not the first query, use already stored identity information for reply |
|
1200 status = identity->set_copy_of_buffer(&m_username_utf8); |
|
1201 |
|
1202 EAP_TRACE_DATA_DEBUG( |
|
1203 m_am_tools, |
|
1204 TRACE_FLAGS_DEFAULT, |
|
1205 (EAPL("EAP_type_MSCHAPV2: query_eap_identity(): identity:"), |
|
1206 identity->get_data(), |
|
1207 identity->get_data_length())); |
|
1208 |
|
1209 m_session.set_state(eap_type_mschapv2_state_identity_request); |
|
1210 |
|
1211 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1212 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1213 } |
|
1214 |
|
1215 EAP_FUNC_EXPORT eap_status_e eap_type_mschapv2_c::complete_eap_identity_query() |
|
1216 { |
|
1217 EAP_TRACE_BEGIN(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1218 |
|
1219 EAP_TRACE_DATA_DEBUG( |
|
1220 m_am_tools, |
|
1221 TRACE_FLAGS_DEFAULT, |
|
1222 (EAPL("EAP_type_MSCHAPV2: complete_eap_identity_query() m_username_utf8:"), |
|
1223 m_username_utf8.get_data(), |
|
1224 m_username_utf8.get_data_length())); |
|
1225 |
|
1226 EAP_TRACE_DEBUG( |
|
1227 m_am_tools, |
|
1228 TRACE_FLAGS_DEFAULT, |
|
1229 (EAPL("EAP_type_MSCHAPV2: complete_eap_identity_query(), password length %d\n"), |
|
1230 m_password_utf8.get_buffer_length())); |
|
1231 |
|
1232 m_identity_asked = true; |
|
1233 |
|
1234 m_session.set_state(eap_type_mschapv2_state_identity_request); |
|
1235 |
|
1236 eap_status_e status = get_type_partner()->complete_eap_identity_query( |
|
1237 &m_send_network_id, |
|
1238 &m_username_utf8, |
|
1239 m_identifier); |
|
1240 if (status != eap_status_ok) |
|
1241 { |
|
1242 m_session.set_state(eap_type_mschapv2_state_failure); |
|
1243 } |
|
1244 |
|
1245 m_is_pending = false; |
|
1246 |
|
1247 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1248 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1249 } |
|
1250 |
|
1251 eap_status_e eap_type_mschapv2_c::send_success_failure_response(bool is_success_response) |
|
1252 { |
|
1253 EAP_TRACE_BEGIN(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1254 |
|
1255 EAP_TRACE_DEBUG( |
|
1256 m_am_tools, |
|
1257 TRACE_FLAGS_DEFAULT, |
|
1258 (EAPL("eap_type_mschapv2_c::send_success_failure_response(): this = 0x%08x\n"), |
|
1259 this)); |
|
1260 |
|
1261 eap_status_e status = eap_status_allocation_error; |
|
1262 |
|
1263 u32_t packet_length |
|
1264 = EAP_MSCHAPV2_OPCODE_SIZE // OpCode is the only payload |
|
1265 + eap_header_base_c::get_type_data_start_offset(m_use_eap_expanded_type); |
|
1266 |
|
1267 eap_buf_chain_wr_c * packet = create_send_packet(packet_length); |
|
1268 if (!packet) |
|
1269 { |
|
1270 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1271 return EAP_STATUS_RETURN(m_am_tools, eap_status_allocation_error); |
|
1272 } |
|
1273 |
|
1274 eap_header_base_c eap_header( |
|
1275 m_am_tools, |
|
1276 packet->get_data_offset(m_offset, packet_length), |
|
1277 packet_length); |
|
1278 if (eap_header.get_is_valid() == false) |
|
1279 { |
|
1280 delete packet; |
|
1281 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1282 return EAP_STATUS_RETURN(m_am_tools, eap_status_illegal_parameter); |
|
1283 } |
|
1284 eap_header.set_code(eap_code_response); |
|
1285 eap_header.set_identifier(m_identifier); |
|
1286 eap_header.set_length( |
|
1287 static_cast<u16_t>(packet_length), |
|
1288 m_use_eap_expanded_type); |
|
1289 eap_header.set_type( |
|
1290 eap_type_mschapv2, |
|
1291 m_use_eap_expanded_type); |
|
1292 |
|
1293 mschapv2_header_c mschapv2_header( |
|
1294 m_am_tools, |
|
1295 eap_header.get_type_data_offset(0, eap_header.get_type_data_length()), |
|
1296 eap_header.get_type_data_length()); |
|
1297 |
|
1298 if (is_success_response) |
|
1299 { |
|
1300 mschapv2_header.set_opcode(mschapv2_opcode_success); |
|
1301 m_session.set_state(eap_type_mschapv2_state_success_request); |
|
1302 } |
|
1303 else |
|
1304 { |
|
1305 mschapv2_header.set_opcode(mschapv2_opcode_failure); |
|
1306 m_session.set_state(eap_type_mschapv2_state_failure_request); |
|
1307 } |
|
1308 |
|
1309 status = packet_send(packet, packet_length); |
|
1310 |
|
1311 EAP_TRACE_DEBUG( |
|
1312 m_am_tools, |
|
1313 TRACE_FLAGS_DEFAULT, |
|
1314 (EAPL("EAP_type_MSCHAPV2: send_success_failure_response():\n"))); |
|
1315 |
|
1316 delete packet; |
|
1317 |
|
1318 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1319 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1320 } |
|
1321 |
|
1322 EAP_FUNC_EXPORT eap_status_e eap_type_mschapv2_c::complete_failure_retry_response() |
|
1323 { |
|
1324 EAP_TRACE_BEGIN(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1325 |
|
1326 EAP_TRACE_DEBUG( |
|
1327 m_am_tools, |
|
1328 TRACE_FLAGS_DEFAULT, |
|
1329 (EAPL("eap_type_mschapv2_c::complete_failure_retry_response(): this = 0x%08x\n"), |
|
1330 this)); |
|
1331 |
|
1332 m_is_pending = false; |
|
1333 |
|
1334 eap_status_e status = m_rand.add_rand_seed_hw_ticks(); |
|
1335 if (status != eap_status_ok) |
|
1336 { |
|
1337 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1338 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1339 } |
|
1340 |
|
1341 status = m_rand.add_rand_seed( |
|
1342 m_password_utf8.get_data(), |
|
1343 m_password_utf8.get_data_length()); |
|
1344 if (status != eap_status_ok) |
|
1345 { |
|
1346 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1347 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1348 } |
|
1349 |
|
1350 #if defined(USE_FAST_EAP_TYPE) |
|
1351 if (m_use_EAP_FAST_challenge == true |
|
1352 && m_client_EAP_FAST_challenge.get_is_valid_data() == true |
|
1353 && m_client_EAP_FAST_challenge.get_data_length() == EAP_MSCHAPV2_PEER_CHALLENGE_SIZE) |
|
1354 { |
|
1355 m_am_tools->memmove( |
|
1356 m_peer_challenge, |
|
1357 m_client_EAP_FAST_challenge.get_data(), |
|
1358 EAP_MSCHAPV2_PEER_CHALLENGE_SIZE); |
|
1359 } |
|
1360 else |
|
1361 #endif //#if defined(USE_FAST_EAP_TYPE) |
|
1362 { |
|
1363 status = m_rand.get_rand_bytes( |
|
1364 m_peer_challenge, |
|
1365 EAP_MSCHAPV2_PEER_CHALLENGE_SIZE); |
|
1366 if (status != eap_status_ok) |
|
1367 { |
|
1368 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1369 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1370 } |
|
1371 } |
|
1372 |
|
1373 crypto_nt_hash_c nt_hash(m_am_tools); |
|
1374 if (nt_hash.get_is_valid() == false) |
|
1375 { |
|
1376 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1377 return EAP_STATUS_RETURN(m_am_tools, eap_status_allocation_error); |
|
1378 } |
|
1379 |
|
1380 status = nt_hash.nt_password_hash( |
|
1381 &m_password_utf8, |
|
1382 &m_password_hash, |
|
1383 EAP_MSCHAPV2_MD4_DIGEST_SIZE); |
|
1384 if (status != eap_status_ok) |
|
1385 { |
|
1386 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1387 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1388 } |
|
1389 |
|
1390 status = nt_hash.hash_nt_password_hash( |
|
1391 &m_password_hash, |
|
1392 &m_password_hash_hash, |
|
1393 EAP_MSCHAPV2_MD4_DIGEST_SIZE); |
|
1394 if (status != eap_status_ok) |
|
1395 { |
|
1396 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1397 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1398 } |
|
1399 |
|
1400 EAP_TRACE_DATA_DEBUG( |
|
1401 m_am_tools, |
|
1402 TRACE_FLAGS_DEFAULT, |
|
1403 (EAPL("EAP_type_MSCHAPV2: complete_failure_retry_response(), m_password_utf8"), |
|
1404 m_password_utf8.get_data(), |
|
1405 m_password_utf8.get_data_length())); |
|
1406 |
|
1407 EAP_TRACE_DATA_DEBUG( |
|
1408 m_am_tools, |
|
1409 TRACE_FLAGS_DEFAULT, |
|
1410 (EAPL("EAP_type_MSCHAPV2: complete_failure_retry_response(), m_authenticator_challenge"), |
|
1411 m_authenticator_challenge, |
|
1412 EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE)); |
|
1413 |
|
1414 EAP_TRACE_DATA_DEBUG( |
|
1415 m_am_tools, |
|
1416 TRACE_FLAGS_DEFAULT, |
|
1417 (EAPL("EAP_type_MSCHAPV2: complete_failure_retry_response(), m_peer_challenge"), |
|
1418 m_peer_challenge, |
|
1419 EAP_MSCHAPV2_PEER_CHALLENGE_SIZE)); |
|
1420 |
|
1421 EAP_TRACE_DATA_DEBUG( |
|
1422 m_am_tools, |
|
1423 TRACE_FLAGS_DEFAULT, |
|
1424 (EAPL("EAP_type_MSCHAPV2: complete_failure_retry_response(), m_password_hash"), |
|
1425 m_password_hash.get_data(), |
|
1426 m_password_hash.get_data_length())); |
|
1427 |
|
1428 EAP_TRACE_DATA_DEBUG( |
|
1429 m_am_tools, |
|
1430 TRACE_FLAGS_DEFAULT, |
|
1431 (EAPL("EAP_type_MSCHAPV2: complete_failure_retry_response(), m_username_utf8"), |
|
1432 m_username_utf8.get_data(), |
|
1433 m_username_utf8.get_data_length())); |
|
1434 |
|
1435 EAP_TRACE_DATA_DEBUG( |
|
1436 m_am_tools, |
|
1437 TRACE_FLAGS_DEFAULT, |
|
1438 (EAPL("EAP_type_MSCHAPV2: complete_failure_retry_response(): m_authenticator_challenge"), |
|
1439 m_authenticator_challenge, |
|
1440 EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE)); |
|
1441 |
|
1442 |
|
1443 status = generate_nt_response( |
|
1444 m_authenticator_challenge, |
|
1445 m_peer_challenge, |
|
1446 m_username_utf8.get_data(), |
|
1447 m_username_utf8.get_data_length(), |
|
1448 &m_password_hash, |
|
1449 m_nt_response); |
|
1450 if (status != eap_status_ok) |
|
1451 { |
|
1452 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1453 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1454 } |
|
1455 |
|
1456 EAP_TRACE_DATA_DEBUG( |
|
1457 m_am_tools, |
|
1458 TRACE_FLAGS_DEFAULT, |
|
1459 (EAPL("EAP_type_MSCHAPV2: complete_failure_retry_response(), m_nt_response:"), |
|
1460 m_nt_response, |
|
1461 EAP_MSCHAPV2_NT_RESPONSE_SIZE)); |
|
1462 |
|
1463 // Send response |
|
1464 |
|
1465 const u32_t type_data_length = EAP_MSCHAPV2_HEADER_SIZE // OpCode, MS-CHAPv2-ID and MS-Length |
|
1466 + mschapv2_response_c::get_header_minimum_size() |
|
1467 + m_username_utf8.get_data_length(); |
|
1468 |
|
1469 const u32_t packet_length = eap_header_base_c::get_type_data_start_offset(m_use_eap_expanded_type) |
|
1470 + type_data_length; |
|
1471 |
|
1472 eap_buf_chain_wr_c * packet = create_send_packet(packet_length); |
|
1473 |
|
1474 if (!packet) |
|
1475 { |
|
1476 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1477 return EAP_STATUS_RETURN(m_am_tools, eap_status_allocation_error); |
|
1478 } |
|
1479 |
|
1480 |
|
1481 eap_header_base_c eap_header( |
|
1482 m_am_tools, |
|
1483 packet->get_data_offset(m_offset, packet_length), |
|
1484 packet_length); |
|
1485 if (eap_header.get_is_valid() == false) |
|
1486 { |
|
1487 delete packet; |
|
1488 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1489 return EAP_STATUS_RETURN(m_am_tools, eap_status_illegal_parameter); |
|
1490 } |
|
1491 eap_header.set_code(eap_code_response); |
|
1492 eap_header.set_identifier(m_identifier); |
|
1493 eap_header.set_length( |
|
1494 static_cast<u16_t>(packet_length), |
|
1495 m_use_eap_expanded_type); |
|
1496 eap_header.set_type( |
|
1497 eap_type_mschapv2, |
|
1498 m_use_eap_expanded_type); |
|
1499 |
|
1500 mschapv2_header_c mschapv2_header( |
|
1501 m_am_tools, |
|
1502 eap_header.get_type_data_offset(0, eap_header.get_type_data_length()), |
|
1503 eap_header.get_type_data_length()); |
|
1504 |
|
1505 mschapv2_header.set_opcode(mschapv2_opcode_response); |
|
1506 mschapv2_header.set_mschapv2_id(++m_mschapv2id); |
|
1507 mschapv2_header.set_ms_length(static_cast<u16_t>(type_data_length)); |
|
1508 |
|
1509 mschapv2_response_c response( |
|
1510 m_am_tools, |
|
1511 mschapv2_header.get_data(), |
|
1512 mschapv2_header.get_data_length()); |
|
1513 if (response.get_is_valid() == false) |
|
1514 { |
|
1515 delete packet; |
|
1516 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1517 return EAP_STATUS_RETURN(m_am_tools, eap_status_allocation_error); |
|
1518 } |
|
1519 |
|
1520 status = response.set_constants(); |
|
1521 if (status != eap_status_ok) |
|
1522 { |
|
1523 delete packet; |
|
1524 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1525 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1526 } |
|
1527 |
|
1528 response.set_nt_response(m_nt_response); |
|
1529 response.set_peer_challenge(m_peer_challenge); |
|
1530 response.set_name(m_username_utf8.get_data()); |
|
1531 |
|
1532 // Send |
|
1533 status = packet_send(packet, packet_length); |
|
1534 delete packet; |
|
1535 |
|
1536 m_session.set_state(eap_type_mschapv2_state_challenge_request); |
|
1537 |
|
1538 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1539 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1540 } |
|
1541 |
|
1542 EAP_FUNC_EXPORT eap_status_e eap_type_mschapv2_c::complete_change_password_query() |
|
1543 { |
|
1544 EAP_TRACE_BEGIN(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1545 |
|
1546 EAP_TRACE_DEBUG( |
|
1547 m_am_tools, |
|
1548 TRACE_FLAGS_DEFAULT, |
|
1549 (EAPL("eap_type_mschapv2_c::complete_change_password_query(): this = 0x%08x\n"), |
|
1550 this)); |
|
1551 |
|
1552 eap_status_e status = eap_status_process_general_error; |
|
1553 |
|
1554 m_is_pending = false; |
|
1555 |
|
1556 status = m_rand.add_rand_seed_hw_ticks(); |
|
1557 if (status != eap_status_ok) |
|
1558 { |
|
1559 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1560 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1561 } |
|
1562 |
|
1563 status = m_rand.add_rand_seed( |
|
1564 m_password_utf8.get_data(), |
|
1565 m_password_utf8.get_data_length()); |
|
1566 if (status != eap_status_ok) |
|
1567 { |
|
1568 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1569 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1570 } |
|
1571 |
|
1572 #if defined(USE_FAST_EAP_TYPE) |
|
1573 if (m_use_EAP_FAST_challenge == true |
|
1574 && m_client_EAP_FAST_challenge.get_is_valid_data() == true |
|
1575 && m_client_EAP_FAST_challenge.get_data_length() == EAP_MSCHAPV2_PEER_CHALLENGE_SIZE) |
|
1576 { |
|
1577 m_am_tools->memmove( |
|
1578 m_peer_challenge, |
|
1579 m_client_EAP_FAST_challenge.get_data(), |
|
1580 EAP_MSCHAPV2_PEER_CHALLENGE_SIZE); |
|
1581 } |
|
1582 else |
|
1583 #endif //#if defined(USE_FAST_EAP_TYPE) |
|
1584 { |
|
1585 status = m_rand.get_rand_bytes(m_peer_challenge, EAP_MSCHAPV2_PEER_CHALLENGE_SIZE); |
|
1586 if (status != eap_status_ok) |
|
1587 { |
|
1588 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1589 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1590 } |
|
1591 } |
|
1592 |
|
1593 u8_t * encrypted_pw_block = new u8_t[sizeof(pw_block_s)]; |
|
1594 if (!encrypted_pw_block) |
|
1595 { |
|
1596 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1597 return EAP_STATUS_RETURN(m_am_tools, eap_status_allocation_error); |
|
1598 } |
|
1599 |
|
1600 eap_variable_data_c new_password_hash(m_am_tools); |
|
1601 |
|
1602 crypto_nt_hash_c nt_hash(m_am_tools); |
|
1603 if (nt_hash.get_is_valid() == false) |
|
1604 { |
|
1605 delete [] encrypted_pw_block; |
|
1606 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1607 return EAP_STATUS_RETURN(m_am_tools, eap_status_allocation_error); |
|
1608 } |
|
1609 |
|
1610 status = nt_hash.nt_password_hash( |
|
1611 &m_password_utf8, |
|
1612 &new_password_hash, |
|
1613 EAP_MSCHAPV2_MD4_DIGEST_SIZE); |
|
1614 if (status != eap_status_ok) |
|
1615 { |
|
1616 delete [] encrypted_pw_block; |
|
1617 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1618 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1619 } |
|
1620 |
|
1621 status = new_password_encrypted_with_old_nt_password_hash( |
|
1622 &m_password_utf8, |
|
1623 &m_password_hash, |
|
1624 encrypted_pw_block); |
|
1625 if (status != eap_status_ok) |
|
1626 { |
|
1627 delete [] encrypted_pw_block; |
|
1628 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1629 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1630 } |
|
1631 |
|
1632 eap_variable_data_c encrypted_pw_hash(m_am_tools); |
|
1633 |
|
1634 status = old_nt_password_hash_encrypted_with_new_nt_password_hash( |
|
1635 &new_password_hash, |
|
1636 &m_password_hash, |
|
1637 &encrypted_pw_hash); |
|
1638 if (status != eap_status_ok) |
|
1639 { |
|
1640 delete [] encrypted_pw_block; |
|
1641 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1642 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1643 } |
|
1644 |
|
1645 EAP_TRACE_DATA_DEBUG( |
|
1646 m_am_tools, |
|
1647 TRACE_FLAGS_DEFAULT, |
|
1648 (EAPL("complete_change_password_query(): m_authenticator_challenge"), |
|
1649 m_authenticator_challenge, |
|
1650 EAP_MSCHAPV2_AUTHENTICATOR_CHALLENGE_SIZE)); |
|
1651 |
|
1652 status = generate_nt_response( |
|
1653 m_authenticator_challenge, |
|
1654 m_peer_challenge, |
|
1655 m_username_utf8.get_data(), |
|
1656 m_username_utf8.get_data_length(), |
|
1657 &new_password_hash, |
|
1658 m_nt_response); |
|
1659 if (status != eap_status_ok) |
|
1660 { |
|
1661 delete [] encrypted_pw_block; |
|
1662 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1663 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1664 } |
|
1665 |
|
1666 const u32_t type_data_length = EAP_MSCHAPV2_HEADER_SIZE // OpCode, MS-CHAPv2-ID and MS-Length |
|
1667 + mschapv2_change_password_c::get_header_minimum_size(); |
|
1668 |
|
1669 const u32_t packet_length |
|
1670 = eap_header_base_c::get_type_data_start_offset(m_use_eap_expanded_type) |
|
1671 + type_data_length; |
|
1672 |
|
1673 |
|
1674 eap_buf_chain_wr_c * packet = create_send_packet(packet_length); |
|
1675 if (!packet) |
|
1676 { |
|
1677 delete [] encrypted_pw_block; |
|
1678 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1679 return EAP_STATUS_RETURN(m_am_tools, eap_status_allocation_error); |
|
1680 } |
|
1681 |
|
1682 eap_header_base_c eap_header( |
|
1683 m_am_tools, |
|
1684 packet->get_data_offset(m_offset, packet_length), |
|
1685 packet_length); |
|
1686 if (eap_header.get_is_valid() == false) |
|
1687 { |
|
1688 delete [] encrypted_pw_block; |
|
1689 delete packet; |
|
1690 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1691 return EAP_STATUS_RETURN(m_am_tools, eap_status_illegal_parameter); |
|
1692 } |
|
1693 eap_header.set_code(eap_code_response); |
|
1694 eap_header.set_identifier(m_identifier); |
|
1695 eap_header.set_length( |
|
1696 static_cast<u16_t>(packet_length), |
|
1697 m_use_eap_expanded_type); |
|
1698 eap_header.set_type( |
|
1699 eap_type_mschapv2, |
|
1700 m_use_eap_expanded_type); |
|
1701 |
|
1702 mschapv2_header_c mschapv2_header( |
|
1703 m_am_tools, |
|
1704 eap_header.get_type_data_offset(0, eap_header.get_type_data_length()), |
|
1705 eap_header.get_type_data_length()); |
|
1706 |
|
1707 mschapv2_header.set_opcode(mschapv2_opcode_change_password); |
|
1708 mschapv2_header.set_mschapv2_id(static_cast<u8_t>((++m_mschapv2id))); |
|
1709 mschapv2_header.set_ms_length(static_cast<u16_t>(type_data_length)); |
|
1710 |
|
1711 mschapv2_change_password_c response( |
|
1712 m_am_tools, |
|
1713 mschapv2_header.get_data(), |
|
1714 mschapv2_header.get_data_length()); |
|
1715 if (response.get_is_valid() == false) |
|
1716 { |
|
1717 delete [] encrypted_pw_block; |
|
1718 delete packet; |
|
1719 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1720 return EAP_STATUS_RETURN(m_am_tools, eap_status_allocation_error); |
|
1721 } |
|
1722 |
|
1723 status = response.set_constants(); |
|
1724 if (status != eap_status_ok) |
|
1725 { |
|
1726 delete [] encrypted_pw_block; |
|
1727 delete packet; |
|
1728 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1729 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1730 } |
|
1731 |
|
1732 response.set_encrypted_pw_block(encrypted_pw_block); |
|
1733 delete [] encrypted_pw_block; |
|
1734 response.set_encrypted_hash(encrypted_pw_hash.get_data()); |
|
1735 response.set_peer_challenge(m_peer_challenge); |
|
1736 response.set_nt_response(m_nt_response); |
|
1737 |
|
1738 // Send change password response |
|
1739 status = packet_send(packet, packet_length); |
|
1740 delete packet; |
|
1741 if (status != eap_status_ok) |
|
1742 { |
|
1743 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1744 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1745 } |
|
1746 |
|
1747 m_session.set_state(eap_type_mschapv2_state_change_password_request); |
|
1748 |
|
1749 EAP_TRACE_END(m_am_tools, TRACE_FLAGS_DEFAULT); |
|
1750 return EAP_STATUS_RETURN(m_am_tools, status); |
|
1751 } |
|
1752 |
|
1753 // End of file. |