2 * EAP peer method: EAP-TEAP (RFC 7170)
3 * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
85 wpa_printf(MSG_DEBUG, "EAP-TEAP: SessionTicket callback"); in eap_teap_session_ticket_cb()
89 "EAP-TEAP: SessionTicket failed - fall back to full TLS handshake"); in eap_teap_session_ticket_cb()
90 data->session_ticket_used = 0; in eap_teap_session_ticket_cb()
91 if (data->provisioning_allowed) { in eap_teap_session_ticket_cb()
93 "EAP-TEAP: Try to provision a new PAC-Key"); in eap_teap_session_ticket_cb()
94 data->provisioning = 1; in eap_teap_session_ticket_cb()
95 data->current_pac = NULL; in eap_teap_session_ticket_cb()
100 wpa_hexdump(MSG_DEBUG, "EAP-TEAP: SessionTicket", ticket, len); in eap_teap_session_ticket_cb()
102 if (!data->current_pac) { in eap_teap_session_ticket_cb()
104 "EAP-TEAP: No PAC-Key available for using SessionTicket"); in eap_teap_session_ticket_cb()
105 data->session_ticket_used = 0; in eap_teap_session_ticket_cb()
109 /* EAP-TEAP uses PAC-Key as the TLS master_secret */ in eap_teap_session_ticket_cb()
110 os_memcpy(master_secret, data->current_pac->pac_key, in eap_teap_session_ticket_cb()
113 data->session_ticket_used = 1; in eap_teap_session_ticket_cb()
126 data->provisioning_allowed = atoi(pos + 18); in eap_teap_parse_phase1()
128 "EAP-TEAP: Automatic PAC provisioning mode: %d", in eap_teap_parse_phase1()
129 data->provisioning_allowed); in eap_teap_parse_phase1()
134 data->max_pac_list_len = atoi(pos + 22); in eap_teap_parse_phase1()
135 if (data->max_pac_list_len == 0) in eap_teap_parse_phase1()
136 data->max_pac_list_len = 1; in eap_teap_parse_phase1()
137 wpa_printf(MSG_DEBUG, "EAP-TEAP: Maximum PAC list length: %lu", in eap_teap_parse_phase1()
138 (unsigned long) data->max_pac_list_len); in eap_teap_parse_phase1()
142 data->use_pac_binary_format = 1; in eap_teap_parse_phase1()
144 "EAP-TEAP: Using binary format for PAC list"); in eap_teap_parse_phase1()
149 data->test_outer_tlvs = 1; in eap_teap_parse_phase1()
165 data->teap_version = EAP_TEAP_VERSION; in eap_teap_init()
166 data->max_pac_list_len = 10; in eap_teap_init()
168 if (config->phase1) in eap_teap_init()
169 eap_teap_parse_phase1(data, config->phase1); in eap_teap_init()
171 if ((data->provisioning_allowed & EAP_TEAP_PROV_AUTH) && in eap_teap_init()
172 !config->cert.ca_cert && !config->cert.ca_path) { in eap_teap_init()
177 "EAP-TEAP: Disable authenticated provisioning due to no ca_cert/ca_path"); in eap_teap_init()
178 data->provisioning_allowed &= ~EAP_TEAP_PROV_AUTH; in eap_teap_init()
182 &data->phase2_types, in eap_teap_init()
183 &data->num_phase2_types, 0) < 0) { in eap_teap_init()
188 data->phase2_type.vendor = EAP_VENDOR_IETF; in eap_teap_init()
189 data->phase2_type.method = EAP_TYPE_NONE; in eap_teap_init()
191 config->teap_anon_dh = !!(data->provisioning_allowed & in eap_teap_init()
193 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TEAP)) { in eap_teap_init()
194 wpa_printf(MSG_INFO, "EAP-TEAP: Failed to initialize SSL"); in eap_teap_init()
199 if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn, in eap_teap_init()
203 "EAP-TEAP: Failed to set SessionTicket callback"); in eap_teap_init()
208 if (!config->pac_file) { in eap_teap_init()
209 wpa_printf(MSG_INFO, "EAP-TEAP: No PAC file configured"); in eap_teap_init()
214 if (data->use_pac_binary_format && in eap_teap_init()
215 eap_teap_load_pac_bin(sm, &data->pac, config->pac_file) < 0) { in eap_teap_init()
216 wpa_printf(MSG_INFO, "EAP-TEAP: Failed to load PAC file"); in eap_teap_init()
221 if (!data->use_pac_binary_format && in eap_teap_init()
222 eap_teap_load_pac(sm, &data->pac, config->pac_file) < 0) { in eap_teap_init()
223 wpa_printf(MSG_INFO, "EAP-TEAP: Failed to load PAC file"); in eap_teap_init()
227 eap_teap_pac_list_truncate(data->pac, data->max_pac_list_len); in eap_teap_init()
235 forced_memzero(data->key_data, EAP_TEAP_KEY_LEN); in eap_teap_clear()
236 forced_memzero(data->emsk, EAP_EMSK_LEN); in eap_teap_clear()
237 os_free(data->session_id); in eap_teap_clear()
238 data->session_id = NULL; in eap_teap_clear()
239 wpabuf_free(data->pending_phase2_req); in eap_teap_clear()
240 data->pending_phase2_req = NULL; in eap_teap_clear()
241 wpabuf_free(data->pending_resp); in eap_teap_clear()
242 data->pending_resp = NULL; in eap_teap_clear()
243 wpabuf_free(data->server_outer_tlvs); in eap_teap_clear()
244 data->server_outer_tlvs = NULL; in eap_teap_clear()
245 wpabuf_free(data->peer_outer_tlvs); in eap_teap_clear()
246 data->peer_outer_tlvs = NULL; in eap_teap_clear()
247 forced_memzero(data->simck_msk, EAP_TEAP_SIMCK_LEN); in eap_teap_clear()
248 forced_memzero(data->simck_emsk, EAP_TEAP_SIMCK_LEN); in eap_teap_clear()
259 if (data->phase2_priv && data->phase2_method) in eap_teap_deinit()
260 data->phase2_method->deinit(sm, data->phase2_priv); in eap_teap_deinit()
262 os_free(data->phase2_types); in eap_teap_deinit()
263 eap_peer_tls_ssl_deinit(sm, &data->ssl); in eap_teap_deinit()
265 pac = data->pac; in eap_teap_deinit()
269 pac = pac->next; in eap_teap_deinit()
279 /* FIX: RFC 7170 does not describe whether MSK or EMSK based S-IMCK[j] in eap_teap_derive_msk()
281 if (eap_teap_derive_eap_msk(data->tls_cs, data->simck_msk, in eap_teap_derive_msk()
282 data->key_data) < 0 || in eap_teap_derive_msk()
283 eap_teap_derive_eap_emsk(data->tls_cs, data->simck_msk, in eap_teap_derive_msk()
284 data->emsk) < 0) in eap_teap_derive_msk()
285 return -1; in eap_teap_derive_msk()
286 data->success = 1; in eap_teap_derive_msk()
297 res = tls_connection_export_key(sm->ssl_ctx, data->ssl.conn, in eap_teap_derive_key_auth()
299 data->simck_msk, EAP_TEAP_SIMCK_LEN); in eap_teap_derive_key_auth()
303 "EAP-TEAP: session_key_seed (S-IMCK[0])", in eap_teap_derive_key_auth()
304 data->simck_msk, EAP_TEAP_SIMCK_LEN); in eap_teap_derive_key_auth()
305 os_memcpy(data->simck_emsk, data->simck_msk, EAP_TEAP_SIMCK_LEN); in eap_teap_derive_key_auth()
306 data->simck_idx = 0; in eap_teap_derive_key_auth()
314 data->inner_method_done = 0; in eap_teap_init_phase2_method()
315 data->iresult_verified = 0; in eap_teap_init_phase2_method()
316 data->phase2_method = in eap_teap_init_phase2_method()
317 eap_peer_get_eap_method(data->phase2_type.vendor, in eap_teap_init_phase2_method()
318 data->phase2_type.method); in eap_teap_init_phase2_method()
319 if (!data->phase2_method) in eap_teap_init_phase2_method()
320 return -1; in eap_teap_init_phase2_method()
322 /* While RFC 7170 does not describe this, EAP-TEAP has been deployed in eap_teap_init_phase2_method()
323 * with implementations that use the EAP-FAST-MSCHAPv2, instead of the in eap_teap_init_phase2_method()
324 * EAP-MSCHAPv2, way of deriving the MSK for IMSK. Use that design here in eap_teap_init_phase2_method()
327 sm->eap_fast_mschapv2 = true; in eap_teap_init_phase2_method()
329 sm->init_phase2 = 1; in eap_teap_init_phase2_method()
330 data->phase2_priv = data->phase2_method->init(sm); in eap_teap_init_phase2_method()
331 sm->init_phase2 = 0; in eap_teap_init_phase2_method()
333 return data->phase2_priv == NULL ? -1 : 0; in eap_teap_init_phase2_method()
338 int vendor, enum eap_type type) in eap_teap_select_phase2_method() argument
343 * completed inner EAP authentication (EAP-pwd or EAP-EKE) and TNC */ in eap_teap_select_phase2_method()
345 if (data->anon_provisioning && in eap_teap_select_phase2_method()
346 !eap_teap_allowed_anon_prov_phase2_method(vendor, type)) { in eap_teap_select_phase2_method()
348 "EAP-TEAP: EAP type %u:%u not allowed during unauthenticated provisioning", in eap_teap_select_phase2_method()
349 vendor, type); in eap_teap_select_phase2_method()
350 return -1; in eap_teap_select_phase2_method()
354 if (vendor == EAP_VENDOR_IETF && type == EAP_TYPE_TNC) { in eap_teap_select_phase2_method()
355 data->phase2_type.vendor = EAP_VENDOR_IETF; in eap_teap_select_phase2_method()
356 data->phase2_type.method = EAP_TYPE_TNC; in eap_teap_select_phase2_method()
358 "EAP-TEAP: Selected Phase 2 EAP vendor %d method %d for TNC", in eap_teap_select_phase2_method()
359 data->phase2_type.vendor, in eap_teap_select_phase2_method()
360 data->phase2_type.method); in eap_teap_select_phase2_method()
365 for (i = 0; i < data->num_phase2_types; i++) { in eap_teap_select_phase2_method()
366 if (data->phase2_types[i].vendor != vendor || in eap_teap_select_phase2_method()
367 data->phase2_types[i].method != type) in eap_teap_select_phase2_method()
370 data->phase2_type.vendor = data->phase2_types[i].vendor; in eap_teap_select_phase2_method()
371 data->phase2_type.method = data->phase2_types[i].method; in eap_teap_select_phase2_method()
373 "EAP-TEAP: Selected Phase 2 EAP vendor %d method %d", in eap_teap_select_phase2_method()
374 data->phase2_type.vendor, in eap_teap_select_phase2_method()
375 data->phase2_type.method); in eap_teap_select_phase2_method()
379 if (vendor != data->phase2_type.vendor || in eap_teap_select_phase2_method()
380 type != data->phase2_type.method || in eap_teap_select_phase2_method()
381 (vendor == EAP_VENDOR_IETF && type == EAP_TYPE_NONE)) in eap_teap_select_phase2_method()
382 return -1; in eap_teap_select_phase2_method()
391 if (!data->phase2_priv || !data->phase2_method) in eap_teap_deinit_inner_eap()
395 "EAP-TEAP: Phase 2 EAP sequence - deinitialize previous method"); in eap_teap_deinit_inner_eap()
396 data->phase2_method->deinit(sm, data->phase2_priv); in eap_teap_deinit_inner_eap()
397 data->phase2_method = NULL; in eap_teap_deinit_inner_eap()
398 data->phase2_priv = NULL; in eap_teap_deinit_inner_eap()
399 data->phase2_type.vendor = EAP_VENDOR_IETF; in eap_teap_deinit_inner_eap()
400 data->phase2_type.method = EAP_TYPE_NONE; in eap_teap_deinit_inner_eap()
410 size_t len = be_to_host16(hdr->length); in eap_teap_phase2_request()
415 int vendor = EAP_VENDOR_IETF; in eap_teap_phase2_request() local
420 "EAP-TEAP: too short Phase 2 request (len=%lu)", in eap_teap_phase2_request()
422 return -1; in eap_teap_phase2_request()
429 "EAP-TEAP: Too short Phase 2 request (expanded header) (len=%lu)", in eap_teap_phase2_request()
431 return -1; in eap_teap_phase2_request()
433 vendor = WPA_GET_BE24(pos + 1); in eap_teap_phase2_request()
436 wpa_printf(MSG_DEBUG, "EAP-TEAP: Phase 2 Request: type=%u:%u", in eap_teap_phase2_request()
437 vendor, method); in eap_teap_phase2_request()
438 if (vendor == EAP_VENDOR_IETF && method == EAP_TYPE_IDENTITY) { in eap_teap_phase2_request()
440 *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); in eap_teap_phase2_request()
444 if (data->phase2_priv && data->phase2_method && in eap_teap_phase2_request()
445 (vendor != data->phase2_type.vendor || in eap_teap_phase2_request()
446 method != data->phase2_type.method)) in eap_teap_phase2_request()
449 if (data->phase2_type.vendor == EAP_VENDOR_IETF && in eap_teap_phase2_request()
450 data->phase2_type.method == EAP_TYPE_NONE && in eap_teap_phase2_request()
451 eap_teap_select_phase2_method(data, vendor, method) < 0) { in eap_teap_phase2_request()
452 if (eap_peer_tls_phase2_nak(data->phase2_types, in eap_teap_phase2_request()
453 data->num_phase2_types, in eap_teap_phase2_request()
455 return -1; in eap_teap_phase2_request()
459 if ((!data->phase2_priv && eap_teap_init_phase2_method(sm, data) < 0) || in eap_teap_phase2_request()
460 !data->phase2_method) { in eap_teap_phase2_request()
462 "EAP-TEAP: Failed to initialize Phase 2 EAP method %u:%u", in eap_teap_phase2_request()
463 vendor, method); in eap_teap_phase2_request()
464 ret->methodState = METHOD_DONE; in eap_teap_phase2_request()
465 ret->decision = DECISION_FAIL; in eap_teap_phase2_request()
466 return -1; in eap_teap_phase2_request()
471 *resp = data->phase2_method->process(sm, data->phase2_priv, &iret, in eap_teap_phase2_request()
474 data->inner_method_done = 1; in eap_teap_phase2_request()
479 ret->methodState = METHOD_MAY_CONT; in eap_teap_phase2_request()
480 ret->decision = DECISION_FAIL; in eap_teap_phase2_request()
485 data->phase2_success = 1; in eap_teap_phase2_request()
489 (config->pending_req_identity || config->pending_req_password || in eap_teap_phase2_request()
490 config->pending_req_otp || config->pending_req_new_password || in eap_teap_phase2_request()
491 config->pending_req_sim)) { in eap_teap_phase2_request()
492 wpabuf_free(data->pending_phase2_req); in eap_teap_phase2_request()
493 data->pending_phase2_req = wpabuf_alloc_copy(hdr, len); in eap_teap_phase2_request()
495 return -1; in eap_teap_phase2_request()
507 "EAP-TEAP: Add NAK TLV (Vendor-Id %u NAK-Type %u)", in eap_teap_tlv_nak()
513 nak->tlv_type = host_to_be16(TEAP_TLV_MANDATORY | TEAP_TLV_NAK); in eap_teap_tlv_nak()
514 nak->length = host_to_be16(6); in eap_teap_tlv_nak()
515 nak->vendor_id = host_to_be32(vendor_id); in eap_teap_tlv_nak()
516 nak->nak_type = host_to_be16(tlv_type); in eap_teap_tlv_nak()
531 wpa_printf(MSG_DEBUG, "EAP-TEAP: Add PAC TLV (ack)"); in eap_teap_tlv_pac_ack()
533 ack->tlv_type = host_to_be16(TEAP_TLV_PAC | TEAP_TLV_MANDATORY); in eap_teap_tlv_pac_ack()
534 ack->length = host_to_be16(sizeof(*ack) - sizeof(struct teap_tlv_hdr)); in eap_teap_tlv_pac_ack()
535 ack->pac_type = host_to_be16(PAC_TYPE_PAC_ACKNOWLEDGEMENT); in eap_teap_tlv_pac_ack()
536 ack->pac_len = host_to_be16(2); in eap_teap_tlv_pac_ack()
537 ack->result = host_to_be16(TEAP_STATUS_SUCCESS); in eap_teap_tlv_pac_ack()
548 tlv = eap_teap_tlv_identity_type(sm->use_machine_cred ? in eap_teap_add_identity_type()
566 "EAP-TEAP: too short EAP Payload TLV (len=%lu)", in eap_teap_process_eap_payload_tlv()
572 if (be_to_host16(hdr->length) > eap_payload_tlv_len) { in eap_teap_process_eap_payload_tlv()
574 "EAP-TEAP: EAP packet overflow in EAP Payload TLV"); in eap_teap_process_eap_payload_tlv()
578 if (hdr->code != EAP_CODE_REQUEST) { in eap_teap_process_eap_payload_tlv()
580 "EAP-TEAP: Unexpected code=%d in Phase 2 EAP header", in eap_teap_process_eap_payload_tlv()
581 hdr->code); in eap_teap_process_eap_payload_tlv()
587 "EAP-TEAP: Phase 2 Request processing failed"); in eap_teap_process_eap_payload_tlv()
608 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TEAP: Basic-Password-Auth-Req prompt", in eap_teap_process_basic_auth_req()
617 "EAP-TEAP: No username/password suitable for Basic-Password-Auth"); in eap_teap_process_basic_auth_req()
630 wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TEAP: Basic-Password-Auth-Resp", in eap_teap_process_basic_auth_req()
637 data->phase2_success = 1; in eap_teap_process_basic_auth_req()
649 subtype = cb->subtype & 0x0f; in eap_teap_validate_crypto_binding()
650 flags = cb->subtype >> 4; in eap_teap_validate_crypto_binding()
653 "EAP-TEAP: Crypto-Binding TLV: Version %u Received Version %u Flags %u Sub-Type %u", in eap_teap_validate_crypto_binding()
654 cb->version, cb->received_version, flags, subtype); in eap_teap_validate_crypto_binding()
655 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Nonce", in eap_teap_validate_crypto_binding()
656 cb->nonce, sizeof(cb->nonce)); in eap_teap_validate_crypto_binding()
657 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: EMSK Compound MAC", in eap_teap_validate_crypto_binding()
658 cb->emsk_compound_mac, sizeof(cb->emsk_compound_mac)); in eap_teap_validate_crypto_binding()
659 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: MSK Compound MAC", in eap_teap_validate_crypto_binding()
660 cb->msk_compound_mac, sizeof(cb->msk_compound_mac)); in eap_teap_validate_crypto_binding()
662 if (cb->version != EAP_TEAP_VERSION || in eap_teap_validate_crypto_binding()
663 cb->received_version != data->received_version || in eap_teap_validate_crypto_binding()
667 …"EAP-TEAP: Invalid Version/Flags/Sub-Type in Crypto-Binding TLV: Version %u Received Version %u Fl… in eap_teap_validate_crypto_binding()
668 cb->version, cb->received_version, flags, subtype); in eap_teap_validate_crypto_binding()
669 return -1; in eap_teap_validate_crypto_binding()
672 if (cb->nonce[EAP_TEAP_NONCE_LEN - 1] & 0x01) { in eap_teap_validate_crypto_binding()
674 "EAP-TEAP: Invalid Crypto-Binding TLV Nonce in request"); in eap_teap_validate_crypto_binding()
675 return -1; in eap_teap_validate_crypto_binding()
690 rbind->tlv_type = host_to_be16(TEAP_TLV_MANDATORY | in eap_teap_write_crypto_binding()
692 rbind->length = host_to_be16(sizeof(*rbind) - in eap_teap_write_crypto_binding()
694 rbind->version = EAP_TEAP_VERSION; in eap_teap_write_crypto_binding()
695 rbind->received_version = data->received_version; in eap_teap_write_crypto_binding()
697 * Crypto-Binding TLV is used with Basic-Password-Auth */ in eap_teap_write_crypto_binding()
701 rbind->subtype = (flags << 4) | subtype; in eap_teap_write_crypto_binding()
702 os_memcpy(rbind->nonce, cb->nonce, sizeof(cb->nonce)); in eap_teap_write_crypto_binding()
703 inc_byte_array(rbind->nonce, sizeof(rbind->nonce)); in eap_teap_write_crypto_binding()
704 os_memset(rbind->emsk_compound_mac, 0, EAP_TEAP_COMPOUND_MAC_LEN); in eap_teap_write_crypto_binding()
705 os_memset(rbind->msk_compound_mac, 0, EAP_TEAP_COMPOUND_MAC_LEN); in eap_teap_write_crypto_binding()
707 if (eap_teap_compound_mac(data->tls_cs, rbind, data->server_outer_tlvs, in eap_teap_write_crypto_binding()
708 data->peer_outer_tlvs, cmk_msk, in eap_teap_write_crypto_binding()
709 rbind->msk_compound_mac) < 0) in eap_teap_write_crypto_binding()
710 return -1; in eap_teap_write_crypto_binding()
712 eap_teap_compound_mac(data->tls_cs, rbind, data->server_outer_tlvs, in eap_teap_write_crypto_binding()
713 data->peer_outer_tlvs, cmk_emsk, in eap_teap_write_crypto_binding()
714 rbind->emsk_compound_mac) < 0) in eap_teap_write_crypto_binding()
715 return -1; in eap_teap_write_crypto_binding()
718 "EAP-TEAP: Reply Crypto-Binding TLV: Version %u Received Version %u Flags %u SubType %u", in eap_teap_write_crypto_binding()
719 rbind->version, rbind->received_version, flags, subtype); in eap_teap_write_crypto_binding()
720 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Nonce", in eap_teap_write_crypto_binding()
721 rbind->nonce, sizeof(rbind->nonce)); in eap_teap_write_crypto_binding()
722 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: EMSK Compound MAC", in eap_teap_write_crypto_binding()
723 rbind->emsk_compound_mac, sizeof(rbind->emsk_compound_mac)); in eap_teap_write_crypto_binding()
724 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: MSK Compound MAC", in eap_teap_write_crypto_binding()
725 rbind->msk_compound_mac, sizeof(rbind->msk_compound_mac)); in eap_teap_write_crypto_binding()
739 "EAP-TEAP: Determining CMK[%d] for Compound MAC calculation", in eap_teap_get_cmk()
740 data->simck_idx + 1); in eap_teap_get_cmk()
742 if (!data->phase2_method) in eap_teap_get_cmk()
743 return eap_teap_derive_cmk_basic_pw_auth(data->tls_cs, in eap_teap_get_cmk()
744 data->simck_msk, in eap_teap_get_cmk()
747 if (!data->phase2_method || !data->phase2_priv) { in eap_teap_get_cmk()
748 wpa_printf(MSG_INFO, "EAP-TEAP: Phase 2 method not available"); in eap_teap_get_cmk()
749 return -1; in eap_teap_get_cmk()
752 if (data->phase2_method->isKeyAvailable && in eap_teap_get_cmk()
753 !data->phase2_method->isKeyAvailable(sm, data->phase2_priv)) { in eap_teap_get_cmk()
755 "EAP-TEAP: Phase 2 key material not available"); in eap_teap_get_cmk()
756 return -1; in eap_teap_get_cmk()
759 if (data->phase2_method->isKeyAvailable && in eap_teap_get_cmk()
760 data->phase2_method->getKey) { in eap_teap_get_cmk()
761 msk = data->phase2_method->getKey(sm, data->phase2_priv, in eap_teap_get_cmk()
765 "EAP-TEAP: Could not fetch Phase 2 MSK"); in eap_teap_get_cmk()
766 return -1; in eap_teap_get_cmk()
770 if (data->phase2_method->isKeyAvailable && in eap_teap_get_cmk()
771 data->phase2_method->get_emsk) { in eap_teap_get_cmk()
772 emsk = data->phase2_method->get_emsk(sm, data->phase2_priv, in eap_teap_get_cmk()
776 res = eap_teap_derive_imck(data->tls_cs, in eap_teap_get_cmk()
777 data->simck_msk, data->simck_emsk, in eap_teap_get_cmk()
779 data->simck_msk, cmk_msk, in eap_teap_get_cmk()
780 data->simck_emsk, cmk_emsk); in eap_teap_get_cmk()
784 data->simck_idx++; in eap_teap_get_cmk()
786 data->cmk_emsk_available = 1; in eap_teap_get_cmk()
797 os_free(data->session_id); in eap_teap_session_id()
798 data->session_id = os_malloc(max_id_len); in eap_teap_session_id()
799 if (!data->session_id) in eap_teap_session_id()
800 return -1; in eap_teap_session_id()
802 data->session_id[0] = EAP_TYPE_TEAP; in eap_teap_session_id()
803 res = tls_get_tls_unique(data->ssl.conn, data->session_id + 1, in eap_teap_session_id()
804 max_id_len - 1); in eap_teap_session_id()
806 os_free(data->session_id); in eap_teap_session_id()
807 data->session_id = NULL; in eap_teap_session_id()
808 wpa_printf(MSG_ERROR, "EAP-TEAP: Failed to derive Session-Id"); in eap_teap_session_id()
809 return -1; in eap_teap_session_id()
812 data->id_len = 1 + res; in eap_teap_session_id()
813 wpa_hexdump(MSG_DEBUG, "EAP-TEAP: Derived Session-Id", in eap_teap_session_id()
814 data->session_id, data->id_len); in eap_teap_session_id()
838 flags = cb->subtype >> 4; in eap_teap_process_crypto_binding()
844 if (eap_teap_compound_mac(data->tls_cs, cb, in eap_teap_process_crypto_binding()
845 data->server_outer_tlvs, in eap_teap_process_crypto_binding()
846 data->peer_outer_tlvs, cmk_msk, in eap_teap_process_crypto_binding()
849 res = os_memcmp_const(msk_compound_mac, cb->msk_compound_mac, in eap_teap_process_crypto_binding()
851 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Received MSK Compound MAC", in eap_teap_process_crypto_binding()
852 cb->msk_compound_mac, EAP_TEAP_COMPOUND_MAC_LEN); in eap_teap_process_crypto_binding()
854 "EAP-TEAP: Calculated MSK Compound MAC", in eap_teap_process_crypto_binding()
858 "EAP-TEAP: MSK Compound MAC did not match"); in eap_teap_process_crypto_binding()
865 data->cmk_emsk_available) { in eap_teap_process_crypto_binding()
868 if (eap_teap_compound_mac(data->tls_cs, cb, in eap_teap_process_crypto_binding()
869 data->server_outer_tlvs, in eap_teap_process_crypto_binding()
870 data->peer_outer_tlvs, cmk_emsk, in eap_teap_process_crypto_binding()
873 res = os_memcmp_const(emsk_compound_mac, cb->emsk_compound_mac, in eap_teap_process_crypto_binding()
875 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Received EMSK Compound MAC", in eap_teap_process_crypto_binding()
876 cb->emsk_compound_mac, EAP_TEAP_COMPOUND_MAC_LEN); in eap_teap_process_crypto_binding()
878 "EAP-TEAP: Calculated EMSK Compound MAC", in eap_teap_process_crypto_binding()
882 "EAP-TEAP: EMSK Compound MAC did not match"); in eap_teap_process_crypto_binding()
890 !data->cmk_emsk_available) { in eap_teap_process_crypto_binding()
892 …"EAP-TEAP: Server included only EMSK Compound MAC, but no locally generated inner EAP EMSK to vali… in eap_teap_process_crypto_binding()
906 if (data->phase2_success && eap_teap_derive_msk(data) < 0) { in eap_teap_process_crypto_binding()
907 wpa_printf(MSG_INFO, "EAP-TEAP: Failed to generate MSK"); in eap_teap_process_crypto_binding()
908 ret->methodState = METHOD_DONE; in eap_teap_process_crypto_binding()
909 ret->decision = DECISION_FAIL; in eap_teap_process_crypto_binding()
910 data->phase2_success = 0; in eap_teap_process_crypto_binding()
915 if (data->phase2_success && eap_teap_session_id(data) < 0) { in eap_teap_process_crypto_binding()
937 wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: PAC-Key", pos, len); in eap_teap_parse_pac_tlv()
940 "EAP-TEAP: Invalid PAC-Key length %lu", in eap_teap_parse_pac_tlv()
945 os_memcpy(entry->pac_key, pos, len); in eap_teap_parse_pac_tlv()
948 wpa_hexdump(MSG_DEBUG, "EAP-TEAP: PAC-Opaque", pos, len); in eap_teap_parse_pac_tlv()
949 entry->pac_opaque = pos; in eap_teap_parse_pac_tlv()
950 entry->pac_opaque_len = len; in eap_teap_parse_pac_tlv()
953 wpa_hexdump(MSG_DEBUG, "EAP-TEAP: PAC-Info", pos, len); in eap_teap_parse_pac_tlv()
954 entry->pac_info = pos; in eap_teap_parse_pac_tlv()
955 entry->pac_info_len = len; in eap_teap_parse_pac_tlv()
958 wpa_printf(MSG_DEBUG, "EAP-TEAP: Ignored unknown PAC type %d", in eap_teap_parse_pac_tlv()
978 type = be_to_host16(hdr->type); in eap_teap_process_pac_tlv()
979 len = be_to_host16(hdr->len); in eap_teap_process_pac_tlv()
981 left -= sizeof(*hdr); in eap_teap_process_pac_tlv()
984 "EAP-TEAP: PAC TLV overrun (type=%d len=%lu left=%lu)", in eap_teap_process_pac_tlv()
987 return -1; in eap_teap_process_pac_tlv()
993 left -= len; in eap_teap_process_pac_tlv()
996 if (!pac_key_found || !entry->pac_opaque || !entry->pac_info) { in eap_teap_process_pac_tlv()
998 "EAP-TEAP: PAC TLV does not include all the required fields"); in eap_teap_process_pac_tlv()
999 return -1; in eap_teap_process_pac_tlv()
1017 "EAP-TEAP: PAC-Info - Invalid CRED_LIFETIME length - ignored", in eap_teap_parse_pac_info()
1025 * needed. Anyway, the information is available from PAC-Info in eap_teap_parse_pac_info()
1031 "EAP-TEAP: PAC-Info - CRED_LIFETIME %d (%d days)", in eap_teap_parse_pac_info()
1032 lifetime, (lifetime - (u32) now.sec) / 86400); in eap_teap_parse_pac_info()
1035 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TEAP: PAC-Info - A-ID", in eap_teap_parse_pac_info()
1037 entry->a_id = pos; in eap_teap_parse_pac_info()
1038 entry->a_id_len = len; in eap_teap_parse_pac_info()
1041 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TEAP: PAC-Info - I-ID", in eap_teap_parse_pac_info()
1043 entry->i_id = pos; in eap_teap_parse_pac_info()
1044 entry->i_id_len = len; in eap_teap_parse_pac_info()
1047 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TEAP: PAC-Info - A-ID-Info", in eap_teap_parse_pac_info()
1049 entry->a_id_info = pos; in eap_teap_parse_pac_info()
1050 entry->a_id_info_len = len; in eap_teap_parse_pac_info()
1053 /* RFC 7170, Section 4.2.12.6 - PAC-Type TLV */ in eap_teap_parse_pac_info()
1056 "EAP-TEAP: Invalid PAC-Type length %lu (expected 2)", in eap_teap_parse_pac_info()
1059 "EAP-TEAP: PAC-Info - PAC-Type", in eap_teap_parse_pac_info()
1061 return -1; in eap_teap_parse_pac_info()
1066 "EAP-TEAP: Unsupported PAC Type %d", in eap_teap_parse_pac_info()
1068 return -1; in eap_teap_parse_pac_info()
1071 wpa_printf(MSG_DEBUG, "EAP-TEAP: PAC-Info - PAC-Type %d", in eap_teap_parse_pac_info()
1073 entry->pac_type = pac_type; in eap_teap_parse_pac_info()
1077 "EAP-TEAP: Ignored unknown PAC-Info type %d", type); in eap_teap_parse_pac_info()
1094 /* PAC-Type defaults to Tunnel PAC (Type 1) */ in eap_teap_process_pac_info()
1095 entry->pac_type = PAC_TYPE_TUNNEL_PAC; in eap_teap_process_pac_info()
1097 pos = entry->pac_info; in eap_teap_process_pac_info()
1098 left = entry->pac_info_len; in eap_teap_process_pac_info()
1101 type = be_to_host16(hdr->type); in eap_teap_process_pac_info()
1102 len = be_to_host16(hdr->len); in eap_teap_process_pac_info()
1104 left -= sizeof(*hdr); in eap_teap_process_pac_info()
1107 "EAP-TEAP: PAC-Info overrun (type=%d len=%lu left=%lu)", in eap_teap_process_pac_info()
1110 return -1; in eap_teap_process_pac_info()
1114 return -1; in eap_teap_process_pac_info()
1117 left -= len; in eap_teap_process_pac_info()
1120 if (!entry->a_id || !entry->a_id_info) { in eap_teap_process_pac_info()
1122 "EAP-TEAP: PAC-Info does not include all the required fields"); in eap_teap_process_pac_info()
1123 return -1; in eap_teap_process_pac_info()
1143 eap_teap_add_pac(&data->pac, &data->current_pac, &entry); in eap_teap_process_pac()
1144 eap_teap_pac_list_truncate(data->pac, data->max_pac_list_len); in eap_teap_process_pac()
1145 if (data->use_pac_binary_format) in eap_teap_process_pac()
1146 eap_teap_save_pac_bin(sm, data->pac, config->pac_file); in eap_teap_process_pac()
1148 eap_teap_save_pac(sm, data->pac, config->pac_file); in eap_teap_process_pac()
1151 "EAP-TEAP: Send PAC-Acknowledgement - %s initiated provisioning completed successfully", in eap_teap_process_pac()
1152 data->provisioning ? "peer" : "server"); in eap_teap_process_pac()
1171 while (end - pos >= 4) { in eap_teap_parse_decrypted()
1177 if (len > (size_t) (end - pos)) { in eap_teap_parse_decrypted()
1178 wpa_printf(MSG_INFO, "EAP-TEAP: TLV overflow"); in eap_teap_parse_decrypted()
1179 return -1; in eap_teap_parse_decrypted()
1182 "EAP-TEAP: Received Phase 2: TLV type %u (%s) length %u%s", in eap_teap_parse_decrypted()
1188 if (res == -2) in eap_teap_parse_decrypted()
1193 "EAP-TEAP: NAK unknown mandatory TLV type %u", in eap_teap_parse_decrypted()
1200 "EAP-TEAP: Ignore unknown optional TLV type %u", in eap_teap_parse_decrypted()
1222 wpa_printf(MSG_DEBUG, "EAP-TEAP: Add Request Action TLV (Process TLV)"); in eap_teap_pac_request()
1224 act->tlv_type = host_to_be16(TEAP_TLV_REQUEST_ACTION); in eap_teap_pac_request()
1225 act->length = host_to_be16(2); in eap_teap_pac_request()
1226 act->status = TEAP_STATUS_SUCCESS; in eap_teap_pac_request()
1227 act->action = TEAP_REQUEST_ACTION_PROCESS_TLV; in eap_teap_pac_request()
1229 wpa_printf(MSG_DEBUG, "EAP-TEAP: Add PAC TLV (PAC-Type = Tunnel)"); in eap_teap_pac_request()
1231 pac->tlv_type = host_to_be16(TEAP_TLV_PAC); in eap_teap_pac_request()
1232 pac->length = host_to_be16(sizeof(*type)); in eap_teap_pac_request()
1235 type->type = host_to_be16(PAC_TYPE_PAC_TYPE); in eap_teap_pac_request()
1236 type->length = host_to_be16(2); in eap_teap_pac_request()
1237 type->pac_type = host_to_be16(PAC_TYPE_TUNNEL_PAC); in eap_teap_pac_request()
1257 /* Parsing failed - no response available */ in eap_teap_process_decrypted()
1262 /* Parsing rejected the message - send out an error response */ in eap_teap_process_decrypted()
1267 /* Server indicated failure - respond similarly per in eap_teap_process_decrypted()
1271 "EAP-TEAP: Server rejected authentication"); in eap_teap_process_decrypted()
1273 ret->methodState = METHOD_DONE; in eap_teap_process_decrypted()
1274 ret->decision = DECISION_FAIL; in eap_teap_process_decrypted()
1279 /* Intermediate-Result TLV indicating success, but no in eap_teap_process_decrypted()
1280 * Crypto-Binding TLV */ in eap_teap_process_decrypted()
1282 "EAP-TEAP: Intermediate-Result TLV indicating success, but no Crypto-Binding TLV"); in eap_teap_process_decrypted()
1288 if (!data->iresult_verified && !data->result_success_done && in eap_teap_process_decrypted()
1290 /* Result TLV indicating success, but no Crypto-Binding TLV */ in eap_teap_process_decrypted()
1292 "EAP-TEAP: Result TLV indicating success, but no Crypto-Binding TLV"); in eap_teap_process_decrypted()
1300 data->inner_method_done) { in eap_teap_process_decrypted()
1302 "EAP-TEAP: Inner EAP method exchange completed, but no Intermediate-Result TLV included"); in eap_teap_process_decrypted()
1312 …"EAP-TEAP: Unexpected Crypto-Binding TLV without Result TLV or Intermediate-Result TLV indicating … in eap_teap_process_decrypted()
1327 data->result_success_done = 1; in eap_teap_process_decrypted()
1329 data->inner_method_done = 0; in eap_teap_process_decrypted()
1330 data->iresult_verified = 1; in eap_teap_process_decrypted()
1338 sm->use_machine_cred = config && config->machine_identity && in eap_teap_process_decrypted()
1339 config->machine_identity_len; in eap_teap_process_decrypted()
1341 sm->use_machine_cred = 0; in eap_teap_process_decrypted()
1346 os_free(data->phase2_types); in eap_teap_process_decrypted()
1347 data->phase2_types = NULL; in eap_teap_process_decrypted()
1348 data->num_phase2_types = 0; in eap_teap_process_decrypted()
1351 &data->phase2_types, in eap_teap_process_decrypted()
1352 &data->num_phase2_types, in eap_teap_process_decrypted()
1353 sm->use_machine_cred) < 0) { in eap_teap_process_decrypted()
1355 "EAP-TEAP: Failed to update Phase 2 EAP types"); in eap_teap_process_decrypted()
1390 if (data->result_success_done && data->session_ticket_used && in eap_teap_process_decrypted()
1395 "EAP-TEAP: PAC used - server may decide to skip inner authentication"); in eap_teap_process_decrypted()
1396 ret->methodState = METHOD_MAY_CONT; in eap_teap_process_decrypted()
1397 ret->decision = DECISION_COND_SUCC; in eap_teap_process_decrypted()
1398 } else if (data->result_success_done && in eap_teap_process_decrypted()
1399 tls_connection_get_own_cert_used(data->ssl.conn) && in eap_teap_process_decrypted()
1404 "EAP-TEAP: Client certificate used - server may decide to skip inner authentication"); in eap_teap_process_decrypted()
1405 ret->methodState = METHOD_MAY_CONT; in eap_teap_process_decrypted()
1406 ret->decision = DECISION_COND_SUCC; in eap_teap_process_decrypted()
1416 "EAP-TEAP: PAC TLV without Result TLV acknowledging success"); in eap_teap_process_decrypted()
1422 if (!data->current_pac && data->provisioning && !failed && !tlv.pac && in eap_teap_process_decrypted()
1424 (!data->anon_provisioning || in eap_teap_process_decrypted()
1425 (data->phase2_success && data->phase2_method && in eap_teap_process_decrypted()
1426 data->phase2_method->vendor == 0 && in eap_teap_process_decrypted()
1427 eap_teap_allowed_anon_prov_cipher_suite(data->tls_cs) && in eap_teap_process_decrypted()
1429 data->phase2_method->vendor, in eap_teap_process_decrypted()
1430 data->phase2_method->method))) && in eap_teap_process_decrypted()
1437 wpa_printf(MSG_DEBUG, "EAP-TEAP: Request Tunnel PAC"); in eap_teap_process_decrypted()
1452 ret->methodState = METHOD_DONE; in eap_teap_process_decrypted()
1453 ret->decision = DECISION_FAIL; in eap_teap_process_decrypted()
1460 tmp = eap_teap_tlv_result((!failed && data->phase2_success) ? in eap_teap_process_decrypted()
1467 (tlv.crypto_binding || data->iresult_verified) && in eap_teap_process_decrypted()
1468 data->phase2_success) { in eap_teap_process_decrypted()
1471 "EAP-TEAP: Authentication completed successfully"); in eap_teap_process_decrypted()
1472 ret->methodState = METHOD_MAY_CONT; in eap_teap_process_decrypted()
1473 data->on_tx_completion = data->provisioning ? in eap_teap_process_decrypted()
1475 ret->decision = DECISION_UNCOND_SUCC; in eap_teap_process_decrypted()
1480 "EAP-TEAP: No recognized TLVs - send empty response packet"); in eap_teap_process_decrypted()
1488 wpa_hexdump_buf(MSG_DEBUG, "EAP-TEAP: Encrypting Phase 2 data", resp); in eap_teap_process_decrypted()
1489 if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TEAP, in eap_teap_process_decrypted()
1490 data->teap_version, identifier, in eap_teap_process_decrypted()
1493 "EAP-TEAP: Failed to encrypt a Phase 2 frame"); in eap_teap_process_decrypted()
1510 "EAP-TEAP: Received %lu bytes encrypted data for Phase 2", in eap_teap_decrypt()
1513 if (data->pending_phase2_req) { in eap_teap_decrypt()
1515 "EAP-TEAP: Pending Phase 2 request - skip decryption and use old data"); in eap_teap_decrypt()
1517 eap_peer_tls_reset_input(&data->ssl); in eap_teap_decrypt()
1519 in_decrypted = data->pending_phase2_req; in eap_teap_decrypt()
1520 data->pending_phase2_req = NULL; in eap_teap_decrypt()
1525 /* Received TLS ACK - requesting more fragments */ in eap_teap_decrypt()
1526 res = eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TEAP, in eap_teap_decrypt()
1527 data->teap_version, in eap_teap_decrypt()
1529 if (res == 0 && !data->ssl.tls_out && in eap_teap_decrypt()
1530 data->on_tx_completion) { in eap_teap_decrypt()
1532 "EAP-TEAP: Mark authentication completed at full TX of fragments"); in eap_teap_decrypt()
1533 ret->methodState = data->on_tx_completion; in eap_teap_decrypt()
1534 data->on_tx_completion = 0; in eap_teap_decrypt()
1535 ret->decision = DECISION_UNCOND_SUCC; in eap_teap_decrypt()
1540 res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); in eap_teap_decrypt()
1545 wpa_hexdump_buf(MSG_MSGDUMP, "EAP-TEAP: Decrypted Phase 2 TLV(s)", in eap_teap_decrypt()
1550 "EAP-TEAP: Too short Phase 2 TLV frame (len=%lu)", in eap_teap_decrypt()
1553 return -1; in eap_teap_decrypt()
1570 data->current_pac = eap_teap_get_pac(data->pac, a_id, a_id_len, in eap_teap_select_pac()
1572 if (data->current_pac) { in eap_teap_select_pac()
1574 "EAP-TEAP: PAC found for this A-ID (PAC-Type %d)", in eap_teap_select_pac()
1575 data->current_pac->pac_type); in eap_teap_select_pac()
1576 wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TEAP: A-ID-Info", in eap_teap_select_pac()
1577 data->current_pac->a_id_info, in eap_teap_select_pac()
1578 data->current_pac->a_id_info_len); in eap_teap_select_pac()
1591 wpa_printf(MSG_DEBUG, "EAP-TEAP: Add PAC-Opaque TLS extension"); in eap_teap_use_pac_opaque()
1592 olen = pac->pac_opaque_len; in eap_teap_use_pac_opaque()
1597 ehdr->tlv_type = host_to_be16(PAC_TYPE_PAC_OPAQUE); in eap_teap_use_pac_opaque()
1598 ehdr->length = host_to_be16(olen); in eap_teap_use_pac_opaque()
1599 os_memcpy(ehdr + 1, pac->pac_opaque, olen); in eap_teap_use_pac_opaque()
1602 tls_connection_client_hello_ext(sm->ssl_ctx, data->ssl.conn, in eap_teap_use_pac_opaque()
1606 "EAP-TEAP: Failed to add PAC-Opaque TLS extension"); in eap_teap_use_pac_opaque()
1608 return -1; in eap_teap_use_pac_opaque()
1619 if (tls_connection_client_hello_ext(sm->ssl_ctx, data->ssl.conn, in eap_teap_clear_pac_opaque_ext()
1622 "EAP-TEAP: Failed to remove PAC-Opaque TLS extension"); in eap_teap_clear_pac_opaque_ext()
1623 return -1; in eap_teap_clear_pac_opaque_ext()
1639 /* EAP-TEAP version negotiation (RFC 7170, Section 3.2) */ in eap_teap_process_start()
1640 data->received_version = flags & EAP_TLS_VERSION_MASK; in eap_teap_process_start()
1641 wpa_printf(MSG_DEBUG, "EAP-TEAP: Start (server ver=%u, own ver=%u)", in eap_teap_process_start()
1642 data->received_version, data->teap_version); in eap_teap_process_start()
1643 if (data->received_version < 1) { in eap_teap_process_start()
1646 "EAP-TEAP: Server used unknown TEAP version %u", in eap_teap_process_start()
1647 data->received_version); in eap_teap_process_start()
1648 return -1; in eap_teap_process_start()
1650 if (data->received_version < data->teap_version) in eap_teap_process_start()
1651 data->teap_version = data->received_version; in eap_teap_process_start()
1652 wpa_printf(MSG_DEBUG, "EAP-TEAP: Using TEAP version %d", in eap_teap_process_start()
1653 data->teap_version); in eap_teap_process_start()
1654 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Start message payload", pos, left); in eap_teap_process_start()
1656 /* Parse Authority-ID TLV from Outer TLVs, if present */ in eap_teap_process_start()
1663 "EAP-TEAP: Not enough room for the Outer TLV Length field"); in eap_teap_process_start()
1664 return -1; in eap_teap_process_start()
1669 left -= 4; in eap_teap_process_start()
1673 "EAP-TEAP: Truncated Outer TLVs field (Outer TLV Length: %u; remaining buffer: %u)", in eap_teap_process_start()
1675 return -1; in eap_teap_process_start()
1678 outer_pos = pos + left - outer_tlv_len; in eap_teap_process_start()
1680 wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Start message Outer TLVs", in eap_teap_process_start()
1682 wpabuf_free(data->server_outer_tlvs); in eap_teap_process_start()
1683 data->server_outer_tlvs = wpabuf_alloc_copy(outer_pos, in eap_teap_process_start()
1685 if (!data->server_outer_tlvs) in eap_teap_process_start()
1686 return -1; in eap_teap_process_start()
1687 left -= outer_tlv_len; in eap_teap_process_start()
1690 "EAP-TEAP: Unexpected TLS Data in Start message", in eap_teap_process_start()
1692 return -1; in eap_teap_process_start()
1698 if (outer_end - outer_pos < 4) { in eap_teap_process_start()
1700 "EAP-TEAP: Truncated Outer TLV header"); in eap_teap_process_start()
1701 return -1; in eap_teap_process_start()
1711 "EAP-TEAP: Outer TLV: Type=%u Length=%u", in eap_teap_process_start()
1713 if (outer_end - outer_pos < tlv_len) { in eap_teap_process_start()
1715 "EAP-TEAP: Truncated Outer TLV (Type %u)", in eap_teap_process_start()
1717 return -1; in eap_teap_process_start()
1720 wpa_hexdump(MSG_DEBUG, "EAP-TEAP: Authority-ID", in eap_teap_process_start()
1724 "EAP-TEAP: Multiple Authority-ID TLVs in TEAP/Start"); in eap_teap_process_start()
1725 return -1; in eap_teap_process_start()
1731 "EAP-TEAP: Ignore unknown Outer TLV (Type %u)", in eap_teap_process_start()
1738 "EAP-TEAP: Unexpected TLS Data in Start message", in eap_teap_process_start()
1740 return -1; in eap_teap_process_start()
1745 if (data->resuming && data->current_pac) { in eap_teap_process_start()
1747 "EAP-TEAP: Trying to resume session - do not add PAC-Opaque to TLS ClientHello"); in eap_teap_process_start()
1749 return -1; in eap_teap_process_start()
1750 } else if (data->current_pac) { in eap_teap_process_start()
1752 * PAC found for the A-ID and we are not resuming an old in eap_teap_process_start()
1753 * session, so add PAC-Opaque extension to ClientHello. in eap_teap_process_start()
1755 if (eap_teap_use_pac_opaque(sm, data, data->current_pac) < 0) in eap_teap_process_start()
1756 return -1; in eap_teap_process_start()
1757 } else if (data->provisioning_allowed) { in eap_teap_process_start()
1759 "EAP-TEAP: No PAC found - starting provisioning"); in eap_teap_process_start()
1761 return -1; in eap_teap_process_start()
1762 data->provisioning = 1; in eap_teap_process_start()
1778 wpabuf_free(data->peer_outer_tlvs); in eap_teap_add_stub_outer_tlvs()
1779 data->peer_outer_tlvs = wpabuf_alloc(4 + 4); in eap_teap_add_stub_outer_tlvs()
1780 if (!data->peer_outer_tlvs) { in eap_teap_add_stub_outer_tlvs()
1785 /* Outer TLVs (stub Vendor-Specific TLV for testing) */ in eap_teap_add_stub_outer_tlvs()
1786 wpabuf_put_be16(data->peer_outer_tlvs, TEAP_TLV_VENDOR_SPECIFIC); in eap_teap_add_stub_outer_tlvs()
1787 wpabuf_put_be16(data->peer_outer_tlvs, 4); in eap_teap_add_stub_outer_tlvs()
1788 wpabuf_put_be32(data->peer_outer_tlvs, EAP_VENDOR_HOSTAP); in eap_teap_add_stub_outer_tlvs()
1789 wpa_hexdump_buf(MSG_DEBUG, "EAP-TEAP: TESTING - Add stub Outer TLVs", in eap_teap_add_stub_outer_tlvs()
1790 data->peer_outer_tlvs); in eap_teap_add_stub_outer_tlvs()
1793 "EAP-TEAP: TEAP/Start response before modification", in eap_teap_add_stub_outer_tlvs()
1796 wpabuf_len(data->peer_outer_tlvs)); in eap_teap_add_stub_outer_tlvs()
1807 wpabuf_put_be16(resp2, len + 4 + wpabuf_len(data->peer_outer_tlvs)); in eap_teap_add_stub_outer_tlvs()
1814 "EAP-TEAP: Cannot add Outer TLVs for testing"); in eap_teap_add_stub_outer_tlvs()
1822 wpabuf_put_be32(resp2, wpabuf_len(data->peer_outer_tlvs)); in eap_teap_add_stub_outer_tlvs()
1824 wpabuf_put_data(resp2, pos, wpabuf_len(resp) - 6); in eap_teap_add_stub_outer_tlvs()
1825 wpabuf_put_buf(resp2, data->peer_outer_tlvs); /* Outer TLVs */ in eap_teap_add_stub_outer_tlvs()
1829 "EAP-TEAP: TEAP/Start response after modification", in eap_teap_add_stub_outer_tlvs()
1849 pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_TEAP, ret, in eap_teap_process()
1855 id = req->identifier; in eap_teap_process()
1871 "EAP-TEAP: Outer TLVs present in non-Start message -> ignore message"); in eap_teap_process()
1878 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && in eap_teap_process()
1879 !data->resuming) { in eap_teap_process()
1883 ret->methodState = METHOD_DONE; in eap_teap_process()
1884 ret->decision = DECISION_FAIL; in eap_teap_process()
1892 if (sm->waiting_ext_cert_check && data->pending_resp) { in eap_teap_process()
1895 if (config->pending_ext_cert_check == in eap_teap_process()
1898 "EAP-TEAP: External certificate check succeeded - continue handshake"); in eap_teap_process()
1899 resp = data->pending_resp; in eap_teap_process()
1900 data->pending_resp = NULL; in eap_teap_process()
1901 sm->waiting_ext_cert_check = 0; in eap_teap_process()
1905 if (config->pending_ext_cert_check == in eap_teap_process()
1908 "EAP-TEAP: External certificate check failed - force authentication failure"); in eap_teap_process()
1909 ret->methodState = METHOD_DONE; in eap_teap_process()
1910 ret->decision = DECISION_FAIL; in eap_teap_process()
1911 sm->waiting_ext_cert_check = 0; in eap_teap_process()
1916 "EAP-TEAP: Continuing to wait external server certificate validation"); in eap_teap_process()
1921 res = eap_peer_tls_process_helper(sm, &data->ssl, in eap_teap_process()
1923 data->teap_version, id, &msg, in eap_teap_process()
1927 "EAP-TEAP: TLS processing failed"); in eap_teap_process()
1928 ret->methodState = METHOD_DONE; in eap_teap_process()
1929 ret->decision = DECISION_FAIL; in eap_teap_process()
1933 if (sm->waiting_ext_cert_check) { in eap_teap_process()
1935 "EAP-TEAP: Waiting external server certificate validation"); in eap_teap_process()
1936 wpabuf_free(data->pending_resp); in eap_teap_process()
1937 data->pending_resp = resp; in eap_teap_process()
1941 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { in eap_teap_process()
1945 "EAP-TEAP: TLS done, proceed to Phase 2"); in eap_teap_process()
1946 data->tls_cs = in eap_teap_process()
1947 tls_connection_get_cipher_suite(data->ssl.conn); in eap_teap_process()
1949 "EAP-TEAP: TLS cipher suite 0x%04x", in eap_teap_process()
1950 data->tls_cs); in eap_teap_process()
1952 if (data->provisioning && in eap_teap_process()
1953 (!(data->provisioning_allowed & in eap_teap_process()
1955 tls_get_cipher(sm->ssl_ctx, data->ssl.conn, in eap_teap_process()
1957 os_strstr(cipher, "ADH-") || in eap_teap_process()
1960 "EAP-TEAP: Using anonymous (unauthenticated) provisioning"); in eap_teap_process()
1961 data->anon_provisioning = 1; in eap_teap_process()
1963 data->anon_provisioning = 0; in eap_teap_process()
1965 data->resuming = 0; in eap_teap_process()
1968 "EAP-TEAP: Could not derive keys"); in eap_teap_process()
1969 ret->methodState = METHOD_DONE; in eap_teap_process()
1970 ret->decision = DECISION_FAIL; in eap_teap_process()
1980 wpabuf_free(data->pending_phase2_req); in eap_teap_process()
1981 data->pending_phase2_req = resp; in eap_teap_process()
1990 data->teap_version); in eap_teap_process()
1994 if (data->test_outer_tlvs && res == 0 && resp && in eap_teap_process()
2008 return tls_connection_established(sm->ssl_ctx, data->ssl.conn);
2016 if (data->phase2_priv && data->phase2_method &&
2017 data->phase2_method->deinit_for_reauth)
2018 data->phase2_method->deinit_for_reauth(sm, data->phase2_priv);
2027 if (eap_peer_tls_reauth_init(sm, &data->ssl)) {
2031 if (data->phase2_priv && data->phase2_method &&
2032 data->phase2_method->init_for_reauth)
2033 data->phase2_method->init_for_reauth(sm, data->phase2_priv);
2034 data->phase2_success = 0;
2035 data->inner_method_done = 0;
2036 data->result_success_done = 0;
2037 data->iresult_verified = 0;
2038 data->done_on_tx_completion = 0;
2039 data->resuming = 1;
2040 data->provisioning = 0;
2041 data->anon_provisioning = 0;
2042 data->simck_idx = 0;
2054 len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); in eap_teap_get_status()
2055 if (data->phase2_method) { in eap_teap_get_status()
2056 ret = os_snprintf(buf + len, buflen - len, in eap_teap_get_status()
2057 "EAP-TEAP Phase 2 method=%s\n", in eap_teap_get_status()
2058 data->phase2_method->name); in eap_teap_get_status()
2059 if (os_snprintf_error(buflen - len, ret)) in eap_teap_get_status()
2071 return data->success; in eap_teap_isKeyAvailable()
2080 if (!data->success) in eap_teap_getKey()
2083 key = os_memdup(data->key_data, EAP_TEAP_KEY_LEN); in eap_teap_getKey()
2098 if (!data->success || !data->session_id) in eap_teap_get_session_id()
2101 id = os_memdup(data->session_id, data->id_len); in eap_teap_get_session_id()
2105 *len = data->id_len; in eap_teap_get_session_id()
2116 if (!data->success) in eap_teap_get_emsk()
2119 key = os_memdup(data->emsk, EAP_EMSK_LEN); in eap_teap_get_emsk()
2136 return -1; in eap_peer_teap_register()
2138 eap->init = eap_teap_init; in eap_peer_teap_register()
2139 eap->deinit = eap_teap_deinit; in eap_peer_teap_register()
2140 eap->process = eap_teap_process; in eap_peer_teap_register()
2141 eap->isKeyAvailable = eap_teap_isKeyAvailable; in eap_peer_teap_register()
2142 eap->getKey = eap_teap_getKey; in eap_peer_teap_register()
2143 eap->getSessionId = eap_teap_get_session_id; in eap_peer_teap_register()
2144 eap->get_status = eap_teap_get_status; in eap_peer_teap_register()
2146 eap->has_reauth_data = eap_teap_has_reauth_data; in eap_peer_teap_register()
2147 eap->deinit_for_reauth = eap_teap_deinit_for_reauth; in eap_peer_teap_register()
2148 eap->init_for_reauth = eap_teap_init_for_reauth; in eap_peer_teap_register()
2150 eap->get_emsk = eap_teap_get_emsk; in eap_peer_teap_register()