1 /* 2 * EAP peer method: EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt) 3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/sha1.h" 13 #include "crypto/tls.h" 14 #include "eap_common/eap_tlv_common.h" 15 #include "eap_common/eap_peap_common.h" 16 #include "eap_i.h" 17 #include "eap_tls_common.h" 18 #include "eap_config.h" 19 #include "tncc.h" 20 21 22 /* Maximum supported PEAP version 23 * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt 24 * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt 25 */ 26 #define EAP_PEAP_VERSION 1 27 28 29 static void eap_peap_deinit(struct eap_sm *sm, void *priv); 30 31 32 struct eap_peap_data { 33 struct eap_ssl_data ssl; 34 35 int peap_version, force_peap_version, force_new_label; 36 37 const struct eap_method *phase2_method; 38 void *phase2_priv; 39 int phase2_success; 40 int phase2_eap_success; 41 int phase2_eap_started; 42 43 struct eap_method_type phase2_type; 44 struct eap_method_type *phase2_types; 45 size_t num_phase2_types; 46 47 int peap_outer_success; /* 0 = PEAP terminated on Phase 2 inner 48 * EAP-Success 49 * 1 = reply with tunneled EAP-Success to inner 50 * EAP-Success and expect AS to send outer 51 * (unencrypted) EAP-Success after this 52 * 2 = reply with PEAP/TLS ACK to inner 53 * EAP-Success and expect AS to send outer 54 * (unencrypted) EAP-Success after this */ 55 int resuming; /* starting a resumed session */ 56 int reauth; /* reauthentication */ 57 u8 *key_data; 58 u8 *session_id; 59 size_t id_len; 60 61 struct wpabuf *pending_phase2_req; 62 enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding; 63 int crypto_binding_used; 64 u8 binding_nonce[32]; 65 u8 ipmk[40]; 66 u8 cmk[20]; 67 int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) 68 * is enabled. */ 69 }; 70 71 72 static int eap_peap_parse_phase1(struct eap_peap_data *data, 73 const char *phase1) 74 { 75 const char *pos; 76 77 pos = os_strstr(phase1, "peapver="); 78 if (pos) { 79 data->force_peap_version = atoi(pos + 8); 80 data->peap_version = data->force_peap_version; 81 wpa_printf(MSG_DEBUG, "EAP-PEAP: Forced PEAP version %d", 82 data->force_peap_version); 83 } 84 85 if (os_strstr(phase1, "peaplabel=1")) { 86 data->force_new_label = 1; 87 wpa_printf(MSG_DEBUG, "EAP-PEAP: Force new label for key " 88 "derivation"); 89 } 90 91 if (os_strstr(phase1, "peap_outer_success=0")) { 92 data->peap_outer_success = 0; 93 wpa_printf(MSG_DEBUG, "EAP-PEAP: terminate authentication on " 94 "tunneled EAP-Success"); 95 } else if (os_strstr(phase1, "peap_outer_success=1")) { 96 data->peap_outer_success = 1; 97 wpa_printf(MSG_DEBUG, "EAP-PEAP: send tunneled EAP-Success " 98 "after receiving tunneled EAP-Success"); 99 } else if (os_strstr(phase1, "peap_outer_success=2")) { 100 data->peap_outer_success = 2; 101 wpa_printf(MSG_DEBUG, "EAP-PEAP: send PEAP/TLS ACK after " 102 "receiving tunneled EAP-Success"); 103 } 104 105 if (os_strstr(phase1, "crypto_binding=0")) { 106 data->crypto_binding = NO_BINDING; 107 wpa_printf(MSG_DEBUG, "EAP-PEAP: Do not use cryptobinding"); 108 } else if (os_strstr(phase1, "crypto_binding=1")) { 109 data->crypto_binding = OPTIONAL_BINDING; 110 wpa_printf(MSG_DEBUG, "EAP-PEAP: Optional cryptobinding"); 111 } else if (os_strstr(phase1, "crypto_binding=2")) { 112 data->crypto_binding = REQUIRE_BINDING; 113 wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); 114 } 115 116 #ifdef EAP_TNC 117 if (os_strstr(phase1, "tnc=soh2")) { 118 data->soh = 2; 119 wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); 120 } else if (os_strstr(phase1, "tnc=soh1")) { 121 data->soh = 1; 122 wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 1 enabled"); 123 } else if (os_strstr(phase1, "tnc=soh")) { 124 data->soh = 2; 125 wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled"); 126 } 127 #endif /* EAP_TNC */ 128 129 return 0; 130 } 131 132 133 static void * eap_peap_init(struct eap_sm *sm) 134 { 135 struct eap_peap_data *data; 136 struct eap_peer_config *config = eap_get_config(sm); 137 138 data = os_zalloc(sizeof(*data)); 139 if (data == NULL) 140 return NULL; 141 sm->peap_done = FALSE; 142 data->peap_version = EAP_PEAP_VERSION; 143 data->force_peap_version = -1; 144 data->peap_outer_success = 2; 145 data->crypto_binding = OPTIONAL_BINDING; 146 147 if (config && config->phase1 && 148 eap_peap_parse_phase1(data, config->phase1) < 0) { 149 eap_peap_deinit(sm, data); 150 return NULL; 151 } 152 153 if (eap_peer_select_phase2_methods(config, "auth=", 154 &data->phase2_types, 155 &data->num_phase2_types) < 0) { 156 eap_peap_deinit(sm, data); 157 return NULL; 158 } 159 160 data->phase2_type.vendor = EAP_VENDOR_IETF; 161 data->phase2_type.method = EAP_TYPE_NONE; 162 163 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_PEAP)) { 164 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL."); 165 eap_peap_deinit(sm, data); 166 return NULL; 167 } 168 169 return data; 170 } 171 172 173 static void eap_peap_free_key(struct eap_peap_data *data) 174 { 175 if (data->key_data) { 176 bin_clear_free(data->key_data, EAP_TLS_KEY_LEN); 177 data->key_data = NULL; 178 } 179 } 180 181 182 static void eap_peap_deinit(struct eap_sm *sm, void *priv) 183 { 184 struct eap_peap_data *data = priv; 185 if (data == NULL) 186 return; 187 if (data->phase2_priv && data->phase2_method) 188 data->phase2_method->deinit(sm, data->phase2_priv); 189 os_free(data->phase2_types); 190 eap_peer_tls_ssl_deinit(sm, &data->ssl); 191 eap_peap_free_key(data); 192 os_free(data->session_id); 193 wpabuf_free(data->pending_phase2_req); 194 os_free(data); 195 } 196 197 198 /** 199 * eap_tlv_build_nak - Build EAP-TLV NAK message 200 * @id: EAP identifier for the header 201 * @nak_type: TLV type (EAP_TLV_*) 202 * Returns: Buffer to the allocated EAP-TLV NAK message or %NULL on failure 203 * 204 * This function builds an EAP-TLV NAK message. The caller is responsible for 205 * freeing the returned buffer. 206 */ 207 static struct wpabuf * eap_tlv_build_nak(int id, u16 nak_type) 208 { 209 struct wpabuf *msg; 210 211 msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, 10, 212 EAP_CODE_RESPONSE, id); 213 if (msg == NULL) 214 return NULL; 215 216 wpabuf_put_u8(msg, 0x80); /* Mandatory */ 217 wpabuf_put_u8(msg, EAP_TLV_NAK_TLV); 218 wpabuf_put_be16(msg, 6); /* Length */ 219 wpabuf_put_be32(msg, 0); /* Vendor-Id */ 220 wpabuf_put_be16(msg, nak_type); /* NAK-Type */ 221 222 return msg; 223 } 224 225 226 static int eap_peap_get_isk(struct eap_sm *sm, struct eap_peap_data *data, 227 u8 *isk, size_t isk_len) 228 { 229 u8 *key; 230 size_t key_len; 231 232 os_memset(isk, 0, isk_len); 233 if (data->phase2_method == NULL || data->phase2_priv == NULL || 234 data->phase2_method->isKeyAvailable == NULL || 235 data->phase2_method->getKey == NULL) 236 return 0; 237 238 if (!data->phase2_method->isKeyAvailable(sm, data->phase2_priv) || 239 (key = data->phase2_method->getKey(sm, data->phase2_priv, 240 &key_len)) == NULL) { 241 wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not get key material " 242 "from Phase 2"); 243 return -1; 244 } 245 246 if (key_len > isk_len) 247 key_len = isk_len; 248 os_memcpy(isk, key, key_len); 249 os_free(key); 250 251 return 0; 252 } 253 254 255 static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) 256 { 257 u8 *tk; 258 u8 isk[32], imck[60]; 259 260 /* 261 * Tunnel key (TK) is the first 60 octets of the key generated by 262 * phase 1 of PEAP (based on TLS). 263 */ 264 tk = data->key_data; 265 if (tk == NULL) 266 return -1; 267 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60); 268 269 if (data->reauth && 270 tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) { 271 /* Fast-connect: IPMK|CMK = TK */ 272 os_memcpy(data->ipmk, tk, 40); 273 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK", 274 data->ipmk, 40); 275 os_memcpy(data->cmk, tk + 40, 20); 276 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK from TK", 277 data->cmk, 20); 278 return 0; 279 } 280 281 if (eap_peap_get_isk(sm, data, isk, sizeof(isk)) < 0) 282 return -1; 283 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk)); 284 285 /* 286 * IPMK Seed = "Inner Methods Compound Keys" | ISK 287 * TempKey = First 40 octets of TK 288 * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60) 289 * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space 290 * in the end of the label just before ISK; is that just a typo?) 291 */ 292 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40); 293 if (peap_prfplus(data->peap_version, tk, 40, 294 "Inner Methods Compound Keys", 295 isk, sizeof(isk), imck, sizeof(imck)) < 0) 296 return -1; 297 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)", 298 imck, sizeof(imck)); 299 300 os_memcpy(data->ipmk, imck, 40); 301 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40); 302 os_memcpy(data->cmk, imck + 40, 20); 303 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20); 304 305 return 0; 306 } 307 308 309 static int eap_tlv_add_cryptobinding(struct eap_sm *sm, 310 struct eap_peap_data *data, 311 struct wpabuf *buf) 312 { 313 u8 *mac; 314 u8 eap_type = EAP_TYPE_PEAP; 315 const u8 *addr[2]; 316 size_t len[2]; 317 u16 tlv_type; 318 319 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ 320 addr[0] = wpabuf_put(buf, 0); 321 len[0] = 60; 322 addr[1] = &eap_type; 323 len[1] = 1; 324 325 tlv_type = EAP_TLV_CRYPTO_BINDING_TLV; 326 wpabuf_put_be16(buf, tlv_type); 327 wpabuf_put_be16(buf, 56); 328 329 wpabuf_put_u8(buf, 0); /* Reserved */ 330 wpabuf_put_u8(buf, data->peap_version); /* Version */ 331 wpabuf_put_u8(buf, data->peap_version); /* RecvVersion */ 332 wpabuf_put_u8(buf, 1); /* SubType: 0 = Request, 1 = Response */ 333 wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */ 334 mac = wpabuf_put(buf, 20); /* Compound_MAC */ 335 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK", data->cmk, 20); 336 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1", 337 addr[0], len[0]); 338 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2", 339 addr[1], len[1]); 340 hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac); 341 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC", mac, SHA1_MAC_LEN); 342 data->crypto_binding_used = 1; 343 344 return 0; 345 } 346 347 348 /** 349 * eap_tlv_build_result - Build EAP-TLV Result message 350 * @id: EAP identifier for the header 351 * @status: Status (EAP_TLV_RESULT_SUCCESS or EAP_TLV_RESULT_FAILURE) 352 * Returns: Buffer to the allocated EAP-TLV Result message or %NULL on failure 353 * 354 * This function builds an EAP-TLV Result message. The caller is responsible 355 * for freeing the returned buffer. 356 */ 357 static struct wpabuf * eap_tlv_build_result(struct eap_sm *sm, 358 struct eap_peap_data *data, 359 int crypto_tlv_used, 360 int id, u16 status) 361 { 362 struct wpabuf *msg; 363 size_t len; 364 365 if (data->crypto_binding == NO_BINDING) 366 crypto_tlv_used = 0; 367 368 len = 6; 369 if (crypto_tlv_used) 370 len += 60; /* Cryptobinding TLV */ 371 msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, len, 372 EAP_CODE_RESPONSE, id); 373 if (msg == NULL) 374 return NULL; 375 376 wpabuf_put_u8(msg, 0x80); /* Mandatory */ 377 wpabuf_put_u8(msg, EAP_TLV_RESULT_TLV); 378 wpabuf_put_be16(msg, 2); /* Length */ 379 wpabuf_put_be16(msg, status); /* Status */ 380 381 if (crypto_tlv_used && eap_tlv_add_cryptobinding(sm, data, msg)) { 382 wpabuf_free(msg); 383 return NULL; 384 } 385 386 return msg; 387 } 388 389 390 static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, 391 struct eap_peap_data *data, 392 const u8 *crypto_tlv, 393 size_t crypto_tlv_len) 394 { 395 u8 buf[61], mac[SHA1_MAC_LEN]; 396 const u8 *pos; 397 398 if (eap_peap_derive_cmk(sm, data) < 0) { 399 wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not derive CMK"); 400 return -1; 401 } 402 403 if (crypto_tlv_len != 4 + 56) { 404 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV " 405 "length %d", (int) crypto_tlv_len); 406 return -1; 407 } 408 409 pos = crypto_tlv; 410 pos += 4; /* TLV header */ 411 if (pos[1] != data->peap_version) { 412 wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version " 413 "mismatch (was %d; expected %d)", 414 pos[1], data->peap_version); 415 return -1; 416 } 417 418 if (pos[3] != 0) { 419 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV " 420 "SubType %d", pos[3]); 421 return -1; 422 } 423 pos += 4; 424 os_memcpy(data->binding_nonce, pos, 32); 425 pos += 32; /* Nonce */ 426 427 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */ 428 os_memcpy(buf, crypto_tlv, 60); 429 os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */ 430 buf[60] = EAP_TYPE_PEAP; 431 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Compound_MAC data", 432 buf, sizeof(buf)); 433 hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac); 434 435 if (os_memcmp_const(mac, pos, SHA1_MAC_LEN) != 0) { 436 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in " 437 "cryptobinding TLV"); 438 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received MAC", 439 pos, SHA1_MAC_LEN); 440 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Expected MAC", 441 mac, SHA1_MAC_LEN); 442 return -1; 443 } 444 445 wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received"); 446 447 return 0; 448 } 449 450 451 /** 452 * eap_tlv_process - Process a received EAP-TLV message and generate a response 453 * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() 454 * @ret: Return values from EAP request validation and processing 455 * @req: EAP-TLV request to be processed. The caller must have validated that 456 * the buffer is large enough to contain full request (hdr->length bytes) and 457 * that the EAP type is EAP_TYPE_TLV. 458 * @resp: Buffer to return a pointer to the allocated response message. This 459 * field should be initialized to %NULL before the call. The value will be 460 * updated if a response message is generated. The caller is responsible for 461 * freeing the allocated message. 462 * @force_failure: Force negotiation to fail 463 * Returns: 0 on success, -1 on failure 464 */ 465 static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, 466 struct eap_method_ret *ret, 467 const struct wpabuf *req, struct wpabuf **resp, 468 int force_failure) 469 { 470 size_t left, tlv_len; 471 const u8 *pos; 472 const u8 *result_tlv = NULL, *crypto_tlv = NULL; 473 size_t result_tlv_len = 0, crypto_tlv_len = 0; 474 int tlv_type, mandatory; 475 476 /* Parse TLVs */ 477 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, req, &left); 478 if (pos == NULL) 479 return -1; 480 wpa_hexdump(MSG_DEBUG, "EAP-TLV: Received TLVs", pos, left); 481 while (left >= 4) { 482 mandatory = !!(pos[0] & 0x80); 483 tlv_type = WPA_GET_BE16(pos) & 0x3fff; 484 pos += 2; 485 tlv_len = WPA_GET_BE16(pos); 486 pos += 2; 487 left -= 4; 488 if (tlv_len > left) { 489 wpa_printf(MSG_DEBUG, "EAP-TLV: TLV underrun " 490 "(tlv_len=%lu left=%lu)", 491 (unsigned long) tlv_len, 492 (unsigned long) left); 493 return -1; 494 } 495 switch (tlv_type) { 496 case EAP_TLV_RESULT_TLV: 497 result_tlv = pos; 498 result_tlv_len = tlv_len; 499 break; 500 case EAP_TLV_CRYPTO_BINDING_TLV: 501 crypto_tlv = pos; 502 crypto_tlv_len = tlv_len; 503 break; 504 default: 505 wpa_printf(MSG_DEBUG, "EAP-TLV: Unsupported TLV Type " 506 "%d%s", tlv_type, 507 mandatory ? " (mandatory)" : ""); 508 if (mandatory) { 509 /* NAK TLV and ignore all TLVs in this packet. 510 */ 511 *resp = eap_tlv_build_nak(eap_get_id(req), 512 tlv_type); 513 return *resp == NULL ? -1 : 0; 514 } 515 /* Ignore this TLV, but process other TLVs */ 516 break; 517 } 518 519 pos += tlv_len; 520 left -= tlv_len; 521 } 522 if (left) { 523 wpa_printf(MSG_DEBUG, "EAP-TLV: Last TLV too short in " 524 "Request (left=%lu)", (unsigned long) left); 525 return -1; 526 } 527 528 /* Process supported TLVs */ 529 if (crypto_tlv && data->crypto_binding != NO_BINDING) { 530 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV", 531 crypto_tlv, crypto_tlv_len); 532 if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4, 533 crypto_tlv_len + 4) < 0) { 534 if (result_tlv == NULL) 535 return -1; 536 force_failure = 1; 537 crypto_tlv = NULL; /* do not include Cryptobinding TLV 538 * in response, if the received 539 * cryptobinding was invalid. */ 540 } 541 } else if (!crypto_tlv && data->crypto_binding == REQUIRE_BINDING) { 542 wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV"); 543 return -1; 544 } 545 546 if (result_tlv) { 547 int status, resp_status; 548 wpa_hexdump(MSG_DEBUG, "EAP-TLV: Result TLV", 549 result_tlv, result_tlv_len); 550 if (result_tlv_len < 2) { 551 wpa_printf(MSG_INFO, "EAP-TLV: Too short Result TLV " 552 "(len=%lu)", 553 (unsigned long) result_tlv_len); 554 return -1; 555 } 556 status = WPA_GET_BE16(result_tlv); 557 if (status == EAP_TLV_RESULT_SUCCESS) { 558 wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Success " 559 "- EAP-TLV/Phase2 Completed"); 560 if (force_failure) { 561 wpa_printf(MSG_INFO, "EAP-TLV: Earlier failure" 562 " - force failed Phase 2"); 563 resp_status = EAP_TLV_RESULT_FAILURE; 564 ret->decision = DECISION_FAIL; 565 } else { 566 resp_status = EAP_TLV_RESULT_SUCCESS; 567 ret->decision = DECISION_UNCOND_SUCC; 568 } 569 } else if (status == EAP_TLV_RESULT_FAILURE) { 570 wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Failure"); 571 resp_status = EAP_TLV_RESULT_FAILURE; 572 ret->decision = DECISION_FAIL; 573 } else { 574 wpa_printf(MSG_INFO, "EAP-TLV: Unknown TLV Result " 575 "Status %d", status); 576 resp_status = EAP_TLV_RESULT_FAILURE; 577 ret->decision = DECISION_FAIL; 578 } 579 ret->methodState = METHOD_DONE; 580 581 *resp = eap_tlv_build_result(sm, data, crypto_tlv != NULL, 582 eap_get_id(req), resp_status); 583 } 584 585 return 0; 586 } 587 588 589 static int eap_peap_phase2_request(struct eap_sm *sm, 590 struct eap_peap_data *data, 591 struct eap_method_ret *ret, 592 struct wpabuf *req, 593 struct wpabuf **resp) 594 { 595 struct eap_hdr *hdr = wpabuf_mhead(req); 596 size_t len = be_to_host16(hdr->length); 597 u8 *pos; 598 struct eap_method_ret iret; 599 struct eap_peer_config *config = eap_get_config(sm); 600 601 if (len <= sizeof(struct eap_hdr)) { 602 wpa_printf(MSG_INFO, "EAP-PEAP: too short " 603 "Phase 2 request (len=%lu)", (unsigned long) len); 604 return -1; 605 } 606 pos = (u8 *) (hdr + 1); 607 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Request: type=%d", *pos); 608 switch (*pos) { 609 case EAP_TYPE_IDENTITY: 610 *resp = eap_sm_buildIdentity(sm, hdr->identifier, 1); 611 break; 612 case EAP_TYPE_TLV: 613 os_memset(&iret, 0, sizeof(iret)); 614 if (eap_tlv_process(sm, data, &iret, req, resp, 615 data->phase2_eap_started && 616 !data->phase2_eap_success)) { 617 ret->methodState = METHOD_DONE; 618 ret->decision = DECISION_FAIL; 619 return -1; 620 } 621 if (iret.methodState == METHOD_DONE || 622 iret.methodState == METHOD_MAY_CONT) { 623 ret->methodState = iret.methodState; 624 ret->decision = iret.decision; 625 data->phase2_success = 1; 626 } 627 break; 628 case EAP_TYPE_EXPANDED: 629 #ifdef EAP_TNC 630 if (data->soh) { 631 const u8 *epos; 632 size_t eleft; 633 634 epos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21, 635 req, &eleft); 636 if (epos) { 637 struct wpabuf *buf; 638 wpa_printf(MSG_DEBUG, 639 "EAP-PEAP: SoH EAP Extensions"); 640 buf = tncc_process_soh_request(data->soh, 641 epos, eleft); 642 if (buf) { 643 *resp = eap_msg_alloc( 644 EAP_VENDOR_MICROSOFT, 0x21, 645 wpabuf_len(buf), 646 EAP_CODE_RESPONSE, 647 hdr->identifier); 648 if (*resp == NULL) { 649 ret->methodState = METHOD_DONE; 650 ret->decision = DECISION_FAIL; 651 return -1; 652 } 653 wpabuf_put_buf(*resp, buf); 654 wpabuf_free(buf); 655 break; 656 } 657 } 658 } 659 #endif /* EAP_TNC */ 660 /* fall through */ 661 default: 662 if (data->phase2_type.vendor == EAP_VENDOR_IETF && 663 data->phase2_type.method == EAP_TYPE_NONE) { 664 size_t i; 665 for (i = 0; i < data->num_phase2_types; i++) { 666 if (data->phase2_types[i].vendor != 667 EAP_VENDOR_IETF || 668 data->phase2_types[i].method != *pos) 669 continue; 670 671 data->phase2_type.vendor = 672 data->phase2_types[i].vendor; 673 data->phase2_type.method = 674 data->phase2_types[i].method; 675 wpa_printf(MSG_DEBUG, "EAP-PEAP: Selected " 676 "Phase 2 EAP vendor %d method %d", 677 data->phase2_type.vendor, 678 data->phase2_type.method); 679 break; 680 } 681 } 682 if (*pos != data->phase2_type.method || 683 *pos == EAP_TYPE_NONE) { 684 if (eap_peer_tls_phase2_nak(data->phase2_types, 685 data->num_phase2_types, 686 hdr, resp)) 687 return -1; 688 return 0; 689 } 690 691 if (data->phase2_priv == NULL) { 692 data->phase2_method = eap_peer_get_eap_method( 693 data->phase2_type.vendor, 694 data->phase2_type.method); 695 if (data->phase2_method) { 696 sm->init_phase2 = 1; 697 data->phase2_priv = 698 data->phase2_method->init(sm); 699 sm->init_phase2 = 0; 700 } 701 } 702 if (data->phase2_priv == NULL || data->phase2_method == NULL) { 703 wpa_printf(MSG_INFO, "EAP-PEAP: failed to initialize " 704 "Phase 2 EAP method %d", *pos); 705 ret->methodState = METHOD_DONE; 706 ret->decision = DECISION_FAIL; 707 return -1; 708 } 709 data->phase2_eap_started = 1; 710 os_memset(&iret, 0, sizeof(iret)); 711 *resp = data->phase2_method->process(sm, data->phase2_priv, 712 &iret, req); 713 if ((iret.methodState == METHOD_DONE || 714 iret.methodState == METHOD_MAY_CONT) && 715 (iret.decision == DECISION_UNCOND_SUCC || 716 iret.decision == DECISION_COND_SUCC)) { 717 data->phase2_eap_success = 1; 718 data->phase2_success = 1; 719 } 720 break; 721 } 722 723 if (*resp == NULL && 724 (config->pending_req_identity || config->pending_req_password || 725 config->pending_req_otp || config->pending_req_new_password)) { 726 wpabuf_free(data->pending_phase2_req); 727 data->pending_phase2_req = wpabuf_alloc_copy(hdr, len); 728 } 729 730 return 0; 731 } 732 733 734 static int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data, 735 struct eap_method_ret *ret, 736 const struct eap_hdr *req, 737 const struct wpabuf *in_data, 738 struct wpabuf **out_data) 739 { 740 struct wpabuf *in_decrypted = NULL; 741 int res, skip_change = 0; 742 struct eap_hdr *hdr, *rhdr; 743 struct wpabuf *resp = NULL; 744 size_t len; 745 746 wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for" 747 " Phase 2", (unsigned long) wpabuf_len(in_data)); 748 749 if (data->pending_phase2_req) { 750 wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 request - " 751 "skip decryption and use old data"); 752 /* Clear TLS reassembly state. */ 753 eap_peer_tls_reset_input(&data->ssl); 754 in_decrypted = data->pending_phase2_req; 755 data->pending_phase2_req = NULL; 756 skip_change = 1; 757 goto continue_req; 758 } 759 760 if (wpabuf_len(in_data) == 0 && sm->workaround && 761 data->phase2_success) { 762 /* 763 * Cisco ACS seems to be using TLS ACK to terminate 764 * EAP-PEAPv0/GTC. Try to reply with TLS ACK. 765 */ 766 wpa_printf(MSG_DEBUG, "EAP-PEAP: Received TLS ACK, but " 767 "expected data - acknowledge with TLS ACK since " 768 "Phase 2 has been completed"); 769 ret->decision = DECISION_COND_SUCC; 770 ret->methodState = METHOD_DONE; 771 return 1; 772 } else if (wpabuf_len(in_data) == 0) { 773 /* Received TLS ACK - requesting more fragments */ 774 return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, 775 data->peap_version, 776 req->identifier, NULL, out_data); 777 } 778 779 res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); 780 if (res) 781 return res; 782 783 continue_req: 784 wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP", 785 in_decrypted); 786 787 hdr = wpabuf_mhead(in_decrypted); 788 if (wpabuf_len(in_decrypted) == 5 && hdr->code == EAP_CODE_REQUEST && 789 be_to_host16(hdr->length) == 5 && 790 eap_get_type(in_decrypted) == EAP_TYPE_IDENTITY) { 791 /* At least FreeRADIUS seems to send full EAP header with 792 * EAP Request Identity */ 793 skip_change = 1; 794 } 795 if (wpabuf_len(in_decrypted) >= 5 && hdr->code == EAP_CODE_REQUEST && 796 eap_get_type(in_decrypted) == EAP_TYPE_TLV) { 797 skip_change = 1; 798 } 799 800 if (data->peap_version == 0 && !skip_change) { 801 struct eap_hdr *nhdr; 802 struct wpabuf *nmsg = wpabuf_alloc(sizeof(struct eap_hdr) + 803 wpabuf_len(in_decrypted)); 804 if (nmsg == NULL) { 805 wpabuf_free(in_decrypted); 806 return 0; 807 } 808 nhdr = wpabuf_put(nmsg, sizeof(*nhdr)); 809 wpabuf_put_buf(nmsg, in_decrypted); 810 nhdr->code = req->code; 811 nhdr->identifier = req->identifier; 812 nhdr->length = host_to_be16(sizeof(struct eap_hdr) + 813 wpabuf_len(in_decrypted)); 814 815 wpabuf_free(in_decrypted); 816 in_decrypted = nmsg; 817 } 818 819 hdr = wpabuf_mhead(in_decrypted); 820 if (wpabuf_len(in_decrypted) < sizeof(*hdr)) { 821 wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 " 822 "EAP frame (len=%lu)", 823 (unsigned long) wpabuf_len(in_decrypted)); 824 wpabuf_free(in_decrypted); 825 return 0; 826 } 827 len = be_to_host16(hdr->length); 828 if (len > wpabuf_len(in_decrypted)) { 829 wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in " 830 "Phase 2 EAP frame (len=%lu hdr->length=%lu)", 831 (unsigned long) wpabuf_len(in_decrypted), 832 (unsigned long) len); 833 wpabuf_free(in_decrypted); 834 return 0; 835 } 836 if (len < wpabuf_len(in_decrypted)) { 837 wpa_printf(MSG_INFO, "EAP-PEAP: Odd.. Phase 2 EAP header has " 838 "shorter length than full decrypted data " 839 "(%lu < %lu)", 840 (unsigned long) len, 841 (unsigned long) wpabuf_len(in_decrypted)); 842 } 843 wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d " 844 "identifier=%d length=%lu", hdr->code, hdr->identifier, 845 (unsigned long) len); 846 switch (hdr->code) { 847 case EAP_CODE_REQUEST: 848 if (eap_peap_phase2_request(sm, data, ret, in_decrypted, 849 &resp)) { 850 wpabuf_free(in_decrypted); 851 wpa_printf(MSG_INFO, "EAP-PEAP: Phase2 Request " 852 "processing failed"); 853 return 0; 854 } 855 break; 856 case EAP_CODE_SUCCESS: 857 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success"); 858 if (data->peap_version == 1) { 859 /* EAP-Success within TLS tunnel is used to indicate 860 * shutdown of the TLS channel. The authentication has 861 * been completed. */ 862 if (data->phase2_eap_started && 863 !data->phase2_eap_success) { 864 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " 865 "Success used to indicate success, " 866 "but Phase 2 EAP was not yet " 867 "completed successfully"); 868 ret->methodState = METHOD_DONE; 869 ret->decision = DECISION_FAIL; 870 wpabuf_free(in_decrypted); 871 return 0; 872 } 873 wpa_printf(MSG_DEBUG, "EAP-PEAP: Version 1 - " 874 "EAP-Success within TLS tunnel - " 875 "authentication completed"); 876 ret->decision = DECISION_UNCOND_SUCC; 877 ret->methodState = METHOD_DONE; 878 data->phase2_success = 1; 879 if (data->peap_outer_success == 2) { 880 wpabuf_free(in_decrypted); 881 wpa_printf(MSG_DEBUG, "EAP-PEAP: Use TLS ACK " 882 "to finish authentication"); 883 return 1; 884 } else if (data->peap_outer_success == 1) { 885 /* Reply with EAP-Success within the TLS 886 * channel to complete the authentication. */ 887 resp = wpabuf_alloc(sizeof(struct eap_hdr)); 888 if (resp) { 889 rhdr = wpabuf_put(resp, sizeof(*rhdr)); 890 rhdr->code = EAP_CODE_SUCCESS; 891 rhdr->identifier = hdr->identifier; 892 rhdr->length = 893 host_to_be16(sizeof(*rhdr)); 894 } 895 } else { 896 /* No EAP-Success expected for Phase 1 (outer, 897 * unencrypted auth), so force EAP state 898 * machine to SUCCESS state. */ 899 sm->peap_done = TRUE; 900 } 901 } else { 902 /* FIX: ? */ 903 } 904 break; 905 case EAP_CODE_FAILURE: 906 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure"); 907 ret->decision = DECISION_FAIL; 908 ret->methodState = METHOD_MAY_CONT; 909 ret->allowNotifications = FALSE; 910 /* Reply with EAP-Failure within the TLS channel to complete 911 * failure reporting. */ 912 resp = wpabuf_alloc(sizeof(struct eap_hdr)); 913 if (resp) { 914 rhdr = wpabuf_put(resp, sizeof(*rhdr)); 915 rhdr->code = EAP_CODE_FAILURE; 916 rhdr->identifier = hdr->identifier; 917 rhdr->length = host_to_be16(sizeof(*rhdr)); 918 } 919 break; 920 default: 921 wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in " 922 "Phase 2 EAP header", hdr->code); 923 break; 924 } 925 926 wpabuf_free(in_decrypted); 927 928 if (resp) { 929 int skip_change2 = 0; 930 struct wpabuf *rmsg, buf; 931 932 wpa_hexdump_buf_key(MSG_DEBUG, 933 "EAP-PEAP: Encrypting Phase 2 data", resp); 934 /* PEAP version changes */ 935 if (wpabuf_len(resp) >= 5 && 936 wpabuf_head_u8(resp)[0] == EAP_CODE_RESPONSE && 937 eap_get_type(resp) == EAP_TYPE_TLV) 938 skip_change2 = 1; 939 rmsg = resp; 940 if (data->peap_version == 0 && !skip_change2) { 941 wpabuf_set(&buf, wpabuf_head_u8(resp) + 942 sizeof(struct eap_hdr), 943 wpabuf_len(resp) - sizeof(struct eap_hdr)); 944 rmsg = &buf; 945 } 946 947 if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, 948 data->peap_version, req->identifier, 949 rmsg, out_data)) { 950 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt " 951 "a Phase 2 frame"); 952 } 953 wpabuf_free(resp); 954 } 955 956 return 0; 957 } 958 959 960 static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, 961 struct eap_method_ret *ret, 962 const struct wpabuf *reqData) 963 { 964 const struct eap_hdr *req; 965 size_t left; 966 int res; 967 u8 flags, id; 968 struct wpabuf *resp; 969 const u8 *pos; 970 struct eap_peap_data *data = priv; 971 struct wpabuf msg; 972 973 pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_PEAP, ret, 974 reqData, &left, &flags); 975 if (pos == NULL) 976 return NULL; 977 req = wpabuf_head(reqData); 978 id = req->identifier; 979 980 if (flags & EAP_TLS_FLAGS_START) { 981 wpa_printf(MSG_DEBUG, "EAP-PEAP: Start (server ver=%d, own " 982 "ver=%d)", flags & EAP_TLS_VERSION_MASK, 983 data->peap_version); 984 if ((flags & EAP_TLS_VERSION_MASK) < data->peap_version) 985 data->peap_version = flags & EAP_TLS_VERSION_MASK; 986 if (data->force_peap_version >= 0 && 987 data->force_peap_version != data->peap_version) { 988 wpa_printf(MSG_WARNING, "EAP-PEAP: Failed to select " 989 "forced PEAP version %d", 990 data->force_peap_version); 991 ret->methodState = METHOD_DONE; 992 ret->decision = DECISION_FAIL; 993 ret->allowNotifications = FALSE; 994 return NULL; 995 } 996 wpa_printf(MSG_DEBUG, "EAP-PEAP: Using PEAP version %d", 997 data->peap_version); 998 left = 0; /* make sure that this frame is empty, even though it 999 * should always be, anyway */ 1000 } 1001 1002 wpabuf_set(&msg, pos, left); 1003 1004 resp = NULL; 1005 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1006 !data->resuming) { 1007 res = eap_peap_decrypt(sm, data, ret, req, &msg, &resp); 1008 } else { 1009 res = eap_peer_tls_process_helper(sm, &data->ssl, 1010 EAP_TYPE_PEAP, 1011 data->peap_version, id, &msg, 1012 &resp); 1013 1014 if (res < 0) { 1015 wpa_printf(MSG_DEBUG, 1016 "EAP-PEAP: TLS processing failed"); 1017 ret->methodState = METHOD_DONE; 1018 ret->decision = DECISION_FAIL; 1019 return resp; 1020 } 1021 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { 1022 char *label; 1023 wpa_printf(MSG_DEBUG, 1024 "EAP-PEAP: TLS done, proceed to Phase 2"); 1025 eap_peap_free_key(data); 1026 /* draft-josefsson-ppext-eap-tls-eap-05.txt 1027 * specifies that PEAPv1 would use "client PEAP 1028 * encryption" as the label. However, most existing 1029 * PEAPv1 implementations seem to be using the old 1030 * label, "client EAP encryption", instead. Use the old 1031 * label by default, but allow it to be configured with 1032 * phase1 parameter peaplabel=1. */ 1033 if (data->force_new_label) 1034 label = "client PEAP encryption"; 1035 else 1036 label = "client EAP encryption"; 1037 wpa_printf(MSG_DEBUG, "EAP-PEAP: using label '%s' in " 1038 "key derivation", label); 1039 data->key_data = 1040 eap_peer_tls_derive_key(sm, &data->ssl, label, 1041 EAP_TLS_KEY_LEN); 1042 if (data->key_data) { 1043 wpa_hexdump_key(MSG_DEBUG, 1044 "EAP-PEAP: Derived key", 1045 data->key_data, 1046 EAP_TLS_KEY_LEN); 1047 } else { 1048 wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to " 1049 "derive key"); 1050 } 1051 1052 os_free(data->session_id); 1053 data->session_id = 1054 eap_peer_tls_derive_session_id(sm, &data->ssl, 1055 EAP_TYPE_PEAP, 1056 &data->id_len); 1057 if (data->session_id) { 1058 wpa_hexdump(MSG_DEBUG, 1059 "EAP-PEAP: Derived Session-Id", 1060 data->session_id, data->id_len); 1061 } else { 1062 wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to " 1063 "derive Session-Id"); 1064 } 1065 1066 if (sm->workaround && data->resuming) { 1067 /* 1068 * At least few RADIUS servers (Aegis v1.1.6; 1069 * but not v1.1.4; and Cisco ACS) seem to be 1070 * terminating PEAPv1 (Aegis) or PEAPv0 (Cisco 1071 * ACS) session resumption with outer 1072 * EAP-Success. This does not seem to follow 1073 * draft-josefsson-pppext-eap-tls-eap-05.txt 1074 * section 4.2, so only allow this if EAP 1075 * workarounds are enabled. 1076 */ 1077 wpa_printf(MSG_DEBUG, "EAP-PEAP: Workaround - " 1078 "allow outer EAP-Success to " 1079 "terminate PEAP resumption"); 1080 ret->decision = DECISION_COND_SUCC; 1081 data->phase2_success = 1; 1082 } 1083 1084 data->resuming = 0; 1085 } 1086 1087 if (res == 2) { 1088 /* 1089 * Application data included in the handshake message. 1090 */ 1091 wpabuf_free(data->pending_phase2_req); 1092 data->pending_phase2_req = resp; 1093 resp = NULL; 1094 res = eap_peap_decrypt(sm, data, ret, req, &msg, 1095 &resp); 1096 } 1097 } 1098 1099 if (ret->methodState == METHOD_DONE) { 1100 ret->allowNotifications = FALSE; 1101 } 1102 1103 if (res == 1) { 1104 wpabuf_free(resp); 1105 return eap_peer_tls_build_ack(id, EAP_TYPE_PEAP, 1106 data->peap_version); 1107 } 1108 1109 return resp; 1110 } 1111 1112 1113 static Boolean eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) 1114 { 1115 struct eap_peap_data *data = priv; 1116 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && 1117 data->phase2_success; 1118 } 1119 1120 1121 static void eap_peap_deinit_for_reauth(struct eap_sm *sm, void *priv) 1122 { 1123 struct eap_peap_data *data = priv; 1124 wpabuf_free(data->pending_phase2_req); 1125 data->pending_phase2_req = NULL; 1126 data->crypto_binding_used = 0; 1127 } 1128 1129 1130 static void * eap_peap_init_for_reauth(struct eap_sm *sm, void *priv) 1131 { 1132 struct eap_peap_data *data = priv; 1133 eap_peap_free_key(data); 1134 os_free(data->session_id); 1135 data->session_id = NULL; 1136 if (eap_peer_tls_reauth_init(sm, &data->ssl)) { 1137 os_free(data); 1138 return NULL; 1139 } 1140 if (data->phase2_priv && data->phase2_method && 1141 data->phase2_method->init_for_reauth) 1142 data->phase2_method->init_for_reauth(sm, data->phase2_priv); 1143 data->phase2_success = 0; 1144 data->phase2_eap_success = 0; 1145 data->phase2_eap_started = 0; 1146 data->resuming = 1; 1147 data->reauth = 1; 1148 sm->peap_done = FALSE; 1149 return priv; 1150 } 1151 1152 1153 static int eap_peap_get_status(struct eap_sm *sm, void *priv, char *buf, 1154 size_t buflen, int verbose) 1155 { 1156 struct eap_peap_data *data = priv; 1157 int len, ret; 1158 1159 len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); 1160 if (data->phase2_method) { 1161 ret = os_snprintf(buf + len, buflen - len, 1162 "EAP-PEAPv%d Phase2 method=%s\n", 1163 data->peap_version, 1164 data->phase2_method->name); 1165 if (os_snprintf_error(buflen - len, ret)) 1166 return len; 1167 len += ret; 1168 } 1169 return len; 1170 } 1171 1172 1173 static Boolean eap_peap_isKeyAvailable(struct eap_sm *sm, void *priv) 1174 { 1175 struct eap_peap_data *data = priv; 1176 return data->key_data != NULL && data->phase2_success; 1177 } 1178 1179 1180 static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len) 1181 { 1182 struct eap_peap_data *data = priv; 1183 u8 *key; 1184 1185 if (data->key_data == NULL || !data->phase2_success) 1186 return NULL; 1187 1188 key = os_malloc(EAP_TLS_KEY_LEN); 1189 if (key == NULL) 1190 return NULL; 1191 1192 *len = EAP_TLS_KEY_LEN; 1193 1194 if (data->crypto_binding_used) { 1195 u8 csk[128]; 1196 /* 1197 * Note: It looks like Microsoft implementation requires null 1198 * termination for this label while the one used for deriving 1199 * IPMK|CMK did not use null termination. 1200 */ 1201 if (peap_prfplus(data->peap_version, data->ipmk, 40, 1202 "Session Key Generating Function", 1203 (u8 *) "\00", 1, csk, sizeof(csk)) < 0) { 1204 os_free(key); 1205 return NULL; 1206 } 1207 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk)); 1208 os_memcpy(key, csk, EAP_TLS_KEY_LEN); 1209 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key", 1210 key, EAP_TLS_KEY_LEN); 1211 } else 1212 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); 1213 1214 return key; 1215 } 1216 1217 1218 static u8 * eap_peap_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 1219 { 1220 struct eap_peap_data *data = priv; 1221 u8 *id; 1222 1223 if (data->session_id == NULL || !data->phase2_success) 1224 return NULL; 1225 1226 id = os_malloc(data->id_len); 1227 if (id == NULL) 1228 return NULL; 1229 1230 *len = data->id_len; 1231 os_memcpy(id, data->session_id, data->id_len); 1232 1233 return id; 1234 } 1235 1236 1237 int eap_peer_peap_register(void) 1238 { 1239 struct eap_method *eap; 1240 int ret; 1241 1242 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1243 EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP"); 1244 if (eap == NULL) 1245 return -1; 1246 1247 eap->init = eap_peap_init; 1248 eap->deinit = eap_peap_deinit; 1249 eap->process = eap_peap_process; 1250 eap->isKeyAvailable = eap_peap_isKeyAvailable; 1251 eap->getKey = eap_peap_getKey; 1252 eap->get_status = eap_peap_get_status; 1253 eap->has_reauth_data = eap_peap_has_reauth_data; 1254 eap->deinit_for_reauth = eap_peap_deinit_for_reauth; 1255 eap->init_for_reauth = eap_peap_init_for_reauth; 1256 eap->getSessionId = eap_peap_get_session_id; 1257 1258 ret = eap_peer_method_register(eap); 1259 if (ret) 1260 eap_peer_method_free(eap); 1261 return ret; 1262 } 1263