xref: /freebsd/contrib/wpa/src/eap_peer/eap_peap.c (revision 87b759f0fa1f7554d50ce640c40138512bbded44)
1 /*
2  * EAP peer method: EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt)
3  * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/sha1.h"
13 #include "crypto/tls.h"
14 #include "eap_common/eap_tlv_common.h"
15 #include "eap_common/eap_peap_common.h"
16 #include "eap_i.h"
17 #include "eap_tls_common.h"
18 #include "eap_config.h"
19 #include "tncc.h"
20 
21 
22 /* Maximum supported PEAP version
23  * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
24  * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt
25  */
26 #define EAP_PEAP_VERSION 1
27 
28 
29 static void eap_peap_deinit(struct eap_sm *sm, void *priv);
30 
31 
32 struct eap_peap_data {
33 	struct eap_ssl_data ssl;
34 
35 	int peap_version, force_peap_version, force_new_label;
36 
37 	const struct eap_method *phase2_method;
38 	void *phase2_priv;
39 	int phase2_success;
40 	int phase2_eap_success;
41 	int phase2_eap_started;
42 
43 	struct eap_method_type phase2_type;
44 	struct eap_method_type *phase2_types;
45 	size_t num_phase2_types;
46 
47 	int peap_outer_success; /* 0 = PEAP terminated on Phase 2 inner
48 				 * EAP-Success
49 				 * 1 = reply with tunneled EAP-Success to inner
50 				 * EAP-Success and expect AS to send outer
51 				 * (unencrypted) EAP-Success after this
52 				 * 2 = reply with PEAP/TLS ACK to inner
53 				 * EAP-Success and expect AS to send outer
54 				 * (unencrypted) EAP-Success after this */
55 	int resuming; /* starting a resumed session */
56 	int reauth; /* reauthentication */
57 	u8 *key_data;
58 	u8 *session_id;
59 	size_t id_len;
60 
61 	struct wpabuf *pending_phase2_req;
62 	struct wpabuf *pending_resp;
63 	enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding;
64 	int crypto_binding_used;
65 	u8 binding_nonce[32];
66 	u8 ipmk[40];
67 	u8 cmk[20];
68 	int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
69 		  * is enabled. */
70 	enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
71 };
72 
73 
74 static void eap_peap_parse_phase1(struct eap_peap_data *data,
75 				  const char *phase1)
76 {
77 	const char *pos;
78 
79 	pos = os_strstr(phase1, "peapver=");
80 	if (pos) {
81 		data->force_peap_version = atoi(pos + 8);
82 		data->peap_version = data->force_peap_version;
83 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Forced PEAP version %d",
84 			   data->force_peap_version);
85 	}
86 
87 	if (os_strstr(phase1, "peaplabel=1")) {
88 		data->force_new_label = 1;
89 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Force new label for key "
90 			   "derivation");
91 	}
92 
93 	if (os_strstr(phase1, "peap_outer_success=0")) {
94 		data->peap_outer_success = 0;
95 		wpa_printf(MSG_DEBUG, "EAP-PEAP: terminate authentication on "
96 			   "tunneled EAP-Success");
97 	} else if (os_strstr(phase1, "peap_outer_success=1")) {
98 		data->peap_outer_success = 1;
99 		wpa_printf(MSG_DEBUG, "EAP-PEAP: send tunneled EAP-Success "
100 			   "after receiving tunneled EAP-Success");
101 	} else if (os_strstr(phase1, "peap_outer_success=2")) {
102 		data->peap_outer_success = 2;
103 		wpa_printf(MSG_DEBUG, "EAP-PEAP: send PEAP/TLS ACK after "
104 			   "receiving tunneled EAP-Success");
105 	}
106 
107 	if (os_strstr(phase1, "crypto_binding=0")) {
108 		data->crypto_binding = NO_BINDING;
109 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Do not use cryptobinding");
110 	} else if (os_strstr(phase1, "crypto_binding=1")) {
111 		data->crypto_binding = OPTIONAL_BINDING;
112 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Optional cryptobinding");
113 	} else if (os_strstr(phase1, "crypto_binding=2")) {
114 		data->crypto_binding = REQUIRE_BINDING;
115 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
116 	}
117 
118 	if (os_strstr(phase1, "phase2_auth=0")) {
119 		data->phase2_auth = NO_AUTH;
120 		wpa_printf(MSG_DEBUG,
121 			   "EAP-PEAP: Do not require Phase 2 authentication");
122 	} else if (os_strstr(phase1, "phase2_auth=1")) {
123 		data->phase2_auth = FOR_INITIAL;
124 		wpa_printf(MSG_DEBUG,
125 			   "EAP-PEAP: Require Phase 2 authentication for initial connection");
126 	} else if (os_strstr(phase1, "phase2_auth=2")) {
127 		data->phase2_auth = ALWAYS;
128 		wpa_printf(MSG_DEBUG,
129 			   "EAP-PEAP: Require Phase 2 authentication for all cases");
130 	}
131 #ifdef EAP_TNC
132 	if (os_strstr(phase1, "tnc=soh2")) {
133 		data->soh = 2;
134 		wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled");
135 	} else if (os_strstr(phase1, "tnc=soh1")) {
136 		data->soh = 1;
137 		wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 1 enabled");
138 	} else if (os_strstr(phase1, "tnc=soh")) {
139 		data->soh = 2;
140 		wpa_printf(MSG_DEBUG, "EAP-PEAP: SoH version 2 enabled");
141 	}
142 #endif /* EAP_TNC */
143 }
144 
145 
146 static void * eap_peap_init(struct eap_sm *sm)
147 {
148 	struct eap_peap_data *data;
149 	struct eap_peer_config *config = eap_get_config(sm);
150 
151 	data = os_zalloc(sizeof(*data));
152 	if (data == NULL)
153 		return NULL;
154 	sm->peap_done = false;
155 	data->peap_version = EAP_PEAP_VERSION;
156 	data->force_peap_version = -1;
157 	data->peap_outer_success = 2;
158 	data->crypto_binding = OPTIONAL_BINDING;
159 	data->phase2_auth = FOR_INITIAL;
160 
161 	if (config && config->phase1)
162 		eap_peap_parse_phase1(data, config->phase1);
163 
164 	if (eap_peer_select_phase2_methods(config, "auth=",
165 					   &data->phase2_types,
166 					   &data->num_phase2_types, 0) < 0) {
167 		eap_peap_deinit(sm, data);
168 		return NULL;
169 	}
170 
171 	data->phase2_type.vendor = EAP_VENDOR_IETF;
172 	data->phase2_type.method = EAP_TYPE_NONE;
173 
174 	if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_PEAP)) {
175 		wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
176 		eap_peap_deinit(sm, data);
177 		return NULL;
178 	}
179 
180 	return data;
181 }
182 
183 
184 static void eap_peap_free_key(struct eap_peap_data *data)
185 {
186 	if (data->key_data) {
187 		bin_clear_free(data->key_data, EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
188 		data->key_data = NULL;
189 	}
190 }
191 
192 
193 static void eap_peap_deinit(struct eap_sm *sm, void *priv)
194 {
195 	struct eap_peap_data *data = priv;
196 	if (data == NULL)
197 		return;
198 	if (data->phase2_priv && data->phase2_method)
199 		data->phase2_method->deinit(sm, data->phase2_priv);
200 	os_free(data->phase2_types);
201 	eap_peer_tls_ssl_deinit(sm, &data->ssl);
202 	eap_peap_free_key(data);
203 	os_free(data->session_id);
204 	wpabuf_clear_free(data->pending_phase2_req);
205 	wpabuf_clear_free(data->pending_resp);
206 	bin_clear_free(data, sizeof(*data));
207 }
208 
209 
210 /**
211  * eap_tlv_build_nak - Build EAP-TLV NAK message
212  * @id: EAP identifier for the header
213  * @nak_type: TLV type (EAP_TLV_*)
214  * Returns: Buffer to the allocated EAP-TLV NAK message or %NULL on failure
215  *
216  * This function builds an EAP-TLV NAK message. The caller is responsible for
217  * freeing the returned buffer.
218  */
219 static struct wpabuf * eap_tlv_build_nak(int id, u16 nak_type)
220 {
221 	struct wpabuf *msg;
222 
223 	msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, 10,
224 			    EAP_CODE_RESPONSE, id);
225 	if (msg == NULL)
226 		return NULL;
227 
228 	wpabuf_put_u8(msg, 0x80); /* Mandatory */
229 	wpabuf_put_u8(msg, EAP_TLV_NAK_TLV);
230 	wpabuf_put_be16(msg, 6); /* Length */
231 	wpabuf_put_be32(msg, 0); /* Vendor-Id */
232 	wpabuf_put_be16(msg, nak_type); /* NAK-Type */
233 
234 	return msg;
235 }
236 
237 
238 static int eap_peap_get_isk(struct eap_sm *sm, struct eap_peap_data *data,
239 			    u8 *isk, size_t isk_len)
240 {
241 	u8 *key;
242 	size_t key_len;
243 
244 	os_memset(isk, 0, isk_len);
245 	if (data->phase2_method == NULL || data->phase2_priv == NULL ||
246 	    data->phase2_method->isKeyAvailable == NULL ||
247 	    data->phase2_method->getKey == NULL)
248 		return 0;
249 
250 	if (!data->phase2_method->isKeyAvailable(sm, data->phase2_priv) ||
251 	    (key = data->phase2_method->getKey(sm, data->phase2_priv,
252 					       &key_len)) == NULL) {
253 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not get key material "
254 			   "from Phase 2");
255 		return -1;
256 	}
257 
258 	if (key_len > isk_len)
259 		key_len = isk_len;
260 	os_memcpy(isk, key, key_len);
261 	os_free(key);
262 
263 	return 0;
264 }
265 
266 
267 static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
268 {
269 	u8 *tk;
270 	u8 isk[32], imck[60];
271 	int resumed, res;
272 
273 	/*
274 	 * Tunnel key (TK) is the first 60 octets of the key generated by
275 	 * phase 1 of PEAP (based on TLS).
276 	 */
277 	tk = data->key_data;
278 	if (tk == NULL)
279 		return -1;
280 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60);
281 
282 	resumed = tls_connection_resumed(sm->ssl_ctx, data->ssl.conn);
283 	wpa_printf(MSG_DEBUG,
284 		   "EAP-PEAP: CMK derivation - reauth=%d resumed=%d phase2_eap_started=%d phase2_success=%d",
285 		   data->reauth, resumed, data->phase2_eap_started,
286 		   data->phase2_success);
287 	if (data->reauth && !data->phase2_eap_started && resumed) {
288 		/* Fast-connect: IPMK|CMK = TK */
289 		os_memcpy(data->ipmk, tk, 40);
290 		wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK",
291 				data->ipmk, 40);
292 		os_memcpy(data->cmk, tk + 40, 20);
293 		wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK from TK",
294 				data->cmk, 20);
295 		return 0;
296 	}
297 
298 	if (eap_peap_get_isk(sm, data, isk, sizeof(isk)) < 0)
299 		return -1;
300 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk));
301 
302 	/*
303 	 * IPMK Seed = "Inner Methods Compound Keys" | ISK
304 	 * TempKey = First 40 octets of TK
305 	 * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60)
306 	 * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space
307 	 * in the end of the label just before ISK; is that just a typo?)
308 	 */
309 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40);
310 	res = peap_prfplus(data->peap_version, tk, 40,
311 			   "Inner Methods Compound Keys",
312 			   isk, sizeof(isk), imck, sizeof(imck));
313 	forced_memzero(isk, sizeof(isk));
314 	if (res < 0)
315 		return -1;
316 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)",
317 			imck, sizeof(imck));
318 
319 	os_memcpy(data->ipmk, imck, 40);
320 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40);
321 	os_memcpy(data->cmk, imck + 40, 20);
322 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20);
323 	forced_memzero(imck, sizeof(imck));
324 
325 	return 0;
326 }
327 
328 
329 static int eap_tlv_add_cryptobinding(struct eap_sm *sm,
330 				     struct eap_peap_data *data,
331 				     struct wpabuf *buf)
332 {
333 	u8 *mac;
334 	u8 eap_type = EAP_TYPE_PEAP;
335 	const u8 *addr[2];
336 	size_t len[2];
337 	u16 tlv_type;
338 
339 	/* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
340 	addr[0] = wpabuf_put(buf, 0);
341 	len[0] = 60;
342 	addr[1] = &eap_type;
343 	len[1] = 1;
344 
345 	tlv_type = EAP_TLV_CRYPTO_BINDING_TLV;
346 	wpabuf_put_be16(buf, tlv_type);
347 	wpabuf_put_be16(buf, 56);
348 
349 	wpabuf_put_u8(buf, 0); /* Reserved */
350 	wpabuf_put_u8(buf, data->peap_version); /* Version */
351 	wpabuf_put_u8(buf, data->peap_version); /* RecvVersion */
352 	wpabuf_put_u8(buf, 1); /* SubType: 0 = Request, 1 = Response */
353 	wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */
354 	mac = wpabuf_put(buf, 20); /* Compound_MAC */
355 	wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK", data->cmk, 20);
356 	wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1",
357 		    addr[0], len[0]);
358 	wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2",
359 		    addr[1], len[1]);
360 	if (hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac) < 0)
361 		return -1;
362 	wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC", mac, SHA1_MAC_LEN);
363 	data->crypto_binding_used = 1;
364 
365 	return 0;
366 }
367 
368 
369 /**
370  * eap_tlv_build_result - Build EAP-TLV Result message
371  * @id: EAP identifier for the header
372  * @status: Status (EAP_TLV_RESULT_SUCCESS or EAP_TLV_RESULT_FAILURE)
373  * Returns: Buffer to the allocated EAP-TLV Result message or %NULL on failure
374  *
375  * This function builds an EAP-TLV Result message. The caller is responsible
376  * for freeing the returned buffer.
377  */
378 static struct wpabuf * eap_tlv_build_result(struct eap_sm *sm,
379 					    struct eap_peap_data *data,
380 					    int crypto_tlv_used,
381 					    int id, u16 status)
382 {
383 	struct wpabuf *msg;
384 	size_t len;
385 
386 	if (data->crypto_binding == NO_BINDING)
387 		crypto_tlv_used = 0;
388 
389 	len = 6;
390 	if (crypto_tlv_used)
391 		len += 60; /* Cryptobinding TLV */
392 	msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, len,
393 			    EAP_CODE_RESPONSE, id);
394 	if (msg == NULL)
395 		return NULL;
396 
397 	wpabuf_put_u8(msg, 0x80); /* Mandatory */
398 	wpabuf_put_u8(msg, EAP_TLV_RESULT_TLV);
399 	wpabuf_put_be16(msg, 2); /* Length */
400 	wpabuf_put_be16(msg, status); /* Status */
401 
402 	if (crypto_tlv_used && eap_tlv_add_cryptobinding(sm, data, msg)) {
403 		wpabuf_clear_free(msg);
404 		return NULL;
405 	}
406 
407 	return msg;
408 }
409 
410 
411 static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
412 					  struct eap_peap_data *data,
413 					  const u8 *crypto_tlv,
414 					  size_t crypto_tlv_len)
415 {
416 	u8 buf[61], mac[SHA1_MAC_LEN];
417 	const u8 *pos;
418 
419 	if (eap_peap_derive_cmk(sm, data) < 0) {
420 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Could not derive CMK");
421 		return -1;
422 	}
423 
424 	if (crypto_tlv_len != 4 + 56) {
425 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV "
426 			   "length %d", (int) crypto_tlv_len);
427 		return -1;
428 	}
429 
430 	pos = crypto_tlv;
431 	pos += 4; /* TLV header */
432 	if (pos[1] != data->peap_version) {
433 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version "
434 			   "mismatch (was %d; expected %d)",
435 			   pos[1], data->peap_version);
436 		return -1;
437 	}
438 
439 	if (pos[3] != 0) {
440 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV "
441 			   "SubType %d", pos[3]);
442 		return -1;
443 	}
444 	pos += 4;
445 	os_memcpy(data->binding_nonce, pos, 32);
446 	pos += 32; /* Nonce */
447 
448 	/* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
449 	os_memcpy(buf, crypto_tlv, 60);
450 	os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */
451 	buf[60] = EAP_TYPE_PEAP;
452 	wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Compound_MAC data",
453 		    buf, sizeof(buf));
454 	hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac);
455 
456 	if (os_memcmp_const(mac, pos, SHA1_MAC_LEN) != 0) {
457 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in "
458 			   "cryptobinding TLV");
459 		wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received MAC",
460 			    pos, SHA1_MAC_LEN);
461 		wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Expected MAC",
462 			    mac, SHA1_MAC_LEN);
463 		return -1;
464 	}
465 
466 	wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received");
467 
468 	return 0;
469 }
470 
471 
472 static bool peap_phase2_sufficient(struct eap_sm *sm,
473 				   struct eap_peap_data *data)
474 {
475 	if ((data->phase2_auth == ALWAYS ||
476 	     (data->phase2_auth == FOR_INITIAL &&
477 	      !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
478 	      !data->ssl.client_cert_conf) ||
479 	     data->phase2_eap_started) &&
480 	    !data->phase2_eap_success)
481 		return false;
482 	return true;
483 }
484 
485 
486 /**
487  * eap_tlv_process - Process a received EAP-TLV message and generate a response
488  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
489  * @ret: Return values from EAP request validation and processing
490  * @req: EAP-TLV request to be processed. The caller must have validated that
491  * the buffer is large enough to contain full request (hdr->length bytes) and
492  * that the EAP type is EAP_TYPE_TLV.
493  * @resp: Buffer to return a pointer to the allocated response message. This
494  * field should be initialized to %NULL before the call. The value will be
495  * updated if a response message is generated. The caller is responsible for
496  * freeing the allocated message.
497  * @force_failure: Force negotiation to fail
498  * Returns: 0 on success, -1 on failure
499  */
500 static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
501 			   struct eap_method_ret *ret,
502 			   const struct wpabuf *req, struct wpabuf **resp,
503 			   int force_failure)
504 {
505 	size_t left, tlv_len;
506 	const u8 *pos;
507 	const u8 *result_tlv = NULL, *crypto_tlv = NULL;
508 	size_t result_tlv_len = 0, crypto_tlv_len = 0;
509 	int tlv_type, mandatory;
510 
511 	/* Parse TLVs */
512 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, req, &left);
513 	if (pos == NULL)
514 		return -1;
515 	wpa_hexdump(MSG_DEBUG, "EAP-TLV: Received TLVs", pos, left);
516 	while (left >= 4) {
517 		mandatory = !!(pos[0] & 0x80);
518 		tlv_type = WPA_GET_BE16(pos) & 0x3fff;
519 		pos += 2;
520 		tlv_len = WPA_GET_BE16(pos);
521 		pos += 2;
522 		left -= 4;
523 		if (tlv_len > left) {
524 			wpa_printf(MSG_DEBUG, "EAP-TLV: TLV underrun "
525 				   "(tlv_len=%lu left=%lu)",
526 				   (unsigned long) tlv_len,
527 				   (unsigned long) left);
528 			return -1;
529 		}
530 		switch (tlv_type) {
531 		case EAP_TLV_RESULT_TLV:
532 			result_tlv = pos;
533 			result_tlv_len = tlv_len;
534 			break;
535 		case EAP_TLV_CRYPTO_BINDING_TLV:
536 			crypto_tlv = pos;
537 			crypto_tlv_len = tlv_len;
538 			break;
539 		default:
540 			wpa_printf(MSG_DEBUG, "EAP-TLV: Unsupported TLV Type "
541 				   "%d%s", tlv_type,
542 				   mandatory ? " (mandatory)" : "");
543 			if (mandatory) {
544 				/* NAK TLV and ignore all TLVs in this packet.
545 				 */
546 				*resp = eap_tlv_build_nak(eap_get_id(req),
547 							  tlv_type);
548 				return *resp == NULL ? -1 : 0;
549 			}
550 			/* Ignore this TLV, but process other TLVs */
551 			break;
552 		}
553 
554 		pos += tlv_len;
555 		left -= tlv_len;
556 	}
557 	if (left) {
558 		wpa_printf(MSG_DEBUG, "EAP-TLV: Last TLV too short in "
559 			   "Request (left=%lu)", (unsigned long) left);
560 		return -1;
561 	}
562 
563 	/* Process supported TLVs */
564 	if (crypto_tlv && data->crypto_binding != NO_BINDING) {
565 		wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV",
566 			    crypto_tlv, crypto_tlv_len);
567 		if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4,
568 						   crypto_tlv_len + 4) < 0) {
569 			if (result_tlv == NULL)
570 				return -1;
571 			force_failure = 1;
572 			crypto_tlv = NULL; /* do not include Cryptobinding TLV
573 					    * in response, if the received
574 					    * cryptobinding was invalid. */
575 		}
576 	} else if (!crypto_tlv && data->crypto_binding == REQUIRE_BINDING) {
577 		wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV");
578 		return -1;
579 	}
580 
581 	if (result_tlv) {
582 		int status, resp_status;
583 		wpa_hexdump(MSG_DEBUG, "EAP-TLV: Result TLV",
584 			    result_tlv, result_tlv_len);
585 		if (result_tlv_len < 2) {
586 			wpa_printf(MSG_INFO, "EAP-TLV: Too short Result TLV "
587 				   "(len=%lu)",
588 				   (unsigned long) result_tlv_len);
589 			return -1;
590 		}
591 		status = WPA_GET_BE16(result_tlv);
592 		if (status == EAP_TLV_RESULT_SUCCESS) {
593 			wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Success "
594 				   "- EAP-TLV/Phase2 Completed");
595 			if (force_failure) {
596 				wpa_printf(MSG_INFO, "EAP-TLV: Earlier failure"
597 					   " - force failed Phase 2");
598 				resp_status = EAP_TLV_RESULT_FAILURE;
599 				ret->decision = DECISION_FAIL;
600 			} else if (!peap_phase2_sufficient(sm, data)) {
601 				wpa_printf(MSG_INFO,
602 					   "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
603 				resp_status = EAP_TLV_RESULT_FAILURE;
604 				ret->decision = DECISION_FAIL;
605 			} else {
606 				resp_status = EAP_TLV_RESULT_SUCCESS;
607 				ret->decision = DECISION_UNCOND_SUCC;
608 			}
609 		} else if (status == EAP_TLV_RESULT_FAILURE) {
610 			wpa_printf(MSG_INFO, "EAP-TLV: TLV Result - Failure");
611 			resp_status = EAP_TLV_RESULT_FAILURE;
612 			ret->decision = DECISION_FAIL;
613 		} else {
614 			wpa_printf(MSG_INFO, "EAP-TLV: Unknown TLV Result "
615 				   "Status %d", status);
616 			resp_status = EAP_TLV_RESULT_FAILURE;
617 			ret->decision = DECISION_FAIL;
618 		}
619 		ret->methodState = METHOD_DONE;
620 
621 		*resp = eap_tlv_build_result(sm, data, crypto_tlv != NULL,
622 					     eap_get_id(req), resp_status);
623 	}
624 
625 	return 0;
626 }
627 
628 
629 static int eap_peap_phase2_request(struct eap_sm *sm,
630 				   struct eap_peap_data *data,
631 				   struct eap_method_ret *ret,
632 				   struct wpabuf *req,
633 				   struct wpabuf **resp)
634 {
635 	struct eap_hdr *hdr = wpabuf_mhead(req);
636 	size_t len = be_to_host16(hdr->length);
637 	u8 *pos;
638 	struct eap_method_ret iret;
639 	struct eap_peer_config *config = eap_get_config(sm);
640 	int vendor;
641 	enum eap_type method;
642 
643 	if (len <= sizeof(struct eap_hdr)) {
644 		wpa_printf(MSG_INFO, "EAP-PEAP: too short "
645 			   "Phase 2 request (len=%lu)", (unsigned long) len);
646 		return -1;
647 	}
648 	pos = (u8 *) (hdr + 1);
649 	wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Request: type=%d", *pos);
650 	switch (*pos) {
651 	case EAP_TYPE_IDENTITY:
652 		*resp = eap_sm_buildIdentity(sm, hdr->identifier, 1);
653 		break;
654 	case EAP_TYPE_TLV:
655 		os_memset(&iret, 0, sizeof(iret));
656 		if (eap_tlv_process(sm, data, &iret, req, resp,
657 				    data->phase2_eap_started &&
658 				    !data->phase2_eap_success)) {
659 			ret->methodState = METHOD_DONE;
660 			ret->decision = DECISION_FAIL;
661 			return -1;
662 		}
663 		if (iret.methodState == METHOD_DONE ||
664 		    iret.methodState == METHOD_MAY_CONT) {
665 			ret->methodState = iret.methodState;
666 			ret->decision = iret.decision;
667 			data->phase2_success = 1;
668 		}
669 		break;
670 	case EAP_TYPE_EXPANDED:
671 #ifdef EAP_TNC
672 		if (data->soh) {
673 			const u8 *epos;
674 			size_t eleft;
675 
676 			epos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21,
677 						req, &eleft);
678 			if (epos) {
679 				struct wpabuf *buf;
680 				wpa_printf(MSG_DEBUG,
681 					   "EAP-PEAP: SoH EAP Extensions");
682 				buf = tncc_process_soh_request(data->soh,
683 							       epos, eleft);
684 				if (buf) {
685 					*resp = eap_msg_alloc(
686 						EAP_VENDOR_MICROSOFT, 0x21,
687 						wpabuf_len(buf),
688 						EAP_CODE_RESPONSE,
689 						hdr->identifier);
690 					if (*resp == NULL) {
691 						ret->methodState = METHOD_DONE;
692 						ret->decision = DECISION_FAIL;
693 						wpabuf_clear_free(buf);
694 						return -1;
695 					}
696 					wpabuf_put_buf(*resp, buf);
697 					wpabuf_clear_free(buf);
698 					break;
699 				}
700 			}
701 		}
702 #endif /* EAP_TNC */
703 		/* fall through */
704 	default:
705 		vendor = EAP_VENDOR_IETF;
706 		method = *pos;
707 
708 		if (method == EAP_TYPE_EXPANDED) {
709 			if (len < sizeof(struct eap_hdr) + 8) {
710 				wpa_printf(MSG_INFO,
711 					   "EAP-PEAP: Too short Phase 2 request (expanded header) (len=%lu)",
712 					   (unsigned long) len);
713 				return -1;
714 			}
715 			vendor = WPA_GET_BE24(pos + 1);
716 			method = WPA_GET_BE32(pos + 4);
717 		}
718 
719 		if (data->phase2_type.vendor == EAP_VENDOR_IETF &&
720 		    data->phase2_type.method == EAP_TYPE_NONE) {
721 			size_t i;
722 			for (i = 0; i < data->num_phase2_types; i++) {
723 				if (data->phase2_types[i].vendor != vendor ||
724 				    data->phase2_types[i].method != method)
725 					continue;
726 
727 				data->phase2_type.vendor =
728 					data->phase2_types[i].vendor;
729 				data->phase2_type.method =
730 					data->phase2_types[i].method;
731 				wpa_printf(MSG_DEBUG, "EAP-PEAP: Selected "
732 					   "Phase 2 EAP vendor %d method %d",
733 					   data->phase2_type.vendor,
734 					   data->phase2_type.method);
735 				break;
736 			}
737 		}
738 		if (vendor != data->phase2_type.vendor ||
739 		    method != data->phase2_type.method ||
740 		    (vendor == EAP_VENDOR_IETF && method == EAP_TYPE_NONE)) {
741 			if (eap_peer_tls_phase2_nak(data->phase2_types,
742 						    data->num_phase2_types,
743 						    hdr, resp))
744 				return -1;
745 			return 0;
746 		}
747 
748 		if (data->phase2_priv == NULL) {
749 			data->phase2_method = eap_peer_get_eap_method(
750 				data->phase2_type.vendor,
751 				data->phase2_type.method);
752 			if (data->phase2_method) {
753 				sm->init_phase2 = 1;
754 				data->phase2_priv =
755 					data->phase2_method->init(sm);
756 				sm->init_phase2 = 0;
757 			}
758 		}
759 		if (data->phase2_priv == NULL || data->phase2_method == NULL) {
760 			wpa_printf(MSG_INFO, "EAP-PEAP: failed to initialize "
761 				   "Phase 2 EAP method %d", *pos);
762 			ret->methodState = METHOD_DONE;
763 			ret->decision = DECISION_FAIL;
764 			return -1;
765 		}
766 		data->phase2_eap_started = 1;
767 		os_memset(&iret, 0, sizeof(iret));
768 		*resp = data->phase2_method->process(sm, data->phase2_priv,
769 						     &iret, req);
770 		if ((iret.methodState == METHOD_DONE ||
771 		     iret.methodState == METHOD_MAY_CONT) &&
772 		    (iret.decision == DECISION_UNCOND_SUCC ||
773 		     iret.decision == DECISION_COND_SUCC)) {
774 			data->phase2_eap_success = 1;
775 			data->phase2_success = 1;
776 		}
777 		break;
778 	}
779 
780 	if (*resp == NULL &&
781 	    (config->pending_req_identity || config->pending_req_password ||
782 	     config->pending_req_otp || config->pending_req_new_password ||
783 	     config->pending_req_sim)) {
784 		wpabuf_clear_free(data->pending_phase2_req);
785 		data->pending_phase2_req = wpabuf_alloc_copy(hdr, len);
786 	}
787 
788 	return 0;
789 }
790 
791 
792 static int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data,
793 			    struct eap_method_ret *ret,
794 			    const struct eap_hdr *req,
795 			    const struct wpabuf *in_data,
796 			    struct wpabuf **out_data)
797 {
798 	struct wpabuf *in_decrypted = NULL;
799 	int res, skip_change = 0;
800 	struct eap_hdr *hdr, *rhdr;
801 	struct wpabuf *resp = NULL;
802 	size_t len;
803 
804 	wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for"
805 		   " Phase 2", (unsigned long) wpabuf_len(in_data));
806 
807 	if (data->pending_phase2_req) {
808 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 request - "
809 			   "skip decryption and use old data");
810 		/* Clear TLS reassembly state. */
811 		eap_peer_tls_reset_input(&data->ssl);
812 		in_decrypted = data->pending_phase2_req;
813 		data->pending_phase2_req = NULL;
814 		skip_change = 1;
815 		goto continue_req;
816 	}
817 
818 	if (wpabuf_len(in_data) == 0 && sm->workaround &&
819 	    data->phase2_success) {
820 		/*
821 		 * Cisco ACS seems to be using TLS ACK to terminate
822 		 * EAP-PEAPv0/GTC. Try to reply with TLS ACK.
823 		 */
824 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Received TLS ACK, but "
825 			   "expected data - acknowledge with TLS ACK since "
826 			   "Phase 2 has been completed");
827 		ret->decision = DECISION_COND_SUCC;
828 		ret->methodState = METHOD_DONE;
829 		return 1;
830 	} else if (wpabuf_len(in_data) == 0) {
831 		/* Received TLS ACK - requesting more fragments */
832 		return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP,
833 					    data->peap_version,
834 					    req->identifier, NULL, out_data);
835 	}
836 
837 	res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted);
838 	if (res)
839 		return res;
840 	if (wpabuf_len(in_decrypted) == 0) {
841 		wpabuf_free(in_decrypted);
842 		return 1;
843 	}
844 
845 continue_req:
846 	wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP",
847 			in_decrypted);
848 
849 	hdr = wpabuf_mhead(in_decrypted);
850 	if (wpabuf_len(in_decrypted) == 5 && hdr->code == EAP_CODE_REQUEST &&
851 	    be_to_host16(hdr->length) == 5 &&
852 	    eap_get_type(in_decrypted) == EAP_TYPE_IDENTITY) {
853 		/* At least FreeRADIUS seems to send full EAP header with
854 		 * EAP Request Identity */
855 		skip_change = 1;
856 	}
857 	if (wpabuf_len(in_decrypted) >= 5 && hdr->code == EAP_CODE_REQUEST &&
858 	    eap_get_type(in_decrypted) == EAP_TYPE_TLV) {
859 		skip_change = 1;
860 	}
861 
862 	if (data->peap_version == 0 && !skip_change) {
863 		struct eap_hdr *nhdr;
864 		struct wpabuf *nmsg = wpabuf_alloc(sizeof(struct eap_hdr) +
865 						   wpabuf_len(in_decrypted));
866 		if (nmsg == NULL) {
867 			wpabuf_clear_free(in_decrypted);
868 			return 0;
869 		}
870 		nhdr = wpabuf_put(nmsg, sizeof(*nhdr));
871 		wpabuf_put_buf(nmsg, in_decrypted);
872 		nhdr->code = req->code;
873 		nhdr->identifier = req->identifier;
874 		nhdr->length = host_to_be16(sizeof(struct eap_hdr) +
875 					    wpabuf_len(in_decrypted));
876 
877 		wpabuf_clear_free(in_decrypted);
878 		in_decrypted = nmsg;
879 	}
880 
881 	hdr = wpabuf_mhead(in_decrypted);
882 	if (wpabuf_len(in_decrypted) < sizeof(*hdr)) {
883 		wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 "
884 			   "EAP frame (len=%lu)",
885 			   (unsigned long) wpabuf_len(in_decrypted));
886 		wpabuf_clear_free(in_decrypted);
887 		return 0;
888 	}
889 	len = be_to_host16(hdr->length);
890 	if (len > wpabuf_len(in_decrypted)) {
891 		wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in "
892 			   "Phase 2 EAP frame (len=%lu hdr->length=%lu)",
893 			   (unsigned long) wpabuf_len(in_decrypted),
894 			   (unsigned long) len);
895 		wpabuf_clear_free(in_decrypted);
896 		return 0;
897 	}
898 	if (len < wpabuf_len(in_decrypted)) {
899 		wpa_printf(MSG_INFO, "EAP-PEAP: Odd.. Phase 2 EAP header has "
900 			   "shorter length than full decrypted data "
901 			   "(%lu < %lu)",
902 			   (unsigned long) len,
903 			   (unsigned long) wpabuf_len(in_decrypted));
904 	}
905 	wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d "
906 		   "identifier=%d length=%lu", hdr->code, hdr->identifier,
907 		   (unsigned long) len);
908 	switch (hdr->code) {
909 	case EAP_CODE_REQUEST:
910 		if (eap_peap_phase2_request(sm, data, ret, in_decrypted,
911 					    &resp)) {
912 			wpabuf_clear_free(in_decrypted);
913 			wpa_printf(MSG_INFO, "EAP-PEAP: Phase2 Request "
914 				   "processing failed");
915 			return 0;
916 		}
917 		break;
918 	case EAP_CODE_SUCCESS:
919 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success");
920 		if (data->peap_version == 1) {
921 			/* EAP-Success within TLS tunnel is used to indicate
922 			 * shutdown of the TLS channel. The authentication has
923 			 * been completed. */
924 			if (!peap_phase2_sufficient(sm, data)) {
925 				wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
926 					   "Success used to indicate success, "
927 					   "but Phase 2 EAP was not yet "
928 					   "completed successfully");
929 				ret->methodState = METHOD_DONE;
930 				ret->decision = DECISION_FAIL;
931 				wpabuf_clear_free(in_decrypted);
932 				return 0;
933 			}
934 			wpa_printf(MSG_DEBUG, "EAP-PEAP: Version 1 - "
935 				   "EAP-Success within TLS tunnel - "
936 				   "authentication completed");
937 			ret->decision = DECISION_UNCOND_SUCC;
938 			ret->methodState = METHOD_DONE;
939 			data->phase2_success = 1;
940 			if (data->peap_outer_success == 2) {
941 				wpabuf_clear_free(in_decrypted);
942 				wpa_printf(MSG_DEBUG, "EAP-PEAP: Use TLS ACK "
943 					   "to finish authentication");
944 				return 1;
945 			} else if (data->peap_outer_success == 1) {
946 				/* Reply with EAP-Success within the TLS
947 				 * channel to complete the authentication. */
948 				resp = wpabuf_alloc(sizeof(struct eap_hdr));
949 				if (resp) {
950 					rhdr = wpabuf_put(resp, sizeof(*rhdr));
951 					rhdr->code = EAP_CODE_SUCCESS;
952 					rhdr->identifier = hdr->identifier;
953 					rhdr->length =
954 						host_to_be16(sizeof(*rhdr));
955 				}
956 			} else {
957 				/* No EAP-Success expected for Phase 1 (outer,
958 				 * unencrypted auth), so force EAP state
959 				 * machine to SUCCESS state. */
960 				sm->peap_done = true;
961 			}
962 		} else {
963 			/* FIX: ? */
964 		}
965 		break;
966 	case EAP_CODE_FAILURE:
967 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure");
968 		ret->decision = DECISION_FAIL;
969 		ret->methodState = METHOD_MAY_CONT;
970 		ret->allowNotifications = false;
971 		/* Reply with EAP-Failure within the TLS channel to complete
972 		 * failure reporting. */
973 		resp = wpabuf_alloc(sizeof(struct eap_hdr));
974 		if (resp) {
975 			rhdr = wpabuf_put(resp, sizeof(*rhdr));
976 			rhdr->code = EAP_CODE_FAILURE;
977 			rhdr->identifier = hdr->identifier;
978 			rhdr->length = host_to_be16(sizeof(*rhdr));
979 		}
980 		break;
981 	default:
982 		wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in "
983 			   "Phase 2 EAP header", hdr->code);
984 		break;
985 	}
986 
987 	wpabuf_clear_free(in_decrypted);
988 
989 	if (resp) {
990 		int skip_change2 = 0;
991 		struct wpabuf *rmsg, buf;
992 
993 		wpa_hexdump_buf_key(MSG_DEBUG,
994 				    "EAP-PEAP: Encrypting Phase 2 data", resp);
995 		/* PEAP version changes */
996 		if (wpabuf_len(resp) >= 5 &&
997 		    wpabuf_head_u8(resp)[0] == EAP_CODE_RESPONSE &&
998 		    eap_get_type(resp) == EAP_TYPE_TLV)
999 			skip_change2 = 1;
1000 		rmsg = resp;
1001 		if (data->peap_version == 0 && !skip_change2) {
1002 			wpabuf_set(&buf, wpabuf_head_u8(resp) +
1003 				   sizeof(struct eap_hdr),
1004 				   wpabuf_len(resp) - sizeof(struct eap_hdr));
1005 			rmsg = &buf;
1006 		}
1007 
1008 		if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP,
1009 					 data->peap_version, req->identifier,
1010 					 rmsg, out_data)) {
1011 			wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt "
1012 				   "a Phase 2 frame");
1013 		}
1014 		wpabuf_clear_free(resp);
1015 	}
1016 
1017 	return 0;
1018 }
1019 
1020 
1021 static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
1022 					struct eap_method_ret *ret,
1023 					const struct wpabuf *reqData)
1024 {
1025 	const struct eap_hdr *req;
1026 	size_t left;
1027 	int res;
1028 	u8 flags, id;
1029 	struct wpabuf *resp;
1030 	const u8 *pos;
1031 	struct eap_peap_data *data = priv;
1032 	struct wpabuf msg;
1033 
1034 	pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_PEAP, ret,
1035 					reqData, &left, &flags);
1036 	if (pos == NULL)
1037 		return NULL;
1038 	req = wpabuf_head(reqData);
1039 	id = req->identifier;
1040 
1041 	if (flags & EAP_TLS_FLAGS_START) {
1042 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Start (server ver=%d, own "
1043 			   "ver=%d)", flags & EAP_TLS_VERSION_MASK,
1044 			data->peap_version);
1045 		if ((flags & EAP_TLS_VERSION_MASK) < data->peap_version)
1046 			data->peap_version = flags & EAP_TLS_VERSION_MASK;
1047 		if (data->force_peap_version >= 0 &&
1048 		    data->force_peap_version != data->peap_version) {
1049 			wpa_printf(MSG_WARNING, "EAP-PEAP: Failed to select "
1050 				   "forced PEAP version %d",
1051 				   data->force_peap_version);
1052 			ret->methodState = METHOD_DONE;
1053 			ret->decision = DECISION_FAIL;
1054 			ret->allowNotifications = false;
1055 			return NULL;
1056 		}
1057 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Using PEAP version %d",
1058 			   data->peap_version);
1059 		left = 0; /* make sure that this frame is empty, even though it
1060 			   * should always be, anyway */
1061 	}
1062 
1063 	wpabuf_set(&msg, pos, left);
1064 
1065 	resp = NULL;
1066 	if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1067 	    !data->resuming) {
1068 		res = eap_peap_decrypt(sm, data, ret, req, &msg, &resp);
1069 	} else {
1070 		if (sm->waiting_ext_cert_check && data->pending_resp) {
1071 			struct eap_peer_config *config = eap_get_config(sm);
1072 
1073 			if (config->pending_ext_cert_check ==
1074 			    EXT_CERT_CHECK_GOOD) {
1075 				wpa_printf(MSG_DEBUG,
1076 					   "EAP-PEAP: External certificate check succeeded - continue handshake");
1077 				resp = data->pending_resp;
1078 				data->pending_resp = NULL;
1079 				sm->waiting_ext_cert_check = 0;
1080 				return resp;
1081 			}
1082 
1083 			if (config->pending_ext_cert_check ==
1084 			    EXT_CERT_CHECK_BAD) {
1085 				wpa_printf(MSG_DEBUG,
1086 					   "EAP-PEAP: External certificate check failed - force authentication failure");
1087 				ret->methodState = METHOD_DONE;
1088 				ret->decision = DECISION_FAIL;
1089 				sm->waiting_ext_cert_check = 0;
1090 				return NULL;
1091 			}
1092 
1093 			wpa_printf(MSG_DEBUG,
1094 				   "EAP-PEAP: Continuing to wait external server certificate validation");
1095 			return NULL;
1096 		}
1097 
1098 		res = eap_peer_tls_process_helper(sm, &data->ssl,
1099 						  EAP_TYPE_PEAP,
1100 						  data->peap_version, id, &msg,
1101 						  &resp);
1102 
1103 		if (res < 0) {
1104 			wpa_printf(MSG_DEBUG,
1105 				   "EAP-PEAP: TLS processing failed");
1106 			ret->methodState = METHOD_DONE;
1107 			ret->decision = DECISION_FAIL;
1108 			return resp;
1109 		}
1110 
1111 
1112 		if (sm->waiting_ext_cert_check) {
1113 			wpa_printf(MSG_DEBUG,
1114 				   "EAP-PEAP: Waiting external server certificate validation");
1115 			wpabuf_clear_free(data->pending_resp);
1116 			data->pending_resp = resp;
1117 			return NULL;
1118 		}
1119 
1120 		if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
1121 			const char *label;
1122 			const u8 eap_tls13_context[1] = { EAP_TYPE_PEAP };
1123 			const u8 *context = NULL;
1124 			size_t context_len = 0;
1125 
1126 			wpa_printf(MSG_DEBUG,
1127 				   "EAP-PEAP: TLS done, proceed to Phase 2");
1128 			eap_peap_free_key(data);
1129 			/* draft-josefsson-ppext-eap-tls-eap-05.txt
1130 			 * specifies that PEAPv1 would use "client PEAP
1131 			 * encryption" as the label. However, most existing
1132 			 * PEAPv1 implementations seem to be using the old
1133 			 * label, "client EAP encryption", instead. Use the old
1134 			 * label by default, but allow it to be configured with
1135 			 * phase1 parameter peaplabel=1.
1136 			 *
1137 			 * When using TLS 1.3, draft-ietf-emu-tls-eap-types
1138 			 * defines a new set of label and context parameters.
1139 			 */
1140 			if (data->ssl.tls_v13) {
1141 				label = "EXPORTER_EAP_TLS_Key_Material";
1142 				context = eap_tls13_context;
1143 				context_len = sizeof(eap_tls13_context);
1144 			} else if (data->force_new_label) {
1145 				label = "client PEAP encryption";
1146 			} else {
1147 				label = "client EAP encryption";
1148 			}
1149 			wpa_printf(MSG_DEBUG, "EAP-PEAP: using label '%s' in "
1150 				   "key derivation", label);
1151 			data->key_data =
1152 				eap_peer_tls_derive_key(sm, &data->ssl, label,
1153 							context, context_len,
1154 							EAP_TLS_KEY_LEN +
1155 							EAP_EMSK_LEN);
1156 			if (data->key_data) {
1157 				wpa_hexdump_key(MSG_DEBUG,
1158 						"EAP-PEAP: Derived key",
1159 						data->key_data,
1160 						EAP_TLS_KEY_LEN);
1161 				wpa_hexdump_key(MSG_DEBUG,
1162 						"EAP-PEAP: Derived EMSK",
1163 						data->key_data +
1164 						EAP_TLS_KEY_LEN,
1165 						EAP_EMSK_LEN);
1166 			} else {
1167 				wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to "
1168 					   "derive key");
1169 			}
1170 
1171 			os_free(data->session_id);
1172 			data->session_id =
1173 				eap_peer_tls_derive_session_id(sm, &data->ssl,
1174 							       EAP_TYPE_PEAP,
1175 							       &data->id_len);
1176 			if (data->session_id) {
1177 				wpa_hexdump(MSG_DEBUG,
1178 					    "EAP-PEAP: Derived Session-Id",
1179 					    data->session_id, data->id_len);
1180 			} else {
1181 				wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to "
1182 					   "derive Session-Id");
1183 			}
1184 
1185 			if (sm->workaround && data->resuming) {
1186 				/*
1187 				 * At least few RADIUS servers (Aegis v1.1.6;
1188 				 * but not v1.1.4; and Cisco ACS) seem to be
1189 				 * terminating PEAPv1 (Aegis) or PEAPv0 (Cisco
1190 				 * ACS) session resumption with outer
1191 				 * EAP-Success. This does not seem to follow
1192 				 * draft-josefsson-pppext-eap-tls-eap-05.txt
1193 				 * section 4.2, so only allow this if EAP
1194 				 * workarounds are enabled.
1195 				 */
1196 				wpa_printf(MSG_DEBUG, "EAP-PEAP: Workaround - "
1197 					   "allow outer EAP-Success to "
1198 					   "terminate PEAP resumption");
1199 				ret->decision = DECISION_COND_SUCC;
1200 				data->phase2_success = 1;
1201 			}
1202 
1203 			data->resuming = 0;
1204 		}
1205 
1206 		if (res == 2) {
1207 			/*
1208 			 * Application data included in the handshake message.
1209 			 */
1210 			wpabuf_clear_free(data->pending_phase2_req);
1211 			data->pending_phase2_req = resp;
1212 			resp = NULL;
1213 			res = eap_peap_decrypt(sm, data, ret, req, &msg,
1214 					       &resp);
1215 		}
1216 	}
1217 
1218 	if (ret->methodState == METHOD_DONE) {
1219 		ret->allowNotifications = false;
1220 	}
1221 
1222 	if (res == 1) {
1223 		wpabuf_clear_free(resp);
1224 		return eap_peer_tls_build_ack(id, EAP_TYPE_PEAP,
1225 					      data->peap_version);
1226 	}
1227 
1228 	return resp;
1229 }
1230 
1231 
1232 static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
1233 {
1234 	struct eap_peap_data *data = priv;
1235 
1236 	return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1237 		data->phase2_success && data->phase2_auth != ALWAYS;
1238 }
1239 
1240 
1241 static void eap_peap_deinit_for_reauth(struct eap_sm *sm, void *priv)
1242 {
1243 	struct eap_peap_data *data = priv;
1244 
1245 	if (data->phase2_priv && data->phase2_method &&
1246 	    data->phase2_method->deinit_for_reauth)
1247 		data->phase2_method->deinit_for_reauth(sm, data->phase2_priv);
1248 	wpabuf_clear_free(data->pending_phase2_req);
1249 	data->pending_phase2_req = NULL;
1250 	wpabuf_clear_free(data->pending_resp);
1251 	data->pending_resp = NULL;
1252 	data->crypto_binding_used = 0;
1253 }
1254 
1255 
1256 static void * eap_peap_init_for_reauth(struct eap_sm *sm, void *priv)
1257 {
1258 	struct eap_peap_data *data = priv;
1259 	eap_peap_free_key(data);
1260 	os_free(data->session_id);
1261 	data->session_id = NULL;
1262 	if (eap_peer_tls_reauth_init(sm, &data->ssl)) {
1263 		os_free(data);
1264 		return NULL;
1265 	}
1266 	if (data->phase2_priv && data->phase2_method &&
1267 	    data->phase2_method->init_for_reauth)
1268 		data->phase2_method->init_for_reauth(sm, data->phase2_priv);
1269 	data->phase2_success = 0;
1270 	data->phase2_eap_success = 0;
1271 	data->phase2_eap_started = 0;
1272 	data->resuming = 1;
1273 	data->reauth = 1;
1274 	sm->peap_done = false;
1275 	return priv;
1276 }
1277 
1278 
1279 static int eap_peap_get_status(struct eap_sm *sm, void *priv, char *buf,
1280 			       size_t buflen, int verbose)
1281 {
1282 	struct eap_peap_data *data = priv;
1283 	int len, ret;
1284 
1285 	len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose);
1286 	if (data->phase2_method) {
1287 		ret = os_snprintf(buf + len, buflen - len,
1288 				  "EAP-PEAPv%d Phase2 method=%s\n",
1289 				  data->peap_version,
1290 				  data->phase2_method->name);
1291 		if (os_snprintf_error(buflen - len, ret))
1292 			return len;
1293 		len += ret;
1294 	}
1295 	return len;
1296 }
1297 
1298 
1299 static bool eap_peap_isKeyAvailable(struct eap_sm *sm, void *priv)
1300 {
1301 	struct eap_peap_data *data = priv;
1302 	return data->key_data != NULL && data->phase2_success;
1303 }
1304 
1305 
1306 static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len)
1307 {
1308 	struct eap_peap_data *data = priv;
1309 	u8 *key;
1310 
1311 	if (data->key_data == NULL || !data->phase2_success)
1312 		return NULL;
1313 
1314 	key = os_malloc(EAP_TLS_KEY_LEN);
1315 	if (key == NULL)
1316 		return NULL;
1317 
1318 	*len = EAP_TLS_KEY_LEN;
1319 
1320 	if (data->crypto_binding_used) {
1321 		u8 csk[128];
1322 		/*
1323 		 * Note: It looks like Microsoft implementation requires null
1324 		 * termination for this label while the one used for deriving
1325 		 * IPMK|CMK did not use null termination.
1326 		 */
1327 		if (peap_prfplus(data->peap_version, data->ipmk, 40,
1328 				 "Session Key Generating Function",
1329 				 (u8 *) "\00", 1, csk, sizeof(csk)) < 0) {
1330 			os_free(key);
1331 			return NULL;
1332 		}
1333 		wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk));
1334 		os_memcpy(key, csk, EAP_TLS_KEY_LEN);
1335 		wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",
1336 			    key, EAP_TLS_KEY_LEN);
1337 		forced_memzero(csk, sizeof(csk));
1338 	} else
1339 		os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN);
1340 
1341 	return key;
1342 }
1343 
1344 
1345 static u8 * eap_peap_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
1346 {
1347 	struct eap_peap_data *data = priv;
1348 	u8 *key;
1349 
1350 	if (!data->key_data || !data->phase2_success)
1351 		return NULL;
1352 
1353 	if (data->crypto_binding_used) {
1354 		/* [MS-PEAP] does not define EMSK derivation */
1355 		return NULL;
1356 	}
1357 
1358 	key = os_memdup(data->key_data + EAP_TLS_KEY_LEN, EAP_EMSK_LEN);
1359 	if (!key)
1360 		return NULL;
1361 
1362 	*len = EAP_EMSK_LEN;
1363 
1364 	return key;
1365 }
1366 
1367 
1368 static u8 * eap_peap_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
1369 {
1370 	struct eap_peap_data *data = priv;
1371 	u8 *id;
1372 
1373 	if (data->session_id == NULL || !data->phase2_success)
1374 		return NULL;
1375 
1376 	id = os_memdup(data->session_id, data->id_len);
1377 	if (id == NULL)
1378 		return NULL;
1379 
1380 	*len = data->id_len;
1381 
1382 	return id;
1383 }
1384 
1385 
1386 int eap_peer_peap_register(void)
1387 {
1388 	struct eap_method *eap;
1389 
1390 	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
1391 				    EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP");
1392 	if (eap == NULL)
1393 		return -1;
1394 
1395 	eap->init = eap_peap_init;
1396 	eap->deinit = eap_peap_deinit;
1397 	eap->process = eap_peap_process;
1398 	eap->isKeyAvailable = eap_peap_isKeyAvailable;
1399 	eap->getKey = eap_peap_getKey;
1400 	eap->get_emsk = eap_peap_get_emsk;
1401 	eap->get_status = eap_peap_get_status;
1402 	eap->has_reauth_data = eap_peap_has_reauth_data;
1403 	eap->deinit_for_reauth = eap_peap_deinit_for_reauth;
1404 	eap->init_for_reauth = eap_peap_init_for_reauth;
1405 	eap->getSessionId = eap_peap_get_session_id;
1406 
1407 	return eap_peer_method_register(eap);
1408 }
1409