xref: /freebsd/contrib/wpa/src/eap_peer/eap_ttls.c (revision 5956d97f4b3204318ceb6aa9c77bd0bc6ea87a41)
1 /*
2  * EAP peer method: EAP-TTLS (RFC 5281)
3  * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/ms_funcs.h"
13 #include "crypto/sha1.h"
14 #include "crypto/tls.h"
15 #include "eap_common/chap.h"
16 #include "eap_common/eap_ttls.h"
17 #include "mschapv2.h"
18 #include "eap_i.h"
19 #include "eap_tls_common.h"
20 #include "eap_config.h"
21 
22 
23 #define EAP_TTLS_VERSION 0
24 
25 
26 static void eap_ttls_deinit(struct eap_sm *sm, void *priv);
27 
28 
29 struct eap_ttls_data {
30 	struct eap_ssl_data ssl;
31 
32 	int ttls_version;
33 
34 	const struct eap_method *phase2_method;
35 	void *phase2_priv;
36 	int phase2_success;
37 	int phase2_start;
38 	EapDecision decision_succ;
39 
40 	enum phase2_types {
41 		EAP_TTLS_PHASE2_EAP,
42 		EAP_TTLS_PHASE2_MSCHAPV2,
43 		EAP_TTLS_PHASE2_MSCHAP,
44 		EAP_TTLS_PHASE2_PAP,
45 		EAP_TTLS_PHASE2_CHAP
46 	} phase2_type;
47 	struct eap_method_type phase2_eap_type;
48 	struct eap_method_type *phase2_eap_types;
49 	size_t num_phase2_eap_types;
50 
51 	u8 auth_response[MSCHAPV2_AUTH_RESPONSE_LEN];
52 	int auth_response_valid;
53 	u8 master_key[MSCHAPV2_MASTER_KEY_LEN]; /* MSCHAPv2 master key */
54 	u8 ident;
55 	int resuming; /* starting a resumed session */
56 	int reauth; /* reauthentication */
57 	u8 *key_data;
58 	u8 *session_id;
59 	size_t id_len;
60 
61 	struct wpabuf *pending_phase2_req;
62 	struct wpabuf *pending_resp;
63 
64 #ifdef EAP_TNC
65 	int ready_for_tnc;
66 	int tnc_started;
67 #endif /* EAP_TNC */
68 };
69 
70 
71 static void * eap_ttls_init(struct eap_sm *sm)
72 {
73 	struct eap_ttls_data *data;
74 	struct eap_peer_config *config = eap_get_config(sm);
75 	int selected_non_eap;
76 	char *selected;
77 
78 	data = os_zalloc(sizeof(*data));
79 	if (data == NULL)
80 		return NULL;
81 	data->ttls_version = EAP_TTLS_VERSION;
82 	selected = "EAP";
83 	selected_non_eap = 0;
84 	data->phase2_type = EAP_TTLS_PHASE2_EAP;
85 
86 	/*
87 	 * Either one auth= type or one or more autheap= methods can be
88 	 * specified.
89 	 */
90 	if (config && config->phase2) {
91 		const char *token, *last = NULL;
92 
93 		while ((token = cstr_token(config->phase2, " \t", &last))) {
94 			if (os_strncmp(token, "auth=", 5) != 0)
95 				continue;
96 			token += 5;
97 
98 			if (last - token == 8 &&
99 			    os_strncmp(token, "MSCHAPV2", 8) == 0) {
100 				selected = "MSCHAPV2";
101 				data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2;
102 			} else if (last - token == 6 &&
103 				   os_strncmp(token, "MSCHAP", 6) == 0) {
104 				selected = "MSCHAP";
105 				data->phase2_type = EAP_TTLS_PHASE2_MSCHAP;
106 			} else if (last - token == 3 &&
107 				   os_strncmp(token, "PAP", 3) == 0) {
108 				selected = "PAP";
109 				data->phase2_type = EAP_TTLS_PHASE2_PAP;
110 			} else if (last - token == 4 &&
111 				   os_strncmp(token, "CHAP", 4) == 0) {
112 				selected = "CHAP";
113 				data->phase2_type = EAP_TTLS_PHASE2_CHAP;
114 			} else {
115 				wpa_printf(MSG_ERROR,
116 					   "EAP-TTLS: Unsupported Phase2 type '%s'",
117 					   token);
118 				eap_ttls_deinit(sm, data);
119 				return NULL;
120 			}
121 
122 			if (selected_non_eap) {
123 				wpa_printf(MSG_ERROR,
124 					   "EAP-TTLS: Only one Phase2 type can be specified");
125 				eap_ttls_deinit(sm, data);
126 				return NULL;
127 			}
128 
129 			selected_non_eap = 1;
130 		}
131 
132 		if (os_strstr(config->phase2, "autheap=")) {
133 			if (selected_non_eap) {
134 				wpa_printf(MSG_ERROR,
135 					   "EAP-TTLS: Both auth= and autheap= params cannot be specified");
136 				eap_ttls_deinit(sm, data);
137 				return NULL;
138 			}
139 			selected = "EAP";
140 			data->phase2_type = EAP_TTLS_PHASE2_EAP;
141 		}
142 	}
143 
144 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected);
145 
146 	if (data->phase2_type == EAP_TTLS_PHASE2_EAP) {
147 		if (eap_peer_select_phase2_methods(config, "autheap=",
148 						   &data->phase2_eap_types,
149 						   &data->num_phase2_eap_types,
150 						   0) < 0) {
151 			eap_ttls_deinit(sm, data);
152 			return NULL;
153 		}
154 
155 		data->phase2_eap_type.vendor = EAP_VENDOR_IETF;
156 		data->phase2_eap_type.method = EAP_TYPE_NONE;
157 	}
158 
159 	if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TTLS)) {
160 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
161 		eap_ttls_deinit(sm, data);
162 		return NULL;
163 	}
164 
165 	return data;
166 }
167 
168 
169 static void eap_ttls_phase2_eap_deinit(struct eap_sm *sm,
170 				       struct eap_ttls_data *data)
171 {
172 	if (data->phase2_priv && data->phase2_method) {
173 		data->phase2_method->deinit(sm, data->phase2_priv);
174 		data->phase2_method = NULL;
175 		data->phase2_priv = NULL;
176 	}
177 }
178 
179 
180 static void eap_ttls_free_key(struct eap_ttls_data *data)
181 {
182 	if (data->key_data) {
183 		bin_clear_free(data->key_data, EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
184 		data->key_data = NULL;
185 	}
186 }
187 
188 
189 static void eap_ttls_deinit(struct eap_sm *sm, void *priv)
190 {
191 	struct eap_ttls_data *data = priv;
192 	if (data == NULL)
193 		return;
194 	eap_ttls_phase2_eap_deinit(sm, data);
195 	os_free(data->phase2_eap_types);
196 	eap_peer_tls_ssl_deinit(sm, &data->ssl);
197 	eap_ttls_free_key(data);
198 	os_free(data->session_id);
199 	wpabuf_clear_free(data->pending_phase2_req);
200 	wpabuf_clear_free(data->pending_resp);
201 	os_free(data);
202 }
203 
204 
205 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
206 			     int mandatory, size_t len)
207 {
208 	struct ttls_avp_vendor *avp;
209 	u8 flags;
210 	size_t hdrlen;
211 
212 	avp = (struct ttls_avp_vendor *) avphdr;
213 	flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
214 	if (vendor_id) {
215 		flags |= AVP_FLAGS_VENDOR;
216 		hdrlen = sizeof(*avp);
217 		avp->vendor_id = host_to_be32(vendor_id);
218 	} else {
219 		hdrlen = sizeof(struct ttls_avp);
220 	}
221 
222 	avp->avp_code = host_to_be32(avp_code);
223 	avp->avp_length = host_to_be32(((u32) flags << 24) |
224 				       (u32) (hdrlen + len));
225 
226 	return avphdr + hdrlen;
227 }
228 
229 
230 static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code,
231 			     u32 vendor_id, int mandatory,
232 			     const u8 *data, size_t len)
233 {
234 	u8 *pos;
235 	pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len);
236 	os_memcpy(pos, data, len);
237 	pos += len;
238 	AVP_PAD(start, pos);
239 	return pos;
240 }
241 
242 
243 static int eap_ttls_avp_encapsulate(struct wpabuf **resp, u32 avp_code,
244 				    int mandatory)
245 {
246 	struct wpabuf *msg;
247 	u8 *avp, *pos;
248 
249 	msg = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(*resp) + 4);
250 	if (msg == NULL) {
251 		wpabuf_clear_free(*resp);
252 		*resp = NULL;
253 		return -1;
254 	}
255 
256 	avp = wpabuf_mhead(msg);
257 	pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, wpabuf_len(*resp));
258 	os_memcpy(pos, wpabuf_head(*resp), wpabuf_len(*resp));
259 	pos += wpabuf_len(*resp);
260 	AVP_PAD(avp, pos);
261 	wpabuf_clear_free(*resp);
262 	wpabuf_put(msg, pos - avp);
263 	*resp = msg;
264 	return 0;
265 }
266 
267 
268 static int eap_ttls_v0_derive_key(struct eap_sm *sm,
269 				  struct eap_ttls_data *data)
270 {
271 	const char *label;
272 	const u8 eap_tls13_context[1] = { EAP_TYPE_TTLS };
273 	const u8 *context = NULL;
274 	size_t context_len = 0;
275 
276 	if (data->ssl.tls_v13) {
277 		label = "EXPORTER_EAP_TLS_Key_Material";
278 		context = eap_tls13_context;
279 		context_len = sizeof(eap_tls13_context);
280 	} else {
281 		label = "ttls keying material";
282 	}
283 
284 	eap_ttls_free_key(data);
285 	data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, label,
286 						 context, context_len,
287 						 EAP_TLS_KEY_LEN +
288 						 EAP_EMSK_LEN);
289 	if (!data->key_data) {
290 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to derive key");
291 		return -1;
292 	}
293 
294 	wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
295 			data->key_data, EAP_TLS_KEY_LEN);
296 	wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived EMSK",
297 			data->key_data + EAP_TLS_KEY_LEN,
298 			EAP_EMSK_LEN);
299 
300 	os_free(data->session_id);
301 	data->session_id = eap_peer_tls_derive_session_id(sm, &data->ssl,
302 							  EAP_TYPE_TTLS,
303 	                                                  &data->id_len);
304 	if (data->session_id) {
305 		wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Derived Session-Id",
306 			    data->session_id, data->id_len);
307 	} else {
308 		wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to derive Session-Id");
309 	}
310 
311 	return 0;
312 }
313 
314 
315 #ifndef CONFIG_FIPS
316 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
317 					struct eap_ttls_data *data, size_t len)
318 {
319 	return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge",
320 				       NULL, 0, len);
321 }
322 #endif /* CONFIG_FIPS */
323 
324 
325 static void eap_ttls_phase2_select_eap_method(struct eap_ttls_data *data,
326 					      int vendor, enum eap_type method)
327 {
328 	size_t i;
329 	for (i = 0; i < data->num_phase2_eap_types; i++) {
330 		if (data->phase2_eap_types[i].vendor != vendor ||
331 		    data->phase2_eap_types[i].method != method)
332 			continue;
333 
334 		data->phase2_eap_type.vendor =
335 			data->phase2_eap_types[i].vendor;
336 		data->phase2_eap_type.method =
337 			data->phase2_eap_types[i].method;
338 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected "
339 			   "Phase 2 EAP vendor %d method %d",
340 			   data->phase2_eap_type.vendor,
341 			   data->phase2_eap_type.method);
342 		break;
343 	}
344 }
345 
346 
347 static int eap_ttls_phase2_eap_process(struct eap_sm *sm,
348 				       struct eap_ttls_data *data,
349 				       struct eap_method_ret *ret,
350 				       struct eap_hdr *hdr, size_t len,
351 				       struct wpabuf **resp)
352 {
353 	struct wpabuf msg;
354 	struct eap_method_ret iret;
355 
356 	os_memset(&iret, 0, sizeof(iret));
357 	wpabuf_set(&msg, hdr, len);
358 	*resp = data->phase2_method->process(sm, data->phase2_priv, &iret,
359 					     &msg);
360 	if ((iret.methodState == METHOD_DONE ||
361 	     iret.methodState == METHOD_MAY_CONT) &&
362 	    (iret.decision == DECISION_UNCOND_SUCC ||
363 	     iret.decision == DECISION_COND_SUCC ||
364 	     iret.decision == DECISION_FAIL)) {
365 		ret->methodState = iret.methodState;
366 		ret->decision = iret.decision;
367 	}
368 
369 	return 0;
370 }
371 
372 
373 static int eap_ttls_phase2_request_eap_method(struct eap_sm *sm,
374 					      struct eap_ttls_data *data,
375 					      struct eap_method_ret *ret,
376 					      struct eap_hdr *hdr, size_t len,
377 					      int vendor, enum eap_type method,
378 					      struct wpabuf **resp)
379 {
380 #ifdef EAP_TNC
381 	if (data->tnc_started && data->phase2_method &&
382 	    data->phase2_priv &&
383 	    vendor == EAP_VENDOR_IETF && method == EAP_TYPE_TNC &&
384 	    data->phase2_eap_type.method == EAP_TYPE_TNC)
385 		return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len,
386 						   resp);
387 
388 	if (data->ready_for_tnc && !data->tnc_started &&
389 	    vendor == EAP_VENDOR_IETF && method == EAP_TYPE_TNC) {
390 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed "
391 			   "EAP method");
392 		data->tnc_started = 1;
393 	}
394 
395 	if (data->tnc_started) {
396 		if (data->phase2_eap_type.vendor != EAP_VENDOR_IETF ||
397 		    data->phase2_eap_type.method == EAP_TYPE_TNC) {
398 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected EAP "
399 				   "type %d for TNC", method);
400 			return -1;
401 		}
402 
403 		data->phase2_eap_type.vendor = vendor;
404 		data->phase2_eap_type.method = method;
405 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected "
406 			   "Phase 2 EAP vendor %d method %d (TNC)",
407 			   data->phase2_eap_type.vendor,
408 			   data->phase2_eap_type.method);
409 
410 		if (data->phase2_type == EAP_TTLS_PHASE2_EAP)
411 			eap_ttls_phase2_eap_deinit(sm, data);
412 	}
413 #endif /* EAP_TNC */
414 
415 	if (data->phase2_eap_type.vendor == EAP_VENDOR_IETF &&
416 	    data->phase2_eap_type.method == EAP_TYPE_NONE)
417 		eap_ttls_phase2_select_eap_method(data, vendor, method);
418 
419 	if (vendor != data->phase2_eap_type.vendor ||
420 	    method != data->phase2_eap_type.method ||
421 	    (vendor == EAP_VENDOR_IETF && method == EAP_TYPE_NONE)) {
422 		if (eap_peer_tls_phase2_nak(data->phase2_eap_types,
423 					    data->num_phase2_eap_types,
424 					    hdr, resp))
425 			return -1;
426 		return 0;
427 	}
428 
429 	if (data->phase2_priv == NULL) {
430 		data->phase2_method = eap_peer_get_eap_method(vendor, method);
431 		if (data->phase2_method) {
432 			sm->init_phase2 = 1;
433 			data->phase2_priv = data->phase2_method->init(sm);
434 			sm->init_phase2 = 0;
435 		}
436 	}
437 	if (data->phase2_priv == NULL || data->phase2_method == NULL) {
438 		wpa_printf(MSG_INFO,
439 			   "EAP-TTLS: failed to initialize Phase 2 EAP method %u:%u",
440 			   vendor, method);
441 		return -1;
442 	}
443 
444 	return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, resp);
445 }
446 
447 
448 static int eap_ttls_phase2_request_eap(struct eap_sm *sm,
449 				       struct eap_ttls_data *data,
450 				       struct eap_method_ret *ret,
451 				       struct eap_hdr *hdr,
452 				       struct wpabuf **resp)
453 {
454 	size_t len = be_to_host16(hdr->length);
455 	u8 *pos;
456 	struct eap_peer_config *config = eap_get_config(sm);
457 
458 	if (len <= sizeof(struct eap_hdr)) {
459 		wpa_printf(MSG_INFO, "EAP-TTLS: too short "
460 			   "Phase 2 request (len=%lu)", (unsigned long) len);
461 		return -1;
462 	}
463 	pos = (u8 *) (hdr + 1);
464 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos);
465 	switch (*pos) {
466 	case EAP_TYPE_IDENTITY:
467 		*resp = eap_sm_buildIdentity(sm, hdr->identifier, 1);
468 		break;
469 	case EAP_TYPE_EXPANDED:
470 		if (len < sizeof(struct eap_hdr) + 8) {
471 			wpa_printf(MSG_INFO,
472 				   "EAP-TTLS: Too short Phase 2 request (expanded header) (len=%lu)",
473 				   (unsigned long) len);
474 			return -1;
475 		}
476 		if (eap_ttls_phase2_request_eap_method(sm, data, ret, hdr, len,
477 						       WPA_GET_BE24(pos + 1),
478 						       WPA_GET_BE32(pos + 4),
479 						       resp) < 0)
480 			return -1;
481 		break;
482 	default:
483 		if (eap_ttls_phase2_request_eap_method(sm, data, ret, hdr, len,
484 						       EAP_VENDOR_IETF, *pos,
485 						       resp) < 0)
486 			return -1;
487 		break;
488 	}
489 
490 	if (*resp == NULL &&
491 	    (config->pending_req_identity || config->pending_req_password ||
492 	     config->pending_req_otp || config->pending_req_sim)) {
493 		return 0;
494 	}
495 
496 	if (*resp == NULL)
497 		return -1;
498 
499 	wpa_hexdump_buf(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response",
500 			*resp);
501 	return eap_ttls_avp_encapsulate(resp, RADIUS_ATTR_EAP_MESSAGE, 1);
502 }
503 
504 
505 static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
506 					    struct eap_ttls_data *data,
507 					    struct eap_method_ret *ret,
508 					    struct wpabuf **resp)
509 {
510 #ifdef CONFIG_FIPS
511 	wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPV2 not supported in FIPS build");
512 	return -1;
513 #else /* CONFIG_FIPS */
514 #ifdef EAP_MSCHAPv2
515 	struct wpabuf *msg;
516 	u8 *buf, *pos, *challenge, *peer_challenge;
517 	const u8 *identity, *password;
518 	size_t identity_len, password_len;
519 	int pwhash;
520 
521 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request");
522 
523 	identity = eap_get_config_identity(sm, &identity_len);
524 	password = eap_get_config_password2(sm, &password_len, &pwhash);
525 	if (identity == NULL || password == NULL)
526 		return -1;
527 
528 	msg = wpabuf_alloc(identity_len + 1000);
529 	if (msg == NULL) {
530 		wpa_printf(MSG_ERROR,
531 			   "EAP-TTLS/MSCHAPV2: Failed to allocate memory");
532 		return -1;
533 	}
534 	pos = buf = wpabuf_mhead(msg);
535 
536 	/* User-Name */
537 	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
538 			       identity, identity_len);
539 
540 	/* MS-CHAP-Challenge */
541 	challenge = eap_ttls_implicit_challenge(
542 		sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
543 	if (challenge == NULL) {
544 		wpabuf_clear_free(msg);
545 		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
546 			   "implicit challenge");
547 		return -1;
548 	}
549 
550 	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
551 			       RADIUS_VENDOR_ID_MICROSOFT, 1,
552 			       challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
553 
554 	/* MS-CHAP2-Response */
555 	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE,
556 			       RADIUS_VENDOR_ID_MICROSOFT, 1,
557 			       EAP_TTLS_MSCHAPV2_RESPONSE_LEN);
558 	data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN];
559 	*pos++ = data->ident;
560 	*pos++ = 0; /* Flags */
561 	if (os_get_random(pos, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) < 0) {
562 		os_free(challenge);
563 		wpabuf_clear_free(msg);
564 		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to get "
565 			   "random data for peer challenge");
566 		return -1;
567 	}
568 	peer_challenge = pos;
569 	pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
570 	os_memset(pos, 0, 8); /* Reserved, must be zero */
571 	pos += 8;
572 	if (mschapv2_derive_response(identity, identity_len, password,
573 				     password_len, pwhash, challenge,
574 				     peer_challenge, pos, data->auth_response,
575 				     data->master_key)) {
576 		os_free(challenge);
577 		wpabuf_clear_free(msg);
578 		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
579 			   "response");
580 		return -1;
581 	}
582 	data->auth_response_valid = 1;
583 
584 	pos += 24;
585 	os_free(challenge);
586 	AVP_PAD(buf, pos);
587 
588 	wpabuf_put(msg, pos - buf);
589 	*resp = msg;
590 
591 	return 0;
592 #else /* EAP_MSCHAPv2 */
593 	wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
594 	return -1;
595 #endif /* EAP_MSCHAPv2 */
596 #endif /* CONFIG_FIPS */
597 }
598 
599 
600 static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
601 					  struct eap_ttls_data *data,
602 					  struct eap_method_ret *ret,
603 					  struct wpabuf **resp)
604 {
605 #ifdef CONFIG_FIPS
606 	wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAP not supported in FIPS build");
607 	return -1;
608 #else /* CONFIG_FIPS */
609 	struct wpabuf *msg;
610 	u8 *buf, *pos, *challenge;
611 	const u8 *identity, *password;
612 	size_t identity_len, password_len;
613 	int pwhash;
614 
615 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request");
616 
617 	identity = eap_get_config_identity(sm, &identity_len);
618 	password = eap_get_config_password2(sm, &password_len, &pwhash);
619 	if (identity == NULL || password == NULL)
620 		return -1;
621 
622 	msg = wpabuf_alloc(identity_len + 1000);
623 	if (msg == NULL) {
624 		wpa_printf(MSG_ERROR,
625 			   "EAP-TTLS/MSCHAP: Failed to allocate memory");
626 		return -1;
627 	}
628 	pos = buf = wpabuf_mhead(msg);
629 
630 	/* User-Name */
631 	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
632 			       identity, identity_len);
633 
634 	/* MS-CHAP-Challenge */
635 	challenge = eap_ttls_implicit_challenge(
636 		sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
637 	if (challenge == NULL) {
638 		wpabuf_clear_free(msg);
639 		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive "
640 			   "implicit challenge");
641 		return -1;
642 	}
643 
644 	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
645 			       RADIUS_VENDOR_ID_MICROSOFT, 1,
646 			       challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
647 
648 	/* MS-CHAP-Response */
649 	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE,
650 			       RADIUS_VENDOR_ID_MICROSOFT, 1,
651 			       EAP_TTLS_MSCHAP_RESPONSE_LEN);
652 	data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN];
653 	*pos++ = data->ident;
654 	*pos++ = 1; /* Flags: Use NT style passwords */
655 	os_memset(pos, 0, 24); /* LM-Response */
656 	pos += 24;
657 	if (pwhash) {
658 		/* NT-Response */
659 		if (challenge_response(challenge, password, pos)) {
660 			wpa_printf(MSG_ERROR,
661 				   "EAP-TTLS/MSCHAP: Failed derive password hash");
662 			wpabuf_clear_free(msg);
663 			os_free(challenge);
664 			return -1;
665 		}
666 
667 		wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password hash",
668 				password, 16);
669 	} else {
670 		/* NT-Response */
671 		if (nt_challenge_response(challenge, password, password_len,
672 					  pos)) {
673 			wpa_printf(MSG_ERROR,
674 				   "EAP-TTLS/MSCHAP: Failed derive password");
675 			wpabuf_clear_free(msg);
676 			os_free(challenge);
677 			return -1;
678 		}
679 
680 		wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password",
681 				      password, password_len);
682 	}
683 	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge",
684 		    challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
685 	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24);
686 	pos += 24;
687 	os_free(challenge);
688 	AVP_PAD(buf, pos);
689 
690 	wpabuf_put(msg, pos - buf);
691 	*resp = msg;
692 
693 	/* EAP-TTLS/MSCHAP does not provide tunneled success
694 	 * notification, so assume that Phase2 succeeds. */
695 	ret->methodState = METHOD_DONE;
696 	ret->decision = DECISION_COND_SUCC;
697 
698 	return 0;
699 #endif /* CONFIG_FIPS */
700 }
701 
702 
703 static int eap_ttls_phase2_request_pap(struct eap_sm *sm,
704 				       struct eap_ttls_data *data,
705 				       struct eap_method_ret *ret,
706 				       struct wpabuf **resp)
707 {
708 	struct wpabuf *msg;
709 	u8 *buf, *pos;
710 	size_t pad;
711 	const u8 *identity, *password;
712 	size_t identity_len, password_len;
713 
714 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request");
715 
716 	identity = eap_get_config_identity(sm, &identity_len);
717 	password = eap_get_config_password(sm, &password_len);
718 	if (identity == NULL || password == NULL)
719 		return -1;
720 
721 	msg = wpabuf_alloc(identity_len + password_len + 100);
722 	if (msg == NULL) {
723 		wpa_printf(MSG_ERROR,
724 			   "EAP-TTLS/PAP: Failed to allocate memory");
725 		return -1;
726 	}
727 	pos = buf = wpabuf_mhead(msg);
728 
729 	/* User-Name */
730 	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
731 			       identity, identity_len);
732 
733 	/* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts
734 	 * the data, so no separate encryption is used in the AVP itself.
735 	 * However, the password is padded to obfuscate its length. */
736 	pad = password_len == 0 ? 16 : (16 - (password_len & 15)) & 15;
737 	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1,
738 			       password_len + pad);
739 	os_memcpy(pos, password, password_len);
740 	pos += password_len;
741 	os_memset(pos, 0, pad);
742 	pos += pad;
743 	AVP_PAD(buf, pos);
744 
745 	wpabuf_put(msg, pos - buf);
746 	*resp = msg;
747 
748 	/* EAP-TTLS/PAP does not provide tunneled success notification,
749 	 * so assume that Phase2 succeeds. */
750 	ret->methodState = METHOD_DONE;
751 	ret->decision = DECISION_COND_SUCC;
752 
753 	return 0;
754 }
755 
756 
757 static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
758 					struct eap_ttls_data *data,
759 					struct eap_method_ret *ret,
760 					struct wpabuf **resp)
761 {
762 #ifdef CONFIG_FIPS
763 	wpa_printf(MSG_ERROR, "EAP-TTLS: CHAP not supported in FIPS build");
764 	return -1;
765 #else /* CONFIG_FIPS */
766 	struct wpabuf *msg;
767 	u8 *buf, *pos, *challenge;
768 	const u8 *identity, *password;
769 	size_t identity_len, password_len;
770 
771 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request");
772 
773 	identity = eap_get_config_identity(sm, &identity_len);
774 	password = eap_get_config_password(sm, &password_len);
775 	if (identity == NULL || password == NULL)
776 		return -1;
777 
778 	msg = wpabuf_alloc(identity_len + 1000);
779 	if (msg == NULL) {
780 		wpa_printf(MSG_ERROR,
781 			   "EAP-TTLS/CHAP: Failed to allocate memory");
782 		return -1;
783 	}
784 	pos = buf = wpabuf_mhead(msg);
785 
786 	/* User-Name */
787 	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
788 			       identity, identity_len);
789 
790 	/* CHAP-Challenge */
791 	challenge = eap_ttls_implicit_challenge(
792 		sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
793 	if (challenge == NULL) {
794 		wpabuf_clear_free(msg);
795 		wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive "
796 			   "implicit challenge");
797 		return -1;
798 	}
799 
800 	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1,
801 			       challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
802 
803 	/* CHAP-Password */
804 	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1,
805 			       1 + EAP_TTLS_CHAP_PASSWORD_LEN);
806 	data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN];
807 	*pos++ = data->ident;
808 
809 	/* MD5(Ident + Password + Challenge) */
810 	chap_md5(data->ident, password, password_len, challenge,
811 		 EAP_TTLS_CHAP_CHALLENGE_LEN, pos);
812 
813 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username",
814 			  identity, identity_len);
815 	wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password",
816 			      password, password_len);
817 	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge",
818 		    challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
819 	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password",
820 		    pos, EAP_TTLS_CHAP_PASSWORD_LEN);
821 	pos += EAP_TTLS_CHAP_PASSWORD_LEN;
822 	os_free(challenge);
823 	AVP_PAD(buf, pos);
824 
825 	wpabuf_put(msg, pos - buf);
826 	*resp = msg;
827 
828 	/* EAP-TTLS/CHAP does not provide tunneled success
829 	 * notification, so assume that Phase2 succeeds. */
830 	ret->methodState = METHOD_DONE;
831 	ret->decision = DECISION_COND_SUCC;
832 
833 	return 0;
834 #endif /* CONFIG_FIPS */
835 }
836 
837 
838 static int eap_ttls_phase2_request(struct eap_sm *sm,
839 				   struct eap_ttls_data *data,
840 				   struct eap_method_ret *ret,
841 				   struct eap_hdr *hdr,
842 				   struct wpabuf **resp)
843 {
844 	int res = 0;
845 	size_t len;
846 	enum phase2_types phase2_type = data->phase2_type;
847 
848 #ifdef EAP_TNC
849 	if (data->tnc_started) {
850 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Processing TNC");
851 		phase2_type = EAP_TTLS_PHASE2_EAP;
852 	}
853 #endif /* EAP_TNC */
854 
855 	if (phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 ||
856 	    phase2_type == EAP_TTLS_PHASE2_MSCHAP ||
857 	    phase2_type == EAP_TTLS_PHASE2_PAP ||
858 	    phase2_type == EAP_TTLS_PHASE2_CHAP) {
859 		if (eap_get_config_identity(sm, &len) == NULL) {
860 			wpa_printf(MSG_INFO,
861 				   "EAP-TTLS: Identity not configured");
862 			eap_sm_request_identity(sm);
863 			if (eap_get_config_password(sm, &len) == NULL)
864 				eap_sm_request_password(sm);
865 			return 0;
866 		}
867 
868 		if (eap_get_config_password(sm, &len) == NULL) {
869 			wpa_printf(MSG_INFO,
870 				   "EAP-TTLS: Password not configured");
871 			eap_sm_request_password(sm);
872 			return 0;
873 		}
874 	}
875 
876 	switch (phase2_type) {
877 	case EAP_TTLS_PHASE2_EAP:
878 		res = eap_ttls_phase2_request_eap(sm, data, ret, hdr, resp);
879 		break;
880 	case EAP_TTLS_PHASE2_MSCHAPV2:
881 		res = eap_ttls_phase2_request_mschapv2(sm, data, ret, resp);
882 		break;
883 	case EAP_TTLS_PHASE2_MSCHAP:
884 		res = eap_ttls_phase2_request_mschap(sm, data, ret, resp);
885 		break;
886 	case EAP_TTLS_PHASE2_PAP:
887 		res = eap_ttls_phase2_request_pap(sm, data, ret, resp);
888 		break;
889 	case EAP_TTLS_PHASE2_CHAP:
890 		res = eap_ttls_phase2_request_chap(sm, data, ret, resp);
891 		break;
892 	default:
893 		wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown");
894 		res = -1;
895 		break;
896 	}
897 
898 	if (res < 0) {
899 		ret->methodState = METHOD_DONE;
900 		ret->decision = DECISION_FAIL;
901 	}
902 
903 	return res;
904 }
905 
906 
907 struct ttls_parse_avp {
908 	u8 *mschapv2;
909 	u8 *eapdata;
910 	size_t eap_len;
911 	int mschapv2_error;
912 };
913 
914 
915 static int eap_ttls_parse_attr_eap(const u8 *dpos, size_t dlen,
916 				   struct ttls_parse_avp *parse)
917 {
918 	wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
919 	if (parse->eapdata == NULL) {
920 		parse->eapdata = os_memdup(dpos, dlen);
921 		if (parse->eapdata == NULL) {
922 			wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate "
923 				   "memory for Phase 2 EAP data");
924 			return -1;
925 		}
926 		parse->eap_len = dlen;
927 	} else {
928 		u8 *neweap = os_realloc(parse->eapdata, parse->eap_len + dlen);
929 		if (neweap == NULL) {
930 			wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate "
931 				   "memory for Phase 2 EAP data");
932 			return -1;
933 		}
934 		os_memcpy(neweap + parse->eap_len, dpos, dlen);
935 		parse->eapdata = neweap;
936 		parse->eap_len += dlen;
937 	}
938 
939 	return 0;
940 }
941 
942 
943 static int eap_ttls_parse_avp(u8 *pos, size_t left,
944 			      struct ttls_parse_avp *parse)
945 {
946 	struct ttls_avp *avp;
947 	u32 avp_code, avp_length, vendor_id = 0;
948 	u8 avp_flags, *dpos;
949 	size_t dlen;
950 
951 	avp = (struct ttls_avp *) pos;
952 	avp_code = be_to_host32(avp->avp_code);
953 	avp_length = be_to_host32(avp->avp_length);
954 	avp_flags = (avp_length >> 24) & 0xff;
955 	avp_length &= 0xffffff;
956 	wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
957 		   "length=%d", (int) avp_code, avp_flags,
958 		   (int) avp_length);
959 
960 	if (avp_length > left) {
961 		wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
962 			   "(len=%d, left=%lu) - dropped",
963 			   (int) avp_length, (unsigned long) left);
964 		return -1;
965 	}
966 
967 	if (avp_length < sizeof(*avp)) {
968 		wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length %d",
969 			   avp_length);
970 		return -1;
971 	}
972 
973 	dpos = (u8 *) (avp + 1);
974 	dlen = avp_length - sizeof(*avp);
975 	if (avp_flags & AVP_FLAGS_VENDOR) {
976 		if (dlen < 4) {
977 			wpa_printf(MSG_WARNING, "EAP-TTLS: Vendor AVP "
978 				   "underflow");
979 			return -1;
980 		}
981 		vendor_id = WPA_GET_BE32(dpos);
982 		wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
983 			   (int) vendor_id);
984 		dpos += 4;
985 		dlen -= 4;
986 	}
987 
988 	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
989 
990 	if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
991 		if (eap_ttls_parse_attr_eap(dpos, dlen, parse) < 0)
992 			return -1;
993 	} else if (vendor_id == 0 && avp_code == RADIUS_ATTR_REPLY_MESSAGE) {
994 		/* This is an optional message that can be displayed to
995 		 * the user. */
996 		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: AVP - Reply-Message",
997 				  dpos, dlen);
998 	} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
999 		   avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) {
1000 		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP2-Success",
1001 				  dpos, dlen);
1002 		if (dlen != 43) {
1003 			wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected "
1004 				   "MS-CHAP2-Success length "
1005 				   "(len=%lu, expected 43)",
1006 				   (unsigned long) dlen);
1007 			return -1;
1008 		}
1009 		parse->mschapv2 = dpos;
1010 	} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
1011 		   avp_code == RADIUS_ATTR_MS_CHAP_ERROR) {
1012 		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP-Error",
1013 				  dpos, dlen);
1014 		parse->mschapv2_error = 1;
1015 	} else if (avp_flags & AVP_FLAGS_MANDATORY) {
1016 		wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported mandatory AVP "
1017 			   "code %d vendor_id %d - dropped",
1018 			   (int) avp_code, (int) vendor_id);
1019 		return -1;
1020 	} else {
1021 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported AVP "
1022 			   "code %d vendor_id %d",
1023 			   (int) avp_code, (int) vendor_id);
1024 	}
1025 
1026 	return avp_length;
1027 }
1028 
1029 
1030 static int eap_ttls_parse_avps(struct wpabuf *in_decrypted,
1031 			       struct ttls_parse_avp *parse)
1032 {
1033 	u8 *pos;
1034 	size_t left, pad;
1035 	int avp_length;
1036 
1037 	pos = wpabuf_mhead(in_decrypted);
1038 	left = wpabuf_len(in_decrypted);
1039 	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs", pos, left);
1040 	if (left < sizeof(struct ttls_avp)) {
1041 		wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame"
1042 			   " len=%lu expected %lu or more - dropped",
1043 			   (unsigned long) left,
1044 			   (unsigned long) sizeof(struct ttls_avp));
1045 		return -1;
1046 	}
1047 
1048 	/* Parse AVPs */
1049 	os_memset(parse, 0, sizeof(*parse));
1050 
1051 	while (left > 0) {
1052 		avp_length = eap_ttls_parse_avp(pos, left, parse);
1053 		if (avp_length < 0)
1054 			return -1;
1055 
1056 		pad = (4 - (avp_length & 3)) & 3;
1057 		pos += avp_length + pad;
1058 		if (left < avp_length + pad)
1059 			left = 0;
1060 		else
1061 			left -= avp_length + pad;
1062 	}
1063 
1064 	return 0;
1065 }
1066 
1067 
1068 static u8 * eap_ttls_fake_identity_request(void)
1069 {
1070 	struct eap_hdr *hdr;
1071 	u8 *buf;
1072 
1073 	wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of "
1074 		   "Phase 2 - use fake EAP-Request Identity");
1075 	buf = os_malloc(sizeof(*hdr) + 1);
1076 	if (buf == NULL) {
1077 		wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate "
1078 			   "memory for fake EAP-Identity Request");
1079 		return NULL;
1080 	}
1081 
1082 	hdr = (struct eap_hdr *) buf;
1083 	hdr->code = EAP_CODE_REQUEST;
1084 	hdr->identifier = 0;
1085 	hdr->length = host_to_be16(sizeof(*hdr) + 1);
1086 	buf[sizeof(*hdr)] = EAP_TYPE_IDENTITY;
1087 
1088 	return buf;
1089 }
1090 
1091 
1092 static int eap_ttls_encrypt_response(struct eap_sm *sm,
1093 				     struct eap_ttls_data *data,
1094 				     struct wpabuf *resp, u8 identifier,
1095 				     struct wpabuf **out_data)
1096 {
1097 	if (resp == NULL)
1098 		return 0;
1099 
1100 	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data",
1101 			    resp);
1102 	if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS,
1103 				 data->ttls_version, identifier,
1104 				 resp, out_data)) {
1105 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt a Phase 2 "
1106 			   "frame");
1107 		wpabuf_clear_free(resp);
1108 		return -1;
1109 	}
1110 	wpabuf_clear_free(resp);
1111 
1112 	return 0;
1113 }
1114 
1115 
1116 static int eap_ttls_process_phase2_eap(struct eap_sm *sm,
1117 				       struct eap_ttls_data *data,
1118 				       struct eap_method_ret *ret,
1119 				       struct ttls_parse_avp *parse,
1120 				       struct wpabuf **resp)
1121 {
1122 	struct eap_hdr *hdr;
1123 	size_t len;
1124 
1125 	if (parse->eapdata == NULL) {
1126 		wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in the "
1127 			   "packet - dropped");
1128 		return -1;
1129 	}
1130 
1131 	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP",
1132 		    parse->eapdata, parse->eap_len);
1133 	hdr = (struct eap_hdr *) parse->eapdata;
1134 
1135 	if (parse->eap_len < sizeof(*hdr)) {
1136 		wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 EAP "
1137 			   "frame (len=%lu, expected %lu or more) - dropped",
1138 			   (unsigned long) parse->eap_len,
1139 			   (unsigned long) sizeof(*hdr));
1140 		return -1;
1141 	}
1142 	len = be_to_host16(hdr->length);
1143 	if (len > parse->eap_len) {
1144 		wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in Phase 2 "
1145 			   "EAP frame (EAP hdr len=%lu, EAP data len in "
1146 			   "AVP=%lu)",
1147 			   (unsigned long) len,
1148 			   (unsigned long) parse->eap_len);
1149 		return -1;
1150 	}
1151 	wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d "
1152 		   "identifier=%d length=%lu",
1153 		   hdr->code, hdr->identifier, (unsigned long) len);
1154 	switch (hdr->code) {
1155 	case EAP_CODE_REQUEST:
1156 		if (eap_ttls_phase2_request(sm, data, ret, hdr, resp)) {
1157 			wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request "
1158 				   "processing failed");
1159 			return -1;
1160 		}
1161 		break;
1162 	default:
1163 		wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in "
1164 			   "Phase 2 EAP header", hdr->code);
1165 		return -1;
1166 	}
1167 
1168 	return 0;
1169 }
1170 
1171 
1172 static int eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
1173 					    struct eap_ttls_data *data,
1174 					    struct eap_method_ret *ret,
1175 					    struct ttls_parse_avp *parse)
1176 {
1177 #ifdef EAP_MSCHAPv2
1178 	if (parse->mschapv2_error) {
1179 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received "
1180 			   "MS-CHAP-Error - failed");
1181 		ret->methodState = METHOD_DONE;
1182 		ret->decision = DECISION_FAIL;
1183 		/* Reply with empty data to ACK error */
1184 		return 1;
1185 	}
1186 
1187 	if (parse->mschapv2 == NULL) {
1188 #ifdef EAP_TNC
1189 		if (data->phase2_success && parse->eapdata) {
1190 			/*
1191 			 * Allow EAP-TNC to be started after successfully
1192 			 * completed MSCHAPV2.
1193 			 */
1194 			return 1;
1195 		}
1196 #endif /* EAP_TNC */
1197 		wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success AVP "
1198 			   "received for Phase2 MSCHAPV2");
1199 		return -1;
1200 	}
1201 	if (parse->mschapv2[0] != data->ident) {
1202 		wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch for Phase 2 "
1203 			   "MSCHAPV2 (received Ident 0x%02x, expected 0x%02x)",
1204 			   parse->mschapv2[0], data->ident);
1205 		return -1;
1206 	}
1207 	if (!data->auth_response_valid ||
1208 	    mschapv2_verify_auth_response(data->auth_response,
1209 					  parse->mschapv2 + 1, 42)) {
1210 		wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid authenticator "
1211 			   "response in Phase 2 MSCHAPV2 success request");
1212 		return -1;
1213 	}
1214 
1215 	wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 "
1216 		   "authentication succeeded");
1217 	ret->methodState = METHOD_DONE;
1218 	ret->decision = DECISION_UNCOND_SUCC;
1219 	data->phase2_success = 1;
1220 
1221 	/*
1222 	 * Reply with empty data; authentication server will reply
1223 	 * with EAP-Success after this.
1224 	 */
1225 	return 1;
1226 #else /* EAP_MSCHAPv2 */
1227 	wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
1228 	return -1;
1229 #endif /* EAP_MSCHAPv2 */
1230 }
1231 
1232 
1233 #ifdef EAP_TNC
1234 static int eap_ttls_process_tnc_start(struct eap_sm *sm,
1235 				      struct eap_ttls_data *data,
1236 				      struct eap_method_ret *ret,
1237 				      struct ttls_parse_avp *parse,
1238 				      struct wpabuf **resp)
1239 {
1240 	/* TNC uses inner EAP method after non-EAP TTLS phase 2. */
1241 	if (parse->eapdata == NULL) {
1242 		wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received "
1243 			   "unexpected tunneled data (no EAP)");
1244 		return -1;
1245 	}
1246 
1247 	if (!data->ready_for_tnc) {
1248 		wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received "
1249 			   "EAP after non-EAP, but not ready for TNC");
1250 		return -1;
1251 	}
1252 
1253 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed "
1254 		   "non-EAP method");
1255 	data->tnc_started = 1;
1256 
1257 	if (eap_ttls_process_phase2_eap(sm, data, ret, parse, resp) < 0)
1258 		return -1;
1259 
1260 	return 0;
1261 }
1262 #endif /* EAP_TNC */
1263 
1264 
1265 static int eap_ttls_process_decrypted(struct eap_sm *sm,
1266 				      struct eap_ttls_data *data,
1267 				      struct eap_method_ret *ret,
1268 				      u8 identifier,
1269 				      struct ttls_parse_avp *parse,
1270 				      struct wpabuf *in_decrypted,
1271 				      struct wpabuf **out_data)
1272 {
1273 	struct wpabuf *resp = NULL;
1274 	struct eap_peer_config *config = eap_get_config(sm);
1275 	int res;
1276 	enum phase2_types phase2_type = data->phase2_type;
1277 
1278 #ifdef EAP_TNC
1279 	if (data->tnc_started)
1280 		phase2_type = EAP_TTLS_PHASE2_EAP;
1281 #endif /* EAP_TNC */
1282 
1283 	switch (phase2_type) {
1284 	case EAP_TTLS_PHASE2_EAP:
1285 		if (eap_ttls_process_phase2_eap(sm, data, ret, parse, &resp) <
1286 		    0)
1287 			return -1;
1288 		break;
1289 	case EAP_TTLS_PHASE2_MSCHAPV2:
1290 		res = eap_ttls_process_phase2_mschapv2(sm, data, ret, parse);
1291 #ifdef EAP_TNC
1292 		if (res == 1 && parse->eapdata && data->phase2_success) {
1293 			/*
1294 			 * TNC may be required as the next
1295 			 * authentication method within the tunnel.
1296 			 */
1297 			ret->methodState = METHOD_MAY_CONT;
1298 			data->ready_for_tnc = 1;
1299 			if (eap_ttls_process_tnc_start(sm, data, ret, parse,
1300 						       &resp) == 0)
1301 				break;
1302 		}
1303 #endif /* EAP_TNC */
1304 		return res;
1305 	case EAP_TTLS_PHASE2_MSCHAP:
1306 	case EAP_TTLS_PHASE2_PAP:
1307 	case EAP_TTLS_PHASE2_CHAP:
1308 #ifdef EAP_TNC
1309 		if (eap_ttls_process_tnc_start(sm, data, ret, parse, &resp) <
1310 		    0)
1311 			return -1;
1312 		break;
1313 #else /* EAP_TNC */
1314 		/* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled
1315 		 * requests to the supplicant */
1316 		wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected "
1317 			   "tunneled data");
1318 		return -1;
1319 #endif /* EAP_TNC */
1320 	}
1321 
1322 	if (resp) {
1323 		if (eap_ttls_encrypt_response(sm, data, resp, identifier,
1324 					      out_data) < 0)
1325 			return -1;
1326 	} else if (config->pending_req_identity ||
1327 		   config->pending_req_password ||
1328 		   config->pending_req_otp ||
1329 		   config->pending_req_new_password ||
1330 		   config->pending_req_sim) {
1331 		wpabuf_clear_free(data->pending_phase2_req);
1332 		data->pending_phase2_req = wpabuf_dup(in_decrypted);
1333 	}
1334 
1335 	return 0;
1336 }
1337 
1338 
1339 static int eap_ttls_implicit_identity_request(struct eap_sm *sm,
1340 					      struct eap_ttls_data *data,
1341 					      struct eap_method_ret *ret,
1342 					      u8 identifier,
1343 					      struct wpabuf **out_data)
1344 {
1345 	int retval = 0;
1346 	struct eap_hdr *hdr;
1347 	struct wpabuf *resp;
1348 
1349 	hdr = (struct eap_hdr *) eap_ttls_fake_identity_request();
1350 	if (hdr == NULL) {
1351 		ret->methodState = METHOD_DONE;
1352 		ret->decision = DECISION_FAIL;
1353 		return -1;
1354 	}
1355 
1356 	resp = NULL;
1357 	if (eap_ttls_phase2_request(sm, data, ret, hdr, &resp)) {
1358 		wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request "
1359 			   "processing failed");
1360 		retval = -1;
1361 	} else {
1362 		struct eap_peer_config *config = eap_get_config(sm);
1363 		if (resp == NULL &&
1364 		    (config->pending_req_identity ||
1365 		     config->pending_req_password ||
1366 		     config->pending_req_otp ||
1367 		     config->pending_req_new_password ||
1368 		     config->pending_req_sim)) {
1369 			/*
1370 			 * Use empty buffer to force implicit request
1371 			 * processing when EAP request is re-processed after
1372 			 * user input.
1373 			 */
1374 			wpabuf_clear_free(data->pending_phase2_req);
1375 			data->pending_phase2_req = wpabuf_alloc(0);
1376 		}
1377 
1378 		retval = eap_ttls_encrypt_response(sm, data, resp, identifier,
1379 						   out_data);
1380 	}
1381 
1382 	os_free(hdr);
1383 
1384 	if (retval < 0) {
1385 		ret->methodState = METHOD_DONE;
1386 		ret->decision = DECISION_FAIL;
1387 	}
1388 
1389 	return retval;
1390 }
1391 
1392 
1393 static int eap_ttls_phase2_start(struct eap_sm *sm, struct eap_ttls_data *data,
1394 				 struct eap_method_ret *ret, u8 identifier,
1395 				 struct wpabuf **out_data)
1396 {
1397 	data->phase2_start = 0;
1398 
1399 	/*
1400 	 * EAP-TTLS does not use Phase2 on fast re-auth; this must be done only
1401 	 * if TLS part was indeed resuming a previous session. Most
1402 	 * Authentication Servers terminate EAP-TTLS before reaching this
1403 	 * point, but some do not. Make wpa_supplicant stop phase 2 here, if
1404 	 * needed.
1405 	 */
1406 	if (data->reauth &&
1407 	    tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
1408 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - "
1409 			   "skip phase 2");
1410 		*out_data = eap_peer_tls_build_ack(identifier, EAP_TYPE_TTLS,
1411 						   data->ttls_version);
1412 		ret->methodState = METHOD_DONE;
1413 		ret->decision = DECISION_UNCOND_SUCC;
1414 		data->phase2_success = 1;
1415 		return 0;
1416 	}
1417 
1418 	return eap_ttls_implicit_identity_request(sm, data, ret, identifier,
1419 						  out_data);
1420 }
1421 
1422 
1423 static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data,
1424 			    struct eap_method_ret *ret, u8 identifier,
1425 			    const struct wpabuf *in_data,
1426 			    struct wpabuf **out_data)
1427 {
1428 	struct wpabuf *in_decrypted = NULL;
1429 	int retval = 0;
1430 	struct ttls_parse_avp parse;
1431 
1432 	os_memset(&parse, 0, sizeof(parse));
1433 
1434 	wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1435 		   " Phase 2",
1436 		   in_data ? (unsigned long) wpabuf_len(in_data) : 0);
1437 
1438 	if (data->pending_phase2_req) {
1439 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - "
1440 			   "skip decryption and use old data");
1441 		/* Clear TLS reassembly state. */
1442 		eap_peer_tls_reset_input(&data->ssl);
1443 
1444 		in_decrypted = data->pending_phase2_req;
1445 		data->pending_phase2_req = NULL;
1446 		if (wpabuf_len(in_decrypted) == 0) {
1447 			wpabuf_clear_free(in_decrypted);
1448 			return eap_ttls_implicit_identity_request(
1449 				sm, data, ret, identifier, out_data);
1450 		}
1451 		goto continue_req;
1452 	}
1453 
1454 	if ((in_data == NULL || wpabuf_len(in_data) == 0) &&
1455 	    data->phase2_start) {
1456 start:
1457 		return eap_ttls_phase2_start(sm, data, ret, identifier,
1458 					     out_data);
1459 	}
1460 
1461 	if (in_data == NULL || wpabuf_len(in_data) == 0) {
1462 		/* Received TLS ACK - requesting more fragments */
1463 		return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS,
1464 					    data->ttls_version,
1465 					    identifier, NULL, out_data);
1466 	}
1467 
1468 	retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted);
1469 	if (retval)
1470 		goto done;
1471 	if (wpabuf_len(in_decrypted) == 0) {
1472 		wpabuf_free(in_decrypted);
1473 		goto start;
1474 	}
1475 
1476 	/* draft-ietf-emu-eap-tls13-13 Section 2.5 */
1477 	if (data->ssl.tls_v13 && wpabuf_len(in_decrypted) == 1 &&
1478 	    *wpabuf_head_u8(in_decrypted) == 0) {
1479 		wpa_printf(MSG_DEBUG,
1480 			   "EAP-TTLS: ACKing EAP-TLS Commitment Message");
1481 		eap_peer_tls_reset_output(&data->ssl);
1482 		wpabuf_free(in_decrypted);
1483 		return 1;
1484 	}
1485 
1486 continue_req:
1487 	data->phase2_start = 0;
1488 
1489 	if (eap_ttls_parse_avps(in_decrypted, &parse) < 0) {
1490 		retval = -1;
1491 		goto done;
1492 	}
1493 
1494 	retval = eap_ttls_process_decrypted(sm, data, ret, identifier,
1495 					    &parse, in_decrypted, out_data);
1496 
1497 done:
1498 	wpabuf_clear_free(in_decrypted);
1499 	os_free(parse.eapdata);
1500 
1501 	if (retval < 0) {
1502 		ret->methodState = METHOD_DONE;
1503 		ret->decision = DECISION_FAIL;
1504 	}
1505 
1506 	return retval;
1507 }
1508 
1509 
1510 static int eap_ttls_process_handshake(struct eap_sm *sm,
1511 				      struct eap_ttls_data *data,
1512 				      struct eap_method_ret *ret,
1513 				      u8 identifier,
1514 				      const struct wpabuf *in_data,
1515 				      struct wpabuf **out_data)
1516 {
1517 	int res;
1518 
1519 	if (sm->waiting_ext_cert_check && data->pending_resp) {
1520 		struct eap_peer_config *config = eap_get_config(sm);
1521 
1522 		if (config->pending_ext_cert_check == EXT_CERT_CHECK_GOOD) {
1523 			wpa_printf(MSG_DEBUG,
1524 				   "EAP-TTLS: External certificate check succeeded - continue handshake");
1525 			*out_data = data->pending_resp;
1526 			data->pending_resp = NULL;
1527 			sm->waiting_ext_cert_check = 0;
1528 			return 0;
1529 		}
1530 
1531 		if (config->pending_ext_cert_check == EXT_CERT_CHECK_BAD) {
1532 			wpa_printf(MSG_DEBUG,
1533 				   "EAP-TTLS: External certificate check failed - force authentication failure");
1534 			ret->methodState = METHOD_DONE;
1535 			ret->decision = DECISION_FAIL;
1536 			sm->waiting_ext_cert_check = 0;
1537 			return 0;
1538 		}
1539 
1540 		wpa_printf(MSG_DEBUG,
1541 			   "EAP-TTLS: Continuing to wait external server certificate validation");
1542 		return 0;
1543 	}
1544 
1545 	res = eap_peer_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS,
1546 					  data->ttls_version, identifier,
1547 					  in_data, out_data);
1548 	if (res < 0) {
1549 		wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS processing failed");
1550 		ret->methodState = METHOD_DONE;
1551 		ret->decision = DECISION_FAIL;
1552 		return -1;
1553 	}
1554 
1555 	if (sm->waiting_ext_cert_check) {
1556 		wpa_printf(MSG_DEBUG,
1557 			   "EAP-TTLS: Waiting external server certificate validation");
1558 		wpabuf_clear_free(data->pending_resp);
1559 		data->pending_resp = *out_data;
1560 		*out_data = NULL;
1561 		return 0;
1562 	}
1563 
1564 	if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
1565 		wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS done, proceed to "
1566 			   "Phase 2");
1567 		if (data->resuming) {
1568 			wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth - may "
1569 				   "skip Phase 2");
1570 			ret->decision = DECISION_COND_SUCC;
1571 			ret->methodState = METHOD_MAY_CONT;
1572 		}
1573 		data->phase2_start = 1;
1574 		eap_ttls_v0_derive_key(sm, data);
1575 
1576 		if (*out_data == NULL || wpabuf_len(*out_data) == 0) {
1577 			if (eap_ttls_decrypt(sm, data, ret, identifier,
1578 					     NULL, out_data)) {
1579 				wpa_printf(MSG_WARNING, "EAP-TTLS: "
1580 					   "failed to process early "
1581 					   "start for Phase 2");
1582 			}
1583 			res = 0;
1584 		}
1585 		data->resuming = 0;
1586 	}
1587 
1588 	if (res == 2) {
1589 		/*
1590 		 * Application data included in the handshake message.
1591 		 */
1592 		wpabuf_clear_free(data->pending_phase2_req);
1593 		data->pending_phase2_req = *out_data;
1594 		*out_data = NULL;
1595 		res = eap_ttls_decrypt(sm, data, ret, identifier, in_data,
1596 				       out_data);
1597 	}
1598 
1599 	return res;
1600 }
1601 
1602 
1603 static void eap_ttls_check_auth_status(struct eap_sm *sm,
1604 				       struct eap_ttls_data *data,
1605 				       struct eap_method_ret *ret)
1606 {
1607 	if (ret->methodState == METHOD_DONE) {
1608 		ret->allowNotifications = false;
1609 		if (ret->decision == DECISION_UNCOND_SUCC ||
1610 		    ret->decision == DECISION_COND_SUCC) {
1611 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1612 				   "completed successfully");
1613 			data->phase2_success = 1;
1614 			data->decision_succ = ret->decision;
1615 #ifdef EAP_TNC
1616 			if (!data->ready_for_tnc && !data->tnc_started) {
1617 				/*
1618 				 * TNC may be required as the next
1619 				 * authentication method within the tunnel.
1620 				 */
1621 				ret->methodState = METHOD_MAY_CONT;
1622 				data->ready_for_tnc = 1;
1623 			}
1624 #endif /* EAP_TNC */
1625 		}
1626 	} else if (ret->methodState == METHOD_MAY_CONT &&
1627 		   (ret->decision == DECISION_UNCOND_SUCC ||
1628 		    ret->decision == DECISION_COND_SUCC)) {
1629 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1630 				   "completed successfully (MAY_CONT)");
1631 			data->phase2_success = 1;
1632 			data->decision_succ = ret->decision;
1633 	} else if (data->decision_succ != DECISION_FAIL &&
1634 		   data->phase2_success &&
1635 		   !data->ssl.tls_out) {
1636 		/*
1637 		 * This is needed to cover the case where the final Phase 2
1638 		 * message gets fragmented since fragmentation clears
1639 		 * decision back to FAIL.
1640 		 */
1641 		wpa_printf(MSG_DEBUG,
1642 			   "EAP-TTLS: Restore success decision after fragmented frame sent completely");
1643 		ret->decision = data->decision_succ;
1644 	}
1645 }
1646 
1647 
1648 static struct wpabuf * eap_ttls_process(struct eap_sm *sm, void *priv,
1649 					struct eap_method_ret *ret,
1650 					const struct wpabuf *reqData)
1651 {
1652 	size_t left;
1653 	int res;
1654 	u8 flags, id;
1655 	struct wpabuf *resp;
1656 	const u8 *pos;
1657 	struct eap_ttls_data *data = priv;
1658 	struct wpabuf msg;
1659 
1660 	pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret,
1661 					reqData, &left, &flags);
1662 	if (pos == NULL)
1663 		return NULL;
1664 	id = eap_get_id(reqData);
1665 
1666 	if (flags & EAP_TLS_FLAGS_START) {
1667 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own "
1668 			   "ver=%d)", flags & EAP_TLS_VERSION_MASK,
1669 			   data->ttls_version);
1670 
1671 		/* RFC 5281, Ch. 9.2:
1672 		 * "This packet MAY contain additional information in the form
1673 		 * of AVPs, which may provide useful hints to the client"
1674 		 * For now, ignore any potential extra data.
1675 		 */
1676 		left = 0;
1677 	}
1678 
1679 	wpabuf_set(&msg, pos, left);
1680 
1681 	resp = NULL;
1682 	if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1683 	    !data->resuming) {
1684 		res = eap_ttls_decrypt(sm, data, ret, id, &msg, &resp);
1685 	} else {
1686 		res = eap_ttls_process_handshake(sm, data, ret, id,
1687 						 &msg, &resp);
1688 	}
1689 
1690 	eap_ttls_check_auth_status(sm, data, ret);
1691 
1692 	/* FIX: what about res == -1? Could just move all error processing into
1693 	 * the other functions and get rid of this res==1 case here. */
1694 	if (res == 1) {
1695 		wpabuf_clear_free(resp);
1696 		return eap_peer_tls_build_ack(id, EAP_TYPE_TTLS,
1697 					      data->ttls_version);
1698 	}
1699 	return resp;
1700 }
1701 
1702 
1703 static bool eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv)
1704 {
1705 	struct eap_ttls_data *data = priv;
1706 	return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1707 		data->phase2_success;
1708 }
1709 
1710 
1711 static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv)
1712 {
1713 	struct eap_ttls_data *data = priv;
1714 
1715 	if (data->phase2_priv && data->phase2_method &&
1716 	    data->phase2_method->deinit_for_reauth)
1717 		data->phase2_method->deinit_for_reauth(sm, data->phase2_priv);
1718 	wpabuf_clear_free(data->pending_phase2_req);
1719 	data->pending_phase2_req = NULL;
1720 	wpabuf_clear_free(data->pending_resp);
1721 	data->pending_resp = NULL;
1722 	data->decision_succ = DECISION_FAIL;
1723 #ifdef EAP_TNC
1724 	data->ready_for_tnc = 0;
1725 	data->tnc_started = 0;
1726 #endif /* EAP_TNC */
1727 }
1728 
1729 
1730 static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv)
1731 {
1732 	struct eap_ttls_data *data = priv;
1733 	eap_ttls_free_key(data);
1734 	os_free(data->session_id);
1735 	data->session_id = NULL;
1736 	if (eap_peer_tls_reauth_init(sm, &data->ssl)) {
1737 		os_free(data);
1738 		return NULL;
1739 	}
1740 	if (data->phase2_priv && data->phase2_method &&
1741 	    data->phase2_method->init_for_reauth)
1742 		data->phase2_method->init_for_reauth(sm, data->phase2_priv);
1743 	data->phase2_start = 0;
1744 	data->phase2_success = 0;
1745 	data->resuming = 1;
1746 	data->reauth = 1;
1747 	return priv;
1748 }
1749 
1750 
1751 static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf,
1752 			       size_t buflen, int verbose)
1753 {
1754 	struct eap_ttls_data *data = priv;
1755 	int len, ret;
1756 
1757 	len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose);
1758 	ret = os_snprintf(buf + len, buflen - len,
1759 			  "EAP-TTLSv%d Phase2 method=",
1760 			  data->ttls_version);
1761 	if (os_snprintf_error(buflen - len, ret))
1762 		return len;
1763 	len += ret;
1764 	switch (data->phase2_type) {
1765 	case EAP_TTLS_PHASE2_EAP:
1766 		ret = os_snprintf(buf + len, buflen - len, "EAP-%s\n",
1767 				  data->phase2_method ?
1768 				  data->phase2_method->name : "?");
1769 		break;
1770 	case EAP_TTLS_PHASE2_MSCHAPV2:
1771 		ret = os_snprintf(buf + len, buflen - len, "MSCHAPV2\n");
1772 		break;
1773 	case EAP_TTLS_PHASE2_MSCHAP:
1774 		ret = os_snprintf(buf + len, buflen - len, "MSCHAP\n");
1775 		break;
1776 	case EAP_TTLS_PHASE2_PAP:
1777 		ret = os_snprintf(buf + len, buflen - len, "PAP\n");
1778 		break;
1779 	case EAP_TTLS_PHASE2_CHAP:
1780 		ret = os_snprintf(buf + len, buflen - len, "CHAP\n");
1781 		break;
1782 	default:
1783 		ret = 0;
1784 		break;
1785 	}
1786 	if (os_snprintf_error(buflen - len, ret))
1787 		return len;
1788 	len += ret;
1789 
1790 	return len;
1791 }
1792 
1793 
1794 static bool eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv)
1795 {
1796 	struct eap_ttls_data *data = priv;
1797 	return data->key_data != NULL && data->phase2_success;
1798 }
1799 
1800 
1801 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1802 {
1803 	struct eap_ttls_data *data = priv;
1804 	u8 *key;
1805 
1806 	if (data->key_data == NULL || !data->phase2_success)
1807 		return NULL;
1808 
1809 	key = os_memdup(data->key_data, EAP_TLS_KEY_LEN);
1810 	if (key == NULL)
1811 		return NULL;
1812 
1813 	*len = EAP_TLS_KEY_LEN;
1814 
1815 	return key;
1816 }
1817 
1818 
1819 static u8 * eap_ttls_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
1820 {
1821 	struct eap_ttls_data *data = priv;
1822 	u8 *id;
1823 
1824 	if (data->session_id == NULL || !data->phase2_success)
1825 		return NULL;
1826 
1827 	id = os_memdup(data->session_id, data->id_len);
1828 	if (id == NULL)
1829 		return NULL;
1830 
1831 	*len = data->id_len;
1832 
1833 	return id;
1834 }
1835 
1836 
1837 static u8 * eap_ttls_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
1838 {
1839 	struct eap_ttls_data *data = priv;
1840 	u8 *key;
1841 
1842 	if (data->key_data == NULL)
1843 		return NULL;
1844 
1845 	key = os_memdup(data->key_data + EAP_TLS_KEY_LEN, EAP_EMSK_LEN);
1846 	if (key == NULL)
1847 		return NULL;
1848 
1849 	*len = EAP_EMSK_LEN;
1850 
1851 	return key;
1852 }
1853 
1854 
1855 int eap_peer_ttls_register(void)
1856 {
1857 	struct eap_method *eap;
1858 
1859 	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
1860 				    EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1861 	if (eap == NULL)
1862 		return -1;
1863 
1864 	eap->init = eap_ttls_init;
1865 	eap->deinit = eap_ttls_deinit;
1866 	eap->process = eap_ttls_process;
1867 	eap->isKeyAvailable = eap_ttls_isKeyAvailable;
1868 	eap->getKey = eap_ttls_getKey;
1869 	eap->getSessionId = eap_ttls_get_session_id;
1870 	eap->get_status = eap_ttls_get_status;
1871 	eap->has_reauth_data = eap_ttls_has_reauth_data;
1872 	eap->deinit_for_reauth = eap_ttls_deinit_for_reauth;
1873 	eap->init_for_reauth = eap_ttls_init_for_reauth;
1874 	eap->get_emsk = eap_ttls_get_emsk;
1875 
1876 	return eap_peer_method_register(eap);
1877 }
1878