xref: /freebsd/contrib/wpa/src/eap_peer/eap_ttls.c (revision 95eb4b873b6a8b527c5bd78d7191975dfca38998)
1 /*
2  * EAP peer method: EAP-TTLS (RFC 5281)
3  * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/ms_funcs.h"
13 #include "crypto/sha1.h"
14 #include "crypto/tls.h"
15 #include "eap_common/chap.h"
16 #include "eap_common/eap_ttls.h"
17 #include "mschapv2.h"
18 #include "eap_i.h"
19 #include "eap_tls_common.h"
20 #include "eap_config.h"
21 
22 
23 #define EAP_TTLS_VERSION 0
24 
25 
26 static void eap_ttls_deinit(struct eap_sm *sm, void *priv);
27 
28 
29 struct eap_ttls_data {
30 	struct eap_ssl_data ssl;
31 
32 	int ttls_version;
33 
34 	const struct eap_method *phase2_method;
35 	void *phase2_priv;
36 	int phase2_success;
37 	int phase2_start;
38 	EapDecision decision_succ;
39 
40 	enum phase2_types {
41 		EAP_TTLS_PHASE2_EAP,
42 		EAP_TTLS_PHASE2_MSCHAPV2,
43 		EAP_TTLS_PHASE2_MSCHAP,
44 		EAP_TTLS_PHASE2_PAP,
45 		EAP_TTLS_PHASE2_CHAP
46 	} phase2_type;
47 	struct eap_method_type phase2_eap_type;
48 	struct eap_method_type *phase2_eap_types;
49 	size_t num_phase2_eap_types;
50 
51 	u8 auth_response[MSCHAPV2_AUTH_RESPONSE_LEN];
52 	int auth_response_valid;
53 	u8 master_key[MSCHAPV2_MASTER_KEY_LEN]; /* MSCHAPv2 master key */
54 	u8 ident;
55 	int resuming; /* starting a resumed session */
56 	int reauth; /* reauthentication */
57 	u8 *key_data;
58 	u8 *session_id;
59 	size_t id_len;
60 
61 	struct wpabuf *pending_phase2_req;
62 	struct wpabuf *pending_resp;
63 
64 #ifdef EAP_TNC
65 	int ready_for_tnc;
66 	int tnc_started;
67 #endif /* EAP_TNC */
68 
69 	enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
70 };
71 
72 
73 static void eap_ttls_parse_phase1(struct eap_ttls_data *data,
74 				  const char *phase1)
75 {
76 	if (os_strstr(phase1, "phase2_auth=0")) {
77 		data->phase2_auth = NO_AUTH;
78 		wpa_printf(MSG_DEBUG,
79 			   "EAP-TTLS: Do not require Phase 2 authentication");
80 	} else if (os_strstr(phase1, "phase2_auth=1")) {
81 		data->phase2_auth = FOR_INITIAL;
82 		wpa_printf(MSG_DEBUG,
83 			   "EAP-TTLS: Require Phase 2 authentication for initial connection");
84 	} else if (os_strstr(phase1, "phase2_auth=2")) {
85 		data->phase2_auth = ALWAYS;
86 		wpa_printf(MSG_DEBUG,
87 			   "EAP-TTLS: Require Phase 2 authentication for all cases");
88 	}
89 }
90 
91 
92 static void * eap_ttls_init(struct eap_sm *sm)
93 {
94 	struct eap_ttls_data *data;
95 	struct eap_peer_config *config = eap_get_config(sm);
96 	int selected_non_eap;
97 	char *selected;
98 
99 	data = os_zalloc(sizeof(*data));
100 	if (data == NULL)
101 		return NULL;
102 	data->ttls_version = EAP_TTLS_VERSION;
103 	selected = "EAP";
104 	selected_non_eap = 0;
105 	data->phase2_type = EAP_TTLS_PHASE2_EAP;
106 	data->phase2_auth = FOR_INITIAL;
107 
108 	if (config && config->phase1)
109 		eap_ttls_parse_phase1(data, config->phase1);
110 
111 	/*
112 	 * Either one auth= type or one or more autheap= methods can be
113 	 * specified.
114 	 */
115 	if (config && config->phase2) {
116 		const char *token, *last = NULL;
117 
118 		while ((token = cstr_token(config->phase2, " \t", &last))) {
119 			if (os_strncmp(token, "auth=", 5) != 0)
120 				continue;
121 			token += 5;
122 
123 			if (last - token == 8 &&
124 			    os_strncmp(token, "MSCHAPV2", 8) == 0) {
125 				selected = "MSCHAPV2";
126 				data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2;
127 			} else if (last - token == 6 &&
128 				   os_strncmp(token, "MSCHAP", 6) == 0) {
129 				selected = "MSCHAP";
130 				data->phase2_type = EAP_TTLS_PHASE2_MSCHAP;
131 			} else if (last - token == 3 &&
132 				   os_strncmp(token, "PAP", 3) == 0) {
133 				selected = "PAP";
134 				data->phase2_type = EAP_TTLS_PHASE2_PAP;
135 			} else if (last - token == 4 &&
136 				   os_strncmp(token, "CHAP", 4) == 0) {
137 				selected = "CHAP";
138 				data->phase2_type = EAP_TTLS_PHASE2_CHAP;
139 			} else {
140 				wpa_printf(MSG_ERROR,
141 					   "EAP-TTLS: Unsupported Phase2 type '%s'",
142 					   token);
143 				eap_ttls_deinit(sm, data);
144 				return NULL;
145 			}
146 
147 			if (selected_non_eap) {
148 				wpa_printf(MSG_ERROR,
149 					   "EAP-TTLS: Only one Phase2 type can be specified");
150 				eap_ttls_deinit(sm, data);
151 				return NULL;
152 			}
153 
154 			selected_non_eap = 1;
155 		}
156 
157 		if (os_strstr(config->phase2, "autheap=")) {
158 			if (selected_non_eap) {
159 				wpa_printf(MSG_ERROR,
160 					   "EAP-TTLS: Both auth= and autheap= params cannot be specified");
161 				eap_ttls_deinit(sm, data);
162 				return NULL;
163 			}
164 			selected = "EAP";
165 			data->phase2_type = EAP_TTLS_PHASE2_EAP;
166 		}
167 	}
168 
169 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected);
170 
171 	if (data->phase2_type == EAP_TTLS_PHASE2_EAP) {
172 		if (eap_peer_select_phase2_methods(config, "autheap=",
173 						   &data->phase2_eap_types,
174 						   &data->num_phase2_eap_types,
175 						   0) < 0) {
176 			eap_ttls_deinit(sm, data);
177 			return NULL;
178 		}
179 
180 		data->phase2_eap_type.vendor = EAP_VENDOR_IETF;
181 		data->phase2_eap_type.method = EAP_TYPE_NONE;
182 	}
183 
184 	if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TTLS)) {
185 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
186 		eap_ttls_deinit(sm, data);
187 		return NULL;
188 	}
189 
190 	return data;
191 }
192 
193 
194 static void eap_ttls_phase2_eap_deinit(struct eap_sm *sm,
195 				       struct eap_ttls_data *data)
196 {
197 	if (data->phase2_priv && data->phase2_method) {
198 		data->phase2_method->deinit(sm, data->phase2_priv);
199 		data->phase2_method = NULL;
200 		data->phase2_priv = NULL;
201 	}
202 }
203 
204 
205 static void eap_ttls_free_key(struct eap_ttls_data *data)
206 {
207 	if (data->key_data) {
208 		bin_clear_free(data->key_data, EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
209 		data->key_data = NULL;
210 	}
211 }
212 
213 
214 static void eap_ttls_deinit(struct eap_sm *sm, void *priv)
215 {
216 	struct eap_ttls_data *data = priv;
217 	if (data == NULL)
218 		return;
219 	eap_ttls_phase2_eap_deinit(sm, data);
220 	os_free(data->phase2_eap_types);
221 	eap_peer_tls_ssl_deinit(sm, &data->ssl);
222 	eap_ttls_free_key(data);
223 	os_free(data->session_id);
224 	wpabuf_clear_free(data->pending_phase2_req);
225 	wpabuf_clear_free(data->pending_resp);
226 	os_free(data);
227 }
228 
229 
230 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
231 			     int mandatory, size_t len)
232 {
233 	struct ttls_avp_vendor *avp;
234 	u8 flags;
235 	size_t hdrlen;
236 
237 	avp = (struct ttls_avp_vendor *) avphdr;
238 	flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
239 	if (vendor_id) {
240 		flags |= AVP_FLAGS_VENDOR;
241 		hdrlen = sizeof(*avp);
242 		avp->vendor_id = host_to_be32(vendor_id);
243 	} else {
244 		hdrlen = sizeof(struct ttls_avp);
245 	}
246 
247 	avp->avp_code = host_to_be32(avp_code);
248 	avp->avp_length = host_to_be32(((u32) flags << 24) |
249 				       (u32) (hdrlen + len));
250 
251 	return avphdr + hdrlen;
252 }
253 
254 
255 static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code,
256 			     u32 vendor_id, int mandatory,
257 			     const u8 *data, size_t len)
258 {
259 	u8 *pos;
260 	pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len);
261 	os_memcpy(pos, data, len);
262 	pos += len;
263 	AVP_PAD(start, pos);
264 	return pos;
265 }
266 
267 
268 static int eap_ttls_avp_encapsulate(struct wpabuf **resp, u32 avp_code,
269 				    int mandatory)
270 {
271 	struct wpabuf *msg;
272 	u8 *avp, *pos;
273 
274 	msg = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(*resp) + 4);
275 	if (msg == NULL) {
276 		wpabuf_clear_free(*resp);
277 		*resp = NULL;
278 		return -1;
279 	}
280 
281 	avp = wpabuf_mhead(msg);
282 	pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, wpabuf_len(*resp));
283 	os_memcpy(pos, wpabuf_head(*resp), wpabuf_len(*resp));
284 	pos += wpabuf_len(*resp);
285 	AVP_PAD(avp, pos);
286 	wpabuf_clear_free(*resp);
287 	wpabuf_put(msg, pos - avp);
288 	*resp = msg;
289 	return 0;
290 }
291 
292 
293 static int eap_ttls_v0_derive_key(struct eap_sm *sm,
294 				  struct eap_ttls_data *data)
295 {
296 	const char *label;
297 	const u8 eap_tls13_context[1] = { EAP_TYPE_TTLS };
298 	const u8 *context = NULL;
299 	size_t context_len = 0;
300 
301 	if (data->ssl.tls_v13) {
302 		label = "EXPORTER_EAP_TLS_Key_Material";
303 		context = eap_tls13_context;
304 		context_len = sizeof(eap_tls13_context);
305 	} else {
306 		label = "ttls keying material";
307 	}
308 
309 	eap_ttls_free_key(data);
310 	data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, label,
311 						 context, context_len,
312 						 EAP_TLS_KEY_LEN +
313 						 EAP_EMSK_LEN);
314 	if (!data->key_data) {
315 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to derive key");
316 		return -1;
317 	}
318 
319 	wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
320 			data->key_data, EAP_TLS_KEY_LEN);
321 	wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived EMSK",
322 			data->key_data + EAP_TLS_KEY_LEN,
323 			EAP_EMSK_LEN);
324 
325 	os_free(data->session_id);
326 	data->session_id = eap_peer_tls_derive_session_id(sm, &data->ssl,
327 							  EAP_TYPE_TTLS,
328 	                                                  &data->id_len);
329 	if (data->session_id) {
330 		wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Derived Session-Id",
331 			    data->session_id, data->id_len);
332 	} else {
333 		wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to derive Session-Id");
334 	}
335 
336 	return 0;
337 }
338 
339 
340 #ifndef CONFIG_FIPS
341 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
342 					struct eap_ttls_data *data, size_t len)
343 {
344 	return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge",
345 				       NULL, 0, len);
346 }
347 #endif /* CONFIG_FIPS */
348 
349 
350 static void eap_ttls_phase2_select_eap_method(struct eap_ttls_data *data,
351 					      int vendor, enum eap_type method)
352 {
353 	size_t i;
354 	for (i = 0; i < data->num_phase2_eap_types; i++) {
355 		if (data->phase2_eap_types[i].vendor != vendor ||
356 		    data->phase2_eap_types[i].method != method)
357 			continue;
358 
359 		data->phase2_eap_type.vendor =
360 			data->phase2_eap_types[i].vendor;
361 		data->phase2_eap_type.method =
362 			data->phase2_eap_types[i].method;
363 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected "
364 			   "Phase 2 EAP vendor %d method %d",
365 			   data->phase2_eap_type.vendor,
366 			   data->phase2_eap_type.method);
367 		break;
368 	}
369 }
370 
371 
372 static int eap_ttls_phase2_eap_process(struct eap_sm *sm,
373 				       struct eap_ttls_data *data,
374 				       struct eap_method_ret *ret,
375 				       struct eap_hdr *hdr, size_t len,
376 				       struct wpabuf **resp)
377 {
378 	struct wpabuf msg;
379 	struct eap_method_ret iret;
380 
381 	os_memset(&iret, 0, sizeof(iret));
382 	wpabuf_set(&msg, hdr, len);
383 	*resp = data->phase2_method->process(sm, data->phase2_priv, &iret,
384 					     &msg);
385 	if ((iret.methodState == METHOD_DONE ||
386 	     iret.methodState == METHOD_MAY_CONT) &&
387 	    (iret.decision == DECISION_UNCOND_SUCC ||
388 	     iret.decision == DECISION_COND_SUCC ||
389 	     iret.decision == DECISION_FAIL)) {
390 		ret->methodState = iret.methodState;
391 		ret->decision = iret.decision;
392 	}
393 
394 	return 0;
395 }
396 
397 
398 static int eap_ttls_phase2_request_eap_method(struct eap_sm *sm,
399 					      struct eap_ttls_data *data,
400 					      struct eap_method_ret *ret,
401 					      struct eap_hdr *hdr, size_t len,
402 					      int vendor, enum eap_type method,
403 					      struct wpabuf **resp)
404 {
405 #ifdef EAP_TNC
406 	if (data->tnc_started && data->phase2_method &&
407 	    data->phase2_priv &&
408 	    vendor == EAP_VENDOR_IETF && method == EAP_TYPE_TNC &&
409 	    data->phase2_eap_type.method == EAP_TYPE_TNC)
410 		return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len,
411 						   resp);
412 
413 	if (data->ready_for_tnc && !data->tnc_started &&
414 	    vendor == EAP_VENDOR_IETF && method == EAP_TYPE_TNC) {
415 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed "
416 			   "EAP method");
417 		data->tnc_started = 1;
418 	}
419 
420 	if (data->tnc_started) {
421 		if (data->phase2_eap_type.vendor != EAP_VENDOR_IETF ||
422 		    data->phase2_eap_type.method == EAP_TYPE_TNC) {
423 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected EAP "
424 				   "type %d for TNC", method);
425 			return -1;
426 		}
427 
428 		data->phase2_eap_type.vendor = vendor;
429 		data->phase2_eap_type.method = method;
430 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected "
431 			   "Phase 2 EAP vendor %d method %d (TNC)",
432 			   data->phase2_eap_type.vendor,
433 			   data->phase2_eap_type.method);
434 
435 		if (data->phase2_type == EAP_TTLS_PHASE2_EAP)
436 			eap_ttls_phase2_eap_deinit(sm, data);
437 	}
438 #endif /* EAP_TNC */
439 
440 	if (data->phase2_eap_type.vendor == EAP_VENDOR_IETF &&
441 	    data->phase2_eap_type.method == EAP_TYPE_NONE)
442 		eap_ttls_phase2_select_eap_method(data, vendor, method);
443 
444 	if (vendor != data->phase2_eap_type.vendor ||
445 	    method != data->phase2_eap_type.method ||
446 	    (vendor == EAP_VENDOR_IETF && method == EAP_TYPE_NONE)) {
447 		if (eap_peer_tls_phase2_nak(data->phase2_eap_types,
448 					    data->num_phase2_eap_types,
449 					    hdr, resp))
450 			return -1;
451 		return 0;
452 	}
453 
454 	if (data->phase2_priv == NULL) {
455 		data->phase2_method = eap_peer_get_eap_method(vendor, method);
456 		if (data->phase2_method) {
457 			sm->init_phase2 = 1;
458 			data->phase2_priv = data->phase2_method->init(sm);
459 			sm->init_phase2 = 0;
460 		}
461 	}
462 	if (data->phase2_priv == NULL || data->phase2_method == NULL) {
463 		wpa_printf(MSG_INFO,
464 			   "EAP-TTLS: failed to initialize Phase 2 EAP method %u:%u",
465 			   vendor, method);
466 		return -1;
467 	}
468 
469 	return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, resp);
470 }
471 
472 
473 static int eap_ttls_phase2_request_eap(struct eap_sm *sm,
474 				       struct eap_ttls_data *data,
475 				       struct eap_method_ret *ret,
476 				       struct eap_hdr *hdr,
477 				       struct wpabuf **resp)
478 {
479 	size_t len = be_to_host16(hdr->length);
480 	u8 *pos;
481 	struct eap_peer_config *config = eap_get_config(sm);
482 
483 	if (len <= sizeof(struct eap_hdr)) {
484 		wpa_printf(MSG_INFO, "EAP-TTLS: too short "
485 			   "Phase 2 request (len=%lu)", (unsigned long) len);
486 		return -1;
487 	}
488 	pos = (u8 *) (hdr + 1);
489 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos);
490 	switch (*pos) {
491 	case EAP_TYPE_IDENTITY:
492 		*resp = eap_sm_buildIdentity(sm, hdr->identifier, 1);
493 		break;
494 	case EAP_TYPE_EXPANDED:
495 		if (len < sizeof(struct eap_hdr) + 8) {
496 			wpa_printf(MSG_INFO,
497 				   "EAP-TTLS: Too short Phase 2 request (expanded header) (len=%lu)",
498 				   (unsigned long) len);
499 			return -1;
500 		}
501 		if (eap_ttls_phase2_request_eap_method(sm, data, ret, hdr, len,
502 						       WPA_GET_BE24(pos + 1),
503 						       WPA_GET_BE32(pos + 4),
504 						       resp) < 0)
505 			return -1;
506 		break;
507 	default:
508 		if (eap_ttls_phase2_request_eap_method(sm, data, ret, hdr, len,
509 						       EAP_VENDOR_IETF, *pos,
510 						       resp) < 0)
511 			return -1;
512 		break;
513 	}
514 
515 	if (*resp == NULL &&
516 	    (config->pending_req_identity || config->pending_req_password ||
517 	     config->pending_req_otp || config->pending_req_sim)) {
518 		return 0;
519 	}
520 
521 	if (*resp == NULL)
522 		return -1;
523 
524 	wpa_hexdump_buf(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response",
525 			*resp);
526 	return eap_ttls_avp_encapsulate(resp, RADIUS_ATTR_EAP_MESSAGE, 1);
527 }
528 
529 
530 static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
531 					    struct eap_ttls_data *data,
532 					    struct eap_method_ret *ret,
533 					    struct wpabuf **resp)
534 {
535 #ifdef CONFIG_FIPS
536 	wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPV2 not supported in FIPS build");
537 	return -1;
538 #else /* CONFIG_FIPS */
539 #ifdef EAP_MSCHAPv2
540 	struct wpabuf *msg;
541 	u8 *buf, *pos, *challenge, *peer_challenge;
542 	const u8 *identity, *password;
543 	size_t identity_len, password_len;
544 	int pwhash;
545 
546 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request");
547 
548 	identity = eap_get_config_identity(sm, &identity_len);
549 	password = eap_get_config_password2(sm, &password_len, &pwhash);
550 	if (identity == NULL || password == NULL)
551 		return -1;
552 
553 	msg = wpabuf_alloc(identity_len + 1000);
554 	if (msg == NULL) {
555 		wpa_printf(MSG_ERROR,
556 			   "EAP-TTLS/MSCHAPV2: Failed to allocate memory");
557 		return -1;
558 	}
559 	pos = buf = wpabuf_mhead(msg);
560 
561 	/* User-Name */
562 	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
563 			       identity, identity_len);
564 
565 	/* MS-CHAP-Challenge */
566 	challenge = eap_ttls_implicit_challenge(
567 		sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
568 	if (challenge == NULL) {
569 		wpabuf_clear_free(msg);
570 		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
571 			   "implicit challenge");
572 		return -1;
573 	}
574 
575 	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
576 			       RADIUS_VENDOR_ID_MICROSOFT, 1,
577 			       challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
578 
579 	/* MS-CHAP2-Response */
580 	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE,
581 			       RADIUS_VENDOR_ID_MICROSOFT, 1,
582 			       EAP_TTLS_MSCHAPV2_RESPONSE_LEN);
583 	data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN];
584 	*pos++ = data->ident;
585 	*pos++ = 0; /* Flags */
586 	if (os_get_random(pos, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) < 0) {
587 		os_free(challenge);
588 		wpabuf_clear_free(msg);
589 		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to get "
590 			   "random data for peer challenge");
591 		return -1;
592 	}
593 	peer_challenge = pos;
594 	pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
595 	os_memset(pos, 0, 8); /* Reserved, must be zero */
596 	pos += 8;
597 	if (mschapv2_derive_response(identity, identity_len, password,
598 				     password_len, pwhash, challenge,
599 				     peer_challenge, pos, data->auth_response,
600 				     data->master_key)) {
601 		os_free(challenge);
602 		wpabuf_clear_free(msg);
603 		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
604 			   "response");
605 		return -1;
606 	}
607 	data->auth_response_valid = 1;
608 
609 	pos += 24;
610 	os_free(challenge);
611 	AVP_PAD(buf, pos);
612 
613 	wpabuf_put(msg, pos - buf);
614 	*resp = msg;
615 
616 	return 0;
617 #else /* EAP_MSCHAPv2 */
618 	wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
619 	return -1;
620 #endif /* EAP_MSCHAPv2 */
621 #endif /* CONFIG_FIPS */
622 }
623 
624 
625 static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
626 					  struct eap_ttls_data *data,
627 					  struct eap_method_ret *ret,
628 					  struct wpabuf **resp)
629 {
630 #ifdef CONFIG_FIPS
631 	wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAP not supported in FIPS build");
632 	return -1;
633 #else /* CONFIG_FIPS */
634 	struct wpabuf *msg;
635 	u8 *buf, *pos, *challenge;
636 	const u8 *identity, *password;
637 	size_t identity_len, password_len;
638 	int pwhash;
639 
640 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request");
641 
642 	identity = eap_get_config_identity(sm, &identity_len);
643 	password = eap_get_config_password2(sm, &password_len, &pwhash);
644 	if (identity == NULL || password == NULL)
645 		return -1;
646 
647 	msg = wpabuf_alloc(identity_len + 1000);
648 	if (msg == NULL) {
649 		wpa_printf(MSG_ERROR,
650 			   "EAP-TTLS/MSCHAP: Failed to allocate memory");
651 		return -1;
652 	}
653 	pos = buf = wpabuf_mhead(msg);
654 
655 	/* User-Name */
656 	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
657 			       identity, identity_len);
658 
659 	/* MS-CHAP-Challenge */
660 	challenge = eap_ttls_implicit_challenge(
661 		sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
662 	if (challenge == NULL) {
663 		wpabuf_clear_free(msg);
664 		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive "
665 			   "implicit challenge");
666 		return -1;
667 	}
668 
669 	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
670 			       RADIUS_VENDOR_ID_MICROSOFT, 1,
671 			       challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
672 
673 	/* MS-CHAP-Response */
674 	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE,
675 			       RADIUS_VENDOR_ID_MICROSOFT, 1,
676 			       EAP_TTLS_MSCHAP_RESPONSE_LEN);
677 	data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN];
678 	*pos++ = data->ident;
679 	*pos++ = 1; /* Flags: Use NT style passwords */
680 	os_memset(pos, 0, 24); /* LM-Response */
681 	pos += 24;
682 	if (pwhash) {
683 		/* NT-Response */
684 		if (challenge_response(challenge, password, pos)) {
685 			wpa_printf(MSG_ERROR,
686 				   "EAP-TTLS/MSCHAP: Failed derive password hash");
687 			wpabuf_clear_free(msg);
688 			os_free(challenge);
689 			return -1;
690 		}
691 
692 		wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password hash",
693 				password, 16);
694 	} else {
695 		/* NT-Response */
696 		if (nt_challenge_response(challenge, password, password_len,
697 					  pos)) {
698 			wpa_printf(MSG_ERROR,
699 				   "EAP-TTLS/MSCHAP: Failed derive password");
700 			wpabuf_clear_free(msg);
701 			os_free(challenge);
702 			return -1;
703 		}
704 
705 		wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password",
706 				      password, password_len);
707 	}
708 	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge",
709 		    challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
710 	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24);
711 	pos += 24;
712 	os_free(challenge);
713 	AVP_PAD(buf, pos);
714 
715 	wpabuf_put(msg, pos - buf);
716 	*resp = msg;
717 
718 	/* EAP-TTLS/MSCHAP does not provide tunneled success
719 	 * notification, so assume that Phase2 succeeds. */
720 	ret->methodState = METHOD_DONE;
721 	ret->decision = DECISION_COND_SUCC;
722 
723 	return 0;
724 #endif /* CONFIG_FIPS */
725 }
726 
727 
728 static int eap_ttls_phase2_request_pap(struct eap_sm *sm,
729 				       struct eap_ttls_data *data,
730 				       struct eap_method_ret *ret,
731 				       struct wpabuf **resp)
732 {
733 	struct wpabuf *msg;
734 	u8 *buf, *pos;
735 	size_t pad;
736 	const u8 *identity, *password;
737 	size_t identity_len, password_len;
738 
739 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request");
740 
741 	identity = eap_get_config_identity(sm, &identity_len);
742 	password = eap_get_config_password(sm, &password_len);
743 	if (identity == NULL || password == NULL)
744 		return -1;
745 
746 	msg = wpabuf_alloc(identity_len + password_len + 100);
747 	if (msg == NULL) {
748 		wpa_printf(MSG_ERROR,
749 			   "EAP-TTLS/PAP: Failed to allocate memory");
750 		return -1;
751 	}
752 	pos = buf = wpabuf_mhead(msg);
753 
754 	/* User-Name */
755 	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
756 			       identity, identity_len);
757 
758 	/* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts
759 	 * the data, so no separate encryption is used in the AVP itself.
760 	 * However, the password is padded to obfuscate its length. */
761 	pad = password_len == 0 ? 16 : (16 - (password_len & 15)) & 15;
762 	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1,
763 			       password_len + pad);
764 	os_memcpy(pos, password, password_len);
765 	pos += password_len;
766 	os_memset(pos, 0, pad);
767 	pos += pad;
768 	AVP_PAD(buf, pos);
769 
770 	wpabuf_put(msg, pos - buf);
771 	*resp = msg;
772 
773 	/* EAP-TTLS/PAP does not provide tunneled success notification,
774 	 * so assume that Phase2 succeeds. */
775 	ret->methodState = METHOD_DONE;
776 	ret->decision = DECISION_COND_SUCC;
777 
778 	return 0;
779 }
780 
781 
782 static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
783 					struct eap_ttls_data *data,
784 					struct eap_method_ret *ret,
785 					struct wpabuf **resp)
786 {
787 #ifdef CONFIG_FIPS
788 	wpa_printf(MSG_ERROR, "EAP-TTLS: CHAP not supported in FIPS build");
789 	return -1;
790 #else /* CONFIG_FIPS */
791 	struct wpabuf *msg;
792 	u8 *buf, *pos, *challenge;
793 	const u8 *identity, *password;
794 	size_t identity_len, password_len;
795 
796 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request");
797 
798 	identity = eap_get_config_identity(sm, &identity_len);
799 	password = eap_get_config_password(sm, &password_len);
800 	if (identity == NULL || password == NULL)
801 		return -1;
802 
803 	msg = wpabuf_alloc(identity_len + 1000);
804 	if (msg == NULL) {
805 		wpa_printf(MSG_ERROR,
806 			   "EAP-TTLS/CHAP: Failed to allocate memory");
807 		return -1;
808 	}
809 	pos = buf = wpabuf_mhead(msg);
810 
811 	/* User-Name */
812 	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
813 			       identity, identity_len);
814 
815 	/* CHAP-Challenge */
816 	challenge = eap_ttls_implicit_challenge(
817 		sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
818 	if (challenge == NULL) {
819 		wpabuf_clear_free(msg);
820 		wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive "
821 			   "implicit challenge");
822 		return -1;
823 	}
824 
825 	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1,
826 			       challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
827 
828 	/* CHAP-Password */
829 	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1,
830 			       1 + EAP_TTLS_CHAP_PASSWORD_LEN);
831 	data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN];
832 	*pos++ = data->ident;
833 
834 	/* MD5(Ident + Password + Challenge) */
835 	chap_md5(data->ident, password, password_len, challenge,
836 		 EAP_TTLS_CHAP_CHALLENGE_LEN, pos);
837 
838 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username",
839 			  identity, identity_len);
840 	wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password",
841 			      password, password_len);
842 	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge",
843 		    challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
844 	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password",
845 		    pos, EAP_TTLS_CHAP_PASSWORD_LEN);
846 	pos += EAP_TTLS_CHAP_PASSWORD_LEN;
847 	os_free(challenge);
848 	AVP_PAD(buf, pos);
849 
850 	wpabuf_put(msg, pos - buf);
851 	*resp = msg;
852 
853 	/* EAP-TTLS/CHAP does not provide tunneled success
854 	 * notification, so assume that Phase2 succeeds. */
855 	ret->methodState = METHOD_DONE;
856 	ret->decision = DECISION_COND_SUCC;
857 
858 	return 0;
859 #endif /* CONFIG_FIPS */
860 }
861 
862 
863 static int eap_ttls_phase2_request(struct eap_sm *sm,
864 				   struct eap_ttls_data *data,
865 				   struct eap_method_ret *ret,
866 				   struct eap_hdr *hdr,
867 				   struct wpabuf **resp)
868 {
869 	int res = 0;
870 	size_t len;
871 	enum phase2_types phase2_type = data->phase2_type;
872 
873 #ifdef EAP_TNC
874 	if (data->tnc_started) {
875 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Processing TNC");
876 		phase2_type = EAP_TTLS_PHASE2_EAP;
877 	}
878 #endif /* EAP_TNC */
879 
880 	if (phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 ||
881 	    phase2_type == EAP_TTLS_PHASE2_MSCHAP ||
882 	    phase2_type == EAP_TTLS_PHASE2_PAP ||
883 	    phase2_type == EAP_TTLS_PHASE2_CHAP) {
884 		if (eap_get_config_identity(sm, &len) == NULL) {
885 			wpa_printf(MSG_INFO,
886 				   "EAP-TTLS: Identity not configured");
887 			eap_sm_request_identity(sm);
888 			if (eap_get_config_password(sm, &len) == NULL)
889 				eap_sm_request_password(sm);
890 			return 0;
891 		}
892 
893 		if (eap_get_config_password(sm, &len) == NULL) {
894 			wpa_printf(MSG_INFO,
895 				   "EAP-TTLS: Password not configured");
896 			eap_sm_request_password(sm);
897 			return 0;
898 		}
899 	}
900 
901 	switch (phase2_type) {
902 	case EAP_TTLS_PHASE2_EAP:
903 		res = eap_ttls_phase2_request_eap(sm, data, ret, hdr, resp);
904 		break;
905 	case EAP_TTLS_PHASE2_MSCHAPV2:
906 		res = eap_ttls_phase2_request_mschapv2(sm, data, ret, resp);
907 		break;
908 	case EAP_TTLS_PHASE2_MSCHAP:
909 		res = eap_ttls_phase2_request_mschap(sm, data, ret, resp);
910 		break;
911 	case EAP_TTLS_PHASE2_PAP:
912 		res = eap_ttls_phase2_request_pap(sm, data, ret, resp);
913 		break;
914 	case EAP_TTLS_PHASE2_CHAP:
915 		res = eap_ttls_phase2_request_chap(sm, data, ret, resp);
916 		break;
917 	default:
918 		wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown");
919 		res = -1;
920 		break;
921 	}
922 
923 	if (res < 0) {
924 		ret->methodState = METHOD_DONE;
925 		ret->decision = DECISION_FAIL;
926 	}
927 
928 	return res;
929 }
930 
931 
932 struct ttls_parse_avp {
933 	u8 *mschapv2;
934 	u8 *eapdata;
935 	size_t eap_len;
936 	int mschapv2_error;
937 };
938 
939 
940 static int eap_ttls_parse_attr_eap(const u8 *dpos, size_t dlen,
941 				   struct ttls_parse_avp *parse)
942 {
943 	wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
944 	if (parse->eapdata == NULL) {
945 		parse->eapdata = os_memdup(dpos, dlen);
946 		if (parse->eapdata == NULL) {
947 			wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate "
948 				   "memory for Phase 2 EAP data");
949 			return -1;
950 		}
951 		parse->eap_len = dlen;
952 	} else {
953 		u8 *neweap = os_realloc(parse->eapdata, parse->eap_len + dlen);
954 		if (neweap == NULL) {
955 			wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate "
956 				   "memory for Phase 2 EAP data");
957 			return -1;
958 		}
959 		os_memcpy(neweap + parse->eap_len, dpos, dlen);
960 		parse->eapdata = neweap;
961 		parse->eap_len += dlen;
962 	}
963 
964 	return 0;
965 }
966 
967 
968 static int eap_ttls_parse_avp(u8 *pos, size_t left,
969 			      struct ttls_parse_avp *parse)
970 {
971 	struct ttls_avp *avp;
972 	u32 avp_code, avp_length, vendor_id = 0;
973 	u8 avp_flags, *dpos;
974 	size_t dlen;
975 
976 	avp = (struct ttls_avp *) pos;
977 	avp_code = be_to_host32(avp->avp_code);
978 	avp_length = be_to_host32(avp->avp_length);
979 	avp_flags = (avp_length >> 24) & 0xff;
980 	avp_length &= 0xffffff;
981 	wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
982 		   "length=%d", (int) avp_code, avp_flags,
983 		   (int) avp_length);
984 
985 	if (avp_length > left) {
986 		wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
987 			   "(len=%d, left=%lu) - dropped",
988 			   (int) avp_length, (unsigned long) left);
989 		return -1;
990 	}
991 
992 	if (avp_length < sizeof(*avp)) {
993 		wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length %d",
994 			   avp_length);
995 		return -1;
996 	}
997 
998 	dpos = (u8 *) (avp + 1);
999 	dlen = avp_length - sizeof(*avp);
1000 	if (avp_flags & AVP_FLAGS_VENDOR) {
1001 		if (dlen < 4) {
1002 			wpa_printf(MSG_WARNING, "EAP-TTLS: Vendor AVP "
1003 				   "underflow");
1004 			return -1;
1005 		}
1006 		vendor_id = WPA_GET_BE32(dpos);
1007 		wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
1008 			   (int) vendor_id);
1009 		dpos += 4;
1010 		dlen -= 4;
1011 	}
1012 
1013 	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
1014 
1015 	if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
1016 		if (eap_ttls_parse_attr_eap(dpos, dlen, parse) < 0)
1017 			return -1;
1018 	} else if (vendor_id == 0 && avp_code == RADIUS_ATTR_REPLY_MESSAGE) {
1019 		/* This is an optional message that can be displayed to
1020 		 * the user. */
1021 		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: AVP - Reply-Message",
1022 				  dpos, dlen);
1023 	} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
1024 		   avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) {
1025 		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP2-Success",
1026 				  dpos, dlen);
1027 		if (dlen != 43) {
1028 			wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected "
1029 				   "MS-CHAP2-Success length "
1030 				   "(len=%lu, expected 43)",
1031 				   (unsigned long) dlen);
1032 			return -1;
1033 		}
1034 		parse->mschapv2 = dpos;
1035 	} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
1036 		   avp_code == RADIUS_ATTR_MS_CHAP_ERROR) {
1037 		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP-Error",
1038 				  dpos, dlen);
1039 		parse->mschapv2_error = 1;
1040 	} else if (avp_flags & AVP_FLAGS_MANDATORY) {
1041 		wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported mandatory AVP "
1042 			   "code %d vendor_id %d - dropped",
1043 			   (int) avp_code, (int) vendor_id);
1044 		return -1;
1045 	} else {
1046 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported AVP "
1047 			   "code %d vendor_id %d",
1048 			   (int) avp_code, (int) vendor_id);
1049 	}
1050 
1051 	return avp_length;
1052 }
1053 
1054 
1055 static int eap_ttls_parse_avps(struct wpabuf *in_decrypted,
1056 			       struct ttls_parse_avp *parse)
1057 {
1058 	u8 *pos;
1059 	size_t left, pad;
1060 	int avp_length;
1061 
1062 	pos = wpabuf_mhead(in_decrypted);
1063 	left = wpabuf_len(in_decrypted);
1064 	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs", pos, left);
1065 	if (left < sizeof(struct ttls_avp)) {
1066 		wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame"
1067 			   " len=%lu expected %lu or more - dropped",
1068 			   (unsigned long) left,
1069 			   (unsigned long) sizeof(struct ttls_avp));
1070 		return -1;
1071 	}
1072 
1073 	/* Parse AVPs */
1074 	os_memset(parse, 0, sizeof(*parse));
1075 
1076 	while (left > 0) {
1077 		avp_length = eap_ttls_parse_avp(pos, left, parse);
1078 		if (avp_length < 0)
1079 			return -1;
1080 
1081 		pad = (4 - (avp_length & 3)) & 3;
1082 		pos += avp_length + pad;
1083 		if (left < avp_length + pad)
1084 			left = 0;
1085 		else
1086 			left -= avp_length + pad;
1087 	}
1088 
1089 	return 0;
1090 }
1091 
1092 
1093 static u8 * eap_ttls_fake_identity_request(void)
1094 {
1095 	struct eap_hdr *hdr;
1096 	u8 *buf;
1097 
1098 	wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of "
1099 		   "Phase 2 - use fake EAP-Request Identity");
1100 	buf = os_malloc(sizeof(*hdr) + 1);
1101 	if (buf == NULL) {
1102 		wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate "
1103 			   "memory for fake EAP-Identity Request");
1104 		return NULL;
1105 	}
1106 
1107 	hdr = (struct eap_hdr *) buf;
1108 	hdr->code = EAP_CODE_REQUEST;
1109 	hdr->identifier = 0;
1110 	hdr->length = host_to_be16(sizeof(*hdr) + 1);
1111 	buf[sizeof(*hdr)] = EAP_TYPE_IDENTITY;
1112 
1113 	return buf;
1114 }
1115 
1116 
1117 static int eap_ttls_encrypt_response(struct eap_sm *sm,
1118 				     struct eap_ttls_data *data,
1119 				     struct wpabuf *resp, u8 identifier,
1120 				     struct wpabuf **out_data)
1121 {
1122 	if (resp == NULL)
1123 		return 0;
1124 
1125 	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data",
1126 			    resp);
1127 	if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS,
1128 				 data->ttls_version, identifier,
1129 				 resp, out_data)) {
1130 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt a Phase 2 "
1131 			   "frame");
1132 		wpabuf_clear_free(resp);
1133 		return -1;
1134 	}
1135 	wpabuf_clear_free(resp);
1136 
1137 	return 0;
1138 }
1139 
1140 
1141 static int eap_ttls_process_phase2_eap(struct eap_sm *sm,
1142 				       struct eap_ttls_data *data,
1143 				       struct eap_method_ret *ret,
1144 				       struct ttls_parse_avp *parse,
1145 				       struct wpabuf **resp)
1146 {
1147 	struct eap_hdr *hdr;
1148 	size_t len;
1149 
1150 	if (parse->eapdata == NULL) {
1151 		wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in the "
1152 			   "packet - dropped");
1153 		return -1;
1154 	}
1155 
1156 	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP",
1157 		    parse->eapdata, parse->eap_len);
1158 	hdr = (struct eap_hdr *) parse->eapdata;
1159 
1160 	if (parse->eap_len < sizeof(*hdr)) {
1161 		wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 EAP "
1162 			   "frame (len=%lu, expected %lu or more) - dropped",
1163 			   (unsigned long) parse->eap_len,
1164 			   (unsigned long) sizeof(*hdr));
1165 		return -1;
1166 	}
1167 	len = be_to_host16(hdr->length);
1168 	if (len > parse->eap_len) {
1169 		wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in Phase 2 "
1170 			   "EAP frame (EAP hdr len=%lu, EAP data len in "
1171 			   "AVP=%lu)",
1172 			   (unsigned long) len,
1173 			   (unsigned long) parse->eap_len);
1174 		return -1;
1175 	}
1176 	wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d "
1177 		   "identifier=%d length=%lu",
1178 		   hdr->code, hdr->identifier, (unsigned long) len);
1179 	switch (hdr->code) {
1180 	case EAP_CODE_REQUEST:
1181 		if (eap_ttls_phase2_request(sm, data, ret, hdr, resp)) {
1182 			wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request "
1183 				   "processing failed");
1184 			return -1;
1185 		}
1186 		break;
1187 	default:
1188 		wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in "
1189 			   "Phase 2 EAP header", hdr->code);
1190 		return -1;
1191 	}
1192 
1193 	return 0;
1194 }
1195 
1196 
1197 static int eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
1198 					    struct eap_ttls_data *data,
1199 					    struct eap_method_ret *ret,
1200 					    struct ttls_parse_avp *parse)
1201 {
1202 #ifdef EAP_MSCHAPv2
1203 	if (parse->mschapv2_error) {
1204 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received "
1205 			   "MS-CHAP-Error - failed");
1206 		ret->methodState = METHOD_DONE;
1207 		ret->decision = DECISION_FAIL;
1208 		/* Reply with empty data to ACK error */
1209 		return 1;
1210 	}
1211 
1212 	if (parse->mschapv2 == NULL) {
1213 #ifdef EAP_TNC
1214 		if (data->phase2_success && parse->eapdata) {
1215 			/*
1216 			 * Allow EAP-TNC to be started after successfully
1217 			 * completed MSCHAPV2.
1218 			 */
1219 			return 1;
1220 		}
1221 #endif /* EAP_TNC */
1222 		wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success AVP "
1223 			   "received for Phase2 MSCHAPV2");
1224 		return -1;
1225 	}
1226 	if (parse->mschapv2[0] != data->ident) {
1227 		wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch for Phase 2 "
1228 			   "MSCHAPV2 (received Ident 0x%02x, expected 0x%02x)",
1229 			   parse->mschapv2[0], data->ident);
1230 		return -1;
1231 	}
1232 	if (!data->auth_response_valid ||
1233 	    mschapv2_verify_auth_response(data->auth_response,
1234 					  parse->mschapv2 + 1, 42)) {
1235 		wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid authenticator "
1236 			   "response in Phase 2 MSCHAPV2 success request");
1237 		return -1;
1238 	}
1239 
1240 	wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 "
1241 		   "authentication succeeded");
1242 	ret->methodState = METHOD_DONE;
1243 	ret->decision = DECISION_UNCOND_SUCC;
1244 	data->phase2_success = 1;
1245 
1246 	/*
1247 	 * Reply with empty data; authentication server will reply
1248 	 * with EAP-Success after this.
1249 	 */
1250 	return 1;
1251 #else /* EAP_MSCHAPv2 */
1252 	wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
1253 	return -1;
1254 #endif /* EAP_MSCHAPv2 */
1255 }
1256 
1257 
1258 #ifdef EAP_TNC
1259 static int eap_ttls_process_tnc_start(struct eap_sm *sm,
1260 				      struct eap_ttls_data *data,
1261 				      struct eap_method_ret *ret,
1262 				      struct ttls_parse_avp *parse,
1263 				      struct wpabuf **resp)
1264 {
1265 	/* TNC uses inner EAP method after non-EAP TTLS phase 2. */
1266 	if (parse->eapdata == NULL) {
1267 		wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received "
1268 			   "unexpected tunneled data (no EAP)");
1269 		return -1;
1270 	}
1271 
1272 	if (!data->ready_for_tnc) {
1273 		wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received "
1274 			   "EAP after non-EAP, but not ready for TNC");
1275 		return -1;
1276 	}
1277 
1278 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed "
1279 		   "non-EAP method");
1280 	data->tnc_started = 1;
1281 
1282 	if (eap_ttls_process_phase2_eap(sm, data, ret, parse, resp) < 0)
1283 		return -1;
1284 
1285 	return 0;
1286 }
1287 #endif /* EAP_TNC */
1288 
1289 
1290 static int eap_ttls_process_decrypted(struct eap_sm *sm,
1291 				      struct eap_ttls_data *data,
1292 				      struct eap_method_ret *ret,
1293 				      u8 identifier,
1294 				      struct ttls_parse_avp *parse,
1295 				      struct wpabuf *in_decrypted,
1296 				      struct wpabuf **out_data)
1297 {
1298 	struct wpabuf *resp = NULL;
1299 	struct eap_peer_config *config = eap_get_config(sm);
1300 	int res;
1301 	enum phase2_types phase2_type = data->phase2_type;
1302 
1303 #ifdef EAP_TNC
1304 	if (data->tnc_started)
1305 		phase2_type = EAP_TTLS_PHASE2_EAP;
1306 #endif /* EAP_TNC */
1307 
1308 	switch (phase2_type) {
1309 	case EAP_TTLS_PHASE2_EAP:
1310 		if (eap_ttls_process_phase2_eap(sm, data, ret, parse, &resp) <
1311 		    0)
1312 			return -1;
1313 		break;
1314 	case EAP_TTLS_PHASE2_MSCHAPV2:
1315 		res = eap_ttls_process_phase2_mschapv2(sm, data, ret, parse);
1316 #ifdef EAP_TNC
1317 		if (res == 1 && parse->eapdata && data->phase2_success) {
1318 			/*
1319 			 * TNC may be required as the next
1320 			 * authentication method within the tunnel.
1321 			 */
1322 			ret->methodState = METHOD_MAY_CONT;
1323 			data->ready_for_tnc = 1;
1324 			if (eap_ttls_process_tnc_start(sm, data, ret, parse,
1325 						       &resp) == 0)
1326 				break;
1327 		}
1328 #endif /* EAP_TNC */
1329 		return res;
1330 	case EAP_TTLS_PHASE2_MSCHAP:
1331 	case EAP_TTLS_PHASE2_PAP:
1332 	case EAP_TTLS_PHASE2_CHAP:
1333 #ifdef EAP_TNC
1334 		if (eap_ttls_process_tnc_start(sm, data, ret, parse, &resp) <
1335 		    0)
1336 			return -1;
1337 		break;
1338 #else /* EAP_TNC */
1339 		/* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled
1340 		 * requests to the supplicant */
1341 		wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected "
1342 			   "tunneled data");
1343 		return -1;
1344 #endif /* EAP_TNC */
1345 	}
1346 
1347 	if (resp) {
1348 		if (eap_ttls_encrypt_response(sm, data, resp, identifier,
1349 					      out_data) < 0)
1350 			return -1;
1351 	} else if (config->pending_req_identity ||
1352 		   config->pending_req_password ||
1353 		   config->pending_req_otp ||
1354 		   config->pending_req_new_password ||
1355 		   config->pending_req_sim) {
1356 		wpabuf_clear_free(data->pending_phase2_req);
1357 		data->pending_phase2_req = wpabuf_dup(in_decrypted);
1358 	}
1359 
1360 	return 0;
1361 }
1362 
1363 
1364 static int eap_ttls_implicit_identity_request(struct eap_sm *sm,
1365 					      struct eap_ttls_data *data,
1366 					      struct eap_method_ret *ret,
1367 					      u8 identifier,
1368 					      struct wpabuf **out_data)
1369 {
1370 	int retval = 0;
1371 	struct eap_hdr *hdr;
1372 	struct wpabuf *resp;
1373 
1374 	hdr = (struct eap_hdr *) eap_ttls_fake_identity_request();
1375 	if (hdr == NULL) {
1376 		ret->methodState = METHOD_DONE;
1377 		ret->decision = DECISION_FAIL;
1378 		return -1;
1379 	}
1380 
1381 	resp = NULL;
1382 	if (eap_ttls_phase2_request(sm, data, ret, hdr, &resp)) {
1383 		wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request "
1384 			   "processing failed");
1385 		retval = -1;
1386 	} else {
1387 		struct eap_peer_config *config = eap_get_config(sm);
1388 		if (resp == NULL &&
1389 		    (config->pending_req_identity ||
1390 		     config->pending_req_password ||
1391 		     config->pending_req_otp ||
1392 		     config->pending_req_new_password ||
1393 		     config->pending_req_sim)) {
1394 			/*
1395 			 * Use empty buffer to force implicit request
1396 			 * processing when EAP request is re-processed after
1397 			 * user input.
1398 			 */
1399 			wpabuf_clear_free(data->pending_phase2_req);
1400 			data->pending_phase2_req = wpabuf_alloc(0);
1401 		}
1402 
1403 		retval = eap_ttls_encrypt_response(sm, data, resp, identifier,
1404 						   out_data);
1405 	}
1406 
1407 	os_free(hdr);
1408 
1409 	if (retval < 0) {
1410 		ret->methodState = METHOD_DONE;
1411 		ret->decision = DECISION_FAIL;
1412 	}
1413 
1414 	return retval;
1415 }
1416 
1417 
1418 static int eap_ttls_phase2_start(struct eap_sm *sm, struct eap_ttls_data *data,
1419 				 struct eap_method_ret *ret, u8 identifier,
1420 				 struct wpabuf **out_data)
1421 {
1422 	data->phase2_start = 0;
1423 
1424 	/*
1425 	 * EAP-TTLS does not use Phase2 on fast re-auth; this must be done only
1426 	 * if TLS part was indeed resuming a previous session. Most
1427 	 * Authentication Servers terminate EAP-TTLS before reaching this
1428 	 * point, but some do not. Make wpa_supplicant stop phase 2 here, if
1429 	 * needed.
1430 	 */
1431 	if (data->reauth &&
1432 	    tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
1433 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - "
1434 			   "skip phase 2");
1435 		*out_data = eap_peer_tls_build_ack(identifier, EAP_TYPE_TTLS,
1436 						   data->ttls_version);
1437 		ret->methodState = METHOD_DONE;
1438 		ret->decision = DECISION_UNCOND_SUCC;
1439 		data->phase2_success = 1;
1440 		return 0;
1441 	}
1442 
1443 	return eap_ttls_implicit_identity_request(sm, data, ret, identifier,
1444 						  out_data);
1445 }
1446 
1447 
1448 static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data,
1449 			    struct eap_method_ret *ret, u8 identifier,
1450 			    const struct wpabuf *in_data,
1451 			    struct wpabuf **out_data)
1452 {
1453 	struct wpabuf *in_decrypted = NULL;
1454 	int retval = 0;
1455 	struct ttls_parse_avp parse;
1456 
1457 	os_memset(&parse, 0, sizeof(parse));
1458 
1459 	wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1460 		   " Phase 2",
1461 		   in_data ? (unsigned long) wpabuf_len(in_data) : 0);
1462 
1463 	if (data->pending_phase2_req) {
1464 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - "
1465 			   "skip decryption and use old data");
1466 		/* Clear TLS reassembly state. */
1467 		eap_peer_tls_reset_input(&data->ssl);
1468 
1469 		in_decrypted = data->pending_phase2_req;
1470 		data->pending_phase2_req = NULL;
1471 		if (wpabuf_len(in_decrypted) == 0) {
1472 			wpabuf_clear_free(in_decrypted);
1473 			return eap_ttls_implicit_identity_request(
1474 				sm, data, ret, identifier, out_data);
1475 		}
1476 		goto continue_req;
1477 	}
1478 
1479 	if ((in_data == NULL || wpabuf_len(in_data) == 0) &&
1480 	    data->phase2_start) {
1481 start:
1482 		return eap_ttls_phase2_start(sm, data, ret, identifier,
1483 					     out_data);
1484 	}
1485 
1486 	if (in_data == NULL || wpabuf_len(in_data) == 0) {
1487 		/* Received TLS ACK - requesting more fragments */
1488 		return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS,
1489 					    data->ttls_version,
1490 					    identifier, NULL, out_data);
1491 	}
1492 
1493 	retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted);
1494 	if (retval)
1495 		goto done;
1496 	if (wpabuf_len(in_decrypted) == 0) {
1497 		wpabuf_free(in_decrypted);
1498 		goto start;
1499 	}
1500 
1501 	/* RFC 9190 Section 2.5 */
1502 	if (data->ssl.tls_v13 && wpabuf_len(in_decrypted) == 1 &&
1503 	    *wpabuf_head_u8(in_decrypted) == 0) {
1504 		wpa_printf(MSG_DEBUG,
1505 			   "EAP-TLS: ACKing protected success indication (appl data 0x00)");
1506 		eap_peer_tls_reset_output(&data->ssl);
1507 		wpabuf_free(in_decrypted);
1508 		return 1;
1509 	}
1510 
1511 continue_req:
1512 	data->phase2_start = 0;
1513 
1514 	if (eap_ttls_parse_avps(in_decrypted, &parse) < 0) {
1515 		retval = -1;
1516 		goto done;
1517 	}
1518 
1519 	retval = eap_ttls_process_decrypted(sm, data, ret, identifier,
1520 					    &parse, in_decrypted, out_data);
1521 
1522 done:
1523 	wpabuf_clear_free(in_decrypted);
1524 	os_free(parse.eapdata);
1525 
1526 	if (retval < 0) {
1527 		ret->methodState = METHOD_DONE;
1528 		ret->decision = DECISION_FAIL;
1529 	}
1530 
1531 	return retval;
1532 }
1533 
1534 
1535 static int eap_ttls_process_handshake(struct eap_sm *sm,
1536 				      struct eap_ttls_data *data,
1537 				      struct eap_method_ret *ret,
1538 				      u8 identifier,
1539 				      const struct wpabuf *in_data,
1540 				      struct wpabuf **out_data)
1541 {
1542 	int res;
1543 
1544 	if (sm->waiting_ext_cert_check && data->pending_resp) {
1545 		struct eap_peer_config *config = eap_get_config(sm);
1546 
1547 		if (config->pending_ext_cert_check == EXT_CERT_CHECK_GOOD) {
1548 			wpa_printf(MSG_DEBUG,
1549 				   "EAP-TTLS: External certificate check succeeded - continue handshake");
1550 			*out_data = data->pending_resp;
1551 			data->pending_resp = NULL;
1552 			sm->waiting_ext_cert_check = 0;
1553 			return 0;
1554 		}
1555 
1556 		if (config->pending_ext_cert_check == EXT_CERT_CHECK_BAD) {
1557 			wpa_printf(MSG_DEBUG,
1558 				   "EAP-TTLS: External certificate check failed - force authentication failure");
1559 			ret->methodState = METHOD_DONE;
1560 			ret->decision = DECISION_FAIL;
1561 			sm->waiting_ext_cert_check = 0;
1562 			return 0;
1563 		}
1564 
1565 		wpa_printf(MSG_DEBUG,
1566 			   "EAP-TTLS: Continuing to wait external server certificate validation");
1567 		return 0;
1568 	}
1569 
1570 	res = eap_peer_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS,
1571 					  data->ttls_version, identifier,
1572 					  in_data, out_data);
1573 	if (res < 0) {
1574 		wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS processing failed");
1575 		ret->methodState = METHOD_DONE;
1576 		ret->decision = DECISION_FAIL;
1577 		return -1;
1578 	}
1579 
1580 	if (sm->waiting_ext_cert_check) {
1581 		wpa_printf(MSG_DEBUG,
1582 			   "EAP-TTLS: Waiting external server certificate validation");
1583 		wpabuf_clear_free(data->pending_resp);
1584 		data->pending_resp = *out_data;
1585 		*out_data = NULL;
1586 		return 0;
1587 	}
1588 
1589 	if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
1590 		wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS done, proceed to "
1591 			   "Phase 2");
1592 		if (data->resuming) {
1593 			wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth - may "
1594 				   "skip Phase 2");
1595 			ret->decision = DECISION_COND_SUCC;
1596 			ret->methodState = METHOD_MAY_CONT;
1597 		}
1598 		data->phase2_start = 1;
1599 		eap_ttls_v0_derive_key(sm, data);
1600 
1601 		if (*out_data == NULL || wpabuf_len(*out_data) == 0) {
1602 			if (eap_ttls_decrypt(sm, data, ret, identifier,
1603 					     NULL, out_data)) {
1604 				wpa_printf(MSG_WARNING, "EAP-TTLS: "
1605 					   "failed to process early "
1606 					   "start for Phase 2");
1607 			}
1608 			res = 0;
1609 		}
1610 		data->resuming = 0;
1611 	}
1612 
1613 	if (res == 2) {
1614 		/*
1615 		 * Application data included in the handshake message.
1616 		 */
1617 		wpabuf_clear_free(data->pending_phase2_req);
1618 		data->pending_phase2_req = *out_data;
1619 		*out_data = NULL;
1620 		res = eap_ttls_decrypt(sm, data, ret, identifier, in_data,
1621 				       out_data);
1622 	}
1623 
1624 	return res;
1625 }
1626 
1627 
1628 static void eap_ttls_check_auth_status(struct eap_sm *sm,
1629 				       struct eap_ttls_data *data,
1630 				       struct eap_method_ret *ret)
1631 {
1632 	if (ret->methodState == METHOD_DONE) {
1633 		ret->allowNotifications = false;
1634 		if (ret->decision == DECISION_UNCOND_SUCC ||
1635 		    ret->decision == DECISION_COND_SUCC) {
1636 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1637 				   "completed successfully");
1638 			data->phase2_success = 1;
1639 			data->decision_succ = ret->decision;
1640 #ifdef EAP_TNC
1641 			if (!data->ready_for_tnc && !data->tnc_started) {
1642 				/*
1643 				 * TNC may be required as the next
1644 				 * authentication method within the tunnel.
1645 				 */
1646 				ret->methodState = METHOD_MAY_CONT;
1647 				data->ready_for_tnc = 1;
1648 			}
1649 #endif /* EAP_TNC */
1650 		}
1651 	} else if (ret->methodState == METHOD_MAY_CONT &&
1652 		   (ret->decision == DECISION_UNCOND_SUCC ||
1653 		    ret->decision == DECISION_COND_SUCC)) {
1654 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1655 				   "completed successfully (MAY_CONT)");
1656 			data->phase2_success = 1;
1657 			data->decision_succ = ret->decision;
1658 	} else if (data->decision_succ != DECISION_FAIL &&
1659 		   data->phase2_success &&
1660 		   !data->ssl.tls_out) {
1661 		/*
1662 		 * This is needed to cover the case where the final Phase 2
1663 		 * message gets fragmented since fragmentation clears
1664 		 * decision back to FAIL.
1665 		 */
1666 		wpa_printf(MSG_DEBUG,
1667 			   "EAP-TTLS: Restore success decision after fragmented frame sent completely");
1668 		ret->decision = data->decision_succ;
1669 	}
1670 }
1671 
1672 
1673 static struct wpabuf * eap_ttls_process(struct eap_sm *sm, void *priv,
1674 					struct eap_method_ret *ret,
1675 					const struct wpabuf *reqData)
1676 {
1677 	size_t left;
1678 	int res;
1679 	u8 flags, id;
1680 	struct wpabuf *resp;
1681 	const u8 *pos;
1682 	struct eap_ttls_data *data = priv;
1683 	struct wpabuf msg;
1684 
1685 	pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret,
1686 					reqData, &left, &flags);
1687 	if (pos == NULL)
1688 		return NULL;
1689 	id = eap_get_id(reqData);
1690 
1691 	if (flags & EAP_TLS_FLAGS_START) {
1692 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own "
1693 			   "ver=%d)", flags & EAP_TLS_VERSION_MASK,
1694 			   data->ttls_version);
1695 
1696 		/* RFC 5281, Ch. 9.2:
1697 		 * "This packet MAY contain additional information in the form
1698 		 * of AVPs, which may provide useful hints to the client"
1699 		 * For now, ignore any potential extra data.
1700 		 */
1701 		left = 0;
1702 	}
1703 
1704 	wpabuf_set(&msg, pos, left);
1705 
1706 	resp = NULL;
1707 	if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1708 	    !data->resuming) {
1709 		res = eap_ttls_decrypt(sm, data, ret, id, &msg, &resp);
1710 	} else {
1711 		res = eap_ttls_process_handshake(sm, data, ret, id,
1712 						 &msg, &resp);
1713 	}
1714 
1715 	eap_ttls_check_auth_status(sm, data, ret);
1716 
1717 	/* FIX: what about res == -1? Could just move all error processing into
1718 	 * the other functions and get rid of this res==1 case here. */
1719 	if (res == 1) {
1720 		wpabuf_clear_free(resp);
1721 		return eap_peer_tls_build_ack(id, EAP_TYPE_TTLS,
1722 					      data->ttls_version);
1723 	}
1724 	return resp;
1725 }
1726 
1727 
1728 static bool eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv)
1729 {
1730 	struct eap_ttls_data *data = priv;
1731 
1732 	return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1733 		data->phase2_success && data->phase2_auth != ALWAYS;
1734 }
1735 
1736 
1737 static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv)
1738 {
1739 	struct eap_ttls_data *data = priv;
1740 
1741 	if (data->phase2_priv && data->phase2_method &&
1742 	    data->phase2_method->deinit_for_reauth)
1743 		data->phase2_method->deinit_for_reauth(sm, data->phase2_priv);
1744 	wpabuf_clear_free(data->pending_phase2_req);
1745 	data->pending_phase2_req = NULL;
1746 	wpabuf_clear_free(data->pending_resp);
1747 	data->pending_resp = NULL;
1748 	data->decision_succ = DECISION_FAIL;
1749 #ifdef EAP_TNC
1750 	data->ready_for_tnc = 0;
1751 	data->tnc_started = 0;
1752 #endif /* EAP_TNC */
1753 }
1754 
1755 
1756 static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv)
1757 {
1758 	struct eap_ttls_data *data = priv;
1759 	eap_ttls_free_key(data);
1760 	os_free(data->session_id);
1761 	data->session_id = NULL;
1762 	if (eap_peer_tls_reauth_init(sm, &data->ssl)) {
1763 		os_free(data);
1764 		return NULL;
1765 	}
1766 	if (data->phase2_priv && data->phase2_method &&
1767 	    data->phase2_method->init_for_reauth)
1768 		data->phase2_method->init_for_reauth(sm, data->phase2_priv);
1769 	data->phase2_start = 0;
1770 	data->phase2_success = 0;
1771 	data->resuming = 1;
1772 	data->reauth = 1;
1773 	return priv;
1774 }
1775 
1776 
1777 static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf,
1778 			       size_t buflen, int verbose)
1779 {
1780 	struct eap_ttls_data *data = priv;
1781 	int len, ret;
1782 
1783 	len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose);
1784 	ret = os_snprintf(buf + len, buflen - len,
1785 			  "EAP-TTLSv%d Phase2 method=",
1786 			  data->ttls_version);
1787 	if (os_snprintf_error(buflen - len, ret))
1788 		return len;
1789 	len += ret;
1790 	switch (data->phase2_type) {
1791 	case EAP_TTLS_PHASE2_EAP:
1792 		ret = os_snprintf(buf + len, buflen - len, "EAP-%s\n",
1793 				  data->phase2_method ?
1794 				  data->phase2_method->name : "?");
1795 		break;
1796 	case EAP_TTLS_PHASE2_MSCHAPV2:
1797 		ret = os_snprintf(buf + len, buflen - len, "MSCHAPV2\n");
1798 		break;
1799 	case EAP_TTLS_PHASE2_MSCHAP:
1800 		ret = os_snprintf(buf + len, buflen - len, "MSCHAP\n");
1801 		break;
1802 	case EAP_TTLS_PHASE2_PAP:
1803 		ret = os_snprintf(buf + len, buflen - len, "PAP\n");
1804 		break;
1805 	case EAP_TTLS_PHASE2_CHAP:
1806 		ret = os_snprintf(buf + len, buflen - len, "CHAP\n");
1807 		break;
1808 	default:
1809 		ret = 0;
1810 		break;
1811 	}
1812 	if (os_snprintf_error(buflen - len, ret))
1813 		return len;
1814 	len += ret;
1815 
1816 	return len;
1817 }
1818 
1819 
1820 static bool eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv)
1821 {
1822 	struct eap_ttls_data *data = priv;
1823 	return data->key_data != NULL && data->phase2_success;
1824 }
1825 
1826 
1827 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1828 {
1829 	struct eap_ttls_data *data = priv;
1830 	u8 *key;
1831 
1832 	if (data->key_data == NULL || !data->phase2_success)
1833 		return NULL;
1834 
1835 	key = os_memdup(data->key_data, EAP_TLS_KEY_LEN);
1836 	if (key == NULL)
1837 		return NULL;
1838 
1839 	*len = EAP_TLS_KEY_LEN;
1840 
1841 	return key;
1842 }
1843 
1844 
1845 static u8 * eap_ttls_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
1846 {
1847 	struct eap_ttls_data *data = priv;
1848 	u8 *id;
1849 
1850 	if (data->session_id == NULL || !data->phase2_success)
1851 		return NULL;
1852 
1853 	id = os_memdup(data->session_id, data->id_len);
1854 	if (id == NULL)
1855 		return NULL;
1856 
1857 	*len = data->id_len;
1858 
1859 	return id;
1860 }
1861 
1862 
1863 static u8 * eap_ttls_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
1864 {
1865 	struct eap_ttls_data *data = priv;
1866 	u8 *key;
1867 
1868 	if (data->key_data == NULL)
1869 		return NULL;
1870 
1871 	key = os_memdup(data->key_data + EAP_TLS_KEY_LEN, EAP_EMSK_LEN);
1872 	if (key == NULL)
1873 		return NULL;
1874 
1875 	*len = EAP_EMSK_LEN;
1876 
1877 	return key;
1878 }
1879 
1880 
1881 int eap_peer_ttls_register(void)
1882 {
1883 	struct eap_method *eap;
1884 
1885 	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
1886 				    EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1887 	if (eap == NULL)
1888 		return -1;
1889 
1890 	eap->init = eap_ttls_init;
1891 	eap->deinit = eap_ttls_deinit;
1892 	eap->process = eap_ttls_process;
1893 	eap->isKeyAvailable = eap_ttls_isKeyAvailable;
1894 	eap->getKey = eap_ttls_getKey;
1895 	eap->getSessionId = eap_ttls_get_session_id;
1896 	eap->get_status = eap_ttls_get_status;
1897 	eap->has_reauth_data = eap_ttls_has_reauth_data;
1898 	eap->deinit_for_reauth = eap_ttls_deinit_for_reauth;
1899 	eap->init_for_reauth = eap_ttls_init_for_reauth;
1900 	eap->get_emsk = eap_ttls_get_emsk;
1901 
1902 	return eap_peer_method_register(eap);
1903 }
1904