xref: /freebsd/contrib/wpa/src/eap_server/eap_server_peap.c (revision 190cef3d52236565eb22e18b33e9e865ec634aa3)
1 /*
2  * hostapd / EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt)
3  * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/sha1.h"
13 #include "crypto/tls.h"
14 #include "crypto/random.h"
15 #include "eap_i.h"
16 #include "eap_tls_common.h"
17 #include "eap_common/eap_tlv_common.h"
18 #include "eap_common/eap_peap_common.h"
19 #include "tncs.h"
20 
21 
22 /* Maximum supported PEAP version
23  * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
24  * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt
25  */
26 #define EAP_PEAP_VERSION 1
27 
28 
29 static void eap_peap_reset(struct eap_sm *sm, void *priv);
30 
31 
32 struct eap_peap_data {
33 	struct eap_ssl_data ssl;
34 	enum {
35 		START, PHASE1, PHASE1_ID2, PHASE2_START, PHASE2_ID,
36 		PHASE2_METHOD, PHASE2_SOH,
37 		PHASE2_TLV, SUCCESS_REQ, FAILURE_REQ, SUCCESS, FAILURE
38 	} state;
39 
40 	int peap_version;
41 	int recv_version;
42 	const struct eap_method *phase2_method;
43 	void *phase2_priv;
44 	int force_version;
45 	struct wpabuf *pending_phase2_resp;
46 	enum { TLV_REQ_NONE, TLV_REQ_SUCCESS, TLV_REQ_FAILURE } tlv_request;
47 	int crypto_binding_sent;
48 	int crypto_binding_used;
49 	enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding;
50 	u8 binding_nonce[32];
51 	u8 ipmk[40];
52 	u8 cmk[20];
53 	u8 *phase2_key;
54 	size_t phase2_key_len;
55 	struct wpabuf *soh_response;
56 };
57 
58 
59 static const char * eap_peap_state_txt(int state)
60 {
61 	switch (state) {
62 	case START:
63 		return "START";
64 	case PHASE1:
65 		return "PHASE1";
66 	case PHASE1_ID2:
67 		return "PHASE1_ID2";
68 	case PHASE2_START:
69 		return "PHASE2_START";
70 	case PHASE2_ID:
71 		return "PHASE2_ID";
72 	case PHASE2_METHOD:
73 		return "PHASE2_METHOD";
74 	case PHASE2_SOH:
75 		return "PHASE2_SOH";
76 	case PHASE2_TLV:
77 		return "PHASE2_TLV";
78 	case SUCCESS_REQ:
79 		return "SUCCESS_REQ";
80 	case FAILURE_REQ:
81 		return "FAILURE_REQ";
82 	case SUCCESS:
83 		return "SUCCESS";
84 	case FAILURE:
85 		return "FAILURE";
86 	default:
87 		return "Unknown?!";
88 	}
89 }
90 
91 
92 static void eap_peap_state(struct eap_peap_data *data, int state)
93 {
94 	wpa_printf(MSG_DEBUG, "EAP-PEAP: %s -> %s",
95 		   eap_peap_state_txt(data->state),
96 		   eap_peap_state_txt(state));
97 	data->state = state;
98 	if (state == FAILURE || state == FAILURE_REQ)
99 		tls_connection_remove_session(data->ssl.conn);
100 }
101 
102 
103 static void eap_peap_valid_session(struct eap_sm *sm,
104 				   struct eap_peap_data *data)
105 {
106 	struct wpabuf *buf;
107 
108 	if (!sm->tls_session_lifetime ||
109 	    tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
110 		return;
111 
112 	buf = wpabuf_alloc(1 + 1 + sm->identity_len);
113 	if (!buf)
114 		return;
115 	wpabuf_put_u8(buf, EAP_TYPE_PEAP);
116 	if (sm->identity) {
117 		u8 id_len;
118 
119 		if (sm->identity_len <= 255)
120 			id_len = sm->identity_len;
121 		else
122 			id_len = 255;
123 		wpabuf_put_u8(buf, id_len);
124 		wpabuf_put_data(buf, sm->identity, id_len);
125 	} else {
126 		wpabuf_put_u8(buf, 0);
127 	}
128 	tls_connection_set_success_data(data->ssl.conn, buf);
129 }
130 
131 
132 static void eap_peap_req_success(struct eap_sm *sm,
133 				 struct eap_peap_data *data)
134 {
135 	if (data->state == FAILURE || data->state == FAILURE_REQ) {
136 		eap_peap_state(data, FAILURE);
137 		return;
138 	}
139 
140 	if (data->peap_version == 0) {
141 		data->tlv_request = TLV_REQ_SUCCESS;
142 		eap_peap_state(data, PHASE2_TLV);
143 	} else {
144 		eap_peap_state(data, SUCCESS_REQ);
145 	}
146 }
147 
148 
149 static void eap_peap_req_failure(struct eap_sm *sm,
150 				 struct eap_peap_data *data)
151 {
152 	if (data->state == FAILURE || data->state == FAILURE_REQ ||
153 	    data->state == SUCCESS_REQ || data->tlv_request != TLV_REQ_NONE) {
154 		eap_peap_state(data, FAILURE);
155 		return;
156 	}
157 
158 	if (data->peap_version == 0) {
159 		data->tlv_request = TLV_REQ_FAILURE;
160 		eap_peap_state(data, PHASE2_TLV);
161 	} else {
162 		eap_peap_state(data, FAILURE_REQ);
163 	}
164 }
165 
166 
167 static void * eap_peap_init(struct eap_sm *sm)
168 {
169 	struct eap_peap_data *data;
170 
171 	data = os_zalloc(sizeof(*data));
172 	if (data == NULL)
173 		return NULL;
174 	data->peap_version = EAP_PEAP_VERSION;
175 	data->force_version = -1;
176 	if (sm->user && sm->user->force_version >= 0) {
177 		data->force_version = sm->user->force_version;
178 		wpa_printf(MSG_DEBUG, "EAP-PEAP: forcing version %d",
179 			   data->force_version);
180 		data->peap_version = data->force_version;
181 	}
182 	data->state = START;
183 	data->crypto_binding = OPTIONAL_BINDING;
184 
185 	if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_PEAP)) {
186 		wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
187 		eap_peap_reset(sm, data);
188 		return NULL;
189 	}
190 
191 	return data;
192 }
193 
194 
195 static void eap_peap_reset(struct eap_sm *sm, void *priv)
196 {
197 	struct eap_peap_data *data = priv;
198 	if (data == NULL)
199 		return;
200 	if (data->phase2_priv && data->phase2_method)
201 		data->phase2_method->reset(sm, data->phase2_priv);
202 	eap_server_tls_ssl_deinit(sm, &data->ssl);
203 	wpabuf_free(data->pending_phase2_resp);
204 	os_free(data->phase2_key);
205 	wpabuf_free(data->soh_response);
206 	bin_clear_free(data, sizeof(*data));
207 }
208 
209 
210 static struct wpabuf * eap_peap_build_start(struct eap_sm *sm,
211 					    struct eap_peap_data *data, u8 id)
212 {
213 	struct wpabuf *req;
214 
215 	req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PEAP, 1,
216 			    EAP_CODE_REQUEST, id);
217 	if (req == NULL) {
218 		wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to allocate memory for"
219 			   " request");
220 		eap_peap_state(data, FAILURE);
221 		return NULL;
222 	}
223 
224 	wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->peap_version);
225 
226 	eap_peap_state(data, PHASE1);
227 
228 	return req;
229 }
230 
231 
232 static struct wpabuf * eap_peap_build_phase2_req(struct eap_sm *sm,
233 						 struct eap_peap_data *data,
234 						 u8 id)
235 {
236 	struct wpabuf *buf, *encr_req, msgbuf;
237 	const u8 *req;
238 	size_t req_len;
239 
240 	if (data->phase2_method == NULL || data->phase2_priv == NULL) {
241 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 method not ready");
242 		return NULL;
243 	}
244 	buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
245 	if (buf == NULL)
246 		return NULL;
247 
248 	req = wpabuf_head(buf);
249 	req_len = wpabuf_len(buf);
250 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
251 			req, req_len);
252 
253 	if (data->peap_version == 0 &&
254 	    data->phase2_method->method != EAP_TYPE_TLV) {
255 		req += sizeof(struct eap_hdr);
256 		req_len -= sizeof(struct eap_hdr);
257 	}
258 
259 	wpabuf_set(&msgbuf, req, req_len);
260 	encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
261 	wpabuf_free(buf);
262 
263 	return encr_req;
264 }
265 
266 
267 #ifdef EAP_SERVER_TNC
268 static struct wpabuf * eap_peap_build_phase2_soh(struct eap_sm *sm,
269 						 struct eap_peap_data *data,
270 						 u8 id)
271 {
272 	struct wpabuf *buf1, *buf, *encr_req, msgbuf;
273 	const u8 *req;
274 	size_t req_len;
275 
276 	buf1 = tncs_build_soh_request();
277 	if (buf1 == NULL)
278 		return NULL;
279 
280 	buf = eap_msg_alloc(EAP_VENDOR_MICROSOFT, 0x21, wpabuf_len(buf1),
281 			    EAP_CODE_REQUEST, id);
282 	if (buf == NULL) {
283 		wpabuf_free(buf1);
284 		return NULL;
285 	}
286 	wpabuf_put_buf(buf, buf1);
287 	wpabuf_free(buf1);
288 
289 	req = wpabuf_head(buf);
290 	req_len = wpabuf_len(buf);
291 
292 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 SOH data",
293 			req, req_len);
294 
295 	req += sizeof(struct eap_hdr);
296 	req_len -= sizeof(struct eap_hdr);
297 	wpabuf_set(&msgbuf, req, req_len);
298 
299 	encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
300 	wpabuf_free(buf);
301 
302 	return encr_req;
303 }
304 #endif /* EAP_SERVER_TNC */
305 
306 
307 static void eap_peap_get_isk(struct eap_peap_data *data,
308 			     u8 *isk, size_t isk_len)
309 {
310 	size_t key_len;
311 
312 	os_memset(isk, 0, isk_len);
313 	if (data->phase2_key == NULL)
314 		return;
315 
316 	key_len = data->phase2_key_len;
317 	if (key_len > isk_len)
318 		key_len = isk_len;
319 	os_memcpy(isk, data->phase2_key, key_len);
320 }
321 
322 
323 static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
324 {
325 	u8 *tk;
326 	u8 isk[32], imck[60];
327 
328 	/*
329 	 * Tunnel key (TK) is the first 60 octets of the key generated by
330 	 * phase 1 of PEAP (based on TLS).
331 	 */
332 	tk = eap_server_tls_derive_key(sm, &data->ssl, "client EAP encryption",
333 				       EAP_TLS_KEY_LEN);
334 	if (tk == NULL)
335 		return -1;
336 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60);
337 
338 	if (tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
339 		/* Fast-connect: IPMK|CMK = TK */
340 		os_memcpy(data->ipmk, tk, 40);
341 		wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK",
342 				data->ipmk, 40);
343 		os_memcpy(data->cmk, tk + 40, 20);
344 		wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK from TK",
345 				data->cmk, 20);
346 		os_free(tk);
347 		return 0;
348 	}
349 
350 	eap_peap_get_isk(data, isk, sizeof(isk));
351 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk));
352 
353 	/*
354 	 * IPMK Seed = "Inner Methods Compound Keys" | ISK
355 	 * TempKey = First 40 octets of TK
356 	 * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60)
357 	 * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space
358 	 * in the end of the label just before ISK; is that just a typo?)
359 	 */
360 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40);
361 	if (peap_prfplus(data->peap_version, tk, 40,
362 			 "Inner Methods Compound Keys",
363 			 isk, sizeof(isk), imck, sizeof(imck)) < 0) {
364 		os_free(tk);
365 		return -1;
366 	}
367 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)",
368 			imck, sizeof(imck));
369 
370 	os_free(tk);
371 
372 	os_memcpy(data->ipmk, imck, 40);
373 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40);
374 	os_memcpy(data->cmk, imck + 40, 20);
375 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20);
376 
377 	return 0;
378 }
379 
380 
381 static struct wpabuf * eap_peap_build_phase2_tlv(struct eap_sm *sm,
382 						 struct eap_peap_data *data,
383 						 u8 id)
384 {
385 	struct wpabuf *buf, *encr_req;
386 	size_t mlen;
387 
388 	mlen = 6; /* Result TLV */
389 	if (data->peap_version == 0 && data->tlv_request == TLV_REQ_SUCCESS &&
390 	    data->crypto_binding != NO_BINDING) {
391 		mlen += 60; /* Cryptobinding TLV */
392 #ifdef EAP_SERVER_TNC
393 		if (data->soh_response)
394 			mlen += wpabuf_len(data->soh_response);
395 #endif /* EAP_SERVER_TNC */
396 	}
397 
398 	buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, mlen,
399 			    EAP_CODE_REQUEST, id);
400 	if (buf == NULL)
401 		return NULL;
402 
403 	wpabuf_put_u8(buf, 0x80); /* Mandatory */
404 	wpabuf_put_u8(buf, EAP_TLV_RESULT_TLV);
405 	/* Length */
406 	wpabuf_put_be16(buf, 2);
407 	/* Status */
408 	wpabuf_put_be16(buf, data->tlv_request == TLV_REQ_SUCCESS ?
409 			EAP_TLV_RESULT_SUCCESS : EAP_TLV_RESULT_FAILURE);
410 
411 	if (data->peap_version == 0 && data->tlv_request == TLV_REQ_SUCCESS &&
412 	    data->crypto_binding != NO_BINDING) {
413 		u8 *mac;
414 		u8 eap_type = EAP_TYPE_PEAP;
415 		const u8 *addr[2];
416 		size_t len[2];
417 		u16 tlv_type;
418 
419 #ifdef EAP_SERVER_TNC
420 		if (data->soh_response) {
421 			wpa_printf(MSG_DEBUG, "EAP-PEAP: Adding MS-SOH "
422 				   "Response TLV");
423 			wpabuf_put_buf(buf, data->soh_response);
424 			wpabuf_free(data->soh_response);
425 			data->soh_response = NULL;
426 		}
427 #endif /* EAP_SERVER_TNC */
428 
429 		if (eap_peap_derive_cmk(sm, data) < 0 ||
430 		    random_get_bytes(data->binding_nonce, 32)) {
431 			wpabuf_free(buf);
432 			return NULL;
433 		}
434 
435 		/* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
436 		addr[0] = wpabuf_put(buf, 0);
437 		len[0] = 60;
438 		addr[1] = &eap_type;
439 		len[1] = 1;
440 
441 		tlv_type = EAP_TLV_CRYPTO_BINDING_TLV;
442 		wpabuf_put_be16(buf, tlv_type);
443 		wpabuf_put_be16(buf, 56);
444 
445 		wpabuf_put_u8(buf, 0); /* Reserved */
446 		wpabuf_put_u8(buf, data->peap_version); /* Version */
447 		wpabuf_put_u8(buf, data->recv_version); /* RecvVersion */
448 		wpabuf_put_u8(buf, 0); /* SubType: 0 = Request, 1 = Response */
449 		wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */
450 		mac = wpabuf_put(buf, 20); /* Compound_MAC */
451 		wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK",
452 			    data->cmk, 20);
453 		wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1",
454 			    addr[0], len[0]);
455 		wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2",
456 			    addr[1], len[1]);
457 		hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac);
458 		wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC",
459 			    mac, SHA1_MAC_LEN);
460 		data->crypto_binding_sent = 1;
461 	}
462 
463 	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 TLV data",
464 			    buf);
465 
466 	encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf);
467 	wpabuf_free(buf);
468 
469 	return encr_req;
470 }
471 
472 
473 static struct wpabuf * eap_peap_build_phase2_term(struct eap_sm *sm,
474 						  struct eap_peap_data *data,
475 						  u8 id, int success)
476 {
477 	struct wpabuf *encr_req, msgbuf;
478 	size_t req_len;
479 	struct eap_hdr *hdr;
480 
481 	req_len = sizeof(*hdr);
482 	hdr = os_zalloc(req_len);
483 	if (hdr == NULL)
484 		return NULL;
485 
486 	hdr->code = success ? EAP_CODE_SUCCESS : EAP_CODE_FAILURE;
487 	hdr->identifier = id;
488 	hdr->length = host_to_be16(req_len);
489 
490 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
491 			(u8 *) hdr, req_len);
492 
493 	wpabuf_set(&msgbuf, hdr, req_len);
494 	encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
495 	os_free(hdr);
496 
497 	return encr_req;
498 }
499 
500 
501 static struct wpabuf * eap_peap_buildReq(struct eap_sm *sm, void *priv, u8 id)
502 {
503 	struct eap_peap_data *data = priv;
504 
505 	if (data->ssl.state == FRAG_ACK) {
506 		return eap_server_tls_build_ack(id, EAP_TYPE_PEAP,
507 						data->peap_version);
508 	}
509 
510 	if (data->ssl.state == WAIT_FRAG_ACK) {
511 		return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_PEAP,
512 						data->peap_version, id);
513 	}
514 
515 	switch (data->state) {
516 	case START:
517 		return eap_peap_build_start(sm, data, id);
518 	case PHASE1:
519 	case PHASE1_ID2:
520 		if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
521 			wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, "
522 				   "starting Phase2");
523 			eap_peap_state(data, PHASE2_START);
524 		}
525 		break;
526 	case PHASE2_ID:
527 	case PHASE2_METHOD:
528 		wpabuf_free(data->ssl.tls_out);
529 		data->ssl.tls_out_pos = 0;
530 		data->ssl.tls_out = eap_peap_build_phase2_req(sm, data, id);
531 		break;
532 #ifdef EAP_SERVER_TNC
533 	case PHASE2_SOH:
534 		wpabuf_free(data->ssl.tls_out);
535 		data->ssl.tls_out_pos = 0;
536 		data->ssl.tls_out = eap_peap_build_phase2_soh(sm, data, id);
537 		break;
538 #endif /* EAP_SERVER_TNC */
539 	case PHASE2_TLV:
540 		wpabuf_free(data->ssl.tls_out);
541 		data->ssl.tls_out_pos = 0;
542 		data->ssl.tls_out = eap_peap_build_phase2_tlv(sm, data, id);
543 		break;
544 	case SUCCESS_REQ:
545 		wpabuf_free(data->ssl.tls_out);
546 		data->ssl.tls_out_pos = 0;
547 		data->ssl.tls_out = eap_peap_build_phase2_term(sm, data, id,
548 							       1);
549 		break;
550 	case FAILURE_REQ:
551 		wpabuf_free(data->ssl.tls_out);
552 		data->ssl.tls_out_pos = 0;
553 		data->ssl.tls_out = eap_peap_build_phase2_term(sm, data, id,
554 							       0);
555 		break;
556 	default:
557 		wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - unexpected state %d",
558 			   __func__, data->state);
559 		return NULL;
560 	}
561 
562 	return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_PEAP,
563 					data->peap_version, id);
564 }
565 
566 
567 static Boolean eap_peap_check(struct eap_sm *sm, void *priv,
568 			      struct wpabuf *respData)
569 {
570 	const u8 *pos;
571 	size_t len;
572 
573 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PEAP, respData, &len);
574 	if (pos == NULL || len < 1) {
575 		wpa_printf(MSG_INFO, "EAP-PEAP: Invalid frame");
576 		return TRUE;
577 	}
578 
579 	return FALSE;
580 }
581 
582 
583 static int eap_peap_phase2_init(struct eap_sm *sm, struct eap_peap_data *data,
584 				int vendor, EapType eap_type)
585 {
586 	if (data->phase2_priv && data->phase2_method) {
587 		data->phase2_method->reset(sm, data->phase2_priv);
588 		data->phase2_method = NULL;
589 		data->phase2_priv = NULL;
590 	}
591 	data->phase2_method = eap_server_get_eap_method(vendor, eap_type);
592 	if (!data->phase2_method)
593 		return -1;
594 
595 	sm->init_phase2 = 1;
596 	data->phase2_priv = data->phase2_method->init(sm);
597 	sm->init_phase2 = 0;
598 	return 0;
599 }
600 
601 
602 static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
603 					  struct eap_peap_data *data,
604 					  const u8 *crypto_tlv,
605 					  size_t crypto_tlv_len)
606 {
607 	u8 buf[61], mac[SHA1_MAC_LEN];
608 	const u8 *pos;
609 
610 	if (crypto_tlv_len != 4 + 56) {
611 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV "
612 			   "length %d", (int) crypto_tlv_len);
613 		return -1;
614 	}
615 
616 	pos = crypto_tlv;
617 	pos += 4; /* TLV header */
618 	if (pos[1] != data->peap_version) {
619 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version "
620 			   "mismatch (was %d; expected %d)",
621 			   pos[1], data->peap_version);
622 		return -1;
623 	}
624 
625 	if (pos[3] != 1) {
626 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV "
627 			   "SubType %d", pos[3]);
628 		return -1;
629 	}
630 	pos += 4;
631 	pos += 32; /* Nonce */
632 
633 	/* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
634 	os_memcpy(buf, crypto_tlv, 60);
635 	os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */
636 	buf[60] = EAP_TYPE_PEAP;
637 	hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac);
638 
639 	if (os_memcmp_const(mac, pos, SHA1_MAC_LEN) != 0) {
640 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in "
641 			   "cryptobinding TLV");
642 		wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK", data->cmk, 20);
643 		wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding seed data",
644 			    buf, 61);
645 		return -1;
646 	}
647 
648 	wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received");
649 
650 	return 0;
651 }
652 
653 
654 static void eap_peap_process_phase2_tlv(struct eap_sm *sm,
655 					struct eap_peap_data *data,
656 					struct wpabuf *in_data)
657 {
658 	const u8 *pos;
659 	size_t left;
660 	const u8 *result_tlv = NULL, *crypto_tlv = NULL;
661 	size_t result_tlv_len = 0, crypto_tlv_len = 0;
662 	int tlv_type, mandatory, tlv_len;
663 
664 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, in_data, &left);
665 	if (pos == NULL) {
666 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid EAP-TLV header");
667 		return;
668 	}
669 
670 	/* Parse TLVs */
671 	wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received TLVs", pos, left);
672 	while (left >= 4) {
673 		mandatory = !!(pos[0] & 0x80);
674 		tlv_type = pos[0] & 0x3f;
675 		tlv_type = (tlv_type << 8) | pos[1];
676 		tlv_len = ((int) pos[2] << 8) | pos[3];
677 		pos += 4;
678 		left -= 4;
679 		if ((size_t) tlv_len > left) {
680 			wpa_printf(MSG_DEBUG, "EAP-PEAP: TLV underrun "
681 				   "(tlv_len=%d left=%lu)", tlv_len,
682 				   (unsigned long) left);
683 			eap_peap_state(data, FAILURE);
684 			return;
685 		}
686 		switch (tlv_type) {
687 		case EAP_TLV_RESULT_TLV:
688 			result_tlv = pos;
689 			result_tlv_len = tlv_len;
690 			break;
691 		case EAP_TLV_CRYPTO_BINDING_TLV:
692 			crypto_tlv = pos;
693 			crypto_tlv_len = tlv_len;
694 			break;
695 		default:
696 			wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported TLV Type "
697 				   "%d%s", tlv_type,
698 				   mandatory ? " (mandatory)" : "");
699 			if (mandatory) {
700 				eap_peap_state(data, FAILURE);
701 				return;
702 			}
703 			/* Ignore this TLV, but process other TLVs */
704 			break;
705 		}
706 
707 		pos += tlv_len;
708 		left -= tlv_len;
709 	}
710 	if (left) {
711 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Last TLV too short in "
712 			   "Request (left=%lu)", (unsigned long) left);
713 		eap_peap_state(data, FAILURE);
714 		return;
715 	}
716 
717 	/* Process supported TLVs */
718 	if (crypto_tlv && data->crypto_binding_sent) {
719 		wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV",
720 			    crypto_tlv, crypto_tlv_len);
721 		if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4,
722 						   crypto_tlv_len + 4) < 0) {
723 			eap_peap_state(data, FAILURE);
724 			return;
725 		}
726 		data->crypto_binding_used = 1;
727 	} else if (!crypto_tlv && data->crypto_binding_sent &&
728 		   data->crypto_binding == REQUIRE_BINDING) {
729 		wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV");
730 		eap_peap_state(data, FAILURE);
731 		return;
732 	}
733 
734 	if (result_tlv) {
735 		int status;
736 		const char *requested;
737 
738 		wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Result TLV",
739 			    result_tlv, result_tlv_len);
740 		if (result_tlv_len < 2) {
741 			wpa_printf(MSG_INFO, "EAP-PEAP: Too short Result TLV "
742 				   "(len=%lu)",
743 				   (unsigned long) result_tlv_len);
744 			eap_peap_state(data, FAILURE);
745 			return;
746 		}
747 		requested = data->tlv_request == TLV_REQ_SUCCESS ? "Success" :
748 			"Failure";
749 		status = WPA_GET_BE16(result_tlv);
750 		if (status == EAP_TLV_RESULT_SUCCESS) {
751 			wpa_printf(MSG_INFO, "EAP-PEAP: TLV Result - Success "
752 				   "- requested %s", requested);
753 			if (data->tlv_request == TLV_REQ_SUCCESS) {
754 				eap_peap_state(data, SUCCESS);
755 				eap_peap_valid_session(sm, data);
756 			} else {
757 				eap_peap_state(data, FAILURE);
758 			}
759 
760 		} else if (status == EAP_TLV_RESULT_FAILURE) {
761 			wpa_printf(MSG_INFO, "EAP-PEAP: TLV Result - Failure "
762 				   "- requested %s", requested);
763 			eap_peap_state(data, FAILURE);
764 		} else {
765 			wpa_printf(MSG_INFO, "EAP-PEAP: Unknown TLV Result "
766 				   "Status %d", status);
767 			eap_peap_state(data, FAILURE);
768 		}
769 	}
770 }
771 
772 
773 #ifdef EAP_SERVER_TNC
774 static void eap_peap_process_phase2_soh(struct eap_sm *sm,
775 					struct eap_peap_data *data,
776 					struct wpabuf *in_data)
777 {
778 	const u8 *pos, *vpos;
779 	size_t left;
780 	const u8 *soh_tlv = NULL;
781 	size_t soh_tlv_len = 0;
782 	int tlv_type, mandatory, tlv_len, vtlv_len;
783 	u32 next_type;
784 	u32 vendor_id;
785 
786 	pos = eap_hdr_validate(EAP_VENDOR_MICROSOFT, 0x21, in_data, &left);
787 	if (pos == NULL) {
788 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Not a valid SoH EAP "
789 			   "Extensions Method header - skip TNC");
790 		goto auth_method;
791 	}
792 
793 	/* Parse TLVs */
794 	wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received TLVs (SoH)", pos, left);
795 	while (left >= 4) {
796 		mandatory = !!(pos[0] & 0x80);
797 		tlv_type = pos[0] & 0x3f;
798 		tlv_type = (tlv_type << 8) | pos[1];
799 		tlv_len = ((int) pos[2] << 8) | pos[3];
800 		pos += 4;
801 		left -= 4;
802 		if ((size_t) tlv_len > left) {
803 			wpa_printf(MSG_DEBUG, "EAP-PEAP: TLV underrun "
804 				   "(tlv_len=%d left=%lu)", tlv_len,
805 				   (unsigned long) left);
806 			eap_peap_state(data, FAILURE);
807 			return;
808 		}
809 		switch (tlv_type) {
810 		case EAP_TLV_VENDOR_SPECIFIC_TLV:
811 			if (tlv_len < 4) {
812 				wpa_printf(MSG_DEBUG, "EAP-PEAP: Too short "
813 					   "vendor specific TLV (len=%d)",
814 					   (int) tlv_len);
815 				eap_peap_state(data, FAILURE);
816 				return;
817 			}
818 
819 			vendor_id = WPA_GET_BE32(pos);
820 			if (vendor_id != EAP_VENDOR_MICROSOFT) {
821 				if (mandatory) {
822 					eap_peap_state(data, FAILURE);
823 					return;
824 				}
825 				break;
826 			}
827 
828 			vpos = pos + 4;
829 			mandatory = !!(vpos[0] & 0x80);
830 			tlv_type = vpos[0] & 0x3f;
831 			tlv_type = (tlv_type << 8) | vpos[1];
832 			vtlv_len = ((int) vpos[2] << 8) | vpos[3];
833 			vpos += 4;
834 			if (vpos + vtlv_len > pos + left) {
835 				wpa_printf(MSG_DEBUG, "EAP-PEAP: Vendor TLV "
836 					   "underrun");
837 				eap_peap_state(data, FAILURE);
838 				return;
839 			}
840 
841 			if (tlv_type == 1) {
842 				soh_tlv = vpos;
843 				soh_tlv_len = vtlv_len;
844 				break;
845 			}
846 
847 			wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported MS-TLV "
848 				   "Type %d%s", tlv_type,
849 				   mandatory ? " (mandatory)" : "");
850 			if (mandatory) {
851 				eap_peap_state(data, FAILURE);
852 				return;
853 			}
854 			/* Ignore this TLV, but process other TLVs */
855 			break;
856 		default:
857 			wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported TLV Type "
858 				   "%d%s", tlv_type,
859 				   mandatory ? " (mandatory)" : "");
860 			if (mandatory) {
861 				eap_peap_state(data, FAILURE);
862 				return;
863 			}
864 			/* Ignore this TLV, but process other TLVs */
865 			break;
866 		}
867 
868 		pos += tlv_len;
869 		left -= tlv_len;
870 	}
871 	if (left) {
872 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Last TLV too short in "
873 			   "Request (left=%lu)", (unsigned long) left);
874 		eap_peap_state(data, FAILURE);
875 		return;
876 	}
877 
878 	/* Process supported TLVs */
879 	if (soh_tlv) {
880 		int failure = 0;
881 		wpabuf_free(data->soh_response);
882 		data->soh_response = tncs_process_soh(soh_tlv, soh_tlv_len,
883 						      &failure);
884 		if (failure) {
885 			eap_peap_state(data, FAILURE);
886 			return;
887 		}
888 	} else {
889 		wpa_printf(MSG_DEBUG, "EAP-PEAP: No SoH TLV received");
890 		eap_peap_state(data, FAILURE);
891 		return;
892 	}
893 
894 auth_method:
895 	eap_peap_state(data, PHASE2_METHOD);
896 	next_type = sm->user->methods[0].method;
897 	sm->user_eap_method_index = 1;
898 	wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP vendor %d type %d",
899 		   sm->user->methods[0].vendor, next_type);
900 	eap_peap_phase2_init(sm, data, sm->user->methods[0].vendor, next_type);
901 }
902 #endif /* EAP_SERVER_TNC */
903 
904 
905 static void eap_peap_process_phase2_response(struct eap_sm *sm,
906 					     struct eap_peap_data *data,
907 					     struct wpabuf *in_data)
908 {
909 	int next_vendor = EAP_VENDOR_IETF;
910 	u32 next_type = EAP_TYPE_NONE;
911 	const struct eap_hdr *hdr;
912 	const u8 *pos;
913 	size_t left;
914 
915 	if (data->state == PHASE2_TLV) {
916 		eap_peap_process_phase2_tlv(sm, data, in_data);
917 		return;
918 	}
919 
920 #ifdef EAP_SERVER_TNC
921 	if (data->state == PHASE2_SOH) {
922 		eap_peap_process_phase2_soh(sm, data, in_data);
923 		return;
924 	}
925 #endif /* EAP_SERVER_TNC */
926 
927 	if (data->phase2_priv == NULL) {
928 		wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - Phase2 not "
929 			   "initialized?!", __func__);
930 		return;
931 	}
932 
933 	hdr = wpabuf_head(in_data);
934 	pos = (const u8 *) (hdr + 1);
935 
936 	if (wpabuf_len(in_data) > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
937 		left = wpabuf_len(in_data) - sizeof(*hdr);
938 		wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Phase2 type Nak'ed; "
939 			    "allowed types", pos + 1, left - 1);
940 		eap_sm_process_nak(sm, pos + 1, left - 1);
941 		if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
942 		    (sm->user->methods[sm->user_eap_method_index].vendor !=
943 		     EAP_VENDOR_IETF ||
944 		     sm->user->methods[sm->user_eap_method_index].method !=
945 		     EAP_TYPE_NONE)) {
946 			next_vendor = sm->user->methods[
947 				sm->user_eap_method_index].vendor;
948 			next_type = sm->user->methods[
949 				sm->user_eap_method_index++].method;
950 			wpa_printf(MSG_DEBUG,
951 				   "EAP-PEAP: try EAP vendor %d type 0x%x",
952 				   next_vendor, next_type);
953 		} else {
954 			eap_peap_req_failure(sm, data);
955 			next_vendor = EAP_VENDOR_IETF;
956 			next_type = EAP_TYPE_NONE;
957 		}
958 		eap_peap_phase2_init(sm, data, next_vendor, next_type);
959 		return;
960 	}
961 
962 	if (data->phase2_method->check(sm, data->phase2_priv, in_data)) {
963 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 check() asked to "
964 			   "ignore the packet");
965 		return;
966 	}
967 
968 	data->phase2_method->process(sm, data->phase2_priv, in_data);
969 
970 	if (sm->method_pending == METHOD_PENDING_WAIT) {
971 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 method is in "
972 			   "pending wait state - save decrypted response");
973 		wpabuf_free(data->pending_phase2_resp);
974 		data->pending_phase2_resp = wpabuf_dup(in_data);
975 	}
976 
977 	if (!data->phase2_method->isDone(sm, data->phase2_priv))
978 		return;
979 
980 	if (!data->phase2_method->isSuccess(sm, data->phase2_priv)) {
981 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 method failed");
982 		eap_peap_req_failure(sm, data);
983 		next_vendor = EAP_VENDOR_IETF;
984 		next_type = EAP_TYPE_NONE;
985 		eap_peap_phase2_init(sm, data, next_vendor, next_type);
986 		return;
987 	}
988 
989 	os_free(data->phase2_key);
990 	if (data->phase2_method->getKey) {
991 		data->phase2_key = data->phase2_method->getKey(
992 			sm, data->phase2_priv, &data->phase2_key_len);
993 		if (data->phase2_key == NULL) {
994 			wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 getKey "
995 				   "failed");
996 			eap_peap_req_failure(sm, data);
997 			eap_peap_phase2_init(sm, data, EAP_VENDOR_IETF,
998 					     EAP_TYPE_NONE);
999 			return;
1000 		}
1001 	}
1002 
1003 	switch (data->state) {
1004 	case PHASE1_ID2:
1005 	case PHASE2_ID:
1006 	case PHASE2_SOH:
1007 		if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1008 			wpa_hexdump_ascii(MSG_DEBUG, "EAP_PEAP: Phase2 "
1009 					  "Identity not found in the user "
1010 					  "database",
1011 					  sm->identity, sm->identity_len);
1012 			eap_peap_req_failure(sm, data);
1013 			next_vendor = EAP_VENDOR_IETF;
1014 			next_type = EAP_TYPE_NONE;
1015 			break;
1016 		}
1017 
1018 #ifdef EAP_SERVER_TNC
1019 		if (data->state != PHASE2_SOH && sm->tnc &&
1020 		    data->peap_version == 0) {
1021 			eap_peap_state(data, PHASE2_SOH);
1022 			wpa_printf(MSG_DEBUG, "EAP-PEAP: Try to initialize "
1023 				   "TNC (NAP SOH)");
1024 			next_vendor = EAP_VENDOR_IETF;
1025 			next_type = EAP_TYPE_NONE;
1026 			break;
1027 		}
1028 #endif /* EAP_SERVER_TNC */
1029 
1030 		eap_peap_state(data, PHASE2_METHOD);
1031 		next_vendor = sm->user->methods[0].vendor;
1032 		next_type = sm->user->methods[0].method;
1033 		sm->user_eap_method_index = 1;
1034 		wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP vendor %d type 0x%x",
1035 			   next_vendor, next_type);
1036 		break;
1037 	case PHASE2_METHOD:
1038 		eap_peap_req_success(sm, data);
1039 		next_vendor = EAP_VENDOR_IETF;
1040 		next_type = EAP_TYPE_NONE;
1041 		break;
1042 	case FAILURE:
1043 		break;
1044 	default:
1045 		wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - unexpected state %d",
1046 			   __func__, data->state);
1047 		break;
1048 	}
1049 
1050 	eap_peap_phase2_init(sm, data, next_vendor, next_type);
1051 }
1052 
1053 
1054 static void eap_peap_process_phase2(struct eap_sm *sm,
1055 				    struct eap_peap_data *data,
1056 				    const struct wpabuf *respData,
1057 				    struct wpabuf *in_buf)
1058 {
1059 	struct wpabuf *in_decrypted;
1060 	const struct eap_hdr *hdr;
1061 	size_t len;
1062 
1063 	wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for"
1064 		   " Phase 2", (unsigned long) wpabuf_len(in_buf));
1065 
1066 	if (data->pending_phase2_resp) {
1067 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - "
1068 			   "skip decryption and use old data");
1069 		eap_peap_process_phase2_response(sm, data,
1070 						 data->pending_phase2_resp);
1071 		wpabuf_free(data->pending_phase2_resp);
1072 		data->pending_phase2_resp = NULL;
1073 		return;
1074 	}
1075 
1076 	in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
1077 					      in_buf);
1078 	if (in_decrypted == NULL) {
1079 		wpa_printf(MSG_INFO, "EAP-PEAP: Failed to decrypt Phase 2 "
1080 			   "data");
1081 		eap_peap_state(data, FAILURE);
1082 		return;
1083 	}
1084 
1085 	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP",
1086 			    in_decrypted);
1087 
1088 	if (data->peap_version == 0 && data->state != PHASE2_TLV) {
1089 		const struct eap_hdr *resp;
1090 		struct eap_hdr *nhdr;
1091 		struct wpabuf *nbuf =
1092 			wpabuf_alloc(sizeof(struct eap_hdr) +
1093 				     wpabuf_len(in_decrypted));
1094 		if (nbuf == NULL) {
1095 			wpabuf_free(in_decrypted);
1096 			return;
1097 		}
1098 
1099 		resp = wpabuf_head(respData);
1100 		nhdr = wpabuf_put(nbuf, sizeof(*nhdr));
1101 		nhdr->code = resp->code;
1102 		nhdr->identifier = resp->identifier;
1103 		nhdr->length = host_to_be16(sizeof(struct eap_hdr) +
1104 					    wpabuf_len(in_decrypted));
1105 		wpabuf_put_buf(nbuf, in_decrypted);
1106 		wpabuf_free(in_decrypted);
1107 
1108 		in_decrypted = nbuf;
1109 	}
1110 
1111 	hdr = wpabuf_head(in_decrypted);
1112 	if (wpabuf_len(in_decrypted) < (int) sizeof(*hdr)) {
1113 		wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 "
1114 			   "EAP frame (len=%lu)",
1115 			   (unsigned long) wpabuf_len(in_decrypted));
1116 		wpabuf_free(in_decrypted);
1117 		eap_peap_req_failure(sm, data);
1118 		return;
1119 	}
1120 	len = be_to_host16(hdr->length);
1121 	if (len > wpabuf_len(in_decrypted)) {
1122 		wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in "
1123 			   "Phase 2 EAP frame (len=%lu hdr->length=%lu)",
1124 			   (unsigned long) wpabuf_len(in_decrypted),
1125 			   (unsigned long) len);
1126 		wpabuf_free(in_decrypted);
1127 		eap_peap_req_failure(sm, data);
1128 		return;
1129 	}
1130 	wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d "
1131 		   "identifier=%d length=%lu", hdr->code, hdr->identifier,
1132 		   (unsigned long) len);
1133 	switch (hdr->code) {
1134 	case EAP_CODE_RESPONSE:
1135 		eap_peap_process_phase2_response(sm, data, in_decrypted);
1136 		break;
1137 	case EAP_CODE_SUCCESS:
1138 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success");
1139 		if (data->state == SUCCESS_REQ) {
1140 			eap_peap_state(data, SUCCESS);
1141 			eap_peap_valid_session(sm, data);
1142 		}
1143 		break;
1144 	case EAP_CODE_FAILURE:
1145 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure");
1146 		eap_peap_state(data, FAILURE);
1147 		break;
1148 	default:
1149 		wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in "
1150 			   "Phase 2 EAP header", hdr->code);
1151 		break;
1152 	}
1153 
1154 	wpabuf_free(in_decrypted);
1155 }
1156 
1157 
1158 static int eap_peap_process_version(struct eap_sm *sm, void *priv,
1159 				    int peer_version)
1160 {
1161 	struct eap_peap_data *data = priv;
1162 
1163 	data->recv_version = peer_version;
1164 	if (data->force_version >= 0 && peer_version != data->force_version) {
1165 		wpa_printf(MSG_INFO, "EAP-PEAP: peer did not select the forced"
1166 			   " version (forced=%d peer=%d) - reject",
1167 			   data->force_version, peer_version);
1168 		return -1;
1169 	}
1170 	if (peer_version < data->peap_version) {
1171 		wpa_printf(MSG_DEBUG, "EAP-PEAP: peer ver=%d, own ver=%d; "
1172 			   "use version %d",
1173 			   peer_version, data->peap_version, peer_version);
1174 		data->peap_version = peer_version;
1175 	}
1176 
1177 	return 0;
1178 }
1179 
1180 
1181 static void eap_peap_process_msg(struct eap_sm *sm, void *priv,
1182 				 const struct wpabuf *respData)
1183 {
1184 	struct eap_peap_data *data = priv;
1185 
1186 	switch (data->state) {
1187 	case PHASE1:
1188 		if (eap_server_tls_phase1(sm, &data->ssl) < 0) {
1189 			eap_peap_state(data, FAILURE);
1190 			break;
1191 		}
1192 		break;
1193 	case PHASE2_START:
1194 		eap_peap_state(data, PHASE2_ID);
1195 		eap_peap_phase2_init(sm, data, EAP_VENDOR_IETF,
1196 				     EAP_TYPE_IDENTITY);
1197 		break;
1198 	case PHASE1_ID2:
1199 	case PHASE2_ID:
1200 	case PHASE2_METHOD:
1201 	case PHASE2_SOH:
1202 	case PHASE2_TLV:
1203 		eap_peap_process_phase2(sm, data, respData, data->ssl.tls_in);
1204 		break;
1205 	case SUCCESS_REQ:
1206 		eap_peap_state(data, SUCCESS);
1207 		eap_peap_valid_session(sm, data);
1208 		break;
1209 	case FAILURE_REQ:
1210 		eap_peap_state(data, FAILURE);
1211 		break;
1212 	default:
1213 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected state %d in %s",
1214 			   data->state, __func__);
1215 		break;
1216 	}
1217 }
1218 
1219 
1220 static void eap_peap_process(struct eap_sm *sm, void *priv,
1221 			     struct wpabuf *respData)
1222 {
1223 	struct eap_peap_data *data = priv;
1224 	const struct wpabuf *buf;
1225 	const u8 *pos;
1226 	u8 id_len;
1227 
1228 	if (eap_server_tls_process(sm, &data->ssl, respData, data,
1229 				   EAP_TYPE_PEAP, eap_peap_process_version,
1230 				   eap_peap_process_msg) < 0) {
1231 		eap_peap_state(data, FAILURE);
1232 		return;
1233 	}
1234 
1235 	if (data->state == SUCCESS ||
1236 	    !tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
1237 	    !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
1238 		return;
1239 
1240 	buf = tls_connection_get_success_data(data->ssl.conn);
1241 	if (!buf || wpabuf_len(buf) < 2) {
1242 		wpa_printf(MSG_DEBUG,
1243 			   "EAP-PEAP: No success data in resumed session - reject attempt");
1244 		eap_peap_state(data, FAILURE);
1245 		return;
1246 	}
1247 
1248 	pos = wpabuf_head(buf);
1249 	if (*pos != EAP_TYPE_PEAP) {
1250 		wpa_printf(MSG_DEBUG,
1251 			   "EAP-PEAP: Resumed session for another EAP type (%u) - reject attempt",
1252 			   *pos);
1253 		eap_peap_state(data, FAILURE);
1254 		return;
1255 	}
1256 
1257 	pos++;
1258 	id_len = *pos++;
1259 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-PEAP: Identity from cached session",
1260 			  pos, id_len);
1261 	os_free(sm->identity);
1262 	sm->identity = os_malloc(id_len ? id_len : 1);
1263 	if (!sm->identity) {
1264 		sm->identity_len = 0;
1265 		eap_peap_state(data, FAILURE);
1266 		return;
1267 	}
1268 
1269 	os_memcpy(sm->identity, pos, id_len);
1270 	sm->identity_len = id_len;
1271 
1272 	if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1273 		wpa_hexdump_ascii(MSG_DEBUG, "EAP-PEAP: Phase2 Identity not found in the user database",
1274 				  sm->identity, sm->identity_len);
1275 		eap_peap_state(data, FAILURE);
1276 		return;
1277 	}
1278 
1279 	wpa_printf(MSG_DEBUG,
1280 		   "EAP-PEAP: Resuming previous session - skip Phase2");
1281 	eap_peap_req_success(sm, data);
1282 	if (data->state == SUCCESS_REQ)
1283 		tls_connection_set_success_data_resumed(data->ssl.conn);
1284 }
1285 
1286 
1287 static Boolean eap_peap_isDone(struct eap_sm *sm, void *priv)
1288 {
1289 	struct eap_peap_data *data = priv;
1290 	return data->state == SUCCESS || data->state == FAILURE;
1291 }
1292 
1293 
1294 static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len)
1295 {
1296 	struct eap_peap_data *data = priv;
1297 	u8 *eapKeyData;
1298 
1299 	if (data->state != SUCCESS)
1300 		return NULL;
1301 
1302 	if (data->crypto_binding_used) {
1303 		u8 csk[128];
1304 		/*
1305 		 * Note: It looks like Microsoft implementation requires null
1306 		 * termination for this label while the one used for deriving
1307 		 * IPMK|CMK did not use null termination.
1308 		 */
1309 		if (peap_prfplus(data->peap_version, data->ipmk, 40,
1310 				 "Session Key Generating Function",
1311 				 (u8 *) "\00", 1, csk, sizeof(csk)) < 0)
1312 			return NULL;
1313 		wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk));
1314 		eapKeyData = os_malloc(EAP_TLS_KEY_LEN);
1315 		if (eapKeyData) {
1316 			os_memcpy(eapKeyData, csk, EAP_TLS_KEY_LEN);
1317 			*len = EAP_TLS_KEY_LEN;
1318 			wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",
1319 				    eapKeyData, EAP_TLS_KEY_LEN);
1320 		} else {
1321 			wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to derive "
1322 				   "key");
1323 		}
1324 
1325 		return eapKeyData;
1326 	}
1327 
1328 	/* TODO: PEAPv1 - different label in some cases */
1329 	eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1330 					       "client EAP encryption",
1331 					       EAP_TLS_KEY_LEN);
1332 	if (eapKeyData) {
1333 		*len = EAP_TLS_KEY_LEN;
1334 		wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",
1335 			    eapKeyData, EAP_TLS_KEY_LEN);
1336 	} else {
1337 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to derive key");
1338 	}
1339 
1340 	return eapKeyData;
1341 }
1342 
1343 
1344 static Boolean eap_peap_isSuccess(struct eap_sm *sm, void *priv)
1345 {
1346 	struct eap_peap_data *data = priv;
1347 	return data->state == SUCCESS;
1348 }
1349 
1350 
1351 static u8 * eap_peap_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
1352 {
1353 	struct eap_peap_data *data = priv;
1354 
1355 	if (data->state != SUCCESS)
1356 		return NULL;
1357 
1358 	return eap_server_tls_derive_session_id(sm, &data->ssl, EAP_TYPE_PEAP,
1359 						len);
1360 }
1361 
1362 
1363 int eap_server_peap_register(void)
1364 {
1365 	struct eap_method *eap;
1366 
1367 	eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1368 				      EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP");
1369 	if (eap == NULL)
1370 		return -1;
1371 
1372 	eap->init = eap_peap_init;
1373 	eap->reset = eap_peap_reset;
1374 	eap->buildReq = eap_peap_buildReq;
1375 	eap->check = eap_peap_check;
1376 	eap->process = eap_peap_process;
1377 	eap->isDone = eap_peap_isDone;
1378 	eap->getKey = eap_peap_getKey;
1379 	eap->isSuccess = eap_peap_isSuccess;
1380 	eap->getSessionId = eap_peap_get_session_id;
1381 
1382 	return eap_server_method_register(eap);
1383 }
1384