xref: /freebsd/contrib/wpa/src/eap_server/eap_server_teap.c (revision 9bc300465e48e19d794d88d0c158a2adb92c7197)
1 /*
2  * EAP-TEAP server (RFC 7170)
3  * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/aes_wrap.h"
13 #include "crypto/tls.h"
14 #include "crypto/random.h"
15 #include "eap_common/eap_teap_common.h"
16 #include "eap_i.h"
17 #include "eap_tls_common.h"
18 
19 
20 static void eap_teap_reset(struct eap_sm *sm, void *priv);
21 
22 
23 /* Private PAC-Opaque TLV types */
24 #define PAC_OPAQUE_TYPE_PAD 0
25 #define PAC_OPAQUE_TYPE_KEY 1
26 #define PAC_OPAQUE_TYPE_LIFETIME 2
27 #define PAC_OPAQUE_TYPE_IDENTITY 3
28 
29 struct eap_teap_data {
30 	struct eap_ssl_data ssl;
31 	enum {
32 		START, PHASE1, PHASE1B, PHASE2_START, PHASE2_ID,
33 		PHASE2_BASIC_AUTH, PHASE2_METHOD, CRYPTO_BINDING, REQUEST_PAC,
34 		FAILURE_SEND_RESULT, SUCCESS_SEND_RESULT, SUCCESS, FAILURE
35 	} state;
36 
37 	u8 teap_version;
38 	u8 peer_version;
39 	u16 tls_cs;
40 
41 	const struct eap_method *phase2_method;
42 	void *phase2_priv;
43 
44 	u8 crypto_binding_nonce[32];
45 	int final_result;
46 
47 	u8 simck_msk[EAP_TEAP_SIMCK_LEN];
48 	u8 cmk_msk[EAP_TEAP_CMK_LEN];
49 	u8 simck_emsk[EAP_TEAP_SIMCK_LEN];
50 	u8 cmk_emsk[EAP_TEAP_CMK_LEN];
51 	int simck_idx;
52 	int cmk_emsk_available;
53 
54 	u8 pac_opaque_encr[16];
55 	u8 *srv_id;
56 	size_t srv_id_len;
57 	char *srv_id_info;
58 
59 	unsigned int basic_auth_not_done:1;
60 	unsigned int inner_eap_not_done:1;
61 	int anon_provisioning;
62 	int skipped_inner_auth;
63 	int send_new_pac; /* server triggered re-keying of Tunnel PAC */
64 	struct wpabuf *pending_phase2_resp;
65 	struct wpabuf *server_outer_tlvs;
66 	struct wpabuf *peer_outer_tlvs;
67 	u8 *identity; /* from PAC-Opaque or client certificate */
68 	size_t identity_len;
69 	int eap_seq;
70 	int tnc_started;
71 
72 	int pac_key_lifetime;
73 	int pac_key_refresh_time;
74 
75 	enum teap_error_codes error_code;
76 	enum teap_identity_types cur_id_type;
77 
78 	bool check_crypto_binding;
79 };
80 
81 
82 static int eap_teap_process_phase2_start(struct eap_sm *sm,
83 					 struct eap_teap_data *data);
84 static int eap_teap_phase2_init(struct eap_sm *sm, struct eap_teap_data *data,
85 				int vendor, enum eap_type eap_type);
86 
87 
88 static const char * eap_teap_state_txt(int state)
89 {
90 	switch (state) {
91 	case START:
92 		return "START";
93 	case PHASE1:
94 		return "PHASE1";
95 	case PHASE1B:
96 		return "PHASE1B";
97 	case PHASE2_START:
98 		return "PHASE2_START";
99 	case PHASE2_ID:
100 		return "PHASE2_ID";
101 	case PHASE2_BASIC_AUTH:
102 		return "PHASE2_BASIC_AUTH";
103 	case PHASE2_METHOD:
104 		return "PHASE2_METHOD";
105 	case CRYPTO_BINDING:
106 		return "CRYPTO_BINDING";
107 	case REQUEST_PAC:
108 		return "REQUEST_PAC";
109 	case FAILURE_SEND_RESULT:
110 		return "FAILURE_SEND_RESULT";
111 	case SUCCESS_SEND_RESULT:
112 		return "SUCCESS_SEND_RESULT";
113 	case SUCCESS:
114 		return "SUCCESS";
115 	case FAILURE:
116 		return "FAILURE";
117 	default:
118 		return "Unknown?!";
119 	}
120 }
121 
122 
123 static void eap_teap_state(struct eap_teap_data *data, int state)
124 {
125 	wpa_printf(MSG_DEBUG, "EAP-TEAP: %s -> %s",
126 		   eap_teap_state_txt(data->state),
127 		   eap_teap_state_txt(state));
128 	data->state = state;
129 }
130 
131 
132 static enum eap_type eap_teap_req_failure(struct eap_teap_data *data,
133 					  enum teap_error_codes error)
134 {
135 	eap_teap_state(data, FAILURE_SEND_RESULT);
136 	return EAP_TYPE_NONE;
137 }
138 
139 
140 static int eap_teap_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
141 				      const u8 *client_random,
142 				      const u8 *server_random,
143 				      u8 *master_secret)
144 {
145 	struct eap_teap_data *data = ctx;
146 	const u8 *pac_opaque;
147 	size_t pac_opaque_len;
148 	u8 *buf, *pos, *end, *pac_key = NULL;
149 	os_time_t lifetime = 0;
150 	struct os_time now;
151 	u8 *identity = NULL;
152 	size_t identity_len = 0;
153 
154 	wpa_printf(MSG_DEBUG, "EAP-TEAP: SessionTicket callback");
155 	wpa_hexdump(MSG_DEBUG, "EAP-TEAP: SessionTicket (PAC-Opaque)",
156 		    ticket, len);
157 
158 	if (len < 4 || WPA_GET_BE16(ticket) != PAC_TYPE_PAC_OPAQUE) {
159 		wpa_printf(MSG_DEBUG, "EAP-TEAP: Ignore invalid SessionTicket");
160 		return 0;
161 	}
162 
163 	pac_opaque_len = WPA_GET_BE16(ticket + 2);
164 	pac_opaque = ticket + 4;
165 	if (pac_opaque_len < 8 || pac_opaque_len % 8 ||
166 	    pac_opaque_len > len - 4) {
167 		wpa_printf(MSG_DEBUG,
168 			   "EAP-TEAP: Ignore invalid PAC-Opaque (len=%lu left=%lu)",
169 			   (unsigned long) pac_opaque_len,
170 			   (unsigned long) len);
171 		return 0;
172 	}
173 	wpa_hexdump(MSG_DEBUG, "EAP-TEAP: Received PAC-Opaque",
174 		    pac_opaque, pac_opaque_len);
175 
176 	buf = os_malloc(pac_opaque_len - 8);
177 	if (!buf) {
178 		wpa_printf(MSG_DEBUG,
179 			   "EAP-TEAP: Failed to allocate memory for decrypting PAC-Opaque");
180 		return 0;
181 	}
182 
183 	if (aes_unwrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr),
184 		       (pac_opaque_len - 8) / 8, pac_opaque, buf) < 0) {
185 		wpa_printf(MSG_DEBUG, "EAP-TEAP: Failed to decrypt PAC-Opaque");
186 		os_free(buf);
187 		/*
188 		 * This may have been caused by server changing the PAC-Opaque
189 		 * encryption key, so just ignore this PAC-Opaque instead of
190 		 * failing the authentication completely. Provisioning can now
191 		 * be used to provision a new PAC.
192 		 */
193 		return 0;
194 	}
195 
196 	end = buf + pac_opaque_len - 8;
197 	wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: Decrypted PAC-Opaque",
198 			buf, end - buf);
199 
200 	pos = buf;
201 	while (end - pos > 1) {
202 		u8 id, elen;
203 
204 		id = *pos++;
205 		elen = *pos++;
206 		if (elen > end - pos)
207 			break;
208 
209 		switch (id) {
210 		case PAC_OPAQUE_TYPE_PAD:
211 			goto done;
212 		case PAC_OPAQUE_TYPE_KEY:
213 			if (elen != EAP_TEAP_PAC_KEY_LEN) {
214 				wpa_printf(MSG_DEBUG,
215 					   "EAP-TEAP: Invalid PAC-Key length %d",
216 					   elen);
217 				os_free(buf);
218 				return -1;
219 			}
220 			pac_key = pos;
221 			wpa_hexdump_key(MSG_DEBUG,
222 					"EAP-TEAP: PAC-Key from decrypted PAC-Opaque",
223 					pac_key, EAP_TEAP_PAC_KEY_LEN);
224 			break;
225 		case PAC_OPAQUE_TYPE_LIFETIME:
226 			if (elen != 4) {
227 				wpa_printf(MSG_DEBUG,
228 					   "EAP-TEAP: Invalid PAC-Key lifetime length %d",
229 					   elen);
230 				os_free(buf);
231 				return -1;
232 			}
233 			lifetime = WPA_GET_BE32(pos);
234 			break;
235 		case PAC_OPAQUE_TYPE_IDENTITY:
236 			identity = pos;
237 			identity_len = elen;
238 			break;
239 		}
240 
241 		pos += elen;
242 	}
243 done:
244 
245 	if (!pac_key) {
246 		wpa_printf(MSG_DEBUG,
247 			   "EAP-TEAP: No PAC-Key included in PAC-Opaque");
248 		os_free(buf);
249 		return -1;
250 	}
251 
252 	if (identity) {
253 		wpa_hexdump_ascii(MSG_DEBUG,
254 				  "EAP-TEAP: Identity from PAC-Opaque",
255 				  identity, identity_len);
256 		os_free(data->identity);
257 		data->identity = os_malloc(identity_len);
258 		if (data->identity) {
259 			os_memcpy(data->identity, identity, identity_len);
260 			data->identity_len = identity_len;
261 		}
262 	}
263 
264 	if (os_get_time(&now) < 0 || lifetime <= 0 || now.sec > lifetime) {
265 		wpa_printf(MSG_DEBUG,
266 			   "EAP-TEAP: PAC-Key not valid anymore (lifetime=%ld now=%ld)",
267 			   lifetime, now.sec);
268 		data->send_new_pac = 2;
269 		/*
270 		 * Allow PAC to be used to allow a PAC update with some level
271 		 * of server authentication (i.e., do not fall back to full TLS
272 		 * handshake since we cannot be sure that the peer would be
273 		 * able to validate server certificate now). However, reject
274 		 * the authentication since the PAC was not valid anymore. Peer
275 		 * can connect again with the newly provisioned PAC after this.
276 		 */
277 	} else if (lifetime - now.sec < data->pac_key_refresh_time) {
278 		wpa_printf(MSG_DEBUG,
279 			   "EAP-TEAP: PAC-Key soft timeout; send an update if authentication succeeds");
280 		data->send_new_pac = 1;
281 	}
282 
283 	/* EAP-TEAP uses PAC-Key as the TLS master_secret */
284 	os_memcpy(master_secret, pac_key, EAP_TEAP_PAC_KEY_LEN);
285 
286 	os_free(buf);
287 
288 	return 1;
289 }
290 
291 
292 static int eap_teap_derive_key_auth(struct eap_sm *sm,
293 				    struct eap_teap_data *data)
294 {
295 	int res;
296 
297 	/* RFC 7170, Section 5.1 */
298 	res = tls_connection_export_key(sm->cfg->ssl_ctx, data->ssl.conn,
299 					TEAP_TLS_EXPORTER_LABEL_SKS, NULL, 0,
300 					data->simck_msk, EAP_TEAP_SIMCK_LEN);
301 	if (res)
302 		return res;
303 	wpa_hexdump_key(MSG_DEBUG,
304 			"EAP-TEAP: session_key_seed (S-IMCK[0])",
305 			data->simck_msk, EAP_TEAP_SIMCK_LEN);
306 	os_memcpy(data->simck_emsk, data->simck_msk, EAP_TEAP_SIMCK_LEN);
307 	data->simck_idx = 0;
308 	return 0;
309 }
310 
311 
312 static int eap_teap_update_icmk(struct eap_sm *sm, struct eap_teap_data *data)
313 {
314 	u8 *msk = NULL, *emsk = NULL;
315 	size_t msk_len = 0, emsk_len = 0;
316 	int res;
317 
318 	wpa_printf(MSG_DEBUG, "EAP-TEAP: Deriving ICMK[%d] (S-IMCK and CMK)",
319 		   data->simck_idx + 1);
320 
321 	if (sm->cfg->eap_teap_auth == 1)
322 		return eap_teap_derive_cmk_basic_pw_auth(data->tls_cs,
323 							 data->simck_msk,
324 							 data->cmk_msk);
325 
326 	if (!data->phase2_method || !data->phase2_priv) {
327 		wpa_printf(MSG_INFO, "EAP-TEAP: Phase 2 method not available");
328 		return -1;
329 	}
330 
331 	if (data->phase2_method->getKey) {
332 		msk = data->phase2_method->getKey(sm, data->phase2_priv,
333 						  &msk_len);
334 		if (!msk) {
335 			wpa_printf(MSG_INFO,
336 				   "EAP-TEAP: Could not fetch Phase 2 MSK");
337 			return -1;
338 		}
339 	}
340 
341 	if (data->phase2_method->get_emsk) {
342 		emsk = data->phase2_method->get_emsk(sm, data->phase2_priv,
343 						     &emsk_len);
344 	}
345 
346 	res = eap_teap_derive_imck(data->tls_cs,
347 				   data->simck_msk, data->simck_emsk,
348 				   msk, msk_len, emsk, emsk_len,
349 				   data->simck_msk, data->cmk_msk,
350 				   data->simck_emsk, data->cmk_emsk);
351 	bin_clear_free(msk, msk_len);
352 	bin_clear_free(emsk, emsk_len);
353 	if (res == 0) {
354 		data->simck_idx++;
355 		if (emsk)
356 			data->cmk_emsk_available = 1;
357 	}
358 	return 0;
359 }
360 
361 
362 static void * eap_teap_init(struct eap_sm *sm)
363 {
364 	struct eap_teap_data *data;
365 
366 	data = os_zalloc(sizeof(*data));
367 	if (!data)
368 		return NULL;
369 	data->teap_version = EAP_TEAP_VERSION;
370 	data->state = START;
371 
372 	if (eap_server_tls_ssl_init(sm, &data->ssl,
373 				    sm->cfg->eap_teap_auth == 2 ? 2 : 0,
374 				    EAP_TYPE_TEAP)) {
375 		wpa_printf(MSG_INFO, "EAP-TEAP: Failed to initialize SSL.");
376 		eap_teap_reset(sm, data);
377 		return NULL;
378 	}
379 
380 	/* TODO: Add anon-DH TLS cipher suites (and if one is negotiated,
381 	 * enforce inner EAP with mutual authentication to be used) */
382 
383 	if (tls_connection_set_session_ticket_cb(sm->cfg->ssl_ctx,
384 						 data->ssl.conn,
385 						 eap_teap_session_ticket_cb,
386 						 data) < 0) {
387 		wpa_printf(MSG_INFO,
388 			   "EAP-TEAP: Failed to set SessionTicket callback");
389 		eap_teap_reset(sm, data);
390 		return NULL;
391 	}
392 
393 	if (!sm->cfg->pac_opaque_encr_key) {
394 		wpa_printf(MSG_INFO,
395 			   "EAP-TEAP: No PAC-Opaque encryption key configured");
396 		eap_teap_reset(sm, data);
397 		return NULL;
398 	}
399 	os_memcpy(data->pac_opaque_encr, sm->cfg->pac_opaque_encr_key,
400 		  sizeof(data->pac_opaque_encr));
401 
402 	if (!sm->cfg->eap_fast_a_id) {
403 		wpa_printf(MSG_INFO, "EAP-TEAP: No A-ID configured");
404 		eap_teap_reset(sm, data);
405 		return NULL;
406 	}
407 	data->srv_id = os_malloc(sm->cfg->eap_fast_a_id_len);
408 	if (!data->srv_id) {
409 		eap_teap_reset(sm, data);
410 		return NULL;
411 	}
412 	os_memcpy(data->srv_id, sm->cfg->eap_fast_a_id,
413 		  sm->cfg->eap_fast_a_id_len);
414 	data->srv_id_len = sm->cfg->eap_fast_a_id_len;
415 
416 	if (!sm->cfg->eap_fast_a_id_info) {
417 		wpa_printf(MSG_INFO, "EAP-TEAP: No A-ID-Info configured");
418 		eap_teap_reset(sm, data);
419 		return NULL;
420 	}
421 	data->srv_id_info = os_strdup(sm->cfg->eap_fast_a_id_info);
422 	if (!data->srv_id_info) {
423 		eap_teap_reset(sm, data);
424 		return NULL;
425 	}
426 
427 	/* PAC-Key lifetime in seconds (hard limit) */
428 	data->pac_key_lifetime = sm->cfg->pac_key_lifetime;
429 
430 	/*
431 	 * PAC-Key refresh time in seconds (soft limit on remaining hard
432 	 * limit). The server will generate a new PAC-Key when this number of
433 	 * seconds (or fewer) of the lifetime remains.
434 	 */
435 	data->pac_key_refresh_time = sm->cfg->pac_key_refresh_time;
436 
437 	return data;
438 }
439 
440 
441 static void eap_teap_reset(struct eap_sm *sm, void *priv)
442 {
443 	struct eap_teap_data *data = priv;
444 
445 	if (!data)
446 		return;
447 	if (data->phase2_priv && data->phase2_method)
448 		data->phase2_method->reset(sm, data->phase2_priv);
449 	eap_server_tls_ssl_deinit(sm, &data->ssl);
450 	os_free(data->srv_id);
451 	os_free(data->srv_id_info);
452 	wpabuf_free(data->pending_phase2_resp);
453 	wpabuf_free(data->server_outer_tlvs);
454 	wpabuf_free(data->peer_outer_tlvs);
455 	os_free(data->identity);
456 	forced_memzero(data->simck_msk, EAP_TEAP_SIMCK_LEN);
457 	forced_memzero(data->simck_emsk, EAP_TEAP_SIMCK_LEN);
458 	forced_memzero(data->cmk_msk, EAP_TEAP_CMK_LEN);
459 	forced_memzero(data->cmk_emsk, EAP_TEAP_CMK_LEN);
460 	forced_memzero(data->pac_opaque_encr, sizeof(data->pac_opaque_encr));
461 	bin_clear_free(data, sizeof(*data));
462 }
463 
464 
465 static struct wpabuf * eap_teap_build_start(struct eap_sm *sm,
466 					    struct eap_teap_data *data, u8 id)
467 {
468 	struct wpabuf *req;
469 	size_t outer_tlv_len = sizeof(struct teap_tlv_hdr) + data->srv_id_len;
470 	const u8 *start, *end;
471 
472 	req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TEAP,
473 			    1 + 4 + outer_tlv_len, EAP_CODE_REQUEST, id);
474 	if (!req) {
475 		wpa_printf(MSG_ERROR,
476 			   "EAP-TEAP: Failed to allocate memory for request");
477 		eap_teap_state(data, FAILURE);
478 		return NULL;
479 	}
480 
481 	wpabuf_put_u8(req, EAP_TLS_FLAGS_START | EAP_TEAP_FLAGS_OUTER_TLV_LEN |
482 		      data->teap_version);
483 	wpabuf_put_be32(req, outer_tlv_len);
484 
485 	start = wpabuf_put(req, 0);
486 
487 	/* RFC 7170, Section 4.2.2: Authority-ID TLV */
488 	eap_teap_put_tlv(req, TEAP_TLV_AUTHORITY_ID,
489 			 data->srv_id, data->srv_id_len);
490 
491 	end = wpabuf_put(req, 0);
492 	wpabuf_free(data->server_outer_tlvs);
493 	data->server_outer_tlvs = wpabuf_alloc_copy(start, end - start);
494 	if (!data->server_outer_tlvs) {
495 		eap_teap_state(data, FAILURE);
496 		return NULL;
497 	}
498 
499 	eap_teap_state(data, PHASE1);
500 
501 	return req;
502 }
503 
504 
505 static int eap_teap_phase1_done(struct eap_sm *sm, struct eap_teap_data *data)
506 {
507 	char cipher[64];
508 
509 	wpa_printf(MSG_DEBUG, "EAP-TEAP: Phase 1 done, starting Phase 2");
510 
511 	if (!data->identity && sm->cfg->eap_teap_auth == 2) {
512 		const char *subject;
513 
514 		subject = tls_connection_get_peer_subject(data->ssl.conn);
515 		if (subject) {
516 			wpa_printf(MSG_DEBUG,
517 				   "EAP-TEAP: Peer subject from Phase 1 client certificate: '%s'",
518 				   subject);
519 			data->identity = (u8 *) os_strdup(subject);
520 			data->identity_len = os_strlen(subject);
521 		}
522 	}
523 
524 	data->tls_cs = tls_connection_get_cipher_suite(data->ssl.conn);
525 	wpa_printf(MSG_DEBUG, "EAP-TEAP: TLS cipher suite 0x%04x",
526 		   data->tls_cs);
527 
528 	if (tls_get_cipher(sm->cfg->ssl_ctx, data->ssl.conn,
529 			   cipher, sizeof(cipher)) < 0) {
530 		wpa_printf(MSG_DEBUG,
531 			   "EAP-TEAP: Failed to get cipher information");
532 		eap_teap_state(data, FAILURE);
533 		return -1;
534 	}
535 	data->anon_provisioning = os_strstr(cipher, "ADH") != NULL;
536 
537 	if (data->anon_provisioning)
538 		wpa_printf(MSG_DEBUG, "EAP-TEAP: Anonymous provisioning");
539 
540 	if (eap_teap_derive_key_auth(sm, data) < 0) {
541 		eap_teap_state(data, FAILURE);
542 		return -1;
543 	}
544 
545 	eap_teap_state(data, PHASE2_START);
546 
547 	return 0;
548 }
549 
550 
551 static struct wpabuf * eap_teap_build_phase2_req(struct eap_sm *sm,
552 						 struct eap_teap_data *data,
553 						 u8 id)
554 {
555 	struct wpabuf *req, *id_tlv = NULL;
556 
557 	if (sm->cfg->eap_teap_auth == 1 ||
558 	    (data->phase2_priv && data->phase2_method &&
559 	     data->phase2_method->vendor == EAP_VENDOR_IETF &&
560 	     data->phase2_method->method == EAP_TYPE_IDENTITY)) {
561 		switch (sm->cfg->eap_teap_id) {
562 		case EAP_TEAP_ID_ALLOW_ANY:
563 			break;
564 		case EAP_TEAP_ID_REQUIRE_USER:
565 		case EAP_TEAP_ID_REQUEST_USER_ACCEPT_MACHINE:
566 			data->cur_id_type = TEAP_IDENTITY_TYPE_USER;
567 			id_tlv = eap_teap_tlv_identity_type(data->cur_id_type);
568 			break;
569 		case EAP_TEAP_ID_REQUIRE_MACHINE:
570 		case EAP_TEAP_ID_REQUEST_MACHINE_ACCEPT_USER:
571 			data->cur_id_type = TEAP_IDENTITY_TYPE_MACHINE;
572 			id_tlv = eap_teap_tlv_identity_type(data->cur_id_type);
573 			break;
574 		case EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE:
575 			if (data->cur_id_type == TEAP_IDENTITY_TYPE_USER)
576 				data->cur_id_type = TEAP_IDENTITY_TYPE_MACHINE;
577 			else
578 				data->cur_id_type = TEAP_IDENTITY_TYPE_USER;
579 			id_tlv = eap_teap_tlv_identity_type(data->cur_id_type);
580 			break;
581 		}
582 	}
583 
584 	if (sm->cfg->eap_teap_auth == 1) {
585 		wpa_printf(MSG_DEBUG, "EAP-TEAP: Initiate Basic-Password-Auth");
586 		data->basic_auth_not_done = 1;
587 		req = wpabuf_alloc(sizeof(struct teap_tlv_hdr));
588 		if (!req) {
589 			wpabuf_free(id_tlv);
590 			return NULL;
591 		}
592 		eap_teap_put_tlv_hdr(req, TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, 0);
593 		return wpabuf_concat(req, id_tlv);
594 	}
595 
596 	wpa_printf(MSG_DEBUG, "EAP-TEAP: Initiate inner EAP method");
597 	data->inner_eap_not_done = 1;
598 	if (!data->phase2_priv) {
599 		wpa_printf(MSG_DEBUG,
600 			   "EAP-TEAP: Phase 2 method not initialized");
601 		wpabuf_free(id_tlv);
602 		return NULL;
603 	}
604 
605 	req = data->phase2_method->buildReq(sm, data->phase2_priv, id);
606 	if (!req) {
607 		wpabuf_free(id_tlv);
608 		return NULL;
609 	}
610 
611 	wpa_hexdump_buf_key(MSG_MSGDUMP, "EAP-TEAP: Phase 2 EAP-Request", req);
612 
613 	return wpabuf_concat(eap_teap_tlv_eap_payload(req), id_tlv);
614 }
615 
616 
617 static struct wpabuf * eap_teap_build_crypto_binding(
618 	struct eap_sm *sm, struct eap_teap_data *data)
619 {
620 	struct wpabuf *buf;
621 	struct teap_tlv_result *result;
622 	struct teap_tlv_crypto_binding *cb;
623 	u8 subtype, flags;
624 
625 	buf = wpabuf_alloc(2 * sizeof(*result) + sizeof(*cb));
626 	if (!buf)
627 		return NULL;
628 
629 	if (data->send_new_pac || data->anon_provisioning ||
630 	    data->basic_auth_not_done || data->inner_eap_not_done ||
631 	    data->phase2_method || sm->cfg->eap_teap_separate_result)
632 		data->final_result = 0;
633 	else
634 		data->final_result = 1;
635 
636 	if (!data->final_result || data->eap_seq > 0 ||
637 	    sm->cfg->eap_teap_auth == 1) {
638 		/* Intermediate-Result */
639 		wpa_printf(MSG_DEBUG,
640 			   "EAP-TEAP: Add Intermediate-Result TLV (status=SUCCESS)");
641 		result = wpabuf_put(buf, sizeof(*result));
642 		result->tlv_type = host_to_be16(TEAP_TLV_MANDATORY |
643 						TEAP_TLV_INTERMEDIATE_RESULT);
644 		result->length = host_to_be16(2);
645 		result->status = host_to_be16(TEAP_STATUS_SUCCESS);
646 	}
647 
648 	if (data->final_result) {
649 		/* Result TLV */
650 		wpa_printf(MSG_DEBUG,
651 			   "EAP-TEAP: Add Result TLV (status=SUCCESS)");
652 		result = wpabuf_put(buf, sizeof(*result));
653 		result->tlv_type = host_to_be16(TEAP_TLV_MANDATORY |
654 						TEAP_TLV_RESULT);
655 		result->length = host_to_be16(2);
656 		result->status = host_to_be16(TEAP_STATUS_SUCCESS);
657 	}
658 
659 	/* Crypto-Binding TLV */
660 	cb = wpabuf_put(buf, sizeof(*cb));
661 	cb->tlv_type = host_to_be16(TEAP_TLV_MANDATORY |
662 				    TEAP_TLV_CRYPTO_BINDING);
663 	cb->length = host_to_be16(sizeof(*cb) - sizeof(struct teap_tlv_hdr));
664 	cb->version = EAP_TEAP_VERSION;
665 	cb->received_version = data->peer_version;
666 	/* FIX: RFC 7170 is not clear on which Flags value to use when
667 	 * Crypto-Binding TLV is used with Basic-Password-Auth */
668 	flags = data->cmk_emsk_available ?
669 		TEAP_CRYPTO_BINDING_EMSK_AND_MSK_CMAC :
670 		TEAP_CRYPTO_BINDING_MSK_CMAC;
671 	subtype = TEAP_CRYPTO_BINDING_SUBTYPE_REQUEST;
672 	cb->subtype = (flags << 4) | subtype;
673 	if (random_get_bytes(cb->nonce, sizeof(cb->nonce)) < 0) {
674 		wpabuf_free(buf);
675 		return NULL;
676 	}
677 
678 	/*
679 	 * RFC 7170, Section 4.2.13:
680 	 * The nonce in a request MUST have its least significant bit set to 0.
681 	 */
682 	cb->nonce[sizeof(cb->nonce) - 1] &= ~0x01;
683 
684 	os_memcpy(data->crypto_binding_nonce, cb->nonce, sizeof(cb->nonce));
685 
686 	if (eap_teap_compound_mac(data->tls_cs, cb, data->server_outer_tlvs,
687 				  data->peer_outer_tlvs, data->cmk_msk,
688 				  cb->msk_compound_mac) < 0) {
689 		wpabuf_free(buf);
690 		return NULL;
691 	}
692 
693 	if (data->cmk_emsk_available &&
694 	    eap_teap_compound_mac(data->tls_cs, cb, data->server_outer_tlvs,
695 				  data->peer_outer_tlvs, data->cmk_emsk,
696 				  cb->emsk_compound_mac) < 0) {
697 		wpabuf_free(buf);
698 		return NULL;
699 	}
700 
701 	wpa_printf(MSG_DEBUG,
702 		   "EAP-TEAP: Add Crypto-Binding TLV: Version %u Received Version %u Flags %u Sub-Type %u",
703 		   cb->version, cb->received_version, flags, subtype);
704 	wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Nonce",
705 		    cb->nonce, sizeof(cb->nonce));
706 	wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: EMSK Compound MAC",
707 		    cb->emsk_compound_mac, sizeof(cb->emsk_compound_mac));
708 	wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: MSK Compound MAC",
709 		    cb->msk_compound_mac, sizeof(cb->msk_compound_mac));
710 
711 	data->check_crypto_binding = true;
712 
713 	return buf;
714 }
715 
716 
717 static struct wpabuf * eap_teap_build_pac(struct eap_sm *sm,
718 					  struct eap_teap_data *data)
719 {
720 	u8 pac_key[EAP_TEAP_PAC_KEY_LEN];
721 	u8 *pac_buf, *pac_opaque;
722 	struct wpabuf *buf;
723 	u8 *pos;
724 	size_t buf_len, srv_id_info_len, pac_len;
725 	struct teap_tlv_hdr *pac_tlv;
726 	struct pac_attr_hdr *pac_info;
727 	struct teap_tlv_result *result;
728 	struct os_time now;
729 
730 	wpa_printf(MSG_DEBUG, "EAP-TEAP: Build a new PAC");
731 
732 	if (random_get_bytes(pac_key, EAP_TEAP_PAC_KEY_LEN) < 0 ||
733 	    os_get_time(&now) < 0)
734 		return NULL;
735 	wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: Generated PAC-Key",
736 			pac_key, EAP_TEAP_PAC_KEY_LEN);
737 
738 	pac_len = (2 + EAP_TEAP_PAC_KEY_LEN) + (2 + 4) +
739 		(2 + sm->identity_len) + 8;
740 	pac_buf = os_malloc(pac_len);
741 	if (!pac_buf)
742 		return NULL;
743 
744 	srv_id_info_len = os_strlen(data->srv_id_info);
745 
746 	pos = pac_buf;
747 	*pos++ = PAC_OPAQUE_TYPE_KEY;
748 	*pos++ = EAP_TEAP_PAC_KEY_LEN;
749 	os_memcpy(pos, pac_key, EAP_TEAP_PAC_KEY_LEN);
750 	pos += EAP_TEAP_PAC_KEY_LEN;
751 
752 	wpa_printf(MSG_DEBUG, "EAP-TEAP: PAC-Key lifetime: %u seconds",
753 		   data->pac_key_lifetime);
754 	*pos++ = PAC_OPAQUE_TYPE_LIFETIME;
755 	*pos++ = 4;
756 	WPA_PUT_BE32(pos, now.sec + data->pac_key_lifetime);
757 	pos += 4;
758 
759 	if (sm->identity) {
760 		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TEAP: PAC-Opaque Identity",
761 				  sm->identity, sm->identity_len);
762 		*pos++ = PAC_OPAQUE_TYPE_IDENTITY;
763 		*pos++ = sm->identity_len;
764 		os_memcpy(pos, sm->identity, sm->identity_len);
765 		pos += sm->identity_len;
766 	}
767 
768 	pac_len = pos - pac_buf;
769 	while (pac_len % 8) {
770 		*pos++ = PAC_OPAQUE_TYPE_PAD;
771 		pac_len++;
772 	}
773 
774 	pac_opaque = os_malloc(pac_len + 8);
775 	if (!pac_opaque) {
776 		os_free(pac_buf);
777 		return NULL;
778 	}
779 	if (aes_wrap(data->pac_opaque_encr, sizeof(data->pac_opaque_encr),
780 		     pac_len / 8, pac_buf, pac_opaque) < 0) {
781 		os_free(pac_buf);
782 		os_free(pac_opaque);
783 		return NULL;
784 	}
785 	os_free(pac_buf);
786 
787 	pac_len += 8;
788 	wpa_hexdump(MSG_DEBUG, "EAP-TEAP: PAC-Opaque", pac_opaque, pac_len);
789 
790 	buf_len = sizeof(*pac_tlv) +
791 		sizeof(struct pac_attr_hdr) + EAP_TEAP_PAC_KEY_LEN +
792 		sizeof(struct pac_attr_hdr) + pac_len +
793 		data->srv_id_len + srv_id_info_len + 100 + sizeof(*result);
794 	buf = wpabuf_alloc(buf_len);
795 	if (!buf) {
796 		os_free(pac_opaque);
797 		return NULL;
798 	}
799 
800 	/* Result TLV */
801 	wpa_printf(MSG_DEBUG, "EAP-TEAP: Add Result TLV (status=SUCCESS)");
802 	result = wpabuf_put(buf, sizeof(*result));
803 	WPA_PUT_BE16((u8 *) &result->tlv_type,
804 		     TEAP_TLV_MANDATORY | TEAP_TLV_RESULT);
805 	WPA_PUT_BE16((u8 *) &result->length, 2);
806 	WPA_PUT_BE16((u8 *) &result->status, TEAP_STATUS_SUCCESS);
807 
808 	/* PAC TLV */
809 	wpa_printf(MSG_DEBUG, "EAP-TEAP: Add PAC TLV");
810 	pac_tlv = wpabuf_put(buf, sizeof(*pac_tlv));
811 	pac_tlv->tlv_type = host_to_be16(TEAP_TLV_MANDATORY | TEAP_TLV_PAC);
812 
813 	/* PAC-Key */
814 	eap_teap_put_tlv(buf, PAC_TYPE_PAC_KEY, pac_key, EAP_TEAP_PAC_KEY_LEN);
815 
816 	/* PAC-Opaque */
817 	eap_teap_put_tlv(buf, PAC_TYPE_PAC_OPAQUE, pac_opaque, pac_len);
818 	os_free(pac_opaque);
819 
820 	/* PAC-Info */
821 	pac_info = wpabuf_put(buf, sizeof(*pac_info));
822 	pac_info->type = host_to_be16(PAC_TYPE_PAC_INFO);
823 
824 	/* PAC-Lifetime (inside PAC-Info) */
825 	eap_teap_put_tlv_hdr(buf, PAC_TYPE_CRED_LIFETIME, 4);
826 	wpabuf_put_be32(buf, now.sec + data->pac_key_lifetime);
827 
828 	/* A-ID (inside PAC-Info) */
829 	eap_teap_put_tlv(buf, PAC_TYPE_A_ID, data->srv_id, data->srv_id_len);
830 
831 	/* Note: headers may be misaligned after A-ID */
832 
833 	if (sm->identity) {
834 		eap_teap_put_tlv(buf, PAC_TYPE_I_ID, sm->identity,
835 				 sm->identity_len);
836 	}
837 
838 	/* A-ID-Info (inside PAC-Info) */
839 	eap_teap_put_tlv(buf, PAC_TYPE_A_ID_INFO, data->srv_id_info,
840 			 srv_id_info_len);
841 
842 	/* PAC-Type (inside PAC-Info) */
843 	eap_teap_put_tlv_hdr(buf, PAC_TYPE_PAC_TYPE, 2);
844 	wpabuf_put_be16(buf, PAC_TYPE_TUNNEL_PAC);
845 
846 	/* Update PAC-Info and PAC TLV Length fields */
847 	pos = wpabuf_put(buf, 0);
848 	pac_info->len = host_to_be16(pos - (u8 *) (pac_info + 1));
849 	pac_tlv->length = host_to_be16(pos - (u8 *) (pac_tlv + 1));
850 
851 	return buf;
852 }
853 
854 
855 static int eap_teap_encrypt_phase2(struct eap_sm *sm,
856 				   struct eap_teap_data *data,
857 				   struct wpabuf *plain, int piggyback)
858 {
859 	struct wpabuf *encr;
860 
861 	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TEAP: Encrypting Phase 2 TLVs",
862 			    plain);
863 	encr = eap_server_tls_encrypt(sm, &data->ssl, plain);
864 	wpabuf_free(plain);
865 
866 	if (!encr)
867 		return -1;
868 
869 	if (data->ssl.tls_out && piggyback) {
870 		wpa_printf(MSG_DEBUG,
871 			   "EAP-TEAP: Piggyback Phase 2 data (len=%d) with last Phase 1 Message (len=%d used=%d)",
872 			   (int) wpabuf_len(encr),
873 			   (int) wpabuf_len(data->ssl.tls_out),
874 			   (int) data->ssl.tls_out_pos);
875 		if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(encr)) < 0) {
876 			wpa_printf(MSG_WARNING,
877 				   "EAP-TEAP: Failed to resize output buffer");
878 			wpabuf_free(encr);
879 			return -1;
880 		}
881 		wpabuf_put_buf(data->ssl.tls_out, encr);
882 		wpabuf_free(encr);
883 	} else {
884 		wpabuf_free(data->ssl.tls_out);
885 		data->ssl.tls_out_pos = 0;
886 		data->ssl.tls_out = encr;
887 	}
888 
889 	return 0;
890 }
891 
892 
893 static struct wpabuf * eap_teap_buildReq(struct eap_sm *sm, void *priv, u8 id)
894 {
895 	struct eap_teap_data *data = priv;
896 	struct wpabuf *req = NULL;
897 	int piggyback = 0;
898 	bool move_to_method = true;
899 
900 	if (data->ssl.state == FRAG_ACK) {
901 		return eap_server_tls_build_ack(id, EAP_TYPE_TEAP,
902 						data->teap_version);
903 	}
904 
905 	if (data->ssl.state == WAIT_FRAG_ACK) {
906 		return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TEAP,
907 						data->teap_version, id);
908 	}
909 
910 	switch (data->state) {
911 	case START:
912 		return eap_teap_build_start(sm, data, id);
913 	case PHASE1B:
914 		if (tls_connection_established(sm->cfg->ssl_ctx,
915 					       data->ssl.conn)) {
916 			if (eap_teap_phase1_done(sm, data) < 0)
917 				return NULL;
918 			if (data->state == PHASE2_START) {
919 				int res;
920 
921 				/*
922 				 * Try to generate Phase 2 data to piggyback
923 				 * with the end of Phase 1 to avoid extra
924 				 * roundtrip.
925 				 */
926 				wpa_printf(MSG_DEBUG,
927 					   "EAP-TEAP: Try to start Phase 2");
928 				res = eap_teap_process_phase2_start(sm, data);
929 				if (res == 1) {
930 					req = eap_teap_build_crypto_binding(
931 						sm, data);
932 					piggyback = 1;
933 					break;
934 				}
935 
936 				if (res)
937 					break;
938 				req = eap_teap_build_phase2_req(sm, data, id);
939 				piggyback = 1;
940 			}
941 		}
942 		break;
943 	case PHASE2_ID:
944 	case PHASE2_BASIC_AUTH:
945 	case PHASE2_METHOD:
946 		req = eap_teap_build_phase2_req(sm, data, id);
947 		break;
948 	case CRYPTO_BINDING:
949 		req = eap_teap_build_crypto_binding(sm, data);
950 		if (req && sm->cfg->eap_teap_auth == 0 &&
951 		    data->inner_eap_not_done &&
952 		    !data->phase2_method &&
953 		    sm->cfg->eap_teap_method_sequence == 0) {
954 			wpa_printf(MSG_DEBUG,
955 				   "EAP-TEAP: Continue with inner EAP authentication for second credential (optimized)");
956 			eap_teap_state(data, PHASE2_ID);
957 			if (eap_teap_phase2_init(sm, data, EAP_VENDOR_IETF,
958 						 EAP_TYPE_IDENTITY) < 0) {
959 				eap_teap_state(data, FAILURE);
960 				wpabuf_free(req);
961 				return NULL;
962 			}
963 			move_to_method = false;
964 		}
965 		if (data->phase2_method) {
966 			/*
967 			 * Include the start of the next EAP method in the
968 			 * sequence in the same message with Crypto-Binding to
969 			 * save a round-trip.
970 			 */
971 			struct wpabuf *eap;
972 
973 			eap = eap_teap_build_phase2_req(sm, data, id);
974 			req = wpabuf_concat(req, eap);
975 			if (move_to_method)
976 				eap_teap_state(data, PHASE2_METHOD);
977 		}
978 		break;
979 	case REQUEST_PAC:
980 		req = eap_teap_build_pac(sm, data);
981 		break;
982 	case FAILURE_SEND_RESULT:
983 		req = eap_teap_tlv_result(TEAP_STATUS_FAILURE, 0);
984 		if (data->error_code)
985 			req = wpabuf_concat(
986 				req, eap_teap_tlv_error(data->error_code));
987 		break;
988 	case SUCCESS_SEND_RESULT:
989 		req = eap_teap_tlv_result(TEAP_STATUS_SUCCESS, 0);
990 		data->final_result = 1;
991 		break;
992 	default:
993 		wpa_printf(MSG_DEBUG, "EAP-TEAP: %s - unexpected state %d",
994 			   __func__, data->state);
995 		return NULL;
996 	}
997 
998 	if (req && eap_teap_encrypt_phase2(sm, data, req, piggyback) < 0)
999 		return NULL;
1000 
1001 	return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TEAP,
1002 					data->teap_version, id);
1003 }
1004 
1005 
1006 static bool eap_teap_check(struct eap_sm *sm, void *priv,
1007 			   struct wpabuf *respData)
1008 {
1009 	const u8 *pos;
1010 	size_t len;
1011 
1012 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TEAP, respData, &len);
1013 	if (!pos || len < 1) {
1014 		wpa_printf(MSG_INFO, "EAP-TEAP: Invalid frame");
1015 		return true;
1016 	}
1017 
1018 	return false;
1019 }
1020 
1021 
1022 static int eap_teap_phase2_init(struct eap_sm *sm, struct eap_teap_data *data,
1023 				int vendor, enum eap_type eap_type)
1024 {
1025 	if (data->phase2_priv && data->phase2_method) {
1026 		data->phase2_method->reset(sm, data->phase2_priv);
1027 		data->phase2_method = NULL;
1028 		data->phase2_priv = NULL;
1029 	}
1030 	data->phase2_method = eap_server_get_eap_method(vendor, eap_type);
1031 	if (!data->phase2_method)
1032 		return -1;
1033 
1034 	/* While RFC 7170 does not describe this, EAP-TEAP has been deployed
1035 	 * with implementations that use the EAP-FAST-MSCHAPv2, instead of the
1036 	 * EAP-MSCHAPv2, way of deriving the MSK for IMSK. Use that design here
1037 	 * to interoperate.
1038 	 */
1039 	sm->eap_fast_mschapv2 = true;
1040 
1041 	sm->init_phase2 = 1;
1042 	data->phase2_priv = data->phase2_method->init(sm);
1043 	sm->init_phase2 = 0;
1044 
1045 	return data->phase2_priv ? 0 : -1;
1046 }
1047 
1048 
1049 static int eap_teap_valid_id_type(struct eap_sm *sm, struct eap_teap_data *data,
1050 				  enum teap_identity_types id_type)
1051 {
1052 	if (sm->cfg->eap_teap_id == EAP_TEAP_ID_REQUIRE_USER &&
1053 	    id_type != TEAP_IDENTITY_TYPE_USER)
1054 		return 0;
1055 	if (sm->cfg->eap_teap_id == EAP_TEAP_ID_REQUIRE_MACHINE &&
1056 	    id_type != TEAP_IDENTITY_TYPE_MACHINE)
1057 		return 0;
1058 	if (sm->cfg->eap_teap_id == EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE &&
1059 	    id_type != data->cur_id_type)
1060 		return 0;
1061 	if (sm->cfg->eap_teap_id != EAP_TEAP_ID_ALLOW_ANY &&
1062 	    id_type != TEAP_IDENTITY_TYPE_USER &&
1063 	    id_type != TEAP_IDENTITY_TYPE_MACHINE)
1064 		return 0;
1065 	return 1;
1066 }
1067 
1068 
1069 static void eap_teap_process_phase2_response(struct eap_sm *sm,
1070 					     struct eap_teap_data *data,
1071 					     u8 *in_data, size_t in_len,
1072 					     enum teap_identity_types id_type)
1073 {
1074 	int next_vendor = EAP_VENDOR_IETF;
1075 	enum eap_type next_type = EAP_TYPE_NONE;
1076 	struct eap_hdr *hdr;
1077 	u8 *pos;
1078 	size_t left;
1079 	struct wpabuf buf;
1080 	const struct eap_method *m = data->phase2_method;
1081 	void *priv = data->phase2_priv;
1082 
1083 	if (!priv) {
1084 		wpa_printf(MSG_DEBUG,
1085 			   "EAP-TEAP: %s - Phase 2 not initialized?!",
1086 			   __func__);
1087 		return;
1088 	}
1089 
1090 	hdr = (struct eap_hdr *) in_data;
1091 	pos = (u8 *) (hdr + 1);
1092 
1093 	if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
1094 		left = in_len - sizeof(*hdr);
1095 		wpa_hexdump(MSG_DEBUG,
1096 			    "EAP-TEAP: Phase 2 type Nak'ed; allowed types",
1097 			    pos + 1, left - 1);
1098 #ifdef EAP_SERVER_TNC
1099 		if (m && m->vendor == EAP_VENDOR_IETF &&
1100 		    m->method == EAP_TYPE_TNC) {
1101 			wpa_printf(MSG_DEBUG,
1102 				   "EAP-TEAP: Peer Nak'ed required TNC negotiation");
1103 			next_vendor = EAP_VENDOR_IETF;
1104 			next_type = eap_teap_req_failure(data, 0);
1105 			eap_teap_phase2_init(sm, data, next_vendor, next_type);
1106 			return;
1107 		}
1108 #endif /* EAP_SERVER_TNC */
1109 		eap_sm_process_nak(sm, pos + 1, left - 1);
1110 		if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
1111 		    sm->user->methods[sm->user_eap_method_index].method !=
1112 		    EAP_TYPE_NONE) {
1113 			next_vendor = sm->user->methods[
1114 				sm->user_eap_method_index].vendor;
1115 			next_type = sm->user->methods[
1116 				sm->user_eap_method_index++].method;
1117 			wpa_printf(MSG_DEBUG, "EAP-TEAP: try EAP type %u:%u",
1118 				   next_vendor, next_type);
1119 		} else {
1120 			next_vendor = EAP_VENDOR_IETF;
1121 			next_type = eap_teap_req_failure(data, 0);
1122 		}
1123 		eap_teap_phase2_init(sm, data, next_vendor, next_type);
1124 		return;
1125 	}
1126 
1127 	wpabuf_set(&buf, in_data, in_len);
1128 
1129 	if (m->check(sm, priv, &buf)) {
1130 		wpa_printf(MSG_DEBUG,
1131 			   "EAP-TEAP: Phase 2 check() asked to ignore the packet");
1132 		eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD);
1133 		return;
1134 	}
1135 
1136 	m->process(sm, priv, &buf);
1137 
1138 	if (!m->isDone(sm, priv))
1139 		return;
1140 
1141 	if (!m->isSuccess(sm, priv)) {
1142 		wpa_printf(MSG_DEBUG, "EAP-TEAP: Phase 2 method failed");
1143 		next_vendor = EAP_VENDOR_IETF;
1144 		next_type = eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD);
1145 		eap_teap_phase2_init(sm, data, next_vendor, next_type);
1146 		return;
1147 	}
1148 
1149 	switch (data->state) {
1150 	case PHASE2_ID:
1151 		if (!eap_teap_valid_id_type(sm, data, id_type)) {
1152 			wpa_printf(MSG_DEBUG,
1153 				   "EAP-TEAP: Provided Identity-Type %u not allowed",
1154 				   id_type);
1155 			eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD);
1156 			break;
1157 		}
1158 		if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1159 			wpa_hexdump_ascii(MSG_DEBUG,
1160 					  "EAP-TEAP: Phase 2 Identity not found in the user database",
1161 					  sm->identity, sm->identity_len);
1162 			next_vendor = EAP_VENDOR_IETF;
1163 			next_type = eap_teap_req_failure(
1164 				data, TEAP_ERROR_INNER_METHOD);
1165 			break;
1166 		}
1167 
1168 		eap_teap_state(data, PHASE2_METHOD);
1169 		if (data->anon_provisioning) {
1170 			/* TODO: Allow any inner EAP method that provides
1171 			 * mutual authentication and EMSK derivation (i.e.,
1172 			 * EAP-pwd or EAP-EKE). */
1173 			next_vendor = EAP_VENDOR_IETF;
1174 			next_type = EAP_TYPE_PWD;
1175 			sm->user_eap_method_index = 0;
1176 		} else {
1177 			next_vendor = sm->user->methods[0].vendor;
1178 			next_type = sm->user->methods[0].method;
1179 			sm->user_eap_method_index = 1;
1180 		}
1181 		wpa_printf(MSG_DEBUG, "EAP-TEAP: Try EAP type %u:%u",
1182 			   next_vendor, next_type);
1183 		break;
1184 	case PHASE2_METHOD:
1185 	case CRYPTO_BINDING:
1186 		eap_teap_update_icmk(sm, data);
1187 		if (data->state == PHASE2_METHOD &&
1188 		    (sm->cfg->eap_teap_id !=
1189 		     EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE ||
1190 		     data->cur_id_type == TEAP_IDENTITY_TYPE_MACHINE))
1191 			data->inner_eap_not_done = 0;
1192 		eap_teap_state(data, CRYPTO_BINDING);
1193 		data->eap_seq++;
1194 		next_vendor = EAP_VENDOR_IETF;
1195 		next_type = EAP_TYPE_NONE;
1196 #ifdef EAP_SERVER_TNC
1197 		if (sm->cfg->tnc && !data->tnc_started) {
1198 			wpa_printf(MSG_DEBUG, "EAP-TEAP: Initialize TNC");
1199 			next_vendor = EAP_VENDOR_IETF;
1200 			next_type = EAP_TYPE_TNC;
1201 			data->tnc_started = 1;
1202 		}
1203 #endif /* EAP_SERVER_TNC */
1204 		break;
1205 	case FAILURE:
1206 		break;
1207 	default:
1208 		wpa_printf(MSG_DEBUG, "EAP-TEAP: %s - unexpected state %d",
1209 			   __func__, data->state);
1210 		break;
1211 	}
1212 
1213 	eap_teap_phase2_init(sm, data, next_vendor, next_type);
1214 }
1215 
1216 
1217 static void eap_teap_process_phase2_eap(struct eap_sm *sm,
1218 					struct eap_teap_data *data,
1219 					u8 *in_data, size_t in_len,
1220 					enum teap_identity_types id_type)
1221 {
1222 	struct eap_hdr *hdr;
1223 	size_t len;
1224 
1225 	hdr = (struct eap_hdr *) in_data;
1226 	if (in_len < (int) sizeof(*hdr)) {
1227 		wpa_printf(MSG_INFO,
1228 			   "EAP-TEAP: Too short Phase 2 EAP frame (len=%lu)",
1229 			   (unsigned long) in_len);
1230 		eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD);
1231 		return;
1232 	}
1233 	len = be_to_host16(hdr->length);
1234 	if (len > in_len) {
1235 		wpa_printf(MSG_INFO,
1236 			   "EAP-TEAP: Length mismatch in Phase 2 EAP frame (len=%lu hdr->length=%lu)",
1237 			   (unsigned long) in_len, (unsigned long) len);
1238 		eap_teap_req_failure(data, TEAP_ERROR_INNER_METHOD);
1239 		return;
1240 	}
1241 	wpa_printf(MSG_DEBUG,
1242 		   "EAP-TEAP: Received Phase 2: code=%d identifier=%d length=%lu",
1243 		   hdr->code, hdr->identifier,
1244 		   (unsigned long) len);
1245 	switch (hdr->code) {
1246 	case EAP_CODE_RESPONSE:
1247 		eap_teap_process_phase2_response(sm, data, (u8 *) hdr, len,
1248 						 id_type);
1249 		break;
1250 	default:
1251 		wpa_printf(MSG_INFO,
1252 			   "EAP-TEAP: Unexpected code=%d in Phase 2 EAP header",
1253 			   hdr->code);
1254 		break;
1255 	}
1256 }
1257 
1258 
1259 static void eap_teap_process_basic_auth_resp(struct eap_sm *sm,
1260 					     struct eap_teap_data *data,
1261 					     u8 *in_data, size_t in_len,
1262 					     enum teap_identity_types id_type)
1263 {
1264 	u8 *pos, *end, *username, *password, *new_id;
1265 	u8 userlen, passlen;
1266 
1267 	if (!eap_teap_valid_id_type(sm, data, id_type)) {
1268 		wpa_printf(MSG_DEBUG,
1269 			   "EAP-TEAP: Provided Identity-Type %u not allowed",
1270 			   id_type);
1271 		eap_teap_req_failure(data, 0);
1272 		return;
1273 	}
1274 
1275 	pos = in_data;
1276 	end = pos + in_len;
1277 
1278 	if (end - pos < 1) {
1279 		wpa_printf(MSG_DEBUG,
1280 			   "EAP-TEAP: No room for Basic-Password-Auth-Resp Userlen field");
1281 		eap_teap_req_failure(data, 0);
1282 		return;
1283 	}
1284 	userlen = *pos++;
1285 	if (end - pos < userlen) {
1286 		wpa_printf(MSG_DEBUG,
1287 			   "EAP-TEAP: Truncated Basic-Password-Auth-Resp Username field");
1288 		eap_teap_req_failure(data, 0);
1289 		return;
1290 	}
1291 	username = pos;
1292 	pos += userlen;
1293 	wpa_hexdump_ascii(MSG_DEBUG,
1294 			  "EAP-TEAP: Basic-Password-Auth-Resp Username",
1295 			  username, userlen);
1296 
1297 	if (end - pos < 1) {
1298 		wpa_printf(MSG_DEBUG,
1299 			   "EAP-TEAP: No room for Basic-Password-Auth-Resp Passlen field");
1300 		eap_teap_req_failure(data, 0);
1301 		return;
1302 	}
1303 	passlen = *pos++;
1304 	if (end - pos < passlen) {
1305 		wpa_printf(MSG_DEBUG,
1306 			   "EAP-TEAP: Truncated Basic-Password-Auth-Resp Password field");
1307 		eap_teap_req_failure(data, 0);
1308 		return;
1309 	}
1310 	password = pos;
1311 	pos += passlen;
1312 	wpa_hexdump_ascii_key(MSG_DEBUG,
1313 			      "EAP-TEAP: Basic-Password-Auth-Resp Password",
1314 			      password, passlen);
1315 
1316 	if (end > pos) {
1317 		wpa_printf(MSG_DEBUG,
1318 			   "EAP-TEAP: Unexpected %d extra octet(s) at the end of Basic-Password-Auth-Resp TLV",
1319 			   (int) (end - pos));
1320 		eap_teap_req_failure(data, 0);
1321 		return;
1322 	}
1323 
1324 	if (eap_user_get(sm, username, userlen, 1) != 0) {
1325 		wpa_printf(MSG_DEBUG,
1326 			   "EAP-TEAP: Username not found in the user database");
1327 		eap_teap_req_failure(data, 0);
1328 		return;
1329 	}
1330 
1331 	if (!sm->user || !sm->user->password || sm->user->password_hash) {
1332 		wpa_printf(MSG_DEBUG,
1333 			   "EAP-TEAP: No plaintext user password configured");
1334 		eap_teap_req_failure(data, 0);
1335 		return;
1336 	}
1337 
1338 	if (sm->user->password_len != passlen ||
1339 	    os_memcmp_const(sm->user->password, password, passlen) != 0) {
1340 		wpa_printf(MSG_DEBUG, "EAP-TEAP: Invalid password");
1341 		eap_teap_req_failure(data, 0);
1342 		return;
1343 	}
1344 
1345 	wpa_printf(MSG_DEBUG, "EAP-TEAP: Correct password");
1346 	new_id = os_memdup(username, userlen);
1347 	if (new_id) {
1348 		os_free(sm->identity);
1349 		sm->identity = new_id;
1350 		sm->identity_len = userlen;
1351 	}
1352 	if (sm->cfg->eap_teap_id != EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE ||
1353 	    data->cur_id_type == TEAP_IDENTITY_TYPE_MACHINE)
1354 		data->basic_auth_not_done = 0;
1355 	eap_teap_state(data, CRYPTO_BINDING);
1356 	eap_teap_update_icmk(sm, data);
1357 }
1358 
1359 
1360 static int eap_teap_parse_tlvs(struct wpabuf *data,
1361 			       struct eap_teap_tlv_parse *tlv)
1362 {
1363 	u16 tlv_type;
1364 	int mandatory, res;
1365 	size_t len;
1366 	u8 *pos, *end;
1367 
1368 	os_memset(tlv, 0, sizeof(*tlv));
1369 
1370 	pos = wpabuf_mhead(data);
1371 	end = pos + wpabuf_len(data);
1372 	while (end - pos > 4) {
1373 		mandatory = pos[0] & 0x80;
1374 		tlv_type = WPA_GET_BE16(pos) & 0x3fff;
1375 		pos += 2;
1376 		len = WPA_GET_BE16(pos);
1377 		pos += 2;
1378 		if (len > (size_t) (end - pos)) {
1379 			wpa_printf(MSG_INFO, "EAP-TEAP: TLV overflow");
1380 			return -1;
1381 		}
1382 		wpa_printf(MSG_DEBUG,
1383 			   "EAP-TEAP: Received Phase 2: TLV type %u (%s) length %u%s",
1384 			   tlv_type, eap_teap_tlv_type_str(tlv_type),
1385 			   (unsigned int) len,
1386 			   mandatory ? " (mandatory)" : "");
1387 
1388 		res = eap_teap_parse_tlv(tlv, tlv_type, pos, len);
1389 		if (res == -2)
1390 			break;
1391 		if (res < 0) {
1392 			if (mandatory) {
1393 				wpa_printf(MSG_DEBUG,
1394 					   "EAP-TEAP: NAK unknown mandatory TLV type %u",
1395 					   tlv_type);
1396 				/* TODO: generate NAK TLV */
1397 				break;
1398 			}
1399 
1400 			wpa_printf(MSG_DEBUG,
1401 				   "EAP-TEAP: Ignore unknown optional TLV type %u",
1402 				   tlv_type);
1403 		}
1404 
1405 		pos += len;
1406 	}
1407 
1408 	return 0;
1409 }
1410 
1411 
1412 static int eap_teap_validate_crypto_binding(
1413 	struct eap_teap_data *data, const struct teap_tlv_crypto_binding *cb,
1414 	size_t bind_len)
1415 {
1416 	u8 flags, subtype;
1417 
1418 	subtype = cb->subtype & 0x0f;
1419 	flags = cb->subtype >> 4;
1420 
1421 	wpa_printf(MSG_DEBUG,
1422 		   "EAP-TEAP: Reply Crypto-Binding TLV: Version %u Received Version %u Flags %u Sub-Type %u",
1423 		   cb->version, cb->received_version, flags, subtype);
1424 	wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Nonce",
1425 		    cb->nonce, sizeof(cb->nonce));
1426 	wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: EMSK Compound MAC",
1427 		    cb->emsk_compound_mac, sizeof(cb->emsk_compound_mac));
1428 	wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: MSK Compound MAC",
1429 		    cb->msk_compound_mac, sizeof(cb->msk_compound_mac));
1430 
1431 	if (cb->version != EAP_TEAP_VERSION ||
1432 	    cb->received_version != data->peer_version) {
1433 		wpa_printf(MSG_DEBUG,
1434 			   "EAP-TEAP: Unexpected version in Crypto-Binding: Version %u Received Version %u",
1435 			   cb->version, cb->received_version);
1436 		return -1;
1437 	}
1438 
1439 	if (flags < 1 || flags > 3) {
1440 		wpa_printf(MSG_DEBUG,
1441 			   "EAP-TEAP: Unexpected Flags in Crypto-Binding: %u",
1442 			   flags);
1443 		return -1;
1444 	}
1445 
1446 	if (subtype != TEAP_CRYPTO_BINDING_SUBTYPE_RESPONSE) {
1447 		wpa_printf(MSG_DEBUG,
1448 			   "EAP-TEAP: Unexpected Sub-Type in Crypto-Binding: %u",
1449 			   subtype);
1450 		return -1;
1451 	}
1452 
1453 	if (os_memcmp_const(data->crypto_binding_nonce, cb->nonce,
1454 			    EAP_TEAP_NONCE_LEN - 1) != 0 ||
1455 	    (data->crypto_binding_nonce[EAP_TEAP_NONCE_LEN - 1] | 1) !=
1456 	    cb->nonce[EAP_TEAP_NONCE_LEN - 1]) {
1457 		wpa_printf(MSG_DEBUG,
1458 			   "EAP-TEAP: Invalid Nonce in Crypto-Binding");
1459 		return -1;
1460 	}
1461 
1462 	if (flags == TEAP_CRYPTO_BINDING_MSK_CMAC ||
1463 	    flags == TEAP_CRYPTO_BINDING_EMSK_AND_MSK_CMAC) {
1464 		u8 msk_compound_mac[EAP_TEAP_COMPOUND_MAC_LEN];
1465 
1466 		if (eap_teap_compound_mac(data->tls_cs, cb,
1467 					  data->server_outer_tlvs,
1468 					  data->peer_outer_tlvs, data->cmk_msk,
1469 					  msk_compound_mac) < 0)
1470 			return -1;
1471 		if (os_memcmp_const(msk_compound_mac, cb->msk_compound_mac,
1472 				    EAP_TEAP_COMPOUND_MAC_LEN) != 0) {
1473 			wpa_hexdump(MSG_DEBUG,
1474 				    "EAP-TEAP: Calculated MSK Compound MAC",
1475 				    msk_compound_mac,
1476 				    EAP_TEAP_COMPOUND_MAC_LEN);
1477 			wpa_printf(MSG_INFO,
1478 				   "EAP-TEAP: MSK Compound MAC did not match");
1479 			return -1;
1480 		}
1481 	}
1482 
1483 	if ((flags == TEAP_CRYPTO_BINDING_EMSK_CMAC ||
1484 	     flags == TEAP_CRYPTO_BINDING_EMSK_AND_MSK_CMAC) &&
1485 	    data->cmk_emsk_available) {
1486 		u8 emsk_compound_mac[EAP_TEAP_COMPOUND_MAC_LEN];
1487 
1488 		if (eap_teap_compound_mac(data->tls_cs, cb,
1489 					  data->server_outer_tlvs,
1490 					  data->peer_outer_tlvs, data->cmk_emsk,
1491 					  emsk_compound_mac) < 0)
1492 			return -1;
1493 		if (os_memcmp_const(emsk_compound_mac, cb->emsk_compound_mac,
1494 				    EAP_TEAP_COMPOUND_MAC_LEN) != 0) {
1495 			wpa_hexdump(MSG_DEBUG,
1496 				    "EAP-TEAP: Calculated EMSK Compound MAC",
1497 				    emsk_compound_mac,
1498 				    EAP_TEAP_COMPOUND_MAC_LEN);
1499 			wpa_printf(MSG_INFO,
1500 				   "EAP-TEAP: EMSK Compound MAC did not match");
1501 			return -1;
1502 		}
1503 	}
1504 
1505 	if (flags == TEAP_CRYPTO_BINDING_EMSK_CMAC &&
1506 	    !data->cmk_emsk_available) {
1507 		wpa_printf(MSG_INFO,
1508 			   "EAP-TEAP: Peer included only EMSK Compound MAC, but no locally generated inner EAP EMSK to validate this");
1509 		return -1;
1510 	}
1511 
1512 	return 0;
1513 }
1514 
1515 
1516 static int eap_teap_pac_type(u8 *pac, size_t len, u16 type)
1517 {
1518 	struct teap_attr_pac_type *tlv;
1519 
1520 	if (!pac || len != sizeof(*tlv))
1521 		return 0;
1522 
1523 	tlv = (struct teap_attr_pac_type *) pac;
1524 
1525 	return be_to_host16(tlv->type) == PAC_TYPE_PAC_TYPE &&
1526 		be_to_host16(tlv->length) == 2 &&
1527 		be_to_host16(tlv->pac_type) == type;
1528 }
1529 
1530 
1531 static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
1532 					 struct eap_teap_data *data,
1533 					 struct wpabuf *in_data)
1534 {
1535 	struct eap_teap_tlv_parse tlv;
1536 	bool check_crypto_binding = data->state == CRYPTO_BINDING ||
1537 		data->check_crypto_binding;
1538 
1539 	if (eap_teap_parse_tlvs(in_data, &tlv) < 0) {
1540 		wpa_printf(MSG_DEBUG,
1541 			   "EAP-TEAP: Failed to parse received Phase 2 TLVs");
1542 		return;
1543 	}
1544 
1545 	if (tlv.result == TEAP_STATUS_FAILURE) {
1546 		wpa_printf(MSG_DEBUG, "EAP-TEAP: Result TLV indicated failure");
1547 		eap_teap_state(data, FAILURE);
1548 		return;
1549 	}
1550 
1551 	if (tlv.nak) {
1552 		wpa_printf(MSG_DEBUG,
1553 			   "EAP-TEAP: Peer NAK'ed Vendor-Id %u NAK-Type %u",
1554 			   WPA_GET_BE32(tlv.nak), WPA_GET_BE16(tlv.nak + 4));
1555 		eap_teap_state(data, FAILURE_SEND_RESULT);
1556 		return;
1557 	}
1558 
1559 	if (data->state == REQUEST_PAC) {
1560 		u16 type, len, res;
1561 
1562 		if (!tlv.pac || tlv.pac_len < 6) {
1563 			wpa_printf(MSG_DEBUG,
1564 				   "EAP-TEAP: No PAC Acknowledgement received");
1565 			eap_teap_state(data, FAILURE);
1566 			return;
1567 		}
1568 
1569 		type = WPA_GET_BE16(tlv.pac);
1570 		len = WPA_GET_BE16(tlv.pac + 2);
1571 		res = WPA_GET_BE16(tlv.pac + 4);
1572 
1573 		if (type != PAC_TYPE_PAC_ACKNOWLEDGEMENT || len != 2 ||
1574 		    res != TEAP_STATUS_SUCCESS) {
1575 			wpa_printf(MSG_DEBUG,
1576 				   "EAP-TEAP: PAC TLV did not contain acknowledgement");
1577 			eap_teap_state(data, FAILURE);
1578 			return;
1579 		}
1580 
1581 		wpa_printf(MSG_DEBUG,
1582 			   "EAP-TEAP: PAC-Acknowledgement received - PAC provisioning succeeded");
1583 		eap_teap_state(data, SUCCESS);
1584 		return;
1585 	}
1586 
1587 	if (check_crypto_binding) {
1588 		if (!tlv.crypto_binding) {
1589 			wpa_printf(MSG_DEBUG,
1590 				   "EAP-TEAP: No Crypto-Binding TLV received");
1591 			eap_teap_state(data, FAILURE);
1592 			return;
1593 		}
1594 
1595 		if (data->final_result &&
1596 		    tlv.result != TEAP_STATUS_SUCCESS) {
1597 			wpa_printf(MSG_DEBUG,
1598 				   "EAP-TEAP: Crypto-Binding TLV without Success Result");
1599 			eap_teap_state(data, FAILURE);
1600 			return;
1601 		}
1602 
1603 		if (sm->cfg->eap_teap_auth != 1 &&
1604 		    !data->skipped_inner_auth &&
1605 		    tlv.iresult != TEAP_STATUS_SUCCESS) {
1606 			wpa_printf(MSG_DEBUG,
1607 				   "EAP-TEAP: Crypto-Binding TLV without intermediate Success Result");
1608 			eap_teap_state(data, FAILURE);
1609 			return;
1610 		}
1611 
1612 		if (eap_teap_validate_crypto_binding(data, tlv.crypto_binding,
1613 						     tlv.crypto_binding_len)) {
1614 			eap_teap_state(data, FAILURE);
1615 			return;
1616 		}
1617 
1618 		wpa_printf(MSG_DEBUG,
1619 			   "EAP-TEAP: Valid Crypto-Binding TLV received");
1620 		data->check_crypto_binding = false;
1621 		if (data->final_result) {
1622 			wpa_printf(MSG_DEBUG,
1623 				   "EAP-TEAP: Authentication completed successfully");
1624 		}
1625 
1626 		if (data->anon_provisioning &&
1627 		    sm->cfg->eap_fast_prov != ANON_PROV &&
1628 		    sm->cfg->eap_fast_prov != BOTH_PROV) {
1629 			wpa_printf(MSG_DEBUG,
1630 				   "EAP-TEAP: Client is trying to use unauthenticated provisioning which is disabled");
1631 			eap_teap_state(data, FAILURE);
1632 			return;
1633 		}
1634 
1635 		if (sm->cfg->eap_fast_prov != AUTH_PROV &&
1636 		    sm->cfg->eap_fast_prov != BOTH_PROV &&
1637 		    tlv.request_action == TEAP_REQUEST_ACTION_PROCESS_TLV &&
1638 		    eap_teap_pac_type(tlv.pac, tlv.pac_len,
1639 				      PAC_TYPE_TUNNEL_PAC)) {
1640 			wpa_printf(MSG_DEBUG,
1641 				   "EAP-TEAP: Client is trying to use authenticated provisioning which is disabled");
1642 			eap_teap_state(data, FAILURE);
1643 			return;
1644 		}
1645 
1646 		if (data->anon_provisioning ||
1647 		    (tlv.request_action == TEAP_REQUEST_ACTION_PROCESS_TLV &&
1648 		     eap_teap_pac_type(tlv.pac, tlv.pac_len,
1649 				       PAC_TYPE_TUNNEL_PAC))) {
1650 			wpa_printf(MSG_DEBUG,
1651 				   "EAP-TEAP: Requested a new Tunnel PAC");
1652 			eap_teap_state(data, REQUEST_PAC);
1653 		} else if (data->send_new_pac) {
1654 			wpa_printf(MSG_DEBUG,
1655 				   "EAP-TEAP: Server triggered re-keying of Tunnel PAC");
1656 			eap_teap_state(data, REQUEST_PAC);
1657 		} else if (data->final_result) {
1658 			eap_teap_state(data, SUCCESS);
1659 		} else if (sm->cfg->eap_teap_separate_result) {
1660 			eap_teap_state(data, SUCCESS_SEND_RESULT);
1661 		}
1662 	}
1663 
1664 	if (tlv.basic_auth_resp) {
1665 		if (sm->cfg->eap_teap_auth != 1) {
1666 			wpa_printf(MSG_DEBUG,
1667 				   "EAP-TEAP: Unexpected Basic-Password-Auth-Resp when trying to use inner EAP");
1668 			eap_teap_state(data, FAILURE);
1669 			return;
1670 		}
1671 		eap_teap_process_basic_auth_resp(sm, data, tlv.basic_auth_resp,
1672 						 tlv.basic_auth_resp_len,
1673 						 tlv.identity_type);
1674 	}
1675 
1676 	if (tlv.eap_payload_tlv) {
1677 		if (sm->cfg->eap_teap_auth == 1) {
1678 			wpa_printf(MSG_DEBUG,
1679 				   "EAP-TEAP: Unexpected EAP Payload TLV when trying to use Basic-Password-Auth");
1680 			eap_teap_state(data, FAILURE);
1681 			return;
1682 		}
1683 		eap_teap_process_phase2_eap(sm, data, tlv.eap_payload_tlv,
1684 					    tlv.eap_payload_tlv_len,
1685 					    tlv.identity_type);
1686 	}
1687 
1688 	if (data->state == SUCCESS_SEND_RESULT &&
1689 	    tlv.result == TEAP_STATUS_SUCCESS) {
1690 		wpa_printf(MSG_DEBUG,
1691 			   "EAP-TEAP: Peer agreed with final success - authentication completed");
1692 		eap_teap_state(data, SUCCESS);
1693 	} else if (check_crypto_binding && data->state == CRYPTO_BINDING &&
1694 		   sm->cfg->eap_teap_auth == 1 && data->basic_auth_not_done) {
1695 		wpa_printf(MSG_DEBUG,
1696 			   "EAP-TEAP: Continue with basic password authentication for second credential");
1697 		eap_teap_state(data, PHASE2_BASIC_AUTH);
1698 	} else if (check_crypto_binding && data->state == CRYPTO_BINDING &&
1699 		   sm->cfg->eap_teap_auth == 0 && data->inner_eap_not_done &&
1700 		   sm->cfg->eap_teap_method_sequence == 1) {
1701 		wpa_printf(MSG_DEBUG,
1702 			   "EAP-TEAP: Continue with inner EAP authentication for second credential");
1703 		eap_teap_state(data, PHASE2_ID);
1704 		if (eap_teap_phase2_init(sm, data, EAP_VENDOR_IETF,
1705 					 EAP_TYPE_IDENTITY) < 0)
1706 			eap_teap_state(data, FAILURE);
1707 	}
1708 }
1709 
1710 
1711 static void eap_teap_process_phase2(struct eap_sm *sm,
1712 				    struct eap_teap_data *data,
1713 				    struct wpabuf *in_buf)
1714 {
1715 	struct wpabuf *in_decrypted;
1716 
1717 	wpa_printf(MSG_DEBUG,
1718 		   "EAP-TEAP: Received %lu bytes encrypted data for Phase 2",
1719 		   (unsigned long) wpabuf_len(in_buf));
1720 
1721 	if (data->pending_phase2_resp) {
1722 		wpa_printf(MSG_DEBUG,
1723 			   "EAP-TEAP: Pending Phase 2 response - skip decryption and use old data");
1724 		eap_teap_process_phase2_tlvs(sm, data,
1725 					     data->pending_phase2_resp);
1726 		wpabuf_free(data->pending_phase2_resp);
1727 		data->pending_phase2_resp = NULL;
1728 		return;
1729 	}
1730 
1731 	in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn,
1732 					      in_buf);
1733 	if (!in_decrypted) {
1734 		wpa_printf(MSG_INFO,
1735 			   "EAP-TEAP: Failed to decrypt Phase 2 data");
1736 		eap_teap_state(data, FAILURE);
1737 		return;
1738 	}
1739 
1740 	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TEAP: Decrypted Phase 2 TLVs",
1741 			    in_decrypted);
1742 
1743 	eap_teap_process_phase2_tlvs(sm, data, in_decrypted);
1744 
1745 	if (sm->method_pending == METHOD_PENDING_WAIT) {
1746 		wpa_printf(MSG_DEBUG,
1747 			   "EAP-TEAP: Phase 2 method is in pending wait state - save decrypted response");
1748 		wpabuf_free(data->pending_phase2_resp);
1749 		data->pending_phase2_resp = in_decrypted;
1750 		return;
1751 	}
1752 
1753 	wpabuf_free(in_decrypted);
1754 }
1755 
1756 
1757 static int eap_teap_process_version(struct eap_sm *sm, void *priv,
1758 				    int peer_version)
1759 {
1760 	struct eap_teap_data *data = priv;
1761 
1762 	if (peer_version < 1) {
1763 		/* Version 1 was the first defined version, so reject 0 */
1764 		wpa_printf(MSG_INFO,
1765 			   "EAP-TEAP: Peer used unknown TEAP version %u",
1766 			   peer_version);
1767 		return -1;
1768 	}
1769 
1770 	if (peer_version < data->teap_version) {
1771 		wpa_printf(MSG_DEBUG, "EAP-TEAP: peer ver=%u, own ver=%u; "
1772 			   "use version %u",
1773 			   peer_version, data->teap_version, peer_version);
1774 		data->teap_version = peer_version;
1775 	}
1776 
1777 	data->peer_version = peer_version;
1778 
1779 	return 0;
1780 }
1781 
1782 
1783 static int eap_teap_process_phase1(struct eap_sm *sm,
1784 				   struct eap_teap_data *data)
1785 {
1786 	if (eap_server_tls_phase1(sm, &data->ssl) < 0) {
1787 		wpa_printf(MSG_INFO, "EAP-TEAP: TLS processing failed");
1788 		eap_teap_state(data, FAILURE);
1789 		return -1;
1790 	}
1791 
1792 	if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
1793 	    wpabuf_len(data->ssl.tls_out) > 0)
1794 		return 1;
1795 
1796 	/*
1797 	 * Phase 1 was completed with the received message (e.g., when using
1798 	 * abbreviated handshake), so Phase 2 can be started immediately
1799 	 * without having to send through an empty message to the peer.
1800 	 */
1801 
1802 	return eap_teap_phase1_done(sm, data);
1803 }
1804 
1805 
1806 static int eap_teap_process_phase2_start(struct eap_sm *sm,
1807 					 struct eap_teap_data *data)
1808 {
1809 	int next_vendor;
1810 	enum eap_type next_type;
1811 
1812 	if (data->identity) {
1813 		/* Used PAC and identity is from PAC-Opaque */
1814 		os_free(sm->identity);
1815 		sm->identity = data->identity;
1816 		data->identity = NULL;
1817 		sm->identity_len = data->identity_len;
1818 		data->identity_len = 0;
1819 		if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1820 			wpa_hexdump_ascii(MSG_DEBUG,
1821 					  "EAP-TEAP: Phase 2 Identity not found in the user database",
1822 					  sm->identity, sm->identity_len);
1823 			next_vendor = EAP_VENDOR_IETF;
1824 			next_type = EAP_TYPE_NONE;
1825 			eap_teap_state(data, PHASE2_METHOD);
1826 		} else if (sm->cfg->eap_teap_pac_no_inner ||
1827 			sm->cfg->eap_teap_auth == 2) {
1828 			wpa_printf(MSG_DEBUG,
1829 				   "EAP-TEAP: Used PAC or client certificate and identity already known - skip inner auth");
1830 			data->skipped_inner_auth = 1;
1831 			/* FIX: Need to derive CMK here. However, how is that
1832 			 * supposed to be done? RFC 7170 does not tell that for
1833 			 * the no-inner-auth case. */
1834 			eap_teap_derive_cmk_basic_pw_auth(data->tls_cs,
1835 							  data->simck_msk,
1836 							  data->cmk_msk);
1837 			eap_teap_state(data, CRYPTO_BINDING);
1838 			return 1;
1839 		} else if (sm->cfg->eap_teap_auth == 1) {
1840 			eap_teap_state(data, PHASE2_BASIC_AUTH);
1841 			return 1;
1842 		} else {
1843 			wpa_printf(MSG_DEBUG,
1844 				   "EAP-TEAP: Identity already known - skip Phase 2 Identity Request");
1845 			next_vendor = sm->user->methods[0].vendor;
1846 			next_type = sm->user->methods[0].method;
1847 			sm->user_eap_method_index = 1;
1848 			eap_teap_state(data, PHASE2_METHOD);
1849 		}
1850 
1851 	} else if (sm->cfg->eap_teap_auth == 1) {
1852 		eap_teap_state(data, PHASE2_BASIC_AUTH);
1853 		return 0;
1854 	} else {
1855 		eap_teap_state(data, PHASE2_ID);
1856 		next_vendor = EAP_VENDOR_IETF;
1857 		next_type = EAP_TYPE_IDENTITY;
1858 	}
1859 
1860 	return eap_teap_phase2_init(sm, data, next_vendor, next_type);
1861 }
1862 
1863 
1864 static void eap_teap_process_msg(struct eap_sm *sm, void *priv,
1865 				 const struct wpabuf *respData)
1866 {
1867 	struct eap_teap_data *data = priv;
1868 
1869 	switch (data->state) {
1870 	case PHASE1:
1871 	case PHASE1B:
1872 		if (eap_teap_process_phase1(sm, data))
1873 			break;
1874 
1875 		/* fall through */
1876 	case PHASE2_START:
1877 		eap_teap_process_phase2_start(sm, data);
1878 		break;
1879 	case PHASE2_ID:
1880 	case PHASE2_BASIC_AUTH:
1881 	case PHASE2_METHOD:
1882 	case CRYPTO_BINDING:
1883 	case REQUEST_PAC:
1884 	case SUCCESS_SEND_RESULT:
1885 		eap_teap_process_phase2(sm, data, data->ssl.tls_in);
1886 		break;
1887 	case FAILURE_SEND_RESULT:
1888 		/* Protected failure result indication completed. Ignore the
1889 		 * received message (which is supposed to include Result TLV
1890 		 * indicating failure) and terminate exchange with cleartext
1891 		 * EAP-Failure. */
1892 		eap_teap_state(data, FAILURE);
1893 		break;
1894 	default:
1895 		wpa_printf(MSG_DEBUG, "EAP-TEAP: Unexpected state %d in %s",
1896 			   data->state, __func__);
1897 		break;
1898 	}
1899 }
1900 
1901 
1902 static void eap_teap_process(struct eap_sm *sm, void *priv,
1903 			     struct wpabuf *respData)
1904 {
1905 	struct eap_teap_data *data = priv;
1906 	const u8 *pos;
1907 	size_t len;
1908 	struct wpabuf *resp = respData;
1909 	u8 flags;
1910 
1911 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TEAP, respData, &len);
1912 	if (!pos || len < 1)
1913 		return;
1914 
1915 	flags = *pos++;
1916 	len--;
1917 
1918 	if (flags & EAP_TEAP_FLAGS_OUTER_TLV_LEN) {
1919 		/* Extract Outer TLVs from the message before common TLS
1920 		 * processing */
1921 		u32 message_len = 0, outer_tlv_len;
1922 		const u8 *hdr;
1923 
1924 		if (data->state != PHASE1) {
1925 			wpa_printf(MSG_INFO,
1926 				   "EAP-TEAP: Unexpected Outer TLVs in a message that is not the first message from the peer");
1927 			return;
1928 		}
1929 
1930 		if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
1931 			if (len < 4) {
1932 				wpa_printf(MSG_INFO,
1933 					   "EAP-TEAP: Too short message to include Message Length field");
1934 				return;
1935 			}
1936 
1937 			message_len = WPA_GET_BE32(pos);
1938 			pos += 4;
1939 			len -= 4;
1940 			if (message_len < 4) {
1941 				wpa_printf(MSG_INFO,
1942 					   "EAP-TEAP: Message Length field has too msall value to include Outer TLV Length field");
1943 				return;
1944 			}
1945 		}
1946 
1947 		if (len < 4) {
1948 			wpa_printf(MSG_INFO,
1949 				   "EAP-TEAP: Too short message to include Outer TLVs Length field");
1950 			return;
1951 		}
1952 
1953 		outer_tlv_len = WPA_GET_BE32(pos);
1954 		pos += 4;
1955 		len -= 4;
1956 
1957 		wpa_printf(MSG_DEBUG,
1958 			   "EAP-TEAP: Message Length %u Outer TLV Length %u",
1959 			  message_len, outer_tlv_len);
1960 		if (len < outer_tlv_len) {
1961 			wpa_printf(MSG_INFO,
1962 				   "EAP-TEAP: Too short message to include Outer TLVs field");
1963 			return;
1964 		}
1965 
1966 		if (message_len &&
1967 		    (message_len < outer_tlv_len ||
1968 		     message_len < 4 + outer_tlv_len)) {
1969 			wpa_printf(MSG_INFO,
1970 				   "EAP-TEAP: Message Length field has too small value to include Outer TLVs");
1971 			return;
1972 		}
1973 
1974 		if (wpabuf_len(respData) < 4 + outer_tlv_len ||
1975 		    len < outer_tlv_len)
1976 			return;
1977 		resp = wpabuf_alloc(wpabuf_len(respData) - 4 - outer_tlv_len);
1978 		if (!resp)
1979 			return;
1980 		hdr = wpabuf_head(respData);
1981 		wpabuf_put_u8(resp, *hdr++); /* Code */
1982 		wpabuf_put_u8(resp, *hdr++); /* Identifier */
1983 		wpabuf_put_be16(resp, WPA_GET_BE16(hdr) - 4 - outer_tlv_len);
1984 		hdr += 2;
1985 		wpabuf_put_u8(resp, *hdr++); /* Type */
1986 		/* Flags | Ver */
1987 		wpabuf_put_u8(resp, flags & ~EAP_TEAP_FLAGS_OUTER_TLV_LEN);
1988 
1989 		if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)
1990 			wpabuf_put_be32(resp, message_len - 4 - outer_tlv_len);
1991 
1992 		wpabuf_put_data(resp, pos, len - outer_tlv_len);
1993 		pos += len - outer_tlv_len;
1994 		wpabuf_free(data->peer_outer_tlvs);
1995 		data->peer_outer_tlvs = wpabuf_alloc_copy(pos, outer_tlv_len);
1996 		if (!data->peer_outer_tlvs)
1997 			return;
1998 		wpa_hexdump_buf(MSG_DEBUG, "EAP-TEAP: Outer TLVs",
1999 				data->peer_outer_tlvs);
2000 
2001 		wpa_hexdump_buf(MSG_DEBUG,
2002 				"EAP-TEAP: TLS Data message after Outer TLV removal",
2003 				resp);
2004 		pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TEAP, resp,
2005 				       &len);
2006 		if (!pos || len < 1) {
2007 			wpa_printf(MSG_INFO,
2008 				   "EAP-TEAP: Invalid frame after Outer TLV removal");
2009 			return;
2010 		}
2011 	}
2012 
2013 	if (data->state == PHASE1)
2014 		eap_teap_state(data, PHASE1B);
2015 
2016 	if (eap_server_tls_process(sm, &data->ssl, resp, data,
2017 				   EAP_TYPE_TEAP, eap_teap_process_version,
2018 				   eap_teap_process_msg) < 0)
2019 		eap_teap_state(data, FAILURE);
2020 
2021 	if (resp != respData)
2022 		wpabuf_free(resp);
2023 }
2024 
2025 
2026 static bool eap_teap_isDone(struct eap_sm *sm, void *priv)
2027 {
2028 	struct eap_teap_data *data = priv;
2029 
2030 	return data->state == SUCCESS || data->state == FAILURE;
2031 }
2032 
2033 
2034 static u8 * eap_teap_getKey(struct eap_sm *sm, void *priv, size_t *len)
2035 {
2036 	struct eap_teap_data *data = priv;
2037 	u8 *eapKeyData;
2038 
2039 	if (data->state != SUCCESS)
2040 		return NULL;
2041 
2042 	eapKeyData = os_malloc(EAP_TEAP_KEY_LEN);
2043 	if (!eapKeyData)
2044 		return NULL;
2045 
2046 	/* FIX: RFC 7170 does not describe whether MSK or EMSK based S-IMCK[j]
2047 	 * is used in this derivation */
2048 	if (eap_teap_derive_eap_msk(data->tls_cs, data->simck_msk,
2049 				    eapKeyData) < 0) {
2050 		os_free(eapKeyData);
2051 		return NULL;
2052 	}
2053 	*len = EAP_TEAP_KEY_LEN;
2054 
2055 	return eapKeyData;
2056 }
2057 
2058 
2059 static u8 * eap_teap_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
2060 {
2061 	struct eap_teap_data *data = priv;
2062 	u8 *eapKeyData;
2063 
2064 	if (data->state != SUCCESS)
2065 		return NULL;
2066 
2067 	eapKeyData = os_malloc(EAP_EMSK_LEN);
2068 	if (!eapKeyData)
2069 		return NULL;
2070 
2071 	/* FIX: RFC 7170 does not describe whether MSK or EMSK based S-IMCK[j]
2072 	 * is used in this derivation */
2073 	if (eap_teap_derive_eap_emsk(data->tls_cs, data->simck_msk,
2074 				     eapKeyData) < 0) {
2075 		os_free(eapKeyData);
2076 		return NULL;
2077 	}
2078 	*len = EAP_EMSK_LEN;
2079 
2080 	return eapKeyData;
2081 }
2082 
2083 
2084 static bool eap_teap_isSuccess(struct eap_sm *sm, void *priv)
2085 {
2086 	struct eap_teap_data *data = priv;
2087 
2088 	return data->state == SUCCESS;
2089 }
2090 
2091 
2092 static u8 * eap_teap_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
2093 {
2094 	struct eap_teap_data *data = priv;
2095 	const size_t max_id_len = 100;
2096 	int res;
2097 	u8 *id;
2098 
2099 	if (data->state != SUCCESS)
2100 		return NULL;
2101 
2102 	id = os_malloc(max_id_len);
2103 	if (!id)
2104 		return NULL;
2105 
2106 	id[0] = EAP_TYPE_TEAP;
2107 	res = tls_get_tls_unique(data->ssl.conn, id + 1, max_id_len - 1);
2108 	if (res < 0) {
2109 		os_free(id);
2110 		wpa_printf(MSG_ERROR, "EAP-TEAP: Failed to derive Session-Id");
2111 		return NULL;
2112 	}
2113 
2114 	*len = 1 + res;
2115 	wpa_hexdump(MSG_DEBUG, "EAP-TEAP: Derived Session-Id", id, *len);
2116 	return id;
2117 }
2118 
2119 
2120 int eap_server_teap_register(void)
2121 {
2122 	struct eap_method *eap;
2123 
2124 	eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
2125 				      EAP_VENDOR_IETF, EAP_TYPE_TEAP, "TEAP");
2126 	if (!eap)
2127 		return -1;
2128 
2129 	eap->init = eap_teap_init;
2130 	eap->reset = eap_teap_reset;
2131 	eap->buildReq = eap_teap_buildReq;
2132 	eap->check = eap_teap_check;
2133 	eap->process = eap_teap_process;
2134 	eap->isDone = eap_teap_isDone;
2135 	eap->getKey = eap_teap_getKey;
2136 	eap->get_emsk = eap_teap_get_emsk;
2137 	eap->isSuccess = eap_teap_isSuccess;
2138 	eap->getSessionId = eap_teap_get_session_id;
2139 
2140 	return eap_server_method_register(eap);
2141 }
2142