xref: /freebsd/contrib/wpa/src/eap_server/eap_server_ttls.c (revision 924226fba12cc9a228c73b956e1b7fa24c60b055)
1 /*
2  * hostapd / EAP-TTLS (RFC 5281)
3  * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/ms_funcs.h"
13 #include "crypto/sha1.h"
14 #include "crypto/tls.h"
15 #include "eap_server/eap_i.h"
16 #include "eap_server/eap_tls_common.h"
17 #include "eap_common/chap.h"
18 #include "eap_common/eap_ttls.h"
19 
20 
21 #define EAP_TTLS_VERSION 0
22 
23 
24 static void eap_ttls_reset(struct eap_sm *sm, void *priv);
25 
26 
27 struct eap_ttls_data {
28 	struct eap_ssl_data ssl;
29 	enum {
30 		START, PHASE1, PHASE2_START, PHASE2_METHOD,
31 		PHASE2_MSCHAPV2_RESP, SUCCESS, FAILURE
32 	} state;
33 
34 	int ttls_version;
35 	const struct eap_method *phase2_method;
36 	void *phase2_priv;
37 	int mschapv2_resp_ok;
38 	u8 mschapv2_auth_response[20];
39 	u8 mschapv2_ident;
40 	struct wpabuf *pending_phase2_eap_resp;
41 	int tnc_started;
42 };
43 
44 
45 static const char * eap_ttls_state_txt(int state)
46 {
47 	switch (state) {
48 	case START:
49 		return "START";
50 	case PHASE1:
51 		return "PHASE1";
52 	case PHASE2_START:
53 		return "PHASE2_START";
54 	case PHASE2_METHOD:
55 		return "PHASE2_METHOD";
56 	case PHASE2_MSCHAPV2_RESP:
57 		return "PHASE2_MSCHAPV2_RESP";
58 	case SUCCESS:
59 		return "SUCCESS";
60 	case FAILURE:
61 		return "FAILURE";
62 	default:
63 		return "Unknown?!";
64 	}
65 }
66 
67 
68 static void eap_ttls_state(struct eap_ttls_data *data, int state)
69 {
70 	wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s",
71 		   eap_ttls_state_txt(data->state),
72 		   eap_ttls_state_txt(state));
73 	data->state = state;
74 	if (state == FAILURE)
75 		tls_connection_remove_session(data->ssl.conn);
76 }
77 
78 
79 static void eap_ttls_valid_session(struct eap_sm *sm,
80 				   struct eap_ttls_data *data)
81 {
82 	struct wpabuf *buf;
83 
84 	if (!sm->cfg->tls_session_lifetime)
85 		return;
86 
87 	buf = wpabuf_alloc(1 + 1 + sm->identity_len);
88 	if (!buf)
89 		return;
90 	wpabuf_put_u8(buf, EAP_TYPE_TTLS);
91 	if (sm->identity) {
92 		u8 id_len;
93 
94 		if (sm->identity_len <= 255)
95 			id_len = sm->identity_len;
96 		else
97 			id_len = 255;
98 		wpabuf_put_u8(buf, id_len);
99 		wpabuf_put_data(buf, sm->identity, id_len);
100 	} else {
101 		wpabuf_put_u8(buf, 0);
102 	}
103 	tls_connection_set_success_data(data->ssl.conn, buf);
104 }
105 
106 
107 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
108 			     int mandatory, size_t len)
109 {
110 	struct ttls_avp_vendor *avp;
111 	u8 flags;
112 	size_t hdrlen;
113 
114 	avp = (struct ttls_avp_vendor *) avphdr;
115 	flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
116 	if (vendor_id) {
117 		flags |= AVP_FLAGS_VENDOR;
118 		hdrlen = sizeof(*avp);
119 		avp->vendor_id = host_to_be32(vendor_id);
120 	} else {
121 		hdrlen = sizeof(struct ttls_avp);
122 	}
123 
124 	avp->avp_code = host_to_be32(avp_code);
125 	avp->avp_length = host_to_be32(((u32) flags << 24) |
126 				       ((u32) (hdrlen + len)));
127 
128 	return avphdr + hdrlen;
129 }
130 
131 
132 static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp,
133 						u32 avp_code, int mandatory)
134 {
135 	struct wpabuf *avp;
136 	u8 *pos;
137 
138 	avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4);
139 	if (avp == NULL) {
140 		wpabuf_free(resp);
141 		return NULL;
142 	}
143 
144 	pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory,
145 			       wpabuf_len(resp));
146 	os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp));
147 	pos += wpabuf_len(resp);
148 	AVP_PAD((const u8 *) wpabuf_head(avp), pos);
149 	wpabuf_free(resp);
150 	wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp));
151 	return avp;
152 }
153 
154 
155 struct eap_ttls_avp {
156 	 /* Note: eap is allocated memory; caller is responsible for freeing
157 	  * it. All the other pointers are pointing to the packet data, i.e.,
158 	  * they must not be freed separately. */
159 	u8 *eap;
160 	size_t eap_len;
161 	u8 *user_name;
162 	size_t user_name_len;
163 	u8 *user_password;
164 	size_t user_password_len;
165 	u8 *chap_challenge;
166 	size_t chap_challenge_len;
167 	u8 *chap_password;
168 	size_t chap_password_len;
169 	u8 *mschap_challenge;
170 	size_t mschap_challenge_len;
171 	u8 *mschap_response;
172 	size_t mschap_response_len;
173 	u8 *mschap2_response;
174 	size_t mschap2_response_len;
175 };
176 
177 
178 static int eap_ttls_avp_parse(struct wpabuf *buf, struct eap_ttls_avp *parse)
179 {
180 	struct ttls_avp *avp;
181 	u8 *pos;
182 	int left;
183 
184 	pos = wpabuf_mhead(buf);
185 	left = wpabuf_len(buf);
186 	os_memset(parse, 0, sizeof(*parse));
187 
188 	while (left > 0) {
189 		u32 avp_code, avp_length, vendor_id = 0;
190 		u8 avp_flags, *dpos;
191 		size_t pad, dlen;
192 		avp = (struct ttls_avp *) pos;
193 		avp_code = be_to_host32(avp->avp_code);
194 		avp_length = be_to_host32(avp->avp_length);
195 		avp_flags = (avp_length >> 24) & 0xff;
196 		avp_length &= 0xffffff;
197 		wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
198 			   "length=%d", (int) avp_code, avp_flags,
199 			   (int) avp_length);
200 		if ((int) avp_length > left) {
201 			wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
202 				   "(len=%d, left=%d) - dropped",
203 				   (int) avp_length, left);
204 			goto fail;
205 		}
206 		if (avp_length < sizeof(*avp)) {
207 			wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length "
208 				   "%d", avp_length);
209 			goto fail;
210 		}
211 		dpos = (u8 *) (avp + 1);
212 		dlen = avp_length - sizeof(*avp);
213 		if (avp_flags & AVP_FLAGS_VENDOR) {
214 			if (dlen < 4) {
215 				wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP "
216 					   "underflow");
217 				goto fail;
218 			}
219 			vendor_id = be_to_host32(* (be32 *) dpos);
220 			wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
221 				   (int) vendor_id);
222 			dpos += 4;
223 			dlen -= 4;
224 		}
225 
226 		wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
227 
228 		if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
229 			wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
230 			if (parse->eap == NULL) {
231 				parse->eap = os_memdup(dpos, dlen);
232 				if (parse->eap == NULL) {
233 					wpa_printf(MSG_WARNING, "EAP-TTLS: "
234 						   "failed to allocate memory "
235 						   "for Phase 2 EAP data");
236 					goto fail;
237 				}
238 				parse->eap_len = dlen;
239 			} else {
240 				u8 *neweap = os_realloc(parse->eap,
241 							parse->eap_len + dlen);
242 				if (neweap == NULL) {
243 					wpa_printf(MSG_WARNING, "EAP-TTLS: "
244 						   "failed to allocate memory "
245 						   "for Phase 2 EAP data");
246 					goto fail;
247 				}
248 				os_memcpy(neweap + parse->eap_len, dpos, dlen);
249 				parse->eap = neweap;
250 				parse->eap_len += dlen;
251 			}
252 		} else if (vendor_id == 0 &&
253 			   avp_code == RADIUS_ATTR_USER_NAME) {
254 			wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name",
255 					  dpos, dlen);
256 			parse->user_name = dpos;
257 			parse->user_name_len = dlen;
258 		} else if (vendor_id == 0 &&
259 			   avp_code == RADIUS_ATTR_USER_PASSWORD) {
260 			u8 *password = dpos;
261 			size_t password_len = dlen;
262 			while (password_len > 0 &&
263 			       password[password_len - 1] == '\0') {
264 				password_len--;
265 			}
266 			wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: "
267 					      "User-Password (PAP)",
268 					      password, password_len);
269 			parse->user_password = password;
270 			parse->user_password_len = password_len;
271 		} else if (vendor_id == 0 &&
272 			   avp_code == RADIUS_ATTR_CHAP_CHALLENGE) {
273 			wpa_hexdump(MSG_DEBUG,
274 				    "EAP-TTLS: CHAP-Challenge (CHAP)",
275 				    dpos, dlen);
276 			parse->chap_challenge = dpos;
277 			parse->chap_challenge_len = dlen;
278 		} else if (vendor_id == 0 &&
279 			   avp_code == RADIUS_ATTR_CHAP_PASSWORD) {
280 			wpa_hexdump(MSG_DEBUG,
281 				    "EAP-TTLS: CHAP-Password (CHAP)",
282 				    dpos, dlen);
283 			parse->chap_password = dpos;
284 			parse->chap_password_len = dlen;
285 		} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
286 			   avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) {
287 			wpa_hexdump(MSG_DEBUG,
288 				    "EAP-TTLS: MS-CHAP-Challenge",
289 				    dpos, dlen);
290 			parse->mschap_challenge = dpos;
291 			parse->mschap_challenge_len = dlen;
292 		} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
293 			   avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) {
294 			wpa_hexdump(MSG_DEBUG,
295 				    "EAP-TTLS: MS-CHAP-Response (MSCHAP)",
296 				    dpos, dlen);
297 			parse->mschap_response = dpos;
298 			parse->mschap_response_len = dlen;
299 		} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
300 			   avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) {
301 			wpa_hexdump(MSG_DEBUG,
302 				    "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)",
303 				    dpos, dlen);
304 			parse->mschap2_response = dpos;
305 			parse->mschap2_response_len = dlen;
306 		} else if (avp_flags & AVP_FLAGS_MANDATORY) {
307 			wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported "
308 				   "mandatory AVP code %d vendor_id %d - "
309 				   "dropped", (int) avp_code, (int) vendor_id);
310 			goto fail;
311 		} else {
312 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported "
313 				   "AVP code %d vendor_id %d",
314 				   (int) avp_code, (int) vendor_id);
315 		}
316 
317 		pad = (4 - (avp_length & 3)) & 3;
318 		pos += avp_length + pad;
319 		left -= avp_length + pad;
320 	}
321 
322 	return 0;
323 
324 fail:
325 	os_free(parse->eap);
326 	parse->eap = NULL;
327 	return -1;
328 }
329 
330 
331 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
332 					struct eap_ttls_data *data, size_t len)
333 {
334 	return eap_server_tls_derive_key(sm, &data->ssl, "ttls challenge",
335 					 NULL, 0, len);
336 }
337 
338 
339 static void * eap_ttls_init(struct eap_sm *sm)
340 {
341 	struct eap_ttls_data *data;
342 
343 	data = os_zalloc(sizeof(*data));
344 	if (data == NULL)
345 		return NULL;
346 	data->ttls_version = EAP_TTLS_VERSION;
347 	data->state = START;
348 
349 	if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_TTLS)) {
350 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
351 		eap_ttls_reset(sm, data);
352 		return NULL;
353 	}
354 
355 	return data;
356 }
357 
358 
359 static void eap_ttls_reset(struct eap_sm *sm, void *priv)
360 {
361 	struct eap_ttls_data *data = priv;
362 	if (data == NULL)
363 		return;
364 	if (data->phase2_priv && data->phase2_method)
365 		data->phase2_method->reset(sm, data->phase2_priv);
366 	eap_server_tls_ssl_deinit(sm, &data->ssl);
367 	wpabuf_free(data->pending_phase2_eap_resp);
368 	bin_clear_free(data, sizeof(*data));
369 }
370 
371 
372 static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm,
373 					    struct eap_ttls_data *data, u8 id)
374 {
375 	struct wpabuf *req;
376 
377 	req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1,
378 			    EAP_CODE_REQUEST, id);
379 	if (req == NULL) {
380 		wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for"
381 			   " request");
382 		eap_ttls_state(data, FAILURE);
383 		return NULL;
384 	}
385 
386 	wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version);
387 
388 	eap_ttls_state(data, PHASE1);
389 
390 	return req;
391 }
392 
393 
394 static struct wpabuf * eap_ttls_build_phase2_eap_req(
395 	struct eap_sm *sm, struct eap_ttls_data *data, u8 id)
396 {
397 	struct wpabuf *buf, *encr_req;
398 
399 
400 	buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
401 	if (buf == NULL)
402 		return NULL;
403 
404 	wpa_hexdump_buf_key(MSG_DEBUG,
405 			    "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf);
406 
407 	buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1);
408 	if (buf == NULL) {
409 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate "
410 			   "packet");
411 		return NULL;
412 	}
413 
414 	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated "
415 			    "Phase 2 data", buf);
416 
417 	encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf);
418 	wpabuf_free(buf);
419 
420 	return encr_req;
421 }
422 
423 
424 static struct wpabuf * eap_ttls_build_phase2_mschapv2(
425 	struct eap_sm *sm, struct eap_ttls_data *data)
426 {
427 	struct wpabuf *encr_req, msgbuf;
428 	u8 *req, *pos, *end;
429 	int ret;
430 
431 	pos = req = os_malloc(100);
432 	if (req == NULL)
433 		return NULL;
434 	end = req + 100;
435 
436 	if (data->mschapv2_resp_ok) {
437 		pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS,
438 				       RADIUS_VENDOR_ID_MICROSOFT, 1, 43);
439 		*pos++ = data->mschapv2_ident;
440 		ret = os_snprintf((char *) pos, end - pos, "S=");
441 		if (!os_snprintf_error(end - pos, ret))
442 			pos += ret;
443 		pos += wpa_snprintf_hex_uppercase(
444 			(char *) pos, end - pos, data->mschapv2_auth_response,
445 			sizeof(data->mschapv2_auth_response));
446 	} else {
447 		pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR,
448 				       RADIUS_VENDOR_ID_MICROSOFT, 1, 6);
449 		os_memcpy(pos, "Failed", 6);
450 		pos += 6;
451 		AVP_PAD(req, pos);
452 	}
453 
454 	wpabuf_set(&msgbuf, req, pos - req);
455 	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 "
456 			    "data", &msgbuf);
457 
458 	encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
459 	os_free(req);
460 
461 	return encr_req;
462 }
463 
464 
465 static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
466 {
467 	struct eap_ttls_data *data = priv;
468 
469 	if (data->ssl.state == FRAG_ACK) {
470 		return eap_server_tls_build_ack(id, EAP_TYPE_TTLS,
471 						data->ttls_version);
472 	}
473 
474 	if (data->ssl.state == WAIT_FRAG_ACK) {
475 		return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
476 						data->ttls_version, id);
477 	}
478 
479 	switch (data->state) {
480 	case START:
481 		return eap_ttls_build_start(sm, data, id);
482 	case PHASE1:
483 		if (tls_connection_established(sm->cfg->ssl_ctx,
484 					       data->ssl.conn)) {
485 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, "
486 				   "starting Phase2");
487 			eap_ttls_state(data, PHASE2_START);
488 		}
489 		break;
490 	case PHASE2_METHOD:
491 		wpabuf_free(data->ssl.tls_out);
492 		data->ssl.tls_out_pos = 0;
493 		data->ssl.tls_out = eap_ttls_build_phase2_eap_req(sm, data,
494 								  id);
495 		break;
496 	case PHASE2_MSCHAPV2_RESP:
497 		wpabuf_free(data->ssl.tls_out);
498 		data->ssl.tls_out_pos = 0;
499 		data->ssl.tls_out = eap_ttls_build_phase2_mschapv2(sm, data);
500 		break;
501 	default:
502 		wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
503 			   __func__, data->state);
504 		return NULL;
505 	}
506 
507 	return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
508 					data->ttls_version, id);
509 }
510 
511 
512 static bool eap_ttls_check(struct eap_sm *sm, void *priv,
513 			   struct wpabuf *respData)
514 {
515 	const u8 *pos;
516 	size_t len;
517 
518 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len);
519 	if (pos == NULL || len < 1) {
520 		wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame");
521 		return true;
522 	}
523 
524 	return false;
525 }
526 
527 
528 static void eap_ttls_process_phase2_pap(struct eap_sm *sm,
529 					struct eap_ttls_data *data,
530 					const u8 *user_password,
531 					size_t user_password_len)
532 {
533 	if (!sm->user || !sm->user->password || sm->user->password_hash ||
534 	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) {
535 		wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user "
536 			   "password configured");
537 		eap_ttls_state(data, FAILURE);
538 		return;
539 	}
540 
541 	if (sm->user->password_len != user_password_len ||
542 	    os_memcmp_const(sm->user->password, user_password,
543 			    user_password_len) != 0) {
544 		wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password");
545 		eap_ttls_state(data, FAILURE);
546 		return;
547 	}
548 
549 	wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password");
550 	eap_ttls_state(data, SUCCESS);
551 	eap_ttls_valid_session(sm, data);
552 }
553 
554 
555 static void eap_ttls_process_phase2_chap(struct eap_sm *sm,
556 					 struct eap_ttls_data *data,
557 					 const u8 *challenge,
558 					 size_t challenge_len,
559 					 const u8 *password,
560 					 size_t password_len)
561 {
562 	u8 *chal, hash[CHAP_MD5_LEN];
563 
564 	if (challenge == NULL || password == NULL ||
565 	    challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN ||
566 	    password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) {
567 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes "
568 			   "(challenge len %lu password len %lu)",
569 			   (unsigned long) challenge_len,
570 			   (unsigned long) password_len);
571 		eap_ttls_state(data, FAILURE);
572 		return;
573 	}
574 
575 	if (!sm->user || !sm->user->password || sm->user->password_hash ||
576 	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) {
577 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user "
578 			   "password configured");
579 		eap_ttls_state(data, FAILURE);
580 		return;
581 	}
582 
583 	chal = eap_ttls_implicit_challenge(sm, data,
584 					   EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
585 	if (chal == NULL) {
586 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate "
587 			   "challenge from TLS data");
588 		eap_ttls_state(data, FAILURE);
589 		return;
590 	}
591 
592 	if (os_memcmp_const(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN)
593 	    != 0 ||
594 	    password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) {
595 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch");
596 		os_free(chal);
597 		eap_ttls_state(data, FAILURE);
598 		return;
599 	}
600 	os_free(chal);
601 
602 	/* MD5(Ident + Password + Challenge) */
603 	chap_md5(password[0], sm->user->password, sm->user->password_len,
604 		 challenge, challenge_len, hash);
605 
606 	if (os_memcmp_const(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) ==
607 	    0) {
608 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password");
609 		eap_ttls_state(data, SUCCESS);
610 		eap_ttls_valid_session(sm, data);
611 	} else {
612 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password");
613 		eap_ttls_state(data, FAILURE);
614 	}
615 }
616 
617 
618 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm,
619 					   struct eap_ttls_data *data,
620 					   u8 *challenge, size_t challenge_len,
621 					   u8 *response, size_t response_len)
622 {
623 	u8 *chal, nt_response[24];
624 
625 	if (challenge == NULL || response == NULL ||
626 	    challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN ||
627 	    response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) {
628 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP "
629 			   "attributes (challenge len %lu response len %lu)",
630 			   (unsigned long) challenge_len,
631 			   (unsigned long) response_len);
632 		eap_ttls_state(data, FAILURE);
633 		return;
634 	}
635 
636 	if (!sm->user || !sm->user->password ||
637 	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) {
638 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password "
639 			   "configured");
640 		eap_ttls_state(data, FAILURE);
641 		return;
642 	}
643 
644 	chal = eap_ttls_implicit_challenge(sm, data,
645 					   EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
646 	if (chal == NULL) {
647 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate "
648 			   "challenge from TLS data");
649 		eap_ttls_state(data, FAILURE);
650 		return;
651 	}
652 
653 #ifdef CONFIG_TESTING_OPTIONS
654 	eap_server_mschap_rx_callback(sm, "TTLS-MSCHAP",
655 				      sm->identity, sm->identity_len,
656 				      challenge, response + 2 + 24);
657 #endif /* CONFIG_TESTING_OPTIONS */
658 
659 	if (os_memcmp_const(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN)
660 	    != 0 ||
661 	    response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) {
662 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch");
663 		os_free(chal);
664 		eap_ttls_state(data, FAILURE);
665 		return;
666 	}
667 	os_free(chal);
668 
669 	if ((sm->user->password_hash &&
670 	     challenge_response(challenge, sm->user->password, nt_response)) ||
671 	    (!sm->user->password_hash &&
672 	     nt_challenge_response(challenge, sm->user->password,
673 				   sm->user->password_len, nt_response))) {
674 		eap_ttls_state(data, FAILURE);
675 		return;
676 	}
677 
678 	if (os_memcmp_const(nt_response, response + 2 + 24, 24) == 0) {
679 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response");
680 		eap_ttls_state(data, SUCCESS);
681 		eap_ttls_valid_session(sm, data);
682 	} else {
683 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response");
684 		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received",
685 			    response + 2 + 24, 24);
686 		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected",
687 			    nt_response, 24);
688 		eap_ttls_state(data, FAILURE);
689 	}
690 }
691 
692 
693 static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
694 					     struct eap_ttls_data *data,
695 					     u8 *challenge,
696 					     size_t challenge_len,
697 					     u8 *response, size_t response_len)
698 {
699 	u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge,
700 		*auth_challenge;
701 	size_t username_len, i;
702 
703 	if (challenge == NULL || response == NULL ||
704 	    challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN ||
705 	    response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) {
706 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 "
707 			   "attributes (challenge len %lu response len %lu)",
708 			   (unsigned long) challenge_len,
709 			   (unsigned long) response_len);
710 		eap_ttls_state(data, FAILURE);
711 		return;
712 	}
713 
714 	if (!sm->user || !sm->user->password ||
715 	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) {
716 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password "
717 			   "configured");
718 		eap_ttls_state(data, FAILURE);
719 		return;
720 	}
721 
722 	if (sm->identity == NULL) {
723 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user identity "
724 			   "known");
725 		eap_ttls_state(data, FAILURE);
726 		return;
727 	}
728 
729 	/* MSCHAPv2 does not include optional domain name in the
730 	 * challenge-response calculation, so remove domain prefix
731 	 * (if present). */
732 	username = sm->identity;
733 	username_len = sm->identity_len;
734 	for (i = 0; i < username_len; i++) {
735 		if (username[i] == '\\') {
736 			username_len -= i + 1;
737 			username += i + 1;
738 			break;
739 		}
740 	}
741 
742 	chal = eap_ttls_implicit_challenge(
743 		sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
744 	if (chal == NULL) {
745 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate "
746 			   "challenge from TLS data");
747 		eap_ttls_state(data, FAILURE);
748 		return;
749 	}
750 
751 	if (os_memcmp_const(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN)
752 	    != 0 ||
753 	    response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) {
754 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch");
755 		os_free(chal);
756 		eap_ttls_state(data, FAILURE);
757 		return;
758 	}
759 	os_free(chal);
760 
761 	auth_challenge = challenge;
762 	peer_challenge = response + 2;
763 
764 	wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User",
765 			  username, username_len);
766 	wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge",
767 		    auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
768 	wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge",
769 		    peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
770 
771 	if (sm->user->password_hash) {
772 		generate_nt_response_pwhash(auth_challenge, peer_challenge,
773 					    username, username_len,
774 					    sm->user->password,
775 					    nt_response);
776 	} else {
777 		generate_nt_response(auth_challenge, peer_challenge,
778 				     username, username_len,
779 				     sm->user->password,
780 				     sm->user->password_len,
781 				     nt_response);
782 	}
783 
784 	rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8;
785 #ifdef CONFIG_TESTING_OPTIONS
786 	{
787 		u8 challenge2[8];
788 
789 		if (challenge_hash(peer_challenge, auth_challenge,
790 				   username, username_len, challenge2) == 0) {
791 			eap_server_mschap_rx_callback(sm, "TTLS-MSCHAPV2",
792 						      username, username_len,
793 						      challenge2, rx_resp);
794 		}
795 	}
796 #endif /* CONFIG_TESTING_OPTIONS */
797 	if (os_memcmp_const(nt_response, rx_resp, 24) == 0) {
798 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct "
799 			   "NT-Response");
800 		data->mschapv2_resp_ok = 1;
801 
802 		if (sm->user->password_hash) {
803 			generate_authenticator_response_pwhash(
804 				sm->user->password,
805 				peer_challenge, auth_challenge,
806 				username, username_len, nt_response,
807 				data->mschapv2_auth_response);
808 		} else {
809 			generate_authenticator_response(
810 				sm->user->password, sm->user->password_len,
811 				peer_challenge, auth_challenge,
812 				username, username_len, nt_response,
813 				data->mschapv2_auth_response);
814 		}
815 	} else {
816 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid "
817 			   "NT-Response");
818 		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received",
819 			    rx_resp, 24);
820 		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected",
821 			    nt_response, 24);
822 		data->mschapv2_resp_ok = 0;
823 	}
824 	eap_ttls_state(data, PHASE2_MSCHAPV2_RESP);
825 	data->mschapv2_ident = response[0];
826 }
827 
828 
829 static int eap_ttls_phase2_eap_init(struct eap_sm *sm,
830 				    struct eap_ttls_data *data,
831 				    int vendor, enum eap_type eap_type)
832 {
833 	if (data->phase2_priv && data->phase2_method) {
834 		data->phase2_method->reset(sm, data->phase2_priv);
835 		data->phase2_method = NULL;
836 		data->phase2_priv = NULL;
837 	}
838 	data->phase2_method = eap_server_get_eap_method(vendor, eap_type);
839 	if (!data->phase2_method)
840 		return -1;
841 
842 	sm->init_phase2 = 1;
843 	data->phase2_priv = data->phase2_method->init(sm);
844 	sm->init_phase2 = 0;
845 	return data->phase2_priv == NULL ? -1 : 0;
846 }
847 
848 
849 static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
850 						 struct eap_ttls_data *data,
851 						 u8 *in_data, size_t in_len)
852 {
853 	int next_vendor = EAP_VENDOR_IETF;
854 	enum eap_type next_type = EAP_TYPE_NONE;
855 	struct eap_hdr *hdr;
856 	u8 *pos;
857 	size_t left;
858 	struct wpabuf buf;
859 	const struct eap_method *m = data->phase2_method;
860 	void *priv = data->phase2_priv;
861 
862 	if (priv == NULL) {
863 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not "
864 			   "initialized?!", __func__);
865 		return;
866 	}
867 
868 	hdr = (struct eap_hdr *) in_data;
869 	pos = (u8 *) (hdr + 1);
870 
871 	if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
872 		left = in_len - sizeof(*hdr);
873 		wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; "
874 			    "allowed types", pos + 1, left - 1);
875 		eap_sm_process_nak(sm, pos + 1, left - 1);
876 		if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
877 		    sm->user->methods[sm->user_eap_method_index].method !=
878 		    EAP_TYPE_NONE) {
879 			next_vendor = sm->user->methods[
880 				sm->user_eap_method_index].vendor;
881 			next_type = sm->user->methods[
882 				sm->user_eap_method_index++].method;
883 			wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %u:%u",
884 				   next_vendor, next_type);
885 			if (eap_ttls_phase2_eap_init(sm, data, next_vendor,
886 						     next_type)) {
887 				wpa_printf(MSG_DEBUG,
888 					   "EAP-TTLS: Failed to initialize EAP type %u:%u",
889 					   next_vendor, next_type);
890 				eap_ttls_state(data, FAILURE);
891 				return;
892 			}
893 		} else {
894 			eap_ttls_state(data, FAILURE);
895 		}
896 		return;
897 	}
898 
899 	wpabuf_set(&buf, in_data, in_len);
900 
901 	if (m->check(sm, priv, &buf)) {
902 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to "
903 			   "ignore the packet");
904 		return;
905 	}
906 
907 	m->process(sm, priv, &buf);
908 
909 	if (sm->method_pending == METHOD_PENDING_WAIT) {
910 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in "
911 			   "pending wait state - save decrypted response");
912 		wpabuf_free(data->pending_phase2_eap_resp);
913 		data->pending_phase2_eap_resp = wpabuf_dup(&buf);
914 	}
915 
916 	if (!m->isDone(sm, priv))
917 		return;
918 
919 	if (!m->isSuccess(sm, priv)) {
920 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed");
921 		eap_ttls_state(data, FAILURE);
922 		return;
923 	}
924 
925 	switch (data->state) {
926 	case PHASE2_START:
927 		if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
928 			wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 "
929 					  "Identity not found in the user "
930 					  "database",
931 					  sm->identity, sm->identity_len);
932 			eap_ttls_state(data, FAILURE);
933 			break;
934 		}
935 
936 		eap_ttls_state(data, PHASE2_METHOD);
937 		next_vendor = sm->user->methods[0].vendor;
938 		next_type = sm->user->methods[0].method;
939 		sm->user_eap_method_index = 1;
940 		wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %u:%u",
941 			   next_vendor, next_type);
942 		if (eap_ttls_phase2_eap_init(sm, data, next_vendor,
943 					     next_type)) {
944 			wpa_printf(MSG_DEBUG,
945 				   "EAP-TTLS: Failed to initialize EAP type %u:%u",
946 				   next_vendor, next_type);
947 			eap_ttls_state(data, FAILURE);
948 		}
949 		break;
950 	case PHASE2_METHOD:
951 		eap_ttls_state(data, SUCCESS);
952 		eap_ttls_valid_session(sm, data);
953 		break;
954 	case FAILURE:
955 		break;
956 	default:
957 		wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
958 			   __func__, data->state);
959 		break;
960 	}
961 }
962 
963 
964 static void eap_ttls_process_phase2_eap(struct eap_sm *sm,
965 					struct eap_ttls_data *data,
966 					const u8 *eap, size_t eap_len)
967 {
968 	struct eap_hdr *hdr;
969 	size_t len;
970 
971 	if (data->state == PHASE2_START) {
972 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2");
973 		if (eap_ttls_phase2_eap_init(sm, data, EAP_VENDOR_IETF,
974 					     EAP_TYPE_IDENTITY) < 0) {
975 			wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to "
976 				   "initialize EAP-Identity");
977 			return;
978 		}
979 	}
980 
981 	if (eap_len < sizeof(*hdr)) {
982 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP "
983 			   "packet (len=%lu)", (unsigned long) eap_len);
984 		return;
985 	}
986 
987 	hdr = (struct eap_hdr *) eap;
988 	len = be_to_host16(hdr->length);
989 	wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d "
990 		   "identifier=%d length=%lu", hdr->code, hdr->identifier,
991 		   (unsigned long) len);
992 	if (len > eap_len) {
993 		wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2"
994 			   " EAP frame (hdr len=%lu, data len in AVP=%lu)",
995 			   (unsigned long) len, (unsigned long) eap_len);
996 		return;
997 	}
998 
999 	switch (hdr->code) {
1000 	case EAP_CODE_RESPONSE:
1001 		eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr,
1002 						     len);
1003 		break;
1004 	default:
1005 		wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in "
1006 			   "Phase 2 EAP header", hdr->code);
1007 		break;
1008 	}
1009 }
1010 
1011 
1012 static void eap_ttls_process_phase2(struct eap_sm *sm,
1013 				    struct eap_ttls_data *data,
1014 				    struct wpabuf *in_buf)
1015 {
1016 	struct wpabuf *in_decrypted;
1017 	struct eap_ttls_avp parse;
1018 
1019 	wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1020 		   " Phase 2", (unsigned long) wpabuf_len(in_buf));
1021 
1022 	if (data->pending_phase2_eap_resp) {
1023 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response "
1024 			   "- skip decryption and use old data");
1025 		eap_ttls_process_phase2_eap(
1026 			sm, data, wpabuf_head(data->pending_phase2_eap_resp),
1027 			wpabuf_len(data->pending_phase2_eap_resp));
1028 		wpabuf_free(data->pending_phase2_eap_resp);
1029 		data->pending_phase2_eap_resp = NULL;
1030 		return;
1031 	}
1032 
1033 	in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn,
1034 					      in_buf);
1035 	if (in_decrypted == NULL) {
1036 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
1037 			   "data");
1038 		eap_ttls_state(data, FAILURE);
1039 		return;
1040 	}
1041 
1042 	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP",
1043 			    in_decrypted);
1044 
1045 	if (eap_ttls_avp_parse(in_decrypted, &parse) < 0) {
1046 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs");
1047 		wpabuf_free(in_decrypted);
1048 		eap_ttls_state(data, FAILURE);
1049 		return;
1050 	}
1051 
1052 	if (parse.user_name) {
1053 		char *nbuf;
1054 		nbuf = os_malloc(parse.user_name_len * 4 + 1);
1055 		if (nbuf) {
1056 			printf_encode(nbuf, parse.user_name_len * 4 + 1,
1057 				      parse.user_name,
1058 				      parse.user_name_len);
1059 			eap_log_msg(sm, "TTLS-User-Name '%s'", nbuf);
1060 			os_free(nbuf);
1061 		}
1062 
1063 		os_free(sm->identity);
1064 		sm->identity = os_memdup(parse.user_name, parse.user_name_len);
1065 		if (sm->identity == NULL) {
1066 			eap_ttls_state(data, FAILURE);
1067 			goto done;
1068 		}
1069 		sm->identity_len = parse.user_name_len;
1070 		if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
1071 		    != 0) {
1072 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "
1073 				   "found in the user database");
1074 			eap_ttls_state(data, FAILURE);
1075 			goto done;
1076 		}
1077 	}
1078 
1079 #ifdef EAP_SERVER_TNC
1080 	if (data->tnc_started && parse.eap == NULL) {
1081 		wpa_printf(MSG_DEBUG, "EAP-TTLS: TNC started but no EAP "
1082 			   "response from peer");
1083 		eap_ttls_state(data, FAILURE);
1084 		goto done;
1085 	}
1086 #endif /* EAP_SERVER_TNC */
1087 
1088 	if (parse.eap) {
1089 		eap_ttls_process_phase2_eap(sm, data, parse.eap,
1090 					    parse.eap_len);
1091 	} else if (parse.user_password) {
1092 		eap_ttls_process_phase2_pap(sm, data, parse.user_password,
1093 					    parse.user_password_len);
1094 	} else if (parse.chap_password) {
1095 		eap_ttls_process_phase2_chap(sm, data,
1096 					     parse.chap_challenge,
1097 					     parse.chap_challenge_len,
1098 					     parse.chap_password,
1099 					     parse.chap_password_len);
1100 	} else if (parse.mschap_response) {
1101 		eap_ttls_process_phase2_mschap(sm, data,
1102 					       parse.mschap_challenge,
1103 					       parse.mschap_challenge_len,
1104 					       parse.mschap_response,
1105 					       parse.mschap_response_len);
1106 	} else if (parse.mschap2_response) {
1107 		eap_ttls_process_phase2_mschapv2(sm, data,
1108 						 parse.mschap_challenge,
1109 						 parse.mschap_challenge_len,
1110 						 parse.mschap2_response,
1111 						 parse.mschap2_response_len);
1112 	}
1113 
1114 done:
1115 	wpabuf_free(in_decrypted);
1116 	os_free(parse.eap);
1117 }
1118 
1119 
1120 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data)
1121 {
1122 #ifdef EAP_SERVER_TNC
1123 	if (!sm->cfg->tnc || data->state != SUCCESS || data->tnc_started)
1124 		return;
1125 
1126 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC");
1127 	if (eap_ttls_phase2_eap_init(sm, data, EAP_VENDOR_IETF, EAP_TYPE_TNC)) {
1128 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC");
1129 		eap_ttls_state(data, FAILURE);
1130 		return;
1131 	}
1132 
1133 	data->tnc_started = 1;
1134 	eap_ttls_state(data, PHASE2_METHOD);
1135 #endif /* EAP_SERVER_TNC */
1136 }
1137 
1138 
1139 static int eap_ttls_process_version(struct eap_sm *sm, void *priv,
1140 				    int peer_version)
1141 {
1142 	struct eap_ttls_data *data = priv;
1143 	if (peer_version < data->ttls_version) {
1144 		wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; "
1145 			   "use version %d",
1146 			   peer_version, data->ttls_version, peer_version);
1147 		data->ttls_version = peer_version;
1148 	}
1149 
1150 	return 0;
1151 }
1152 
1153 
1154 static void eap_ttls_process_msg(struct eap_sm *sm, void *priv,
1155 				 const struct wpabuf *respData)
1156 {
1157 	struct eap_ttls_data *data = priv;
1158 
1159 	switch (data->state) {
1160 	case PHASE1:
1161 		if (eap_server_tls_phase1(sm, &data->ssl) < 0)
1162 			eap_ttls_state(data, FAILURE);
1163 		break;
1164 	case PHASE2_START:
1165 	case PHASE2_METHOD:
1166 		eap_ttls_process_phase2(sm, data, data->ssl.tls_in);
1167 		eap_ttls_start_tnc(sm, data);
1168 		break;
1169 	case PHASE2_MSCHAPV2_RESP:
1170 		if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) ==
1171 		    0) {
1172 			wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1173 				   "acknowledged response");
1174 			eap_ttls_state(data, SUCCESS);
1175 			eap_ttls_valid_session(sm, data);
1176 		} else if (!data->mschapv2_resp_ok) {
1177 			wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1178 				   "acknowledged error");
1179 			eap_ttls_state(data, FAILURE);
1180 		} else {
1181 			wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected "
1182 				   "frame from peer (payload len %lu, "
1183 				   "expected empty frame)",
1184 				   (unsigned long)
1185 				   wpabuf_len(data->ssl.tls_in));
1186 			eap_ttls_state(data, FAILURE);
1187 		}
1188 		eap_ttls_start_tnc(sm, data);
1189 		break;
1190 	default:
1191 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s",
1192 			   data->state, __func__);
1193 		break;
1194 	}
1195 }
1196 
1197 
1198 static void eap_ttls_process(struct eap_sm *sm, void *priv,
1199 			     struct wpabuf *respData)
1200 {
1201 	struct eap_ttls_data *data = priv;
1202 	const struct wpabuf *buf;
1203 	const u8 *pos;
1204 	u8 id_len;
1205 
1206 	if (eap_server_tls_process(sm, &data->ssl, respData, data,
1207 				   EAP_TYPE_TTLS, eap_ttls_process_version,
1208 				   eap_ttls_process_msg) < 0) {
1209 		eap_ttls_state(data, FAILURE);
1210 		return;
1211 	}
1212 
1213 	if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
1214 	    !tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn))
1215 		return;
1216 
1217 	buf = tls_connection_get_success_data(data->ssl.conn);
1218 	if (!buf || wpabuf_len(buf) < 1) {
1219 		wpa_printf(MSG_DEBUG,
1220 			   "EAP-TTLS: No success data in resumed session - reject attempt");
1221 		eap_ttls_state(data, FAILURE);
1222 		return;
1223 	}
1224 
1225 	pos = wpabuf_head(buf);
1226 	if (*pos != EAP_TYPE_TTLS) {
1227 		wpa_printf(MSG_DEBUG,
1228 			   "EAP-TTLS: Resumed session for another EAP type (%u) - reject attempt",
1229 			   *pos);
1230 		eap_ttls_state(data, FAILURE);
1231 		return;
1232 	}
1233 
1234 	pos++;
1235 	id_len = *pos++;
1236 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: Identity from cached session",
1237 			  pos, id_len);
1238 	os_free(sm->identity);
1239 	sm->identity = os_malloc(id_len ? id_len : 1);
1240 	if (!sm->identity) {
1241 		sm->identity_len = 0;
1242 		eap_ttls_state(data, FAILURE);
1243 		return;
1244 	}
1245 
1246 	os_memcpy(sm->identity, pos, id_len);
1247 	sm->identity_len = id_len;
1248 
1249 	if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1250 		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not found in the user database",
1251 				  sm->identity, sm->identity_len);
1252 		eap_ttls_state(data, FAILURE);
1253 		return;
1254 	}
1255 
1256 	wpa_printf(MSG_DEBUG,
1257 		   "EAP-TTLS: Resuming previous session - skip Phase2");
1258 	eap_ttls_state(data, SUCCESS);
1259 	tls_connection_set_success_data_resumed(data->ssl.conn);
1260 }
1261 
1262 
1263 static bool eap_ttls_isDone(struct eap_sm *sm, void *priv)
1264 {
1265 	struct eap_ttls_data *data = priv;
1266 	return data->state == SUCCESS || data->state == FAILURE;
1267 }
1268 
1269 
1270 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1271 {
1272 	struct eap_ttls_data *data = priv;
1273 	u8 *eapKeyData;
1274 	const char *label;
1275 	const u8 eap_tls13_context[1] = { EAP_TYPE_TTLS };
1276 	const u8 *context = NULL;
1277 	size_t context_len = 0;
1278 
1279 	if (data->state != SUCCESS)
1280 		return NULL;
1281 
1282 	if (data->ssl.tls_v13) {
1283 		label = "EXPORTER_EAP_TLS_Key_Material";
1284 		context = eap_tls13_context;
1285 		context_len = sizeof(eap_tls13_context);
1286 	} else {
1287 		label = "ttls keying material";
1288 	}
1289 
1290 	eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1291 					       label, context, context_len,
1292 					       EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
1293 	if (eapKeyData) {
1294 		*len = EAP_TLS_KEY_LEN;
1295 		wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
1296 				eapKeyData, EAP_TLS_KEY_LEN);
1297 	} else {
1298 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1299 	}
1300 
1301 	return eapKeyData;
1302 }
1303 
1304 
1305 static bool eap_ttls_isSuccess(struct eap_sm *sm, void *priv)
1306 {
1307 	struct eap_ttls_data *data = priv;
1308 	return data->state == SUCCESS;
1309 }
1310 
1311 
1312 static u8 * eap_ttls_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
1313 {
1314 	struct eap_ttls_data *data = priv;
1315 
1316 	if (data->state != SUCCESS)
1317 		return NULL;
1318 
1319 	return eap_server_tls_derive_session_id(sm, &data->ssl, EAP_TYPE_TTLS,
1320 						len);
1321 }
1322 
1323 
1324 static u8 * eap_ttls_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
1325 {
1326 	struct eap_ttls_data *data = priv;
1327 	u8 *eapKeyData, *emsk;
1328 	const char *label;
1329 	const u8 eap_tls13_context[1] = { EAP_TYPE_TTLS };
1330 	const u8 *context = NULL;
1331 	size_t context_len = 0;
1332 
1333 	if (data->state != SUCCESS)
1334 		return NULL;
1335 
1336 	if (data->ssl.tls_v13) {
1337 		label = "EXPORTER_EAP_TLS_Key_Material";
1338 		context = eap_tls13_context;
1339 		context_len = sizeof(eap_tls13_context);
1340 	} else {
1341 		label = "ttls keying material";
1342 	}
1343 
1344 	eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1345 					       label, context, context_len,
1346 					       EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
1347 	if (eapKeyData) {
1348 		emsk = os_malloc(EAP_EMSK_LEN);
1349 		if (emsk)
1350 			os_memcpy(emsk, eapKeyData + EAP_TLS_KEY_LEN,
1351 				  EAP_EMSK_LEN);
1352 		bin_clear_free(eapKeyData, EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
1353 	} else
1354 		emsk = NULL;
1355 
1356 	if (emsk) {
1357 		*len = EAP_EMSK_LEN;
1358 		wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Derived EMSK",
1359 			    emsk, EAP_EMSK_LEN);
1360 	} else {
1361 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive EMSK");
1362 	}
1363 
1364 	return emsk;
1365 }
1366 
1367 
1368 int eap_server_ttls_register(void)
1369 {
1370 	struct eap_method *eap;
1371 
1372 	eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1373 				      EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1374 	if (eap == NULL)
1375 		return -1;
1376 
1377 	eap->init = eap_ttls_init;
1378 	eap->reset = eap_ttls_reset;
1379 	eap->buildReq = eap_ttls_buildReq;
1380 	eap->check = eap_ttls_check;
1381 	eap->process = eap_ttls_process;
1382 	eap->isDone = eap_ttls_isDone;
1383 	eap->getKey = eap_ttls_getKey;
1384 	eap->isSuccess = eap_ttls_isSuccess;
1385 	eap->getSessionId = eap_ttls_get_session_id;
1386 	eap->get_emsk = eap_ttls_get_emsk;
1387 
1388 	return eap_server_method_register(eap);
1389 }
1390