xref: /freebsd/contrib/wpa/src/eap_server/eap_server_ttls.c (revision 952364486a4b9d135e4b28f7f88a8703a74eae6f)
1 /*
2  * hostapd / EAP-TTLS (RFC 5281)
3  * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/ms_funcs.h"
13 #include "crypto/sha1.h"
14 #include "crypto/tls.h"
15 #include "eap_server/eap_i.h"
16 #include "eap_server/eap_tls_common.h"
17 #include "eap_common/chap.h"
18 #include "eap_common/eap_ttls.h"
19 
20 
21 #define EAP_TTLS_VERSION 0
22 
23 
24 static void eap_ttls_reset(struct eap_sm *sm, void *priv);
25 
26 
27 struct eap_ttls_data {
28 	struct eap_ssl_data ssl;
29 	enum {
30 		START, PHASE1, PHASE2_START, PHASE2_METHOD,
31 		PHASE2_MSCHAPV2_RESP, SUCCESS, FAILURE
32 	} state;
33 
34 	int ttls_version;
35 	const struct eap_method *phase2_method;
36 	void *phase2_priv;
37 	int mschapv2_resp_ok;
38 	u8 mschapv2_auth_response[20];
39 	u8 mschapv2_ident;
40 	struct wpabuf *pending_phase2_eap_resp;
41 	int tnc_started;
42 };
43 
44 
45 static const char * eap_ttls_state_txt(int state)
46 {
47 	switch (state) {
48 	case START:
49 		return "START";
50 	case PHASE1:
51 		return "PHASE1";
52 	case PHASE2_START:
53 		return "PHASE2_START";
54 	case PHASE2_METHOD:
55 		return "PHASE2_METHOD";
56 	case PHASE2_MSCHAPV2_RESP:
57 		return "PHASE2_MSCHAPV2_RESP";
58 	case SUCCESS:
59 		return "SUCCESS";
60 	case FAILURE:
61 		return "FAILURE";
62 	default:
63 		return "Unknown?!";
64 	}
65 }
66 
67 
68 static void eap_ttls_state(struct eap_ttls_data *data, int state)
69 {
70 	wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s",
71 		   eap_ttls_state_txt(data->state),
72 		   eap_ttls_state_txt(state));
73 	data->state = state;
74 }
75 
76 
77 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
78 			     int mandatory, size_t len)
79 {
80 	struct ttls_avp_vendor *avp;
81 	u8 flags;
82 	size_t hdrlen;
83 
84 	avp = (struct ttls_avp_vendor *) avphdr;
85 	flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
86 	if (vendor_id) {
87 		flags |= AVP_FLAGS_VENDOR;
88 		hdrlen = sizeof(*avp);
89 		avp->vendor_id = host_to_be32(vendor_id);
90 	} else {
91 		hdrlen = sizeof(struct ttls_avp);
92 	}
93 
94 	avp->avp_code = host_to_be32(avp_code);
95 	avp->avp_length = host_to_be32(((u32) flags << 24) |
96 				       ((u32) (hdrlen + len)));
97 
98 	return avphdr + hdrlen;
99 }
100 
101 
102 static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp,
103 						u32 avp_code, int mandatory)
104 {
105 	struct wpabuf *avp;
106 	u8 *pos;
107 
108 	avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4);
109 	if (avp == NULL) {
110 		wpabuf_free(resp);
111 		return NULL;
112 	}
113 
114 	pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory,
115 			       wpabuf_len(resp));
116 	os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp));
117 	pos += wpabuf_len(resp);
118 	AVP_PAD((const u8 *) wpabuf_head(avp), pos);
119 	wpabuf_free(resp);
120 	wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp));
121 	return avp;
122 }
123 
124 
125 struct eap_ttls_avp {
126 	 /* Note: eap is allocated memory; caller is responsible for freeing
127 	  * it. All the other pointers are pointing to the packet data, i.e.,
128 	  * they must not be freed separately. */
129 	u8 *eap;
130 	size_t eap_len;
131 	u8 *user_name;
132 	size_t user_name_len;
133 	u8 *user_password;
134 	size_t user_password_len;
135 	u8 *chap_challenge;
136 	size_t chap_challenge_len;
137 	u8 *chap_password;
138 	size_t chap_password_len;
139 	u8 *mschap_challenge;
140 	size_t mschap_challenge_len;
141 	u8 *mschap_response;
142 	size_t mschap_response_len;
143 	u8 *mschap2_response;
144 	size_t mschap2_response_len;
145 };
146 
147 
148 static int eap_ttls_avp_parse(struct wpabuf *buf, struct eap_ttls_avp *parse)
149 {
150 	struct ttls_avp *avp;
151 	u8 *pos;
152 	int left;
153 
154 	pos = wpabuf_mhead(buf);
155 	left = wpabuf_len(buf);
156 	os_memset(parse, 0, sizeof(*parse));
157 
158 	while (left > 0) {
159 		u32 avp_code, avp_length, vendor_id = 0;
160 		u8 avp_flags, *dpos;
161 		size_t pad, dlen;
162 		avp = (struct ttls_avp *) pos;
163 		avp_code = be_to_host32(avp->avp_code);
164 		avp_length = be_to_host32(avp->avp_length);
165 		avp_flags = (avp_length >> 24) & 0xff;
166 		avp_length &= 0xffffff;
167 		wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
168 			   "length=%d", (int) avp_code, avp_flags,
169 			   (int) avp_length);
170 		if ((int) avp_length > left) {
171 			wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
172 				   "(len=%d, left=%d) - dropped",
173 				   (int) avp_length, left);
174 			goto fail;
175 		}
176 		if (avp_length < sizeof(*avp)) {
177 			wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length "
178 				   "%d", avp_length);
179 			goto fail;
180 		}
181 		dpos = (u8 *) (avp + 1);
182 		dlen = avp_length - sizeof(*avp);
183 		if (avp_flags & AVP_FLAGS_VENDOR) {
184 			if (dlen < 4) {
185 				wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP "
186 					   "underflow");
187 				goto fail;
188 			}
189 			vendor_id = be_to_host32(* (be32 *) dpos);
190 			wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
191 				   (int) vendor_id);
192 			dpos += 4;
193 			dlen -= 4;
194 		}
195 
196 		wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
197 
198 		if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
199 			wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
200 			if (parse->eap == NULL) {
201 				parse->eap = os_malloc(dlen);
202 				if (parse->eap == NULL) {
203 					wpa_printf(MSG_WARNING, "EAP-TTLS: "
204 						   "failed to allocate memory "
205 						   "for Phase 2 EAP data");
206 					goto fail;
207 				}
208 				os_memcpy(parse->eap, dpos, dlen);
209 				parse->eap_len = dlen;
210 			} else {
211 				u8 *neweap = os_realloc(parse->eap,
212 							parse->eap_len + dlen);
213 				if (neweap == NULL) {
214 					wpa_printf(MSG_WARNING, "EAP-TTLS: "
215 						   "failed to allocate memory "
216 						   "for Phase 2 EAP data");
217 					goto fail;
218 				}
219 				os_memcpy(neweap + parse->eap_len, dpos, dlen);
220 				parse->eap = neweap;
221 				parse->eap_len += dlen;
222 			}
223 		} else if (vendor_id == 0 &&
224 			   avp_code == RADIUS_ATTR_USER_NAME) {
225 			wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name",
226 					  dpos, dlen);
227 			parse->user_name = dpos;
228 			parse->user_name_len = dlen;
229 		} else if (vendor_id == 0 &&
230 			   avp_code == RADIUS_ATTR_USER_PASSWORD) {
231 			u8 *password = dpos;
232 			size_t password_len = dlen;
233 			while (password_len > 0 &&
234 			       password[password_len - 1] == '\0') {
235 				password_len--;
236 			}
237 			wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: "
238 					      "User-Password (PAP)",
239 					      password, password_len);
240 			parse->user_password = password;
241 			parse->user_password_len = password_len;
242 		} else if (vendor_id == 0 &&
243 			   avp_code == RADIUS_ATTR_CHAP_CHALLENGE) {
244 			wpa_hexdump(MSG_DEBUG,
245 				    "EAP-TTLS: CHAP-Challenge (CHAP)",
246 				    dpos, dlen);
247 			parse->chap_challenge = dpos;
248 			parse->chap_challenge_len = dlen;
249 		} else if (vendor_id == 0 &&
250 			   avp_code == RADIUS_ATTR_CHAP_PASSWORD) {
251 			wpa_hexdump(MSG_DEBUG,
252 				    "EAP-TTLS: CHAP-Password (CHAP)",
253 				    dpos, dlen);
254 			parse->chap_password = dpos;
255 			parse->chap_password_len = dlen;
256 		} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
257 			   avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) {
258 			wpa_hexdump(MSG_DEBUG,
259 				    "EAP-TTLS: MS-CHAP-Challenge",
260 				    dpos, dlen);
261 			parse->mschap_challenge = dpos;
262 			parse->mschap_challenge_len = dlen;
263 		} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
264 			   avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) {
265 			wpa_hexdump(MSG_DEBUG,
266 				    "EAP-TTLS: MS-CHAP-Response (MSCHAP)",
267 				    dpos, dlen);
268 			parse->mschap_response = dpos;
269 			parse->mschap_response_len = dlen;
270 		} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
271 			   avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) {
272 			wpa_hexdump(MSG_DEBUG,
273 				    "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)",
274 				    dpos, dlen);
275 			parse->mschap2_response = dpos;
276 			parse->mschap2_response_len = dlen;
277 		} else if (avp_flags & AVP_FLAGS_MANDATORY) {
278 			wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported "
279 				   "mandatory AVP code %d vendor_id %d - "
280 				   "dropped", (int) avp_code, (int) vendor_id);
281 			goto fail;
282 		} else {
283 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported "
284 				   "AVP code %d vendor_id %d",
285 				   (int) avp_code, (int) vendor_id);
286 		}
287 
288 		pad = (4 - (avp_length & 3)) & 3;
289 		pos += avp_length + pad;
290 		left -= avp_length + pad;
291 	}
292 
293 	return 0;
294 
295 fail:
296 	os_free(parse->eap);
297 	parse->eap = NULL;
298 	return -1;
299 }
300 
301 
302 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
303 					struct eap_ttls_data *data, size_t len)
304 {
305 	return eap_server_tls_derive_key(sm, &data->ssl, "ttls challenge",
306 					 len);
307 }
308 
309 
310 static void * eap_ttls_init(struct eap_sm *sm)
311 {
312 	struct eap_ttls_data *data;
313 
314 	data = os_zalloc(sizeof(*data));
315 	if (data == NULL)
316 		return NULL;
317 	data->ttls_version = EAP_TTLS_VERSION;
318 	data->state = START;
319 
320 	if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
321 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
322 		eap_ttls_reset(sm, data);
323 		return NULL;
324 	}
325 
326 	return data;
327 }
328 
329 
330 static void eap_ttls_reset(struct eap_sm *sm, void *priv)
331 {
332 	struct eap_ttls_data *data = priv;
333 	if (data == NULL)
334 		return;
335 	if (data->phase2_priv && data->phase2_method)
336 		data->phase2_method->reset(sm, data->phase2_priv);
337 	eap_server_tls_ssl_deinit(sm, &data->ssl);
338 	wpabuf_free(data->pending_phase2_eap_resp);
339 	bin_clear_free(data, sizeof(*data));
340 }
341 
342 
343 static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm,
344 					    struct eap_ttls_data *data, u8 id)
345 {
346 	struct wpabuf *req;
347 
348 	req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1,
349 			    EAP_CODE_REQUEST, id);
350 	if (req == NULL) {
351 		wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for"
352 			   " request");
353 		eap_ttls_state(data, FAILURE);
354 		return NULL;
355 	}
356 
357 	wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version);
358 
359 	eap_ttls_state(data, PHASE1);
360 
361 	return req;
362 }
363 
364 
365 static struct wpabuf * eap_ttls_build_phase2_eap_req(
366 	struct eap_sm *sm, struct eap_ttls_data *data, u8 id)
367 {
368 	struct wpabuf *buf, *encr_req;
369 
370 
371 	buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
372 	if (buf == NULL)
373 		return NULL;
374 
375 	wpa_hexdump_buf_key(MSG_DEBUG,
376 			    "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf);
377 
378 	buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1);
379 	if (buf == NULL) {
380 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate "
381 			   "packet");
382 		return NULL;
383 	}
384 
385 	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated "
386 			    "Phase 2 data", buf);
387 
388 	encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf);
389 	wpabuf_free(buf);
390 
391 	return encr_req;
392 }
393 
394 
395 static struct wpabuf * eap_ttls_build_phase2_mschapv2(
396 	struct eap_sm *sm, struct eap_ttls_data *data)
397 {
398 	struct wpabuf *encr_req, msgbuf;
399 	u8 *req, *pos, *end;
400 	int ret;
401 
402 	pos = req = os_malloc(100);
403 	if (req == NULL)
404 		return NULL;
405 	end = req + 100;
406 
407 	if (data->mschapv2_resp_ok) {
408 		pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS,
409 				       RADIUS_VENDOR_ID_MICROSOFT, 1, 43);
410 		*pos++ = data->mschapv2_ident;
411 		ret = os_snprintf((char *) pos, end - pos, "S=");
412 		if (!os_snprintf_error(end - pos, ret))
413 			pos += ret;
414 		pos += wpa_snprintf_hex_uppercase(
415 			(char *) pos, end - pos, data->mschapv2_auth_response,
416 			sizeof(data->mschapv2_auth_response));
417 	} else {
418 		pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR,
419 				       RADIUS_VENDOR_ID_MICROSOFT, 1, 6);
420 		os_memcpy(pos, "Failed", 6);
421 		pos += 6;
422 		AVP_PAD(req, pos);
423 	}
424 
425 	wpabuf_set(&msgbuf, req, pos - req);
426 	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 "
427 			    "data", &msgbuf);
428 
429 	encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
430 	os_free(req);
431 
432 	return encr_req;
433 }
434 
435 
436 static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
437 {
438 	struct eap_ttls_data *data = priv;
439 
440 	if (data->ssl.state == FRAG_ACK) {
441 		return eap_server_tls_build_ack(id, EAP_TYPE_TTLS,
442 						data->ttls_version);
443 	}
444 
445 	if (data->ssl.state == WAIT_FRAG_ACK) {
446 		return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
447 						data->ttls_version, id);
448 	}
449 
450 	switch (data->state) {
451 	case START:
452 		return eap_ttls_build_start(sm, data, id);
453 	case PHASE1:
454 		if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
455 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, "
456 				   "starting Phase2");
457 			eap_ttls_state(data, PHASE2_START);
458 		}
459 		break;
460 	case PHASE2_METHOD:
461 		wpabuf_free(data->ssl.tls_out);
462 		data->ssl.tls_out_pos = 0;
463 		data->ssl.tls_out = eap_ttls_build_phase2_eap_req(sm, data,
464 								  id);
465 		break;
466 	case PHASE2_MSCHAPV2_RESP:
467 		wpabuf_free(data->ssl.tls_out);
468 		data->ssl.tls_out_pos = 0;
469 		data->ssl.tls_out = eap_ttls_build_phase2_mschapv2(sm, data);
470 		break;
471 	default:
472 		wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
473 			   __func__, data->state);
474 		return NULL;
475 	}
476 
477 	return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
478 					data->ttls_version, id);
479 }
480 
481 
482 static Boolean eap_ttls_check(struct eap_sm *sm, void *priv,
483 			      struct wpabuf *respData)
484 {
485 	const u8 *pos;
486 	size_t len;
487 
488 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len);
489 	if (pos == NULL || len < 1) {
490 		wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame");
491 		return TRUE;
492 	}
493 
494 	return FALSE;
495 }
496 
497 
498 static void eap_ttls_process_phase2_pap(struct eap_sm *sm,
499 					struct eap_ttls_data *data,
500 					const u8 *user_password,
501 					size_t user_password_len)
502 {
503 	if (!sm->user || !sm->user->password || sm->user->password_hash ||
504 	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) {
505 		wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user "
506 			   "password configured");
507 		eap_ttls_state(data, FAILURE);
508 		return;
509 	}
510 
511 	if (sm->user->password_len != user_password_len ||
512 	    os_memcmp_const(sm->user->password, user_password,
513 			    user_password_len) != 0) {
514 		wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password");
515 		eap_ttls_state(data, FAILURE);
516 		return;
517 	}
518 
519 	wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password");
520 	eap_ttls_state(data, SUCCESS);
521 }
522 
523 
524 static void eap_ttls_process_phase2_chap(struct eap_sm *sm,
525 					 struct eap_ttls_data *data,
526 					 const u8 *challenge,
527 					 size_t challenge_len,
528 					 const u8 *password,
529 					 size_t password_len)
530 {
531 	u8 *chal, hash[CHAP_MD5_LEN];
532 
533 	if (challenge == NULL || password == NULL ||
534 	    challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN ||
535 	    password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) {
536 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes "
537 			   "(challenge len %lu password len %lu)",
538 			   (unsigned long) challenge_len,
539 			   (unsigned long) password_len);
540 		eap_ttls_state(data, FAILURE);
541 		return;
542 	}
543 
544 	if (!sm->user || !sm->user->password || sm->user->password_hash ||
545 	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) {
546 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user "
547 			   "password configured");
548 		eap_ttls_state(data, FAILURE);
549 		return;
550 	}
551 
552 	chal = eap_ttls_implicit_challenge(sm, data,
553 					   EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
554 	if (chal == NULL) {
555 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate "
556 			   "challenge from TLS data");
557 		eap_ttls_state(data, FAILURE);
558 		return;
559 	}
560 
561 	if (os_memcmp_const(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN)
562 	    != 0 ||
563 	    password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) {
564 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch");
565 		os_free(chal);
566 		eap_ttls_state(data, FAILURE);
567 		return;
568 	}
569 	os_free(chal);
570 
571 	/* MD5(Ident + Password + Challenge) */
572 	chap_md5(password[0], sm->user->password, sm->user->password_len,
573 		 challenge, challenge_len, hash);
574 
575 	if (os_memcmp_const(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) ==
576 	    0) {
577 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password");
578 		eap_ttls_state(data, SUCCESS);
579 	} else {
580 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password");
581 		eap_ttls_state(data, FAILURE);
582 	}
583 }
584 
585 
586 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm,
587 					   struct eap_ttls_data *data,
588 					   u8 *challenge, size_t challenge_len,
589 					   u8 *response, size_t response_len)
590 {
591 	u8 *chal, nt_response[24];
592 
593 	if (challenge == NULL || response == NULL ||
594 	    challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN ||
595 	    response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) {
596 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP "
597 			   "attributes (challenge len %lu response len %lu)",
598 			   (unsigned long) challenge_len,
599 			   (unsigned long) response_len);
600 		eap_ttls_state(data, FAILURE);
601 		return;
602 	}
603 
604 	if (!sm->user || !sm->user->password ||
605 	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) {
606 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password "
607 			   "configured");
608 		eap_ttls_state(data, FAILURE);
609 		return;
610 	}
611 
612 	chal = eap_ttls_implicit_challenge(sm, data,
613 					   EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
614 	if (chal == NULL) {
615 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate "
616 			   "challenge from TLS data");
617 		eap_ttls_state(data, FAILURE);
618 		return;
619 	}
620 
621 	if (os_memcmp_const(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN)
622 	    != 0 ||
623 	    response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) {
624 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch");
625 		os_free(chal);
626 		eap_ttls_state(data, FAILURE);
627 		return;
628 	}
629 	os_free(chal);
630 
631 	if (sm->user->password_hash)
632 		challenge_response(challenge, sm->user->password, nt_response);
633 	else
634 		nt_challenge_response(challenge, sm->user->password,
635 				      sm->user->password_len, nt_response);
636 
637 	if (os_memcmp_const(nt_response, response + 2 + 24, 24) == 0) {
638 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response");
639 		eap_ttls_state(data, SUCCESS);
640 	} else {
641 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response");
642 		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received",
643 			    response + 2 + 24, 24);
644 		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected",
645 			    nt_response, 24);
646 		eap_ttls_state(data, FAILURE);
647 	}
648 }
649 
650 
651 static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
652 					     struct eap_ttls_data *data,
653 					     u8 *challenge,
654 					     size_t challenge_len,
655 					     u8 *response, size_t response_len)
656 {
657 	u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge,
658 		*auth_challenge;
659 	size_t username_len, i;
660 
661 	if (challenge == NULL || response == NULL ||
662 	    challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN ||
663 	    response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) {
664 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 "
665 			   "attributes (challenge len %lu response len %lu)",
666 			   (unsigned long) challenge_len,
667 			   (unsigned long) response_len);
668 		eap_ttls_state(data, FAILURE);
669 		return;
670 	}
671 
672 	if (!sm->user || !sm->user->password ||
673 	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) {
674 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password "
675 			   "configured");
676 		eap_ttls_state(data, FAILURE);
677 		return;
678 	}
679 
680 	if (sm->identity == NULL) {
681 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user identity "
682 			   "known");
683 		eap_ttls_state(data, FAILURE);
684 		return;
685 	}
686 
687 	/* MSCHAPv2 does not include optional domain name in the
688 	 * challenge-response calculation, so remove domain prefix
689 	 * (if present). */
690 	username = sm->identity;
691 	username_len = sm->identity_len;
692 	for (i = 0; i < username_len; i++) {
693 		if (username[i] == '\\') {
694 			username_len -= i + 1;
695 			username += i + 1;
696 			break;
697 		}
698 	}
699 
700 	chal = eap_ttls_implicit_challenge(
701 		sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
702 	if (chal == NULL) {
703 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate "
704 			   "challenge from TLS data");
705 		eap_ttls_state(data, FAILURE);
706 		return;
707 	}
708 
709 	if (os_memcmp_const(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN)
710 	    != 0 ||
711 	    response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) {
712 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch");
713 		os_free(chal);
714 		eap_ttls_state(data, FAILURE);
715 		return;
716 	}
717 	os_free(chal);
718 
719 	auth_challenge = challenge;
720 	peer_challenge = response + 2;
721 
722 	wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User",
723 			  username, username_len);
724 	wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge",
725 		    auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
726 	wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge",
727 		    peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
728 
729 	if (sm->user->password_hash) {
730 		generate_nt_response_pwhash(auth_challenge, peer_challenge,
731 					    username, username_len,
732 					    sm->user->password,
733 					    nt_response);
734 	} else {
735 		generate_nt_response(auth_challenge, peer_challenge,
736 				     username, username_len,
737 				     sm->user->password,
738 				     sm->user->password_len,
739 				     nt_response);
740 	}
741 
742 	rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8;
743 	if (os_memcmp_const(nt_response, rx_resp, 24) == 0) {
744 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct "
745 			   "NT-Response");
746 		data->mschapv2_resp_ok = 1;
747 
748 		if (sm->user->password_hash) {
749 			generate_authenticator_response_pwhash(
750 				sm->user->password,
751 				peer_challenge, auth_challenge,
752 				username, username_len, nt_response,
753 				data->mschapv2_auth_response);
754 		} else {
755 			generate_authenticator_response(
756 				sm->user->password, sm->user->password_len,
757 				peer_challenge, auth_challenge,
758 				username, username_len, nt_response,
759 				data->mschapv2_auth_response);
760 		}
761 	} else {
762 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid "
763 			   "NT-Response");
764 		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received",
765 			    rx_resp, 24);
766 		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected",
767 			    nt_response, 24);
768 		data->mschapv2_resp_ok = 0;
769 	}
770 	eap_ttls_state(data, PHASE2_MSCHAPV2_RESP);
771 	data->mschapv2_ident = response[0];
772 }
773 
774 
775 static int eap_ttls_phase2_eap_init(struct eap_sm *sm,
776 				    struct eap_ttls_data *data,
777 				    EapType eap_type)
778 {
779 	if (data->phase2_priv && data->phase2_method) {
780 		data->phase2_method->reset(sm, data->phase2_priv);
781 		data->phase2_method = NULL;
782 		data->phase2_priv = NULL;
783 	}
784 	data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
785 							eap_type);
786 	if (!data->phase2_method)
787 		return -1;
788 
789 	sm->init_phase2 = 1;
790 	data->phase2_priv = data->phase2_method->init(sm);
791 	sm->init_phase2 = 0;
792 	return data->phase2_priv == NULL ? -1 : 0;
793 }
794 
795 
796 static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
797 						 struct eap_ttls_data *data,
798 						 u8 *in_data, size_t in_len)
799 {
800 	u8 next_type = EAP_TYPE_NONE;
801 	struct eap_hdr *hdr;
802 	u8 *pos;
803 	size_t left;
804 	struct wpabuf buf;
805 	const struct eap_method *m = data->phase2_method;
806 	void *priv = data->phase2_priv;
807 
808 	if (priv == NULL) {
809 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not "
810 			   "initialized?!", __func__);
811 		return;
812 	}
813 
814 	hdr = (struct eap_hdr *) in_data;
815 	pos = (u8 *) (hdr + 1);
816 
817 	if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
818 		left = in_len - sizeof(*hdr);
819 		wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; "
820 			    "allowed types", pos + 1, left - 1);
821 		eap_sm_process_nak(sm, pos + 1, left - 1);
822 		if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
823 		    sm->user->methods[sm->user_eap_method_index].method !=
824 		    EAP_TYPE_NONE) {
825 			next_type = sm->user->methods[
826 				sm->user_eap_method_index++].method;
827 			wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d",
828 				   next_type);
829 			if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
830 				wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to "
831 					   "initialize EAP type %d",
832 					   next_type);
833 				eap_ttls_state(data, FAILURE);
834 				return;
835 			}
836 		} else {
837 			eap_ttls_state(data, FAILURE);
838 		}
839 		return;
840 	}
841 
842 	wpabuf_set(&buf, in_data, in_len);
843 
844 	if (m->check(sm, priv, &buf)) {
845 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to "
846 			   "ignore the packet");
847 		return;
848 	}
849 
850 	m->process(sm, priv, &buf);
851 
852 	if (sm->method_pending == METHOD_PENDING_WAIT) {
853 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in "
854 			   "pending wait state - save decrypted response");
855 		wpabuf_free(data->pending_phase2_eap_resp);
856 		data->pending_phase2_eap_resp = wpabuf_dup(&buf);
857 	}
858 
859 	if (!m->isDone(sm, priv))
860 		return;
861 
862 	if (!m->isSuccess(sm, priv)) {
863 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed");
864 		eap_ttls_state(data, FAILURE);
865 		return;
866 	}
867 
868 	switch (data->state) {
869 	case PHASE2_START:
870 		if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
871 			wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 "
872 					  "Identity not found in the user "
873 					  "database",
874 					  sm->identity, sm->identity_len);
875 			eap_ttls_state(data, FAILURE);
876 			break;
877 		}
878 
879 		eap_ttls_state(data, PHASE2_METHOD);
880 		next_type = sm->user->methods[0].method;
881 		sm->user_eap_method_index = 1;
882 		wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type);
883 		if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
884 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize "
885 				   "EAP type %d", next_type);
886 			eap_ttls_state(data, FAILURE);
887 		}
888 		break;
889 	case PHASE2_METHOD:
890 		eap_ttls_state(data, SUCCESS);
891 		break;
892 	case FAILURE:
893 		break;
894 	default:
895 		wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
896 			   __func__, data->state);
897 		break;
898 	}
899 }
900 
901 
902 static void eap_ttls_process_phase2_eap(struct eap_sm *sm,
903 					struct eap_ttls_data *data,
904 					const u8 *eap, size_t eap_len)
905 {
906 	struct eap_hdr *hdr;
907 	size_t len;
908 
909 	if (data->state == PHASE2_START) {
910 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2");
911 		if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0)
912 		{
913 			wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to "
914 				   "initialize EAP-Identity");
915 			return;
916 		}
917 	}
918 
919 	if (eap_len < sizeof(*hdr)) {
920 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP "
921 			   "packet (len=%lu)", (unsigned long) eap_len);
922 		return;
923 	}
924 
925 	hdr = (struct eap_hdr *) eap;
926 	len = be_to_host16(hdr->length);
927 	wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d "
928 		   "identifier=%d length=%lu", hdr->code, hdr->identifier,
929 		   (unsigned long) len);
930 	if (len > eap_len) {
931 		wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2"
932 			   " EAP frame (hdr len=%lu, data len in AVP=%lu)",
933 			   (unsigned long) len, (unsigned long) eap_len);
934 		return;
935 	}
936 
937 	switch (hdr->code) {
938 	case EAP_CODE_RESPONSE:
939 		eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr,
940 						     len);
941 		break;
942 	default:
943 		wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in "
944 			   "Phase 2 EAP header", hdr->code);
945 		break;
946 	}
947 }
948 
949 
950 static void eap_ttls_process_phase2(struct eap_sm *sm,
951 				    struct eap_ttls_data *data,
952 				    struct wpabuf *in_buf)
953 {
954 	struct wpabuf *in_decrypted;
955 	struct eap_ttls_avp parse;
956 
957 	wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
958 		   " Phase 2", (unsigned long) wpabuf_len(in_buf));
959 
960 	if (data->pending_phase2_eap_resp) {
961 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response "
962 			   "- skip decryption and use old data");
963 		eap_ttls_process_phase2_eap(
964 			sm, data, wpabuf_head(data->pending_phase2_eap_resp),
965 			wpabuf_len(data->pending_phase2_eap_resp));
966 		wpabuf_free(data->pending_phase2_eap_resp);
967 		data->pending_phase2_eap_resp = NULL;
968 		return;
969 	}
970 
971 	in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
972 					      in_buf);
973 	if (in_decrypted == NULL) {
974 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
975 			   "data");
976 		eap_ttls_state(data, FAILURE);
977 		return;
978 	}
979 
980 	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP",
981 			    in_decrypted);
982 
983 	if (eap_ttls_avp_parse(in_decrypted, &parse) < 0) {
984 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs");
985 		wpabuf_free(in_decrypted);
986 		eap_ttls_state(data, FAILURE);
987 		return;
988 	}
989 
990 	if (parse.user_name) {
991 		char *nbuf;
992 		nbuf = os_malloc(parse.user_name_len * 4 + 1);
993 		if (nbuf) {
994 			printf_encode(nbuf, parse.user_name_len * 4 + 1,
995 				      parse.user_name,
996 				      parse.user_name_len);
997 			eap_log_msg(sm, "TTLS-User-Name '%s'", nbuf);
998 			os_free(nbuf);
999 		}
1000 
1001 		os_free(sm->identity);
1002 		sm->identity = os_malloc(parse.user_name_len);
1003 		if (sm->identity == NULL) {
1004 			eap_ttls_state(data, FAILURE);
1005 			goto done;
1006 		}
1007 		os_memcpy(sm->identity, parse.user_name, parse.user_name_len);
1008 		sm->identity_len = parse.user_name_len;
1009 		if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
1010 		    != 0) {
1011 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "
1012 				   "found in the user database");
1013 			eap_ttls_state(data, FAILURE);
1014 			goto done;
1015 		}
1016 	}
1017 
1018 #ifdef EAP_SERVER_TNC
1019 	if (data->tnc_started && parse.eap == NULL) {
1020 		wpa_printf(MSG_DEBUG, "EAP-TTLS: TNC started but no EAP "
1021 			   "response from peer");
1022 		eap_ttls_state(data, FAILURE);
1023 		goto done;
1024 	}
1025 #endif /* EAP_SERVER_TNC */
1026 
1027 	if (parse.eap) {
1028 		eap_ttls_process_phase2_eap(sm, data, parse.eap,
1029 					    parse.eap_len);
1030 	} else if (parse.user_password) {
1031 		eap_ttls_process_phase2_pap(sm, data, parse.user_password,
1032 					    parse.user_password_len);
1033 	} else if (parse.chap_password) {
1034 		eap_ttls_process_phase2_chap(sm, data,
1035 					     parse.chap_challenge,
1036 					     parse.chap_challenge_len,
1037 					     parse.chap_password,
1038 					     parse.chap_password_len);
1039 	} else if (parse.mschap_response) {
1040 		eap_ttls_process_phase2_mschap(sm, data,
1041 					       parse.mschap_challenge,
1042 					       parse.mschap_challenge_len,
1043 					       parse.mschap_response,
1044 					       parse.mschap_response_len);
1045 	} else if (parse.mschap2_response) {
1046 		eap_ttls_process_phase2_mschapv2(sm, data,
1047 						 parse.mschap_challenge,
1048 						 parse.mschap_challenge_len,
1049 						 parse.mschap2_response,
1050 						 parse.mschap2_response_len);
1051 	}
1052 
1053 done:
1054 	wpabuf_free(in_decrypted);
1055 	os_free(parse.eap);
1056 }
1057 
1058 
1059 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data)
1060 {
1061 #ifdef EAP_SERVER_TNC
1062 	if (!sm->tnc || data->state != SUCCESS || data->tnc_started)
1063 		return;
1064 
1065 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC");
1066 	if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_TNC)) {
1067 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC");
1068 		eap_ttls_state(data, FAILURE);
1069 		return;
1070 	}
1071 
1072 	data->tnc_started = 1;
1073 	eap_ttls_state(data, PHASE2_METHOD);
1074 #endif /* EAP_SERVER_TNC */
1075 }
1076 
1077 
1078 static int eap_ttls_process_version(struct eap_sm *sm, void *priv,
1079 				    int peer_version)
1080 {
1081 	struct eap_ttls_data *data = priv;
1082 	if (peer_version < data->ttls_version) {
1083 		wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; "
1084 			   "use version %d",
1085 			   peer_version, data->ttls_version, peer_version);
1086 		data->ttls_version = peer_version;
1087 	}
1088 
1089 	return 0;
1090 }
1091 
1092 
1093 static void eap_ttls_process_msg(struct eap_sm *sm, void *priv,
1094 				 const struct wpabuf *respData)
1095 {
1096 	struct eap_ttls_data *data = priv;
1097 
1098 	switch (data->state) {
1099 	case PHASE1:
1100 		if (eap_server_tls_phase1(sm, &data->ssl) < 0)
1101 			eap_ttls_state(data, FAILURE);
1102 		break;
1103 	case PHASE2_START:
1104 	case PHASE2_METHOD:
1105 		eap_ttls_process_phase2(sm, data, data->ssl.tls_in);
1106 		eap_ttls_start_tnc(sm, data);
1107 		break;
1108 	case PHASE2_MSCHAPV2_RESP:
1109 		if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) ==
1110 		    0) {
1111 			wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1112 				   "acknowledged response");
1113 			eap_ttls_state(data, SUCCESS);
1114 		} else if (!data->mschapv2_resp_ok) {
1115 			wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1116 				   "acknowledged error");
1117 			eap_ttls_state(data, FAILURE);
1118 		} else {
1119 			wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected "
1120 				   "frame from peer (payload len %lu, "
1121 				   "expected empty frame)",
1122 				   (unsigned long)
1123 				   wpabuf_len(data->ssl.tls_in));
1124 			eap_ttls_state(data, FAILURE);
1125 		}
1126 		eap_ttls_start_tnc(sm, data);
1127 		break;
1128 	default:
1129 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s",
1130 			   data->state, __func__);
1131 		break;
1132 	}
1133 }
1134 
1135 
1136 static void eap_ttls_process(struct eap_sm *sm, void *priv,
1137 			     struct wpabuf *respData)
1138 {
1139 	struct eap_ttls_data *data = priv;
1140 	if (eap_server_tls_process(sm, &data->ssl, respData, data,
1141 				   EAP_TYPE_TTLS, eap_ttls_process_version,
1142 				   eap_ttls_process_msg) < 0)
1143 		eap_ttls_state(data, FAILURE);
1144 }
1145 
1146 
1147 static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv)
1148 {
1149 	struct eap_ttls_data *data = priv;
1150 	return data->state == SUCCESS || data->state == FAILURE;
1151 }
1152 
1153 
1154 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1155 {
1156 	struct eap_ttls_data *data = priv;
1157 	u8 *eapKeyData;
1158 
1159 	if (data->state != SUCCESS)
1160 		return NULL;
1161 
1162 	eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1163 					       "ttls keying material",
1164 					       EAP_TLS_KEY_LEN);
1165 	if (eapKeyData) {
1166 		*len = EAP_TLS_KEY_LEN;
1167 		wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
1168 				eapKeyData, EAP_TLS_KEY_LEN);
1169 	} else {
1170 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1171 	}
1172 
1173 	return eapKeyData;
1174 }
1175 
1176 
1177 static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv)
1178 {
1179 	struct eap_ttls_data *data = priv;
1180 	return data->state == SUCCESS;
1181 }
1182 
1183 
1184 static u8 * eap_ttls_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
1185 {
1186 	struct eap_ttls_data *data = priv;
1187 
1188 	if (data->state != SUCCESS)
1189 		return NULL;
1190 
1191 	return eap_server_tls_derive_session_id(sm, &data->ssl, EAP_TYPE_TTLS,
1192 						len);
1193 }
1194 
1195 
1196 static u8 * eap_ttls_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
1197 {
1198 	struct eap_ttls_data *data = priv;
1199 	u8 *eapKeyData, *emsk;
1200 
1201 	if (data->state != SUCCESS)
1202 		return NULL;
1203 
1204 	eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1205 					       "ttls keying material",
1206 					       EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
1207 	if (eapKeyData) {
1208 		emsk = os_malloc(EAP_EMSK_LEN);
1209 		if (emsk)
1210 			os_memcpy(emsk, eapKeyData + EAP_TLS_KEY_LEN,
1211 				  EAP_EMSK_LEN);
1212 		bin_clear_free(eapKeyData, EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
1213 	} else
1214 		emsk = NULL;
1215 
1216 	if (emsk) {
1217 		*len = EAP_EMSK_LEN;
1218 		wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Derived EMSK",
1219 			    emsk, EAP_EMSK_LEN);
1220 	} else {
1221 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive EMSK");
1222 	}
1223 
1224 	return emsk;
1225 }
1226 
1227 
1228 int eap_server_ttls_register(void)
1229 {
1230 	struct eap_method *eap;
1231 	int ret;
1232 
1233 	eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1234 				      EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1235 	if (eap == NULL)
1236 		return -1;
1237 
1238 	eap->init = eap_ttls_init;
1239 	eap->reset = eap_ttls_reset;
1240 	eap->buildReq = eap_ttls_buildReq;
1241 	eap->check = eap_ttls_check;
1242 	eap->process = eap_ttls_process;
1243 	eap->isDone = eap_ttls_isDone;
1244 	eap->getKey = eap_ttls_getKey;
1245 	eap->isSuccess = eap_ttls_isSuccess;
1246 	eap->getSessionId = eap_ttls_get_session_id;
1247 	eap->get_emsk = eap_ttls_get_emsk;
1248 
1249 	ret = eap_server_method_register(eap);
1250 	if (ret)
1251 		eap_server_method_free(eap);
1252 	return ret;
1253 }
1254