xref: /freebsd/contrib/wpa/src/eap_server/eap_server_ttls.c (revision fab66680b3df4792fb0d3d13b2c9cdd88538d3d2)
1 /*
2  * hostapd / EAP-TTLS (RFC 5281)
3  * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/ms_funcs.h"
13 #include "crypto/sha1.h"
14 #include "crypto/tls.h"
15 #include "eap_server/eap_i.h"
16 #include "eap_server/eap_tls_common.h"
17 #include "eap_common/chap.h"
18 #include "eap_common/eap_ttls.h"
19 
20 
21 #define EAP_TTLS_VERSION 0
22 
23 
24 static void eap_ttls_reset(struct eap_sm *sm, void *priv);
25 
26 
27 struct eap_ttls_data {
28 	struct eap_ssl_data ssl;
29 	enum {
30 		START, PHASE1, PHASE2_START, PHASE2_METHOD,
31 		PHASE2_MSCHAPV2_RESP, SUCCESS, FAILURE
32 	} state;
33 
34 	int ttls_version;
35 	const struct eap_method *phase2_method;
36 	void *phase2_priv;
37 	int mschapv2_resp_ok;
38 	u8 mschapv2_auth_response[20];
39 	u8 mschapv2_ident;
40 	struct wpabuf *pending_phase2_eap_resp;
41 	int tnc_started;
42 };
43 
44 
45 static const char * eap_ttls_state_txt(int state)
46 {
47 	switch (state) {
48 	case START:
49 		return "START";
50 	case PHASE1:
51 		return "PHASE1";
52 	case PHASE2_START:
53 		return "PHASE2_START";
54 	case PHASE2_METHOD:
55 		return "PHASE2_METHOD";
56 	case PHASE2_MSCHAPV2_RESP:
57 		return "PHASE2_MSCHAPV2_RESP";
58 	case SUCCESS:
59 		return "SUCCESS";
60 	case FAILURE:
61 		return "FAILURE";
62 	default:
63 		return "Unknown?!";
64 	}
65 }
66 
67 
68 static void eap_ttls_state(struct eap_ttls_data *data, int state)
69 {
70 	wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s",
71 		   eap_ttls_state_txt(data->state),
72 		   eap_ttls_state_txt(state));
73 	data->state = state;
74 	if (state == FAILURE)
75 		tls_connection_remove_session(data->ssl.conn);
76 }
77 
78 
79 static void eap_ttls_valid_session(struct eap_sm *sm,
80 				   struct eap_ttls_data *data)
81 {
82 	struct wpabuf *buf;
83 
84 	if (!sm->tls_session_lifetime)
85 		return;
86 
87 	buf = wpabuf_alloc(1 + 1 + sm->identity_len);
88 	if (!buf)
89 		return;
90 	wpabuf_put_u8(buf, EAP_TYPE_TTLS);
91 	if (sm->identity) {
92 		u8 id_len;
93 
94 		if (sm->identity_len <= 255)
95 			id_len = sm->identity_len;
96 		else
97 			id_len = 255;
98 		wpabuf_put_u8(buf, id_len);
99 		wpabuf_put_data(buf, sm->identity, id_len);
100 	} else {
101 		wpabuf_put_u8(buf, 0);
102 	}
103 	tls_connection_set_success_data(data->ssl.conn, buf);
104 }
105 
106 
107 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
108 			     int mandatory, size_t len)
109 {
110 	struct ttls_avp_vendor *avp;
111 	u8 flags;
112 	size_t hdrlen;
113 
114 	avp = (struct ttls_avp_vendor *) avphdr;
115 	flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
116 	if (vendor_id) {
117 		flags |= AVP_FLAGS_VENDOR;
118 		hdrlen = sizeof(*avp);
119 		avp->vendor_id = host_to_be32(vendor_id);
120 	} else {
121 		hdrlen = sizeof(struct ttls_avp);
122 	}
123 
124 	avp->avp_code = host_to_be32(avp_code);
125 	avp->avp_length = host_to_be32(((u32) flags << 24) |
126 				       ((u32) (hdrlen + len)));
127 
128 	return avphdr + hdrlen;
129 }
130 
131 
132 static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp,
133 						u32 avp_code, int mandatory)
134 {
135 	struct wpabuf *avp;
136 	u8 *pos;
137 
138 	avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4);
139 	if (avp == NULL) {
140 		wpabuf_free(resp);
141 		return NULL;
142 	}
143 
144 	pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory,
145 			       wpabuf_len(resp));
146 	os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp));
147 	pos += wpabuf_len(resp);
148 	AVP_PAD((const u8 *) wpabuf_head(avp), pos);
149 	wpabuf_free(resp);
150 	wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp));
151 	return avp;
152 }
153 
154 
155 struct eap_ttls_avp {
156 	 /* Note: eap is allocated memory; caller is responsible for freeing
157 	  * it. All the other pointers are pointing to the packet data, i.e.,
158 	  * they must not be freed separately. */
159 	u8 *eap;
160 	size_t eap_len;
161 	u8 *user_name;
162 	size_t user_name_len;
163 	u8 *user_password;
164 	size_t user_password_len;
165 	u8 *chap_challenge;
166 	size_t chap_challenge_len;
167 	u8 *chap_password;
168 	size_t chap_password_len;
169 	u8 *mschap_challenge;
170 	size_t mschap_challenge_len;
171 	u8 *mschap_response;
172 	size_t mschap_response_len;
173 	u8 *mschap2_response;
174 	size_t mschap2_response_len;
175 };
176 
177 
178 static int eap_ttls_avp_parse(struct wpabuf *buf, struct eap_ttls_avp *parse)
179 {
180 	struct ttls_avp *avp;
181 	u8 *pos;
182 	int left;
183 
184 	pos = wpabuf_mhead(buf);
185 	left = wpabuf_len(buf);
186 	os_memset(parse, 0, sizeof(*parse));
187 
188 	while (left > 0) {
189 		u32 avp_code, avp_length, vendor_id = 0;
190 		u8 avp_flags, *dpos;
191 		size_t pad, dlen;
192 		avp = (struct ttls_avp *) pos;
193 		avp_code = be_to_host32(avp->avp_code);
194 		avp_length = be_to_host32(avp->avp_length);
195 		avp_flags = (avp_length >> 24) & 0xff;
196 		avp_length &= 0xffffff;
197 		wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
198 			   "length=%d", (int) avp_code, avp_flags,
199 			   (int) avp_length);
200 		if ((int) avp_length > left) {
201 			wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
202 				   "(len=%d, left=%d) - dropped",
203 				   (int) avp_length, left);
204 			goto fail;
205 		}
206 		if (avp_length < sizeof(*avp)) {
207 			wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length "
208 				   "%d", avp_length);
209 			goto fail;
210 		}
211 		dpos = (u8 *) (avp + 1);
212 		dlen = avp_length - sizeof(*avp);
213 		if (avp_flags & AVP_FLAGS_VENDOR) {
214 			if (dlen < 4) {
215 				wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP "
216 					   "underflow");
217 				goto fail;
218 			}
219 			vendor_id = be_to_host32(* (be32 *) dpos);
220 			wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
221 				   (int) vendor_id);
222 			dpos += 4;
223 			dlen -= 4;
224 		}
225 
226 		wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
227 
228 		if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
229 			wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
230 			if (parse->eap == NULL) {
231 				parse->eap = os_memdup(dpos, dlen);
232 				if (parse->eap == NULL) {
233 					wpa_printf(MSG_WARNING, "EAP-TTLS: "
234 						   "failed to allocate memory "
235 						   "for Phase 2 EAP data");
236 					goto fail;
237 				}
238 				parse->eap_len = dlen;
239 			} else {
240 				u8 *neweap = os_realloc(parse->eap,
241 							parse->eap_len + dlen);
242 				if (neweap == NULL) {
243 					wpa_printf(MSG_WARNING, "EAP-TTLS: "
244 						   "failed to allocate memory "
245 						   "for Phase 2 EAP data");
246 					goto fail;
247 				}
248 				os_memcpy(neweap + parse->eap_len, dpos, dlen);
249 				parse->eap = neweap;
250 				parse->eap_len += dlen;
251 			}
252 		} else if (vendor_id == 0 &&
253 			   avp_code == RADIUS_ATTR_USER_NAME) {
254 			wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name",
255 					  dpos, dlen);
256 			parse->user_name = dpos;
257 			parse->user_name_len = dlen;
258 		} else if (vendor_id == 0 &&
259 			   avp_code == RADIUS_ATTR_USER_PASSWORD) {
260 			u8 *password = dpos;
261 			size_t password_len = dlen;
262 			while (password_len > 0 &&
263 			       password[password_len - 1] == '\0') {
264 				password_len--;
265 			}
266 			wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: "
267 					      "User-Password (PAP)",
268 					      password, password_len);
269 			parse->user_password = password;
270 			parse->user_password_len = password_len;
271 		} else if (vendor_id == 0 &&
272 			   avp_code == RADIUS_ATTR_CHAP_CHALLENGE) {
273 			wpa_hexdump(MSG_DEBUG,
274 				    "EAP-TTLS: CHAP-Challenge (CHAP)",
275 				    dpos, dlen);
276 			parse->chap_challenge = dpos;
277 			parse->chap_challenge_len = dlen;
278 		} else if (vendor_id == 0 &&
279 			   avp_code == RADIUS_ATTR_CHAP_PASSWORD) {
280 			wpa_hexdump(MSG_DEBUG,
281 				    "EAP-TTLS: CHAP-Password (CHAP)",
282 				    dpos, dlen);
283 			parse->chap_password = dpos;
284 			parse->chap_password_len = dlen;
285 		} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
286 			   avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) {
287 			wpa_hexdump(MSG_DEBUG,
288 				    "EAP-TTLS: MS-CHAP-Challenge",
289 				    dpos, dlen);
290 			parse->mschap_challenge = dpos;
291 			parse->mschap_challenge_len = dlen;
292 		} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
293 			   avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) {
294 			wpa_hexdump(MSG_DEBUG,
295 				    "EAP-TTLS: MS-CHAP-Response (MSCHAP)",
296 				    dpos, dlen);
297 			parse->mschap_response = dpos;
298 			parse->mschap_response_len = dlen;
299 		} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
300 			   avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) {
301 			wpa_hexdump(MSG_DEBUG,
302 				    "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)",
303 				    dpos, dlen);
304 			parse->mschap2_response = dpos;
305 			parse->mschap2_response_len = dlen;
306 		} else if (avp_flags & AVP_FLAGS_MANDATORY) {
307 			wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported "
308 				   "mandatory AVP code %d vendor_id %d - "
309 				   "dropped", (int) avp_code, (int) vendor_id);
310 			goto fail;
311 		} else {
312 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported "
313 				   "AVP code %d vendor_id %d",
314 				   (int) avp_code, (int) vendor_id);
315 		}
316 
317 		pad = (4 - (avp_length & 3)) & 3;
318 		pos += avp_length + pad;
319 		left -= avp_length + pad;
320 	}
321 
322 	return 0;
323 
324 fail:
325 	os_free(parse->eap);
326 	parse->eap = NULL;
327 	return -1;
328 }
329 
330 
331 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
332 					struct eap_ttls_data *data, size_t len)
333 {
334 	return eap_server_tls_derive_key(sm, &data->ssl, "ttls challenge",
335 					 NULL, 0, len);
336 }
337 
338 
339 static void * eap_ttls_init(struct eap_sm *sm)
340 {
341 	struct eap_ttls_data *data;
342 
343 	data = os_zalloc(sizeof(*data));
344 	if (data == NULL)
345 		return NULL;
346 	data->ttls_version = EAP_TTLS_VERSION;
347 	data->state = START;
348 
349 	if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_TTLS)) {
350 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
351 		eap_ttls_reset(sm, data);
352 		return NULL;
353 	}
354 
355 	return data;
356 }
357 
358 
359 static void eap_ttls_reset(struct eap_sm *sm, void *priv)
360 {
361 	struct eap_ttls_data *data = priv;
362 	if (data == NULL)
363 		return;
364 	if (data->phase2_priv && data->phase2_method)
365 		data->phase2_method->reset(sm, data->phase2_priv);
366 	eap_server_tls_ssl_deinit(sm, &data->ssl);
367 	wpabuf_free(data->pending_phase2_eap_resp);
368 	bin_clear_free(data, sizeof(*data));
369 }
370 
371 
372 static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm,
373 					    struct eap_ttls_data *data, u8 id)
374 {
375 	struct wpabuf *req;
376 
377 	req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1,
378 			    EAP_CODE_REQUEST, id);
379 	if (req == NULL) {
380 		wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for"
381 			   " request");
382 		eap_ttls_state(data, FAILURE);
383 		return NULL;
384 	}
385 
386 	wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version);
387 
388 	eap_ttls_state(data, PHASE1);
389 
390 	return req;
391 }
392 
393 
394 static struct wpabuf * eap_ttls_build_phase2_eap_req(
395 	struct eap_sm *sm, struct eap_ttls_data *data, u8 id)
396 {
397 	struct wpabuf *buf, *encr_req;
398 
399 
400 	buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
401 	if (buf == NULL)
402 		return NULL;
403 
404 	wpa_hexdump_buf_key(MSG_DEBUG,
405 			    "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf);
406 
407 	buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1);
408 	if (buf == NULL) {
409 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate "
410 			   "packet");
411 		return NULL;
412 	}
413 
414 	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated "
415 			    "Phase 2 data", buf);
416 
417 	encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf);
418 	wpabuf_free(buf);
419 
420 	return encr_req;
421 }
422 
423 
424 static struct wpabuf * eap_ttls_build_phase2_mschapv2(
425 	struct eap_sm *sm, struct eap_ttls_data *data)
426 {
427 	struct wpabuf *encr_req, msgbuf;
428 	u8 *req, *pos, *end;
429 	int ret;
430 
431 	pos = req = os_malloc(100);
432 	if (req == NULL)
433 		return NULL;
434 	end = req + 100;
435 
436 	if (data->mschapv2_resp_ok) {
437 		pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS,
438 				       RADIUS_VENDOR_ID_MICROSOFT, 1, 43);
439 		*pos++ = data->mschapv2_ident;
440 		ret = os_snprintf((char *) pos, end - pos, "S=");
441 		if (!os_snprintf_error(end - pos, ret))
442 			pos += ret;
443 		pos += wpa_snprintf_hex_uppercase(
444 			(char *) pos, end - pos, data->mschapv2_auth_response,
445 			sizeof(data->mschapv2_auth_response));
446 	} else {
447 		pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR,
448 				       RADIUS_VENDOR_ID_MICROSOFT, 1, 6);
449 		os_memcpy(pos, "Failed", 6);
450 		pos += 6;
451 		AVP_PAD(req, pos);
452 	}
453 
454 	wpabuf_set(&msgbuf, req, pos - req);
455 	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 "
456 			    "data", &msgbuf);
457 
458 	encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
459 	os_free(req);
460 
461 	return encr_req;
462 }
463 
464 
465 static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
466 {
467 	struct eap_ttls_data *data = priv;
468 
469 	if (data->ssl.state == FRAG_ACK) {
470 		return eap_server_tls_build_ack(id, EAP_TYPE_TTLS,
471 						data->ttls_version);
472 	}
473 
474 	if (data->ssl.state == WAIT_FRAG_ACK) {
475 		return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
476 						data->ttls_version, id);
477 	}
478 
479 	switch (data->state) {
480 	case START:
481 		return eap_ttls_build_start(sm, data, id);
482 	case PHASE1:
483 		if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
484 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, "
485 				   "starting Phase2");
486 			eap_ttls_state(data, PHASE2_START);
487 		}
488 		break;
489 	case PHASE2_METHOD:
490 		wpabuf_free(data->ssl.tls_out);
491 		data->ssl.tls_out_pos = 0;
492 		data->ssl.tls_out = eap_ttls_build_phase2_eap_req(sm, data,
493 								  id);
494 		break;
495 	case PHASE2_MSCHAPV2_RESP:
496 		wpabuf_free(data->ssl.tls_out);
497 		data->ssl.tls_out_pos = 0;
498 		data->ssl.tls_out = eap_ttls_build_phase2_mschapv2(sm, data);
499 		break;
500 	default:
501 		wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
502 			   __func__, data->state);
503 		return NULL;
504 	}
505 
506 	return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
507 					data->ttls_version, id);
508 }
509 
510 
511 static Boolean eap_ttls_check(struct eap_sm *sm, void *priv,
512 			      struct wpabuf *respData)
513 {
514 	const u8 *pos;
515 	size_t len;
516 
517 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len);
518 	if (pos == NULL || len < 1) {
519 		wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame");
520 		return TRUE;
521 	}
522 
523 	return FALSE;
524 }
525 
526 
527 static void eap_ttls_process_phase2_pap(struct eap_sm *sm,
528 					struct eap_ttls_data *data,
529 					const u8 *user_password,
530 					size_t user_password_len)
531 {
532 	if (!sm->user || !sm->user->password || sm->user->password_hash ||
533 	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) {
534 		wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user "
535 			   "password configured");
536 		eap_ttls_state(data, FAILURE);
537 		return;
538 	}
539 
540 	if (sm->user->password_len != user_password_len ||
541 	    os_memcmp_const(sm->user->password, user_password,
542 			    user_password_len) != 0) {
543 		wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password");
544 		eap_ttls_state(data, FAILURE);
545 		return;
546 	}
547 
548 	wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password");
549 	eap_ttls_state(data, SUCCESS);
550 	eap_ttls_valid_session(sm, data);
551 }
552 
553 
554 static void eap_ttls_process_phase2_chap(struct eap_sm *sm,
555 					 struct eap_ttls_data *data,
556 					 const u8 *challenge,
557 					 size_t challenge_len,
558 					 const u8 *password,
559 					 size_t password_len)
560 {
561 	u8 *chal, hash[CHAP_MD5_LEN];
562 
563 	if (challenge == NULL || password == NULL ||
564 	    challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN ||
565 	    password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) {
566 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes "
567 			   "(challenge len %lu password len %lu)",
568 			   (unsigned long) challenge_len,
569 			   (unsigned long) password_len);
570 		eap_ttls_state(data, FAILURE);
571 		return;
572 	}
573 
574 	if (!sm->user || !sm->user->password || sm->user->password_hash ||
575 	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) {
576 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user "
577 			   "password configured");
578 		eap_ttls_state(data, FAILURE);
579 		return;
580 	}
581 
582 	chal = eap_ttls_implicit_challenge(sm, data,
583 					   EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
584 	if (chal == NULL) {
585 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate "
586 			   "challenge from TLS data");
587 		eap_ttls_state(data, FAILURE);
588 		return;
589 	}
590 
591 	if (os_memcmp_const(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN)
592 	    != 0 ||
593 	    password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) {
594 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch");
595 		os_free(chal);
596 		eap_ttls_state(data, FAILURE);
597 		return;
598 	}
599 	os_free(chal);
600 
601 	/* MD5(Ident + Password + Challenge) */
602 	chap_md5(password[0], sm->user->password, sm->user->password_len,
603 		 challenge, challenge_len, hash);
604 
605 	if (os_memcmp_const(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) ==
606 	    0) {
607 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password");
608 		eap_ttls_state(data, SUCCESS);
609 		eap_ttls_valid_session(sm, data);
610 	} else {
611 		wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password");
612 		eap_ttls_state(data, FAILURE);
613 	}
614 }
615 
616 
617 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm,
618 					   struct eap_ttls_data *data,
619 					   u8 *challenge, size_t challenge_len,
620 					   u8 *response, size_t response_len)
621 {
622 	u8 *chal, nt_response[24];
623 
624 	if (challenge == NULL || response == NULL ||
625 	    challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN ||
626 	    response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) {
627 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP "
628 			   "attributes (challenge len %lu response len %lu)",
629 			   (unsigned long) challenge_len,
630 			   (unsigned long) response_len);
631 		eap_ttls_state(data, FAILURE);
632 		return;
633 	}
634 
635 	if (!sm->user || !sm->user->password ||
636 	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) {
637 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password "
638 			   "configured");
639 		eap_ttls_state(data, FAILURE);
640 		return;
641 	}
642 
643 	chal = eap_ttls_implicit_challenge(sm, data,
644 					   EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
645 	if (chal == NULL) {
646 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate "
647 			   "challenge from TLS data");
648 		eap_ttls_state(data, FAILURE);
649 		return;
650 	}
651 
652 #ifdef CONFIG_TESTING_OPTIONS
653 	eap_server_mschap_rx_callback(sm, "TTLS-MSCHAP",
654 				      sm->identity, sm->identity_len,
655 				      challenge, response + 2 + 24);
656 #endif /* CONFIG_TESTING_OPTIONS */
657 
658 	if (os_memcmp_const(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN)
659 	    != 0 ||
660 	    response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) {
661 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch");
662 		os_free(chal);
663 		eap_ttls_state(data, FAILURE);
664 		return;
665 	}
666 	os_free(chal);
667 
668 	if ((sm->user->password_hash &&
669 	     challenge_response(challenge, sm->user->password, nt_response)) ||
670 	    (!sm->user->password_hash &&
671 	     nt_challenge_response(challenge, sm->user->password,
672 				   sm->user->password_len, nt_response))) {
673 		eap_ttls_state(data, FAILURE);
674 		return;
675 	}
676 
677 	if (os_memcmp_const(nt_response, response + 2 + 24, 24) == 0) {
678 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response");
679 		eap_ttls_state(data, SUCCESS);
680 		eap_ttls_valid_session(sm, data);
681 	} else {
682 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response");
683 		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received",
684 			    response + 2 + 24, 24);
685 		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected",
686 			    nt_response, 24);
687 		eap_ttls_state(data, FAILURE);
688 	}
689 }
690 
691 
692 static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
693 					     struct eap_ttls_data *data,
694 					     u8 *challenge,
695 					     size_t challenge_len,
696 					     u8 *response, size_t response_len)
697 {
698 	u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge,
699 		*auth_challenge;
700 	size_t username_len, i;
701 
702 	if (challenge == NULL || response == NULL ||
703 	    challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN ||
704 	    response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) {
705 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 "
706 			   "attributes (challenge len %lu response len %lu)",
707 			   (unsigned long) challenge_len,
708 			   (unsigned long) response_len);
709 		eap_ttls_state(data, FAILURE);
710 		return;
711 	}
712 
713 	if (!sm->user || !sm->user->password ||
714 	    !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) {
715 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password "
716 			   "configured");
717 		eap_ttls_state(data, FAILURE);
718 		return;
719 	}
720 
721 	if (sm->identity == NULL) {
722 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user identity "
723 			   "known");
724 		eap_ttls_state(data, FAILURE);
725 		return;
726 	}
727 
728 	/* MSCHAPv2 does not include optional domain name in the
729 	 * challenge-response calculation, so remove domain prefix
730 	 * (if present). */
731 	username = sm->identity;
732 	username_len = sm->identity_len;
733 	for (i = 0; i < username_len; i++) {
734 		if (username[i] == '\\') {
735 			username_len -= i + 1;
736 			username += i + 1;
737 			break;
738 		}
739 	}
740 
741 	chal = eap_ttls_implicit_challenge(
742 		sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
743 	if (chal == NULL) {
744 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate "
745 			   "challenge from TLS data");
746 		eap_ttls_state(data, FAILURE);
747 		return;
748 	}
749 
750 	if (os_memcmp_const(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN)
751 	    != 0 ||
752 	    response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) {
753 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch");
754 		os_free(chal);
755 		eap_ttls_state(data, FAILURE);
756 		return;
757 	}
758 	os_free(chal);
759 
760 	auth_challenge = challenge;
761 	peer_challenge = response + 2;
762 
763 	wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User",
764 			  username, username_len);
765 	wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge",
766 		    auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
767 	wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge",
768 		    peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
769 
770 	if (sm->user->password_hash) {
771 		generate_nt_response_pwhash(auth_challenge, peer_challenge,
772 					    username, username_len,
773 					    sm->user->password,
774 					    nt_response);
775 	} else {
776 		generate_nt_response(auth_challenge, peer_challenge,
777 				     username, username_len,
778 				     sm->user->password,
779 				     sm->user->password_len,
780 				     nt_response);
781 	}
782 
783 	rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8;
784 #ifdef CONFIG_TESTING_OPTIONS
785 	{
786 		u8 challenge2[8];
787 
788 		if (challenge_hash(peer_challenge, auth_challenge,
789 				   username, username_len, challenge2) == 0) {
790 			eap_server_mschap_rx_callback(sm, "TTLS-MSCHAPV2",
791 						      username, username_len,
792 						      challenge2, rx_resp);
793 		}
794 	}
795 #endif /* CONFIG_TESTING_OPTIONS */
796 	if (os_memcmp_const(nt_response, rx_resp, 24) == 0) {
797 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct "
798 			   "NT-Response");
799 		data->mschapv2_resp_ok = 1;
800 
801 		if (sm->user->password_hash) {
802 			generate_authenticator_response_pwhash(
803 				sm->user->password,
804 				peer_challenge, auth_challenge,
805 				username, username_len, nt_response,
806 				data->mschapv2_auth_response);
807 		} else {
808 			generate_authenticator_response(
809 				sm->user->password, sm->user->password_len,
810 				peer_challenge, auth_challenge,
811 				username, username_len, nt_response,
812 				data->mschapv2_auth_response);
813 		}
814 	} else {
815 		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid "
816 			   "NT-Response");
817 		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received",
818 			    rx_resp, 24);
819 		wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected",
820 			    nt_response, 24);
821 		data->mschapv2_resp_ok = 0;
822 	}
823 	eap_ttls_state(data, PHASE2_MSCHAPV2_RESP);
824 	data->mschapv2_ident = response[0];
825 }
826 
827 
828 static int eap_ttls_phase2_eap_init(struct eap_sm *sm,
829 				    struct eap_ttls_data *data,
830 				    EapType eap_type)
831 {
832 	if (data->phase2_priv && data->phase2_method) {
833 		data->phase2_method->reset(sm, data->phase2_priv);
834 		data->phase2_method = NULL;
835 		data->phase2_priv = NULL;
836 	}
837 	data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
838 							eap_type);
839 	if (!data->phase2_method)
840 		return -1;
841 
842 	sm->init_phase2 = 1;
843 	data->phase2_priv = data->phase2_method->init(sm);
844 	sm->init_phase2 = 0;
845 	return data->phase2_priv == NULL ? -1 : 0;
846 }
847 
848 
849 static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
850 						 struct eap_ttls_data *data,
851 						 u8 *in_data, size_t in_len)
852 {
853 	u8 next_type = EAP_TYPE_NONE;
854 	struct eap_hdr *hdr;
855 	u8 *pos;
856 	size_t left;
857 	struct wpabuf buf;
858 	const struct eap_method *m = data->phase2_method;
859 	void *priv = data->phase2_priv;
860 
861 	if (priv == NULL) {
862 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not "
863 			   "initialized?!", __func__);
864 		return;
865 	}
866 
867 	hdr = (struct eap_hdr *) in_data;
868 	pos = (u8 *) (hdr + 1);
869 
870 	if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
871 		left = in_len - sizeof(*hdr);
872 		wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; "
873 			    "allowed types", pos + 1, left - 1);
874 		eap_sm_process_nak(sm, pos + 1, left - 1);
875 		if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
876 		    sm->user->methods[sm->user_eap_method_index].method !=
877 		    EAP_TYPE_NONE) {
878 			next_type = sm->user->methods[
879 				sm->user_eap_method_index++].method;
880 			wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d",
881 				   next_type);
882 			if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
883 				wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to "
884 					   "initialize EAP type %d",
885 					   next_type);
886 				eap_ttls_state(data, FAILURE);
887 				return;
888 			}
889 		} else {
890 			eap_ttls_state(data, FAILURE);
891 		}
892 		return;
893 	}
894 
895 	wpabuf_set(&buf, in_data, in_len);
896 
897 	if (m->check(sm, priv, &buf)) {
898 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to "
899 			   "ignore the packet");
900 		return;
901 	}
902 
903 	m->process(sm, priv, &buf);
904 
905 	if (sm->method_pending == METHOD_PENDING_WAIT) {
906 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in "
907 			   "pending wait state - save decrypted response");
908 		wpabuf_free(data->pending_phase2_eap_resp);
909 		data->pending_phase2_eap_resp = wpabuf_dup(&buf);
910 	}
911 
912 	if (!m->isDone(sm, priv))
913 		return;
914 
915 	if (!m->isSuccess(sm, priv)) {
916 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed");
917 		eap_ttls_state(data, FAILURE);
918 		return;
919 	}
920 
921 	switch (data->state) {
922 	case PHASE2_START:
923 		if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
924 			wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 "
925 					  "Identity not found in the user "
926 					  "database",
927 					  sm->identity, sm->identity_len);
928 			eap_ttls_state(data, FAILURE);
929 			break;
930 		}
931 
932 		eap_ttls_state(data, PHASE2_METHOD);
933 		next_type = sm->user->methods[0].method;
934 		sm->user_eap_method_index = 1;
935 		wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type);
936 		if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
937 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize "
938 				   "EAP type %d", next_type);
939 			eap_ttls_state(data, FAILURE);
940 		}
941 		break;
942 	case PHASE2_METHOD:
943 		eap_ttls_state(data, SUCCESS);
944 		eap_ttls_valid_session(sm, data);
945 		break;
946 	case FAILURE:
947 		break;
948 	default:
949 		wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
950 			   __func__, data->state);
951 		break;
952 	}
953 }
954 
955 
956 static void eap_ttls_process_phase2_eap(struct eap_sm *sm,
957 					struct eap_ttls_data *data,
958 					const u8 *eap, size_t eap_len)
959 {
960 	struct eap_hdr *hdr;
961 	size_t len;
962 
963 	if (data->state == PHASE2_START) {
964 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2");
965 		if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0)
966 		{
967 			wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to "
968 				   "initialize EAP-Identity");
969 			return;
970 		}
971 	}
972 
973 	if (eap_len < sizeof(*hdr)) {
974 		wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP "
975 			   "packet (len=%lu)", (unsigned long) eap_len);
976 		return;
977 	}
978 
979 	hdr = (struct eap_hdr *) eap;
980 	len = be_to_host16(hdr->length);
981 	wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d "
982 		   "identifier=%d length=%lu", hdr->code, hdr->identifier,
983 		   (unsigned long) len);
984 	if (len > eap_len) {
985 		wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2"
986 			   " EAP frame (hdr len=%lu, data len in AVP=%lu)",
987 			   (unsigned long) len, (unsigned long) eap_len);
988 		return;
989 	}
990 
991 	switch (hdr->code) {
992 	case EAP_CODE_RESPONSE:
993 		eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr,
994 						     len);
995 		break;
996 	default:
997 		wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in "
998 			   "Phase 2 EAP header", hdr->code);
999 		break;
1000 	}
1001 }
1002 
1003 
1004 static void eap_ttls_process_phase2(struct eap_sm *sm,
1005 				    struct eap_ttls_data *data,
1006 				    struct wpabuf *in_buf)
1007 {
1008 	struct wpabuf *in_decrypted;
1009 	struct eap_ttls_avp parse;
1010 
1011 	wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1012 		   " Phase 2", (unsigned long) wpabuf_len(in_buf));
1013 
1014 	if (data->pending_phase2_eap_resp) {
1015 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response "
1016 			   "- skip decryption and use old data");
1017 		eap_ttls_process_phase2_eap(
1018 			sm, data, wpabuf_head(data->pending_phase2_eap_resp),
1019 			wpabuf_len(data->pending_phase2_eap_resp));
1020 		wpabuf_free(data->pending_phase2_eap_resp);
1021 		data->pending_phase2_eap_resp = NULL;
1022 		return;
1023 	}
1024 
1025 	in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
1026 					      in_buf);
1027 	if (in_decrypted == NULL) {
1028 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
1029 			   "data");
1030 		eap_ttls_state(data, FAILURE);
1031 		return;
1032 	}
1033 
1034 	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP",
1035 			    in_decrypted);
1036 
1037 	if (eap_ttls_avp_parse(in_decrypted, &parse) < 0) {
1038 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs");
1039 		wpabuf_free(in_decrypted);
1040 		eap_ttls_state(data, FAILURE);
1041 		return;
1042 	}
1043 
1044 	if (parse.user_name) {
1045 		char *nbuf;
1046 		nbuf = os_malloc(parse.user_name_len * 4 + 1);
1047 		if (nbuf) {
1048 			printf_encode(nbuf, parse.user_name_len * 4 + 1,
1049 				      parse.user_name,
1050 				      parse.user_name_len);
1051 			eap_log_msg(sm, "TTLS-User-Name '%s'", nbuf);
1052 			os_free(nbuf);
1053 		}
1054 
1055 		os_free(sm->identity);
1056 		sm->identity = os_memdup(parse.user_name, parse.user_name_len);
1057 		if (sm->identity == NULL) {
1058 			eap_ttls_state(data, FAILURE);
1059 			goto done;
1060 		}
1061 		sm->identity_len = parse.user_name_len;
1062 		if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
1063 		    != 0) {
1064 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "
1065 				   "found in the user database");
1066 			eap_ttls_state(data, FAILURE);
1067 			goto done;
1068 		}
1069 	}
1070 
1071 #ifdef EAP_SERVER_TNC
1072 	if (data->tnc_started && parse.eap == NULL) {
1073 		wpa_printf(MSG_DEBUG, "EAP-TTLS: TNC started but no EAP "
1074 			   "response from peer");
1075 		eap_ttls_state(data, FAILURE);
1076 		goto done;
1077 	}
1078 #endif /* EAP_SERVER_TNC */
1079 
1080 	if (parse.eap) {
1081 		eap_ttls_process_phase2_eap(sm, data, parse.eap,
1082 					    parse.eap_len);
1083 	} else if (parse.user_password) {
1084 		eap_ttls_process_phase2_pap(sm, data, parse.user_password,
1085 					    parse.user_password_len);
1086 	} else if (parse.chap_password) {
1087 		eap_ttls_process_phase2_chap(sm, data,
1088 					     parse.chap_challenge,
1089 					     parse.chap_challenge_len,
1090 					     parse.chap_password,
1091 					     parse.chap_password_len);
1092 	} else if (parse.mschap_response) {
1093 		eap_ttls_process_phase2_mschap(sm, data,
1094 					       parse.mschap_challenge,
1095 					       parse.mschap_challenge_len,
1096 					       parse.mschap_response,
1097 					       parse.mschap_response_len);
1098 	} else if (parse.mschap2_response) {
1099 		eap_ttls_process_phase2_mschapv2(sm, data,
1100 						 parse.mschap_challenge,
1101 						 parse.mschap_challenge_len,
1102 						 parse.mschap2_response,
1103 						 parse.mschap2_response_len);
1104 	}
1105 
1106 done:
1107 	wpabuf_free(in_decrypted);
1108 	os_free(parse.eap);
1109 }
1110 
1111 
1112 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data)
1113 {
1114 #ifdef EAP_SERVER_TNC
1115 	if (!sm->tnc || data->state != SUCCESS || data->tnc_started)
1116 		return;
1117 
1118 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC");
1119 	if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_TNC)) {
1120 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC");
1121 		eap_ttls_state(data, FAILURE);
1122 		return;
1123 	}
1124 
1125 	data->tnc_started = 1;
1126 	eap_ttls_state(data, PHASE2_METHOD);
1127 #endif /* EAP_SERVER_TNC */
1128 }
1129 
1130 
1131 static int eap_ttls_process_version(struct eap_sm *sm, void *priv,
1132 				    int peer_version)
1133 {
1134 	struct eap_ttls_data *data = priv;
1135 	if (peer_version < data->ttls_version) {
1136 		wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; "
1137 			   "use version %d",
1138 			   peer_version, data->ttls_version, peer_version);
1139 		data->ttls_version = peer_version;
1140 	}
1141 
1142 	return 0;
1143 }
1144 
1145 
1146 static void eap_ttls_process_msg(struct eap_sm *sm, void *priv,
1147 				 const struct wpabuf *respData)
1148 {
1149 	struct eap_ttls_data *data = priv;
1150 
1151 	switch (data->state) {
1152 	case PHASE1:
1153 		if (eap_server_tls_phase1(sm, &data->ssl) < 0)
1154 			eap_ttls_state(data, FAILURE);
1155 		break;
1156 	case PHASE2_START:
1157 	case PHASE2_METHOD:
1158 		eap_ttls_process_phase2(sm, data, data->ssl.tls_in);
1159 		eap_ttls_start_tnc(sm, data);
1160 		break;
1161 	case PHASE2_MSCHAPV2_RESP:
1162 		if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) ==
1163 		    0) {
1164 			wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1165 				   "acknowledged response");
1166 			eap_ttls_state(data, SUCCESS);
1167 			eap_ttls_valid_session(sm, data);
1168 		} else if (!data->mschapv2_resp_ok) {
1169 			wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1170 				   "acknowledged error");
1171 			eap_ttls_state(data, FAILURE);
1172 		} else {
1173 			wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected "
1174 				   "frame from peer (payload len %lu, "
1175 				   "expected empty frame)",
1176 				   (unsigned long)
1177 				   wpabuf_len(data->ssl.tls_in));
1178 			eap_ttls_state(data, FAILURE);
1179 		}
1180 		eap_ttls_start_tnc(sm, data);
1181 		break;
1182 	default:
1183 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s",
1184 			   data->state, __func__);
1185 		break;
1186 	}
1187 }
1188 
1189 
1190 static void eap_ttls_process(struct eap_sm *sm, void *priv,
1191 			     struct wpabuf *respData)
1192 {
1193 	struct eap_ttls_data *data = priv;
1194 	const struct wpabuf *buf;
1195 	const u8 *pos;
1196 	u8 id_len;
1197 
1198 	if (eap_server_tls_process(sm, &data->ssl, respData, data,
1199 				   EAP_TYPE_TTLS, eap_ttls_process_version,
1200 				   eap_ttls_process_msg) < 0) {
1201 		eap_ttls_state(data, FAILURE);
1202 		return;
1203 	}
1204 
1205 	if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
1206 	    !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
1207 		return;
1208 
1209 	buf = tls_connection_get_success_data(data->ssl.conn);
1210 	if (!buf || wpabuf_len(buf) < 1) {
1211 		wpa_printf(MSG_DEBUG,
1212 			   "EAP-TTLS: No success data in resumed session - reject attempt");
1213 		eap_ttls_state(data, FAILURE);
1214 		return;
1215 	}
1216 
1217 	pos = wpabuf_head(buf);
1218 	if (*pos != EAP_TYPE_TTLS) {
1219 		wpa_printf(MSG_DEBUG,
1220 			   "EAP-TTLS: Resumed session for another EAP type (%u) - reject attempt",
1221 			   *pos);
1222 		eap_ttls_state(data, FAILURE);
1223 		return;
1224 	}
1225 
1226 	pos++;
1227 	id_len = *pos++;
1228 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: Identity from cached session",
1229 			  pos, id_len);
1230 	os_free(sm->identity);
1231 	sm->identity = os_malloc(id_len ? id_len : 1);
1232 	if (!sm->identity) {
1233 		sm->identity_len = 0;
1234 		eap_ttls_state(data, FAILURE);
1235 		return;
1236 	}
1237 
1238 	os_memcpy(sm->identity, pos, id_len);
1239 	sm->identity_len = id_len;
1240 
1241 	if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1242 		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not found in the user database",
1243 				  sm->identity, sm->identity_len);
1244 		eap_ttls_state(data, FAILURE);
1245 		return;
1246 	}
1247 
1248 	wpa_printf(MSG_DEBUG,
1249 		   "EAP-TTLS: Resuming previous session - skip Phase2");
1250 	eap_ttls_state(data, SUCCESS);
1251 	tls_connection_set_success_data_resumed(data->ssl.conn);
1252 }
1253 
1254 
1255 static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv)
1256 {
1257 	struct eap_ttls_data *data = priv;
1258 	return data->state == SUCCESS || data->state == FAILURE;
1259 }
1260 
1261 
1262 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1263 {
1264 	struct eap_ttls_data *data = priv;
1265 	u8 *eapKeyData;
1266 
1267 	if (data->state != SUCCESS)
1268 		return NULL;
1269 
1270 	eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1271 					       "ttls keying material", NULL, 0,
1272 					       EAP_TLS_KEY_LEN);
1273 	if (eapKeyData) {
1274 		*len = EAP_TLS_KEY_LEN;
1275 		wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
1276 				eapKeyData, EAP_TLS_KEY_LEN);
1277 	} else {
1278 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1279 	}
1280 
1281 	return eapKeyData;
1282 }
1283 
1284 
1285 static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv)
1286 {
1287 	struct eap_ttls_data *data = priv;
1288 	return data->state == SUCCESS;
1289 }
1290 
1291 
1292 static u8 * eap_ttls_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
1293 {
1294 	struct eap_ttls_data *data = priv;
1295 
1296 	if (data->state != SUCCESS)
1297 		return NULL;
1298 
1299 	return eap_server_tls_derive_session_id(sm, &data->ssl, EAP_TYPE_TTLS,
1300 						len);
1301 }
1302 
1303 
1304 static u8 * eap_ttls_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
1305 {
1306 	struct eap_ttls_data *data = priv;
1307 	u8 *eapKeyData, *emsk;
1308 
1309 	if (data->state != SUCCESS)
1310 		return NULL;
1311 
1312 	eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1313 					       "ttls keying material", NULL, 0,
1314 					       EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
1315 	if (eapKeyData) {
1316 		emsk = os_malloc(EAP_EMSK_LEN);
1317 		if (emsk)
1318 			os_memcpy(emsk, eapKeyData + EAP_TLS_KEY_LEN,
1319 				  EAP_EMSK_LEN);
1320 		bin_clear_free(eapKeyData, EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
1321 	} else
1322 		emsk = NULL;
1323 
1324 	if (emsk) {
1325 		*len = EAP_EMSK_LEN;
1326 		wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Derived EMSK",
1327 			    emsk, EAP_EMSK_LEN);
1328 	} else {
1329 		wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive EMSK");
1330 	}
1331 
1332 	return emsk;
1333 }
1334 
1335 
1336 int eap_server_ttls_register(void)
1337 {
1338 	struct eap_method *eap;
1339 
1340 	eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1341 				      EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1342 	if (eap == NULL)
1343 		return -1;
1344 
1345 	eap->init = eap_ttls_init;
1346 	eap->reset = eap_ttls_reset;
1347 	eap->buildReq = eap_ttls_buildReq;
1348 	eap->check = eap_ttls_check;
1349 	eap->process = eap_ttls_process;
1350 	eap->isDone = eap_ttls_isDone;
1351 	eap->getKey = eap_ttls_getKey;
1352 	eap->isSuccess = eap_ttls_isSuccess;
1353 	eap->getSessionId = eap_ttls_get_session_id;
1354 	eap->get_emsk = eap_ttls_get_emsk;
1355 
1356 	return eap_server_method_register(eap);
1357 }
1358