contrib/wpa/src/eap_server/eap_server_ttls.c

   1 /*
   2  * hostapd / EAP-TTLS (RFC 5281)
   3  * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include "common.h"
  12 #include "crypto/ms_funcs.h"
  13 #include "crypto/sha1.h"
  14 #include "crypto/tls.h"
  15 #include "eap_server/eap_i.h"
  16 #include "eap_server/eap_tls_common.h"
  17 #include "eap_common/chap.h"
  18 #include "eap_common/eap_ttls.h"
  19
  20
  21 #define EAP_TTLS_VERSION 0
  22
  23
  24 static void eap_ttls_reset(struct eap_sm *sm, void *priv);
  25
  26
  27 struct eap_ttls_data {
  28         struct eap_ssl_data ssl;
  29         enum {
  30                 START, PHASE1, PHASE2_START, PHASE2_METHOD,
  31                 PHASE2_MSCHAPV2_RESP, SUCCESS, FAILURE
  32         } state;
  33
  34         int ttls_version;
  35         const struct eap_method *phase2_method;
  36         void *phase2_priv;
  37         int mschapv2_resp_ok;
  38         u8 mschapv2_auth_response[20];
  39         u8 mschapv2_ident;
  40         struct wpabuf *pending_phase2_eap_resp;
  41         int tnc_started;
  42 };
  43
  44
  45 static const char * eap_ttls_state_txt(int state)
  46 {
  47         switch (state) {
  48         case START:
  49                 return "START";
  50         case PHASE1:
  51                 return "PHASE1";
  52         case PHASE2_START:
  53                 return "PHASE2_START";
  54         case PHASE2_METHOD:
  55                 return "PHASE2_METHOD";
  56         case PHASE2_MSCHAPV2_RESP:
  57                 return "PHASE2_MSCHAPV2_RESP";
  58         case SUCCESS:
  59                 return "SUCCESS";
  60         case FAILURE:
  61                 return "FAILURE";
  62         default:
  63                 return "Unknown?!";
  64         }
  65 }
  66
  67
  68 static void eap_ttls_state(struct eap_ttls_data *data, int state)
  69 {
  70         wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s",
  71                    eap_ttls_state_txt(data->state),
  72                    eap_ttls_state_txt(state));
  73         data->state = state;
  74         if (state == FAILURE)
  75                 tls_connection_remove_session(data->ssl.conn);
  76 }
  77
  78
  79 static void eap_ttls_valid_session(struct eap_sm *sm,
  80                                    struct eap_ttls_data *data)
  81 {
  82         struct wpabuf *buf;
  83
  84         if (!sm->tls_session_lifetime)
  85                 return;
  86
  87         buf = wpabuf_alloc(1 + 1 + sm->identity_len);
  88         if (!buf)
  89                 return;
  90         wpabuf_put_u8(buf, EAP_TYPE_TTLS);
  91         if (sm->identity) {
  92                 u8 id_len;
  93
  94                 if (sm->identity_len <= 255)
  95                         id_len = sm->identity_len;
  96                 else
  97                         id_len = 255;
  98                 wpabuf_put_u8(buf, id_len);
  99                 wpabuf_put_data(buf, sm->identity, id_len);
 100         } else {
 101                 wpabuf_put_u8(buf, 0);
 102         }
 103         tls_connection_set_success_data(data->ssl.conn, buf);
 104 }
 105
 106
 107 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
 108                              int mandatory, size_t len)
 109 {
 110         struct ttls_avp_vendor *avp;
 111         u8 flags;
 112         size_t hdrlen;
 113
 114         avp = (struct ttls_avp_vendor *) avphdr;
 115         flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
 116         if (vendor_id) {
 117                 flags |= AVP_FLAGS_VENDOR;
 118                 hdrlen = sizeof(*avp);
 119                 avp->vendor_id = host_to_be32(vendor_id);
 120         } else {
 121                 hdrlen = sizeof(struct ttls_avp);
 122         }
 123
 124         avp->avp_code = host_to_be32(avp_code);
 125         avp->avp_length = host_to_be32(((u32) flags << 24) |
 126                                        ((u32) (hdrlen + len)));
 127
 128         return avphdr + hdrlen;
 129 }
 130
 131
 132 static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp,
 133                                                 u32 avp_code, int mandatory)
 134 {
 135         struct wpabuf *avp;
 136         u8 *pos;
 137
 138         avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4);
 139         if (avp == NULL) {
 140                 wpabuf_free(resp);
 141                 return NULL;
 142         }
 143
 144         pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory,
 145                                wpabuf_len(resp));
 146         os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp));
 147         pos += wpabuf_len(resp);
 148         AVP_PAD((const u8 *) wpabuf_head(avp), pos);
 149         wpabuf_free(resp);
 150         wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp));
 151         return avp;
 152 }
 153
 154
 155 struct eap_ttls_avp {
 156          /* Note: eap is allocated memory; caller is responsible for freeing
 157           * it. All the other pointers are pointing to the packet data, i.e.,
 158           * they must not be freed separately. */
 159         u8 *eap;
 160         size_t eap_len;
 161         u8 *user_name;
 162         size_t user_name_len;
 163         u8 *user_password;
 164         size_t user_password_len;
 165         u8 *chap_challenge;
 166         size_t chap_challenge_len;
 167         u8 *chap_password;
 168         size_t chap_password_len;
 169         u8 *mschap_challenge;
 170         size_t mschap_challenge_len;
 171         u8 *mschap_response;
 172         size_t mschap_response_len;
 173         u8 *mschap2_response;
 174         size_t mschap2_response_len;
 175 };
 176
 177
 178 static int eap_ttls_avp_parse(struct wpabuf *buf, struct eap_ttls_avp *parse)
 179 {
 180         struct ttls_avp *avp;
 181         u8 *pos;
 182         int left;
 183
 184         pos = wpabuf_mhead(buf);
 185         left = wpabuf_len(buf);
 186         os_memset(parse, 0, sizeof(*parse));
 187
 188         while (left > 0) {
 189                 u32 avp_code, avp_length, vendor_id = 0;
 190                 u8 avp_flags, *dpos;
 191                 size_t pad, dlen;
 192                 avp = (struct ttls_avp *) pos;
 193                 avp_code = be_to_host32(avp->avp_code);
 194                 avp_length = be_to_host32(avp->avp_length);
 195                 avp_flags = (avp_length >> 24) & 0xff;
 196                 avp_length &= 0xffffff;
 197                 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
 198                            "length=%d", (int) avp_code, avp_flags,
 199                            (int) avp_length);
 200                 if ((int) avp_length > left) {
 201                         wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
 202                                    "(len=%d, left=%d) - dropped",
 203                                    (int) avp_length, left);
 204                         goto fail;
 205                 }
 206                 if (avp_length < sizeof(*avp)) {
 207                         wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length "
 208                                    "%d", avp_length);
 209                         goto fail;
 210                 }
 211                 dpos = (u8 *) (avp + 1);
 212                 dlen = avp_length - sizeof(*avp);
 213                 if (avp_flags & AVP_FLAGS_VENDOR) {
 214                         if (dlen < 4) {
 215                                 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP "
 216                                            "underflow");
 217                                 goto fail;
 218                         }
 219                         vendor_id = be_to_host32(* (be32 *) dpos);
 220                         wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
 221                                    (int) vendor_id);
 222                         dpos += 4;
 223                         dlen -= 4;
 224                 }
 225
 226                 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
 227
 228                 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
 229                         wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
 230                         if (parse->eap == NULL) {
 231                                 parse->eap = os_memdup(dpos, dlen);
 232                                 if (parse->eap == NULL) {
 233                                         wpa_printf(MSG_WARNING, "EAP-TTLS: "
 234                                                    "failed to allocate memory "
 235                                                    "for Phase 2 EAP data");
 236                                         goto fail;
 237                                 }
 238                                 parse->eap_len = dlen;
 239                         } else {
 240                                 u8 *neweap = os_realloc(parse->eap,
 241                                                         parse->eap_len + dlen);
 242                                 if (neweap == NULL) {
 243                                         wpa_printf(MSG_WARNING, "EAP-TTLS: "
 244                                                    "failed to allocate memory "
 245                                                    "for Phase 2 EAP data");
 246                                         goto fail;
 247                                 }
 248                                 os_memcpy(neweap + parse->eap_len, dpos, dlen);
 249                                 parse->eap = neweap;
 250                                 parse->eap_len += dlen;
 251                         }
 252                 } else if (vendor_id == 0 &&
 253                            avp_code == RADIUS_ATTR_USER_NAME) {
 254                         wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name",
 255                                           dpos, dlen);
 256                         parse->user_name = dpos;
 257                         parse->user_name_len = dlen;
 258                 } else if (vendor_id == 0 &&
 259                            avp_code == RADIUS_ATTR_USER_PASSWORD) {
 260                         u8 *password = dpos;
 261                         size_t password_len = dlen;
 262                         while (password_len > 0 &&
 263                                password[password_len - 1] == '\0') {
 264                                 password_len--;
 265                         }
 266                         wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: "
 267                                               "User-Password (PAP)",
 268                                               password, password_len);
 269                         parse->user_password = password;
 270                         parse->user_password_len = password_len;
 271                 } else if (vendor_id == 0 &&
 272                            avp_code == RADIUS_ATTR_CHAP_CHALLENGE) {
 273                         wpa_hexdump(MSG_DEBUG,
 274                                     "EAP-TTLS: CHAP-Challenge (CHAP)",
 275                                     dpos, dlen);
 276                         parse->chap_challenge = dpos;
 277                         parse->chap_challenge_len = dlen;
 278                 } else if (vendor_id == 0 &&
 279                            avp_code == RADIUS_ATTR_CHAP_PASSWORD) {
 280                         wpa_hexdump(MSG_DEBUG,
 281                                     "EAP-TTLS: CHAP-Password (CHAP)",
 282                                     dpos, dlen);
 283                         parse->chap_password = dpos;
 284                         parse->chap_password_len = dlen;
 285                 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
 286                            avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) {
 287                         wpa_hexdump(MSG_DEBUG,
 288                                     "EAP-TTLS: MS-CHAP-Challenge",
 289                                     dpos, dlen);
 290                         parse->mschap_challenge = dpos;
 291                         parse->mschap_challenge_len = dlen;
 292                 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
 293                            avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) {
 294                         wpa_hexdump(MSG_DEBUG,
 295                                     "EAP-TTLS: MS-CHAP-Response (MSCHAP)",
 296                                     dpos, dlen);
 297                         parse->mschap_response = dpos;
 298                         parse->mschap_response_len = dlen;
 299                 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
 300                            avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) {
 301                         wpa_hexdump(MSG_DEBUG,
 302                                     "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)",
 303                                     dpos, dlen);
 304                         parse->mschap2_response = dpos;
 305                         parse->mschap2_response_len = dlen;
 306                 } else if (avp_flags & AVP_FLAGS_MANDATORY) {
 307                         wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported "
 308                                    "mandatory AVP code %d vendor_id %d - "
 309                                    "dropped", (int) avp_code, (int) vendor_id);
 310                         goto fail;
 311                 } else {
 312                         wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported "
 313                                    "AVP code %d vendor_id %d",
 314                                    (int) avp_code, (int) vendor_id);
 315                 }
 316
 317                 pad = (4 - (avp_length & 3)) & 3;
 318                 pos += avp_length + pad;
 319                 left -= avp_length + pad;
 320         }
 321
 322         return 0;
 323
 324 fail:
 325         os_free(parse->eap);
 326         parse->eap = NULL;
 327         return -1;
 328 }
 329
 330
 331 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
 332                                         struct eap_ttls_data *data, size_t len)
 333 {
 334         return eap_server_tls_derive_key(sm, &data->ssl, "ttls challenge",
 335                                          NULL, 0, len);
 336 }
 337
 338
 339 static void * eap_ttls_init(struct eap_sm *sm)
 340 {
 341         struct eap_ttls_data *data;
 342
 343         data = os_zalloc(sizeof(*data));
 344         if (data == NULL)
 345                 return NULL;
 346         data->ttls_version = EAP_TTLS_VERSION;
 347         data->state = START;
 348
 349         if (eap_server_tls_ssl_init(sm, &data->ssl, 0, EAP_TYPE_TTLS)) {
 350                 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
 351                 eap_ttls_reset(sm, data);
 352                 return NULL;
 353         }
 354
 355         return data;
 356 }
 357
 358
 359 static void eap_ttls_reset(struct eap_sm *sm, void *priv)
 360 {
 361         struct eap_ttls_data *data = priv;
 362         if (data == NULL)
 363                 return;
 364         if (data->phase2_priv && data->phase2_method)
 365                 data->phase2_method->reset(sm, data->phase2_priv);
 366         eap_server_tls_ssl_deinit(sm, &data->ssl);
 367         wpabuf_free(data->pending_phase2_eap_resp);
 368         bin_clear_free(data, sizeof(*data));
 369 }
 370
 371
 372 static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm,
 373                                             struct eap_ttls_data *data, u8 id)
 374 {
 375         struct wpabuf *req;
 376
 377         req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1,
 378                             EAP_CODE_REQUEST, id);
 379         if (req == NULL) {
 380                 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for"
 381                            " request");
 382                 eap_ttls_state(data, FAILURE);
 383                 return NULL;
 384         }
 385
 386         wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version);
 387
 388         eap_ttls_state(data, PHASE1);
 389
 390         return req;
 391 }
 392
 393
 394 static struct wpabuf * eap_ttls_build_phase2_eap_req(
 395         struct eap_sm *sm, struct eap_ttls_data *data, u8 id)
 396 {
 397         struct wpabuf *buf, *encr_req;
 398
 399
 400         buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
 401         if (buf == NULL)
 402                 return NULL;
 403
 404         wpa_hexdump_buf_key(MSG_DEBUG,
 405                             "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf);
 406
 407         buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1);
 408         if (buf == NULL) {
 409                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate "
 410                            "packet");
 411                 return NULL;
 412         }
 413
 414         wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated "
 415                             "Phase 2 data", buf);
 416
 417         encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf);
 418         wpabuf_free(buf);
 419
 420         return encr_req;
 421 }
 422
 423
 424 static struct wpabuf * eap_ttls_build_phase2_mschapv2(
 425         struct eap_sm *sm, struct eap_ttls_data *data)
 426 {
 427         struct wpabuf *encr_req, msgbuf;
 428         u8 *req, *pos, *end;
 429         int ret;
 430
 431         pos = req = os_malloc(100);
 432         if (req == NULL)
 433                 return NULL;
 434         end = req + 100;
 435
 436         if (data->mschapv2_resp_ok) {
 437                 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS,
 438                                        RADIUS_VENDOR_ID_MICROSOFT, 1, 43);
 439                 *pos++ = data->mschapv2_ident;
 440                 ret = os_snprintf((char *) pos, end - pos, "S=");
 441                 if (!os_snprintf_error(end - pos, ret))
 442                         pos += ret;
 443                 pos += wpa_snprintf_hex_uppercase(
 444                         (char *) pos, end - pos, data->mschapv2_auth_response,
 445                         sizeof(data->mschapv2_auth_response));
 446         } else {
 447                 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR,
 448                                        RADIUS_VENDOR_ID_MICROSOFT, 1, 6);
 449                 os_memcpy(pos, "Failed", 6);
 450                 pos += 6;
 451                 AVP_PAD(req, pos);
 452         }
 453
 454         wpabuf_set(&msgbuf, req, pos - req);
 455         wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 "
 456                             "data", &msgbuf);
 457
 458         encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
 459         os_free(req);
 460
 461         return encr_req;
 462 }
 463
 464
 465 static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
 466 {
 467         struct eap_ttls_data *data = priv;
 468
 469         if (data->ssl.state == FRAG_ACK) {
 470                 return eap_server_tls_build_ack(id, EAP_TYPE_TTLS,
 471                                                 data->ttls_version);
 472         }
 473
 474         if (data->ssl.state == WAIT_FRAG_ACK) {
 475                 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
 476                                                 data->ttls_version, id);
 477         }
 478
 479         switch (data->state) {
 480         case START:
 481                 return eap_ttls_build_start(sm, data, id);
 482         case PHASE1:
 483                 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
 484                         wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, "
 485                                    "starting Phase2");
 486                         eap_ttls_state(data, PHASE2_START);
 487                 }
 488                 break;
 489         case PHASE2_METHOD:
 490                 wpabuf_free(data->ssl.tls_out);
 491                 data->ssl.tls_out_pos = 0;
 492                 data->ssl.tls_out = eap_ttls_build_phase2_eap_req(sm, data,
 493                                                                   id);
 494                 break;
 495         case PHASE2_MSCHAPV2_RESP:
 496                 wpabuf_free(data->ssl.tls_out);
 497                 data->ssl.tls_out_pos = 0;
 498                 data->ssl.tls_out = eap_ttls_build_phase2_mschapv2(sm, data);
 499                 break;
 500         default:
 501                 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
 502                            __func__, data->state);
 503                 return NULL;
 504         }
 505
 506         return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
 507                                         data->ttls_version, id);
 508 }
 509
 510
 511 static Boolean eap_ttls_check(struct eap_sm *sm, void *priv,
 512                               struct wpabuf *respData)
 513 {
 514         const u8 *pos;
 515         size_t len;
 516
 517         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len);
 518         if (pos == NULL || len < 1) {
 519                 wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame");
 520                 return TRUE;
 521         }
 522
 523         return FALSE;
 524 }
 525
 526
 527 static void eap_ttls_process_phase2_pap(struct eap_sm *sm,
 528                                         struct eap_ttls_data *data,
 529                                         const u8 *user_password,
 530                                         size_t user_password_len)
 531 {
 532         if (!sm->user || !sm->user->password || sm->user->password_hash ||
 533             !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) {
 534                 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user "
 535                            "password configured");
 536                 eap_ttls_state(data, FAILURE);
 537                 return;
 538         }
 539
 540         if (sm->user->password_len != user_password_len ||
 541             os_memcmp_const(sm->user->password, user_password,
 542                             user_password_len) != 0) {
 543                 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password");
 544                 eap_ttls_state(data, FAILURE);
 545                 return;
 546         }
 547
 548         wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password");
 549         eap_ttls_state(data, SUCCESS);
 550         eap_ttls_valid_session(sm, data);
 551 }
 552
 553
 554 static void eap_ttls_process_phase2_chap(struct eap_sm *sm,
 555                                          struct eap_ttls_data *data,
 556                                          const u8 *challenge,
 557                                          size_t challenge_len,
 558                                          const u8 *password,
 559                                          size_t password_len)
 560 {
 561         u8 *chal, hash[CHAP_MD5_LEN];
 562
 563         if (challenge == NULL || password == NULL ||
 564             challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN ||
 565             password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) {
 566                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes "
 567                            "(challenge len %lu password len %lu)",
 568                            (unsigned long) challenge_len,
 569                            (unsigned long) password_len);
 570                 eap_ttls_state(data, FAILURE);
 571                 return;
 572         }
 573
 574         if (!sm->user || !sm->user->password || sm->user->password_hash ||
 575             !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) {
 576                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user "
 577                            "password configured");
 578                 eap_ttls_state(data, FAILURE);
 579                 return;
 580         }
 581
 582         chal = eap_ttls_implicit_challenge(sm, data,
 583                                            EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
 584         if (chal == NULL) {
 585                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate "
 586                            "challenge from TLS data");
 587                 eap_ttls_state(data, FAILURE);
 588                 return;
 589         }
 590
 591         if (os_memcmp_const(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN)
 592             != 0 ||
 593             password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) {
 594                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch");
 595                 os_free(chal);
 596                 eap_ttls_state(data, FAILURE);
 597                 return;
 598         }
 599         os_free(chal);
 600
 601         /* MD5(Ident + Password + Challenge) */
 602         chap_md5(password[0], sm->user->password, sm->user->password_len,
 603                  challenge, challenge_len, hash);
 604
 605         if (os_memcmp_const(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) ==
 606             0) {
 607                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password");
 608                 eap_ttls_state(data, SUCCESS);
 609                 eap_ttls_valid_session(sm, data);
 610         } else {
 611                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password");
 612                 eap_ttls_state(data, FAILURE);
 613         }
 614 }
 615
 616
 617 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm,
 618                                            struct eap_ttls_data *data,
 619                                            u8 *challenge, size_t challenge_len,
 620                                            u8 *response, size_t response_len)
 621 {
 622         u8 *chal, nt_response[24];
 623
 624         if (challenge == NULL || response == NULL ||
 625             challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN ||
 626             response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) {
 627                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP "
 628                            "attributes (challenge len %lu response len %lu)",
 629                            (unsigned long) challenge_len,
 630                            (unsigned long) response_len);
 631                 eap_ttls_state(data, FAILURE);
 632                 return;
 633         }
 634
 635         if (!sm->user || !sm->user->password ||
 636             !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) {
 637                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password "
 638                            "configured");
 639                 eap_ttls_state(data, FAILURE);
 640                 return;
 641         }
 642
 643         chal = eap_ttls_implicit_challenge(sm, data,
 644                                            EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
 645         if (chal == NULL) {
 646                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate "
 647                            "challenge from TLS data");
 648                 eap_ttls_state(data, FAILURE);
 649                 return;
 650         }
 651
 652 #ifdef CONFIG_TESTING_OPTIONS
 653         eap_server_mschap_rx_callback(sm, "TTLS-MSCHAP",
 654                                       sm->identity, sm->identity_len,
 655                                       challenge, response + 2 + 24);
 656 #endif /* CONFIG_TESTING_OPTIONS */
 657
 658         if (os_memcmp_const(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN)
 659             != 0 ||
 660             response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) {
 661                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch");
 662                 os_free(chal);
 663                 eap_ttls_state(data, FAILURE);
 664                 return;
 665         }
 666         os_free(chal);
 667
 668         if ((sm->user->password_hash &&
 669              challenge_response(challenge, sm->user->password, nt_response)) ||
 670             (!sm->user->password_hash &&
 671              nt_challenge_response(challenge, sm->user->password,
 672                                    sm->user->password_len, nt_response))) {
 673                 eap_ttls_state(data, FAILURE);
 674                 return;
 675         }
 676
 677         if (os_memcmp_const(nt_response, response + 2 + 24, 24) == 0) {
 678                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response");
 679                 eap_ttls_state(data, SUCCESS);
 680                 eap_ttls_valid_session(sm, data);
 681         } else {
 682                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response");
 683                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received",
 684                             response + 2 + 24, 24);
 685                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected",
 686                             nt_response, 24);
 687                 eap_ttls_state(data, FAILURE);
 688         }
 689 }
 690
 691
 692 static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
 693                                              struct eap_ttls_data *data,
 694                                              u8 *challenge,
 695                                              size_t challenge_len,
 696                                              u8 *response, size_t response_len)
 697 {
 698         u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge,
 699                 *auth_challenge;
 700         size_t username_len, i;
 701
 702         if (challenge == NULL || response == NULL ||
 703             challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN ||
 704             response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) {
 705                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 "
 706                            "attributes (challenge len %lu response len %lu)",
 707                            (unsigned long) challenge_len,
 708                            (unsigned long) response_len);
 709                 eap_ttls_state(data, FAILURE);
 710                 return;
 711         }
 712
 713         if (!sm->user || !sm->user->password ||
 714             !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) {
 715                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password "
 716                            "configured");
 717                 eap_ttls_state(data, FAILURE);
 718                 return;
 719         }
 720
 721         if (sm->identity == NULL) {
 722                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user identity "
 723                            "known");
 724                 eap_ttls_state(data, FAILURE);
 725                 return;
 726         }
 727
 728         /* MSCHAPv2 does not include optional domain name in the
 729          * challenge-response calculation, so remove domain prefix
 730          * (if present). */
 731         username = sm->identity;
 732         username_len = sm->identity_len;
 733         for (i = 0; i < username_len; i++) {
 734                 if (username[i] == '\\') {
 735                         username_len -= i + 1;
 736                         username += i + 1;
 737                         break;
 738                 }
 739         }
 740
 741         chal = eap_ttls_implicit_challenge(
 742                 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
 743         if (chal == NULL) {
 744                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate "
 745                            "challenge from TLS data");
 746                 eap_ttls_state(data, FAILURE);
 747                 return;
 748         }
 749
 750         if (os_memcmp_const(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN)
 751             != 0 ||
 752             response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) {
 753                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch");
 754                 os_free(chal);
 755                 eap_ttls_state(data, FAILURE);
 756                 return;
 757         }
 758         os_free(chal);
 759
 760         auth_challenge = challenge;
 761         peer_challenge = response + 2;
 762
 763         wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User",
 764                           username, username_len);
 765         wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge",
 766                     auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
 767         wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge",
 768                     peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
 769
 770         if (sm->user->password_hash) {
 771                 generate_nt_response_pwhash(auth_challenge, peer_challenge,
 772                                             username, username_len,
 773                                             sm->user->password,
 774                                             nt_response);
 775         } else {
 776                 generate_nt_response(auth_challenge, peer_challenge,
 777                                      username, username_len,
 778                                      sm->user->password,
 779                                      sm->user->password_len,
 780                                      nt_response);
 781         }
 782
 783         rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8;
 784 #ifdef CONFIG_TESTING_OPTIONS
 785         {
 786                 u8 challenge2[8];
 787
 788                 if (challenge_hash(peer_challenge, auth_challenge,
 789                                    username, username_len, challenge2) == 0) {
 790                         eap_server_mschap_rx_callback(sm, "TTLS-MSCHAPV2",
 791                                                       username, username_len,
 792                                                       challenge2, rx_resp);
 793                 }
 794         }
 795 #endif /* CONFIG_TESTING_OPTIONS */
 796         if (os_memcmp_const(nt_response, rx_resp, 24) == 0) {
 797                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct "
 798                            "NT-Response");
 799                 data->mschapv2_resp_ok = 1;
 800
 801                 if (sm->user->password_hash) {
 802                         generate_authenticator_response_pwhash(
 803                                 sm->user->password,
 804                                 peer_challenge, auth_challenge,
 805                                 username, username_len, nt_response,
 806                                 data->mschapv2_auth_response);
 807                 } else {
 808                         generate_authenticator_response(
 809                                 sm->user->password, sm->user->password_len,
 810                                 peer_challenge, auth_challenge,
 811                                 username, username_len, nt_response,
 812                                 data->mschapv2_auth_response);
 813                 }
 814         } else {
 815                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid "
 816                            "NT-Response");
 817                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received",
 818                             rx_resp, 24);
 819                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected",
 820                             nt_response, 24);
 821                 data->mschapv2_resp_ok = 0;
 822         }
 823         eap_ttls_state(data, PHASE2_MSCHAPV2_RESP);
 824         data->mschapv2_ident = response[0];
 825 }
 826
 827
 828 static int eap_ttls_phase2_eap_init(struct eap_sm *sm,
 829                                     struct eap_ttls_data *data,
 830                                     EapType eap_type)
 831 {
 832         if (data->phase2_priv && data->phase2_method) {
 833                 data->phase2_method->reset(sm, data->phase2_priv);
 834                 data->phase2_method = NULL;
 835                 data->phase2_priv = NULL;
 836         }
 837         data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
 838                                                         eap_type);
 839         if (!data->phase2_method)
 840                 return -1;
 841
 842         sm->init_phase2 = 1;
 843         data->phase2_priv = data->phase2_method->init(sm);
 844         sm->init_phase2 = 0;
 845         return data->phase2_priv == NULL ? -1 : 0;
 846 }
 847
 848
 849 static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
 850                                                  struct eap_ttls_data *data,
 851                                                  u8 *in_data, size_t in_len)
 852 {
 853         u8 next_type = EAP_TYPE_NONE;
 854         struct eap_hdr *hdr;
 855         u8 *pos;
 856         size_t left;
 857         struct wpabuf buf;
 858         const struct eap_method *m = data->phase2_method;
 859         void *priv = data->phase2_priv;
 860
 861         if (priv == NULL) {
 862                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not "
 863                            "initialized?!", __func__);
 864                 return;
 865         }
 866
 867         hdr = (struct eap_hdr *) in_data;
 868         pos = (u8 *) (hdr + 1);
 869
 870         if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
 871                 left = in_len - sizeof(*hdr);
 872                 wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; "
 873                             "allowed types", pos + 1, left - 1);
 874                 eap_sm_process_nak(sm, pos + 1, left - 1);
 875                 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
 876                     sm->user->methods[sm->user_eap_method_index].method !=
 877                     EAP_TYPE_NONE) {
 878                         next_type = sm->user->methods[
 879                                 sm->user_eap_method_index++].method;
 880                         wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d",
 881                                    next_type);
 882                         if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
 883                                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to "
 884                                            "initialize EAP type %d",
 885                                            next_type);
 886                                 eap_ttls_state(data, FAILURE);
 887                                 return;
 888                         }
 889                 } else {
 890                         eap_ttls_state(data, FAILURE);
 891                 }
 892                 return;
 893         }
 894
 895         wpabuf_set(&buf, in_data, in_len);
 896
 897         if (m->check(sm, priv, &buf)) {
 898                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to "
 899                            "ignore the packet");
 900                 return;
 901         }
 902
 903         m->process(sm, priv, &buf);
 904
 905         if (sm->method_pending == METHOD_PENDING_WAIT) {
 906                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in "
 907                            "pending wait state - save decrypted response");
 908                 wpabuf_free(data->pending_phase2_eap_resp);
 909                 data->pending_phase2_eap_resp = wpabuf_dup(&buf);
 910         }
 911
 912         if (!m->isDone(sm, priv))
 913                 return;
 914
 915         if (!m->isSuccess(sm, priv)) {
 916                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed");
 917                 eap_ttls_state(data, FAILURE);
 918                 return;
 919         }
 920
 921         switch (data->state) {
 922         case PHASE2_START:
 923                 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
 924                         wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 "
 925                                           "Identity not found in the user "
 926                                           "database",
 927                                           sm->identity, sm->identity_len);
 928                         eap_ttls_state(data, FAILURE);
 929                         break;
 930                 }
 931
 932                 eap_ttls_state(data, PHASE2_METHOD);
 933                 next_type = sm->user->methods[0].method;
 934                 sm->user_eap_method_index = 1;
 935                 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type);
 936                 if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
 937                         wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize "
 938                                    "EAP type %d", next_type);
 939                         eap_ttls_state(data, FAILURE);
 940                 }
 941                 break;
 942         case PHASE2_METHOD:
 943                 eap_ttls_state(data, SUCCESS);
 944                 eap_ttls_valid_session(sm, data);
 945                 break;
 946         case FAILURE:
 947                 break;
 948         default:
 949                 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
 950                            __func__, data->state);
 951                 break;
 952         }
 953 }
 954
 955
 956 static void eap_ttls_process_phase2_eap(struct eap_sm *sm,
 957                                         struct eap_ttls_data *data,
 958                                         const u8 *eap, size_t eap_len)
 959 {
 960         struct eap_hdr *hdr;
 961         size_t len;
 962
 963         if (data->state == PHASE2_START) {
 964                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2");
 965                 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0)
 966                 {
 967                         wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to "
 968                                    "initialize EAP-Identity");
 969                         return;
 970                 }
 971         }
 972
 973         if (eap_len < sizeof(*hdr)) {
 974                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP "
 975                            "packet (len=%lu)", (unsigned long) eap_len);
 976                 return;
 977         }
 978
 979         hdr = (struct eap_hdr *) eap;
 980         len = be_to_host16(hdr->length);
 981         wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d "
 982                    "identifier=%d length=%lu", hdr->code, hdr->identifier,
 983                    (unsigned long) len);
 984         if (len > eap_len) {
 985                 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2"
 986                            " EAP frame (hdr len=%lu, data len in AVP=%lu)",
 987                            (unsigned long) len, (unsigned long) eap_len);
 988                 return;
 989         }
 990
 991         switch (hdr->code) {
 992         case EAP_CODE_RESPONSE:
 993                 eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr,
 994                                                      len);
 995                 break;
 996         default:
 997                 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in "
 998                            "Phase 2 EAP header", hdr->code);
 999                 break;
1000         }
1001 }
1002
1003
1004 static void eap_ttls_process_phase2(struct eap_sm *sm,
1005                                     struct eap_ttls_data *data,
1006                                     struct wpabuf *in_buf)
1007 {
1008         struct wpabuf *in_decrypted;
1009         struct eap_ttls_avp parse;
1010
1011         wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1012                    " Phase 2", (unsigned long) wpabuf_len(in_buf));
1013
1014         if (data->pending_phase2_eap_resp) {
1015                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response "
1016                            "- skip decryption and use old data");
1017                 eap_ttls_process_phase2_eap(
1018                         sm, data, wpabuf_head(data->pending_phase2_eap_resp),
1019                         wpabuf_len(data->pending_phase2_eap_resp));
1020                 wpabuf_free(data->pending_phase2_eap_resp);
1021                 data->pending_phase2_eap_resp = NULL;
1022                 return;
1023         }
1024
1025         in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
1026                                               in_buf);
1027         if (in_decrypted == NULL) {
1028                 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
1029                            "data");
1030                 eap_ttls_state(data, FAILURE);
1031                 return;
1032         }
1033
1034         wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP",
1035                             in_decrypted);
1036
1037         if (eap_ttls_avp_parse(in_decrypted, &parse) < 0) {
1038                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs");
1039                 wpabuf_free(in_decrypted);
1040                 eap_ttls_state(data, FAILURE);
1041                 return;
1042         }
1043
1044         if (parse.user_name) {
1045                 char *nbuf;
1046                 nbuf = os_malloc(parse.user_name_len * 4 + 1);
1047                 if (nbuf) {
1048                         printf_encode(nbuf, parse.user_name_len * 4 + 1,
1049                                       parse.user_name,
1050                                       parse.user_name_len);
1051                         eap_log_msg(sm, "TTLS-User-Name '%s'", nbuf);
1052                         os_free(nbuf);
1053                 }
1054
1055                 os_free(sm->identity);
1056                 sm->identity = os_memdup(parse.user_name, parse.user_name_len);
1057                 if (sm->identity == NULL) {
1058                         eap_ttls_state(data, FAILURE);
1059                         goto done;
1060                 }
1061                 sm->identity_len = parse.user_name_len;
1062                 if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
1063                     != 0) {
1064                         wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "
1065                                    "found in the user database");
1066                         eap_ttls_state(data, FAILURE);
1067                         goto done;
1068                 }
1069         }
1070
1071 #ifdef EAP_SERVER_TNC
1072         if (data->tnc_started && parse.eap == NULL) {
1073                 wpa_printf(MSG_DEBUG, "EAP-TTLS: TNC started but no EAP "
1074                            "response from peer");
1075                 eap_ttls_state(data, FAILURE);
1076                 goto done;
1077         }
1078 #endif /* EAP_SERVER_TNC */
1079
1080         if (parse.eap) {
1081                 eap_ttls_process_phase2_eap(sm, data, parse.eap,
1082                                             parse.eap_len);
1083         } else if (parse.user_password) {
1084                 eap_ttls_process_phase2_pap(sm, data, parse.user_password,
1085                                             parse.user_password_len);
1086         } else if (parse.chap_password) {
1087                 eap_ttls_process_phase2_chap(sm, data,
1088                                              parse.chap_challenge,
1089                                              parse.chap_challenge_len,
1090                                              parse.chap_password,
1091                                              parse.chap_password_len);
1092         } else if (parse.mschap_response) {
1093                 eap_ttls_process_phase2_mschap(sm, data,
1094                                                parse.mschap_challenge,
1095                                                parse.mschap_challenge_len,
1096                                                parse.mschap_response,
1097                                                parse.mschap_response_len);
1098         } else if (parse.mschap2_response) {
1099                 eap_ttls_process_phase2_mschapv2(sm, data,
1100                                                  parse.mschap_challenge,
1101                                                  parse.mschap_challenge_len,
1102                                                  parse.mschap2_response,
1103                                                  parse.mschap2_response_len);
1104         }
1105
1106 done:
1107         wpabuf_free(in_decrypted);
1108         os_free(parse.eap);
1109 }
1110
1111
1112 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data)
1113 {
1114 #ifdef EAP_SERVER_TNC
1115         if (!sm->tnc || data->state != SUCCESS || data->tnc_started)
1116                 return;
1117
1118         wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC");
1119         if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_TNC)) {
1120                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC");
1121                 eap_ttls_state(data, FAILURE);
1122                 return;
1123         }
1124
1125         data->tnc_started = 1;
1126         eap_ttls_state(data, PHASE2_METHOD);
1127 #endif /* EAP_SERVER_TNC */
1128 }
1129
1130
1131 static int eap_ttls_process_version(struct eap_sm *sm, void *priv,
1132                                     int peer_version)
1133 {
1134         struct eap_ttls_data *data = priv;
1135         if (peer_version < data->ttls_version) {
1136                 wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; "
1137                            "use version %d",
1138                            peer_version, data->ttls_version, peer_version);
1139                 data->ttls_version = peer_version;
1140         }
1141
1142         return 0;
1143 }
1144
1145
1146 static void eap_ttls_process_msg(struct eap_sm *sm, void *priv,
1147                                  const struct wpabuf *respData)
1148 {
1149         struct eap_ttls_data *data = priv;
1150
1151         switch (data->state) {
1152         case PHASE1:
1153                 if (eap_server_tls_phase1(sm, &data->ssl) < 0)
1154                         eap_ttls_state(data, FAILURE);
1155                 break;
1156         case PHASE2_START:
1157         case PHASE2_METHOD:
1158                 eap_ttls_process_phase2(sm, data, data->ssl.tls_in);
1159                 eap_ttls_start_tnc(sm, data);
1160                 break;
1161         case PHASE2_MSCHAPV2_RESP:
1162                 if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) ==
1163                     0) {
1164                         wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1165                                    "acknowledged response");
1166                         eap_ttls_state(data, SUCCESS);
1167                         eap_ttls_valid_session(sm, data);
1168                 } else if (!data->mschapv2_resp_ok) {
1169                         wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1170                                    "acknowledged error");
1171                         eap_ttls_state(data, FAILURE);
1172                 } else {
1173                         wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected "
1174                                    "frame from peer (payload len %lu, "
1175                                    "expected empty frame)",
1176                                    (unsigned long)
1177                                    wpabuf_len(data->ssl.tls_in));
1178                         eap_ttls_state(data, FAILURE);
1179                 }
1180                 eap_ttls_start_tnc(sm, data);
1181                 break;
1182         default:
1183                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s",
1184                            data->state, __func__);
1185                 break;
1186         }
1187 }
1188
1189
1190 static void eap_ttls_process(struct eap_sm *sm, void *priv,
1191                              struct wpabuf *respData)
1192 {
1193         struct eap_ttls_data *data = priv;
1194         const struct wpabuf *buf;
1195         const u8 *pos;
1196         u8 id_len;
1197
1198         if (eap_server_tls_process(sm, &data->ssl, respData, data,
1199                                    EAP_TYPE_TTLS, eap_ttls_process_version,
1200                                    eap_ttls_process_msg) < 0) {
1201                 eap_ttls_state(data, FAILURE);
1202                 return;
1203         }
1204
1205         if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
1206             !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
1207                 return;
1208
1209         buf = tls_connection_get_success_data(data->ssl.conn);
1210         if (!buf || wpabuf_len(buf) < 1) {
1211                 wpa_printf(MSG_DEBUG,
1212                            "EAP-TTLS: No success data in resumed session - reject attempt");
1213                 eap_ttls_state(data, FAILURE);
1214                 return;
1215         }
1216
1217         pos = wpabuf_head(buf);
1218         if (*pos != EAP_TYPE_TTLS) {
1219                 wpa_printf(MSG_DEBUG,
1220                            "EAP-TTLS: Resumed session for another EAP type (%u) - reject attempt",
1221                            *pos);
1222                 eap_ttls_state(data, FAILURE);
1223                 return;
1224         }
1225
1226         pos++;
1227         id_len = *pos++;
1228         wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: Identity from cached session",
1229                           pos, id_len);
1230         os_free(sm->identity);
1231         sm->identity = os_malloc(id_len ? id_len : 1);
1232         if (!sm->identity) {
1233                 sm->identity_len = 0;
1234                 eap_ttls_state(data, FAILURE);
1235                 return;
1236         }
1237
1238         os_memcpy(sm->identity, pos, id_len);
1239         sm->identity_len = id_len;
1240
1241         if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
1242                 wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not found in the user database",
1243                                   sm->identity, sm->identity_len);
1244                 eap_ttls_state(data, FAILURE);
1245                 return;
1246         }
1247
1248         wpa_printf(MSG_DEBUG,
1249                    "EAP-TTLS: Resuming previous session - skip Phase2");
1250         eap_ttls_state(data, SUCCESS);
1251         tls_connection_set_success_data_resumed(data->ssl.conn);
1252 }
1253
1254
1255 static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv)
1256 {
1257         struct eap_ttls_data *data = priv;
1258         return data->state == SUCCESS || data->state == FAILURE;
1259 }
1260
1261
1262 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1263 {
1264         struct eap_ttls_data *data = priv;
1265         u8 *eapKeyData;
1266
1267         if (data->state != SUCCESS)
1268                 return NULL;
1269
1270         eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1271                                                "ttls keying material", NULL, 0,
1272                                                EAP_TLS_KEY_LEN);
1273         if (eapKeyData) {
1274                 *len = EAP_TLS_KEY_LEN;
1275                 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
1276                                 eapKeyData, EAP_TLS_KEY_LEN);
1277         } else {
1278                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1279         }
1280
1281         return eapKeyData;
1282 }
1283
1284
1285 static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv)
1286 {
1287         struct eap_ttls_data *data = priv;
1288         return data->state == SUCCESS;
1289 }
1290
1291
1292 static u8 * eap_ttls_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
1293 {
1294         struct eap_ttls_data *data = priv;
1295
1296         if (data->state != SUCCESS)
1297                 return NULL;
1298
1299         return eap_server_tls_derive_session_id(sm, &data->ssl, EAP_TYPE_TTLS,
1300                                                 len);
1301 }
1302
1303
1304 static u8 * eap_ttls_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
1305 {
1306         struct eap_ttls_data *data = priv;
1307         u8 *eapKeyData, *emsk;
1308
1309         if (data->state != SUCCESS)
1310                 return NULL;
1311
1312         eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1313                                                "ttls keying material", NULL, 0,
1314                                                EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
1315         if (eapKeyData) {
1316                 emsk = os_malloc(EAP_EMSK_LEN);
1317                 if (emsk)
1318                         os_memcpy(emsk, eapKeyData + EAP_TLS_KEY_LEN,
1319                                   EAP_EMSK_LEN);
1320                 bin_clear_free(eapKeyData, EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
1321         } else
1322                 emsk = NULL;
1323
1324         if (emsk) {
1325                 *len = EAP_EMSK_LEN;
1326                 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Derived EMSK",
1327                             emsk, EAP_EMSK_LEN);
1328         } else {
1329                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive EMSK");
1330         }
1331
1332         return emsk;
1333 }
1334
1335
1336 int eap_server_ttls_register(void)
1337 {
1338         struct eap_method *eap;
1339
1340         eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1341                                       EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1342         if (eap == NULL)
1343                 return -1;
1344
1345         eap->init = eap_ttls_init;
1346         eap->reset = eap_ttls_reset;
1347         eap->buildReq = eap_ttls_buildReq;
1348         eap->check = eap_ttls_check;
1349         eap->process = eap_ttls_process;
1350         eap->isDone = eap_ttls_isDone;
1351         eap->getKey = eap_ttls_getKey;
1352         eap->isSuccess = eap_ttls_isSuccess;
1353         eap->getSessionId = eap_ttls_get_session_id;
1354         eap->get_emsk = eap_ttls_get_emsk;
1355
1356         return eap_server_method_register(eap);
1357 }