1/*
2 * EAP peer method: EAP-TTLS (RFC 5281)
3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10
11#include "common.h"
12#include "crypto/ms_funcs.h"
13#include "crypto/sha1.h"
14#include "crypto/tls.h"
15#include "eap_common/chap.h"
16#include "eap_common/eap_ttls.h"
17#include "mschapv2.h"
18#include "eap_i.h"
19#include "eap_tls_common.h"
20#include "eap_config.h"
21
22
23#define EAP_TTLS_VERSION 0
24
25
26static void eap_ttls_deinit(struct eap_sm *sm, void *priv);
27
28
29struct eap_ttls_data {
30	struct eap_ssl_data ssl;
31
32	int ttls_version;
33
34	const struct eap_method *phase2_method;
35	void *phase2_priv;
36	int phase2_success;
37	int phase2_start;
38
39	enum phase2_types {
40		EAP_TTLS_PHASE2_EAP,
41		EAP_TTLS_PHASE2_MSCHAPV2,
42		EAP_TTLS_PHASE2_MSCHAP,
43		EAP_TTLS_PHASE2_PAP,
44		EAP_TTLS_PHASE2_CHAP
45	} phase2_type;
46	struct eap_method_type phase2_eap_type;
47	struct eap_method_type *phase2_eap_types;
48	size_t num_phase2_eap_types;
49
50	u8 auth_response[MSCHAPV2_AUTH_RESPONSE_LEN];
51	int auth_response_valid;
52	u8 master_key[MSCHAPV2_MASTER_KEY_LEN]; /* MSCHAPv2 master key */
53	u8 ident;
54	int resuming; /* starting a resumed session */
55	int reauth; /* reauthentication */
56	u8 *key_data;
57	u8 *session_id;
58	size_t id_len;
59
60	struct wpabuf *pending_phase2_req;
61
62#ifdef EAP_TNC
63	int ready_for_tnc;
64	int tnc_started;
65#endif /* EAP_TNC */
66};
67
68
69static void * eap_ttls_init(struct eap_sm *sm)
70{
71	struct eap_ttls_data *data;
72	struct eap_peer_config *config = eap_get_config(sm);
73	char *selected;
74
75	data = os_zalloc(sizeof(*data));
76	if (data == NULL)
77		return NULL;
78	data->ttls_version = EAP_TTLS_VERSION;
79	selected = "EAP";
80	data->phase2_type = EAP_TTLS_PHASE2_EAP;
81
82	if (config && config->phase2) {
83		if (os_strstr(config->phase2, "autheap=")) {
84			selected = "EAP";
85			data->phase2_type = EAP_TTLS_PHASE2_EAP;
86		} else if (os_strstr(config->phase2, "auth=MSCHAPV2")) {
87			selected = "MSCHAPV2";
88			data->phase2_type = EAP_TTLS_PHASE2_MSCHAPV2;
89		} else if (os_strstr(config->phase2, "auth=MSCHAP")) {
90			selected = "MSCHAP";
91			data->phase2_type = EAP_TTLS_PHASE2_MSCHAP;
92		} else if (os_strstr(config->phase2, "auth=PAP")) {
93			selected = "PAP";
94			data->phase2_type = EAP_TTLS_PHASE2_PAP;
95		} else if (os_strstr(config->phase2, "auth=CHAP")) {
96			selected = "CHAP";
97			data->phase2_type = EAP_TTLS_PHASE2_CHAP;
98		}
99	}
100	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 type: %s", selected);
101
102	if (data->phase2_type == EAP_TTLS_PHASE2_EAP) {
103		if (eap_peer_select_phase2_methods(config, "autheap=",
104						   &data->phase2_eap_types,
105						   &data->num_phase2_eap_types)
106		    < 0) {
107			eap_ttls_deinit(sm, data);
108			return NULL;
109		}
110
111		data->phase2_eap_type.vendor = EAP_VENDOR_IETF;
112		data->phase2_eap_type.method = EAP_TYPE_NONE;
113	}
114
115	if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_TTLS)) {
116		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
117		eap_ttls_deinit(sm, data);
118		return NULL;
119	}
120
121	return data;
122}
123
124
125static void eap_ttls_phase2_eap_deinit(struct eap_sm *sm,
126				       struct eap_ttls_data *data)
127{
128	if (data->phase2_priv && data->phase2_method) {
129		data->phase2_method->deinit(sm, data->phase2_priv);
130		data->phase2_method = NULL;
131		data->phase2_priv = NULL;
132	}
133}
134
135
136static void eap_ttls_deinit(struct eap_sm *sm, void *priv)
137{
138	struct eap_ttls_data *data = priv;
139	if (data == NULL)
140		return;
141	eap_ttls_phase2_eap_deinit(sm, data);
142	os_free(data->phase2_eap_types);
143	eap_peer_tls_ssl_deinit(sm, &data->ssl);
144	os_free(data->key_data);
145	os_free(data->session_id);
146	wpabuf_free(data->pending_phase2_req);
147	os_free(data);
148}
149
150
151static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
152			     int mandatory, size_t len)
153{
154	struct ttls_avp_vendor *avp;
155	u8 flags;
156	size_t hdrlen;
157
158	avp = (struct ttls_avp_vendor *) avphdr;
159	flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
160	if (vendor_id) {
161		flags |= AVP_FLAGS_VENDOR;
162		hdrlen = sizeof(*avp);
163		avp->vendor_id = host_to_be32(vendor_id);
164	} else {
165		hdrlen = sizeof(struct ttls_avp);
166	}
167
168	avp->avp_code = host_to_be32(avp_code);
169	avp->avp_length = host_to_be32((flags << 24) | (u32) (hdrlen + len));
170
171	return avphdr + hdrlen;
172}
173
174
175static u8 * eap_ttls_avp_add(u8 *start, u8 *avphdr, u32 avp_code,
176			     u32 vendor_id, int mandatory,
177			     const u8 *data, size_t len)
178{
179	u8 *pos;
180	pos = eap_ttls_avp_hdr(avphdr, avp_code, vendor_id, mandatory, len);
181	os_memcpy(pos, data, len);
182	pos += len;
183	AVP_PAD(start, pos);
184	return pos;
185}
186
187
188static int eap_ttls_avp_encapsulate(struct wpabuf **resp, u32 avp_code,
189				    int mandatory)
190{
191	struct wpabuf *msg;
192	u8 *avp, *pos;
193
194	msg = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(*resp) + 4);
195	if (msg == NULL) {
196		wpabuf_free(*resp);
197		*resp = NULL;
198		return -1;
199	}
200
201	avp = wpabuf_mhead(msg);
202	pos = eap_ttls_avp_hdr(avp, avp_code, 0, mandatory, wpabuf_len(*resp));
203	os_memcpy(pos, wpabuf_head(*resp), wpabuf_len(*resp));
204	pos += wpabuf_len(*resp);
205	AVP_PAD(avp, pos);
206	wpabuf_free(*resp);
207	wpabuf_put(msg, pos - avp);
208	*resp = msg;
209	return 0;
210}
211
212
213static int eap_ttls_v0_derive_key(struct eap_sm *sm,
214				  struct eap_ttls_data *data)
215{
216	os_free(data->key_data);
217	data->key_data = eap_peer_tls_derive_key(sm, &data->ssl,
218						 "ttls keying material",
219						 EAP_TLS_KEY_LEN);
220	if (!data->key_data) {
221		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to derive key");
222		return -1;
223	}
224
225	wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
226			data->key_data, EAP_TLS_KEY_LEN);
227
228	os_free(data->session_id);
229	data->session_id = eap_peer_tls_derive_session_id(sm, &data->ssl,
230							  EAP_TYPE_TTLS,
231	                                                  &data->id_len);
232	if (data->session_id) {
233		wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Derived Session-Id",
234			    data->session_id, data->id_len);
235	} else {
236		wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to derive Session-Id");
237	}
238
239	return 0;
240}
241
242
243static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
244					struct eap_ttls_data *data, size_t len)
245{
246	return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", len);
247}
248
249
250static void eap_ttls_phase2_select_eap_method(struct eap_ttls_data *data,
251					      u8 method)
252{
253	size_t i;
254	for (i = 0; i < data->num_phase2_eap_types; i++) {
255		if (data->phase2_eap_types[i].vendor != EAP_VENDOR_IETF ||
256		    data->phase2_eap_types[i].method != method)
257			continue;
258
259		data->phase2_eap_type.vendor =
260			data->phase2_eap_types[i].vendor;
261		data->phase2_eap_type.method =
262			data->phase2_eap_types[i].method;
263		wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected "
264			   "Phase 2 EAP vendor %d method %d",
265			   data->phase2_eap_type.vendor,
266			   data->phase2_eap_type.method);
267		break;
268	}
269}
270
271
272static int eap_ttls_phase2_eap_process(struct eap_sm *sm,
273				       struct eap_ttls_data *data,
274				       struct eap_method_ret *ret,
275				       struct eap_hdr *hdr, size_t len,
276				       struct wpabuf **resp)
277{
278	struct wpabuf msg;
279	struct eap_method_ret iret;
280
281	os_memset(&iret, 0, sizeof(iret));
282	wpabuf_set(&msg, hdr, len);
283	*resp = data->phase2_method->process(sm, data->phase2_priv, &iret,
284					     &msg);
285	if ((iret.methodState == METHOD_DONE ||
286	     iret.methodState == METHOD_MAY_CONT) &&
287	    (iret.decision == DECISION_UNCOND_SUCC ||
288	     iret.decision == DECISION_COND_SUCC ||
289	     iret.decision == DECISION_FAIL)) {
290		ret->methodState = iret.methodState;
291		ret->decision = iret.decision;
292	}
293
294	return 0;
295}
296
297
298static int eap_ttls_phase2_request_eap_method(struct eap_sm *sm,
299					      struct eap_ttls_data *data,
300					      struct eap_method_ret *ret,
301					      struct eap_hdr *hdr, size_t len,
302					      u8 method, struct wpabuf **resp)
303{
304#ifdef EAP_TNC
305	if (data->tnc_started && data->phase2_method &&
306	    data->phase2_priv && method == EAP_TYPE_TNC &&
307	    data->phase2_eap_type.method == EAP_TYPE_TNC)
308		return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len,
309						   resp);
310
311	if (data->ready_for_tnc && !data->tnc_started &&
312	    method == EAP_TYPE_TNC) {
313		wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed "
314			   "EAP method");
315		data->tnc_started = 1;
316	}
317
318	if (data->tnc_started) {
319		if (data->phase2_eap_type.vendor != EAP_VENDOR_IETF ||
320		    data->phase2_eap_type.method == EAP_TYPE_TNC) {
321			wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected EAP "
322				   "type %d for TNC", method);
323			return -1;
324		}
325
326		data->phase2_eap_type.vendor = EAP_VENDOR_IETF;
327		data->phase2_eap_type.method = method;
328		wpa_printf(MSG_DEBUG, "EAP-TTLS: Selected "
329			   "Phase 2 EAP vendor %d method %d (TNC)",
330			   data->phase2_eap_type.vendor,
331			   data->phase2_eap_type.method);
332
333		if (data->phase2_type == EAP_TTLS_PHASE2_EAP)
334			eap_ttls_phase2_eap_deinit(sm, data);
335	}
336#endif /* EAP_TNC */
337
338	if (data->phase2_eap_type.vendor == EAP_VENDOR_IETF &&
339	    data->phase2_eap_type.method == EAP_TYPE_NONE)
340		eap_ttls_phase2_select_eap_method(data, method);
341
342	if (method != data->phase2_eap_type.method || method == EAP_TYPE_NONE)
343	{
344		if (eap_peer_tls_phase2_nak(data->phase2_eap_types,
345					    data->num_phase2_eap_types,
346					    hdr, resp))
347			return -1;
348		return 0;
349	}
350
351	if (data->phase2_priv == NULL) {
352		data->phase2_method = eap_peer_get_eap_method(
353			EAP_VENDOR_IETF, method);
354		if (data->phase2_method) {
355			sm->init_phase2 = 1;
356			data->phase2_priv = data->phase2_method->init(sm);
357			sm->init_phase2 = 0;
358		}
359	}
360	if (data->phase2_priv == NULL || data->phase2_method == NULL) {
361		wpa_printf(MSG_INFO, "EAP-TTLS: failed to initialize "
362			   "Phase 2 EAP method %d", method);
363		return -1;
364	}
365
366	return eap_ttls_phase2_eap_process(sm, data, ret, hdr, len, resp);
367}
368
369
370static int eap_ttls_phase2_request_eap(struct eap_sm *sm,
371				       struct eap_ttls_data *data,
372				       struct eap_method_ret *ret,
373				       struct eap_hdr *hdr,
374				       struct wpabuf **resp)
375{
376	size_t len = be_to_host16(hdr->length);
377	u8 *pos;
378	struct eap_peer_config *config = eap_get_config(sm);
379
380	if (len <= sizeof(struct eap_hdr)) {
381		wpa_printf(MSG_INFO, "EAP-TTLS: too short "
382			   "Phase 2 request (len=%lu)", (unsigned long) len);
383		return -1;
384	}
385	pos = (u8 *) (hdr + 1);
386	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP Request: type=%d", *pos);
387	switch (*pos) {
388	case EAP_TYPE_IDENTITY:
389		*resp = eap_sm_buildIdentity(sm, hdr->identifier, 1);
390		break;
391	default:
392		if (eap_ttls_phase2_request_eap_method(sm, data, ret, hdr, len,
393						       *pos, resp) < 0)
394			return -1;
395		break;
396	}
397
398	if (*resp == NULL &&
399	    (config->pending_req_identity || config->pending_req_password ||
400	     config->pending_req_otp)) {
401		return 0;
402	}
403
404	if (*resp == NULL)
405		return -1;
406
407	wpa_hexdump_buf(MSG_DEBUG, "EAP-TTLS: AVP encapsulate EAP Response",
408			*resp);
409	return eap_ttls_avp_encapsulate(resp, RADIUS_ATTR_EAP_MESSAGE, 1);
410}
411
412
413static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
414					    struct eap_ttls_data *data,
415					    struct eap_method_ret *ret,
416					    struct wpabuf **resp)
417{
418#ifdef EAP_MSCHAPv2
419	struct wpabuf *msg;
420	u8 *buf, *pos, *challenge, *peer_challenge;
421	const u8 *identity, *password;
422	size_t identity_len, password_len;
423	int pwhash;
424
425	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAPV2 Request");
426
427	identity = eap_get_config_identity(sm, &identity_len);
428	password = eap_get_config_password2(sm, &password_len, &pwhash);
429	if (identity == NULL || password == NULL)
430		return -1;
431
432	msg = wpabuf_alloc(identity_len + 1000);
433	if (msg == NULL) {
434		wpa_printf(MSG_ERROR,
435			   "EAP-TTLS/MSCHAPV2: Failed to allocate memory");
436		return -1;
437	}
438	pos = buf = wpabuf_mhead(msg);
439
440	/* User-Name */
441	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
442			       identity, identity_len);
443
444	/* MS-CHAP-Challenge */
445	challenge = eap_ttls_implicit_challenge(
446		sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
447	if (challenge == NULL) {
448		wpabuf_free(msg);
449		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
450			   "implicit challenge");
451		return -1;
452	}
453
454	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
455			       RADIUS_VENDOR_ID_MICROSOFT, 1,
456			       challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
457
458	/* MS-CHAP2-Response */
459	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_RESPONSE,
460			       RADIUS_VENDOR_ID_MICROSOFT, 1,
461			       EAP_TTLS_MSCHAPV2_RESPONSE_LEN);
462	data->ident = challenge[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN];
463	*pos++ = data->ident;
464	*pos++ = 0; /* Flags */
465	if (os_get_random(pos, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN) < 0) {
466		os_free(challenge);
467		wpabuf_free(msg);
468		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to get "
469			   "random data for peer challenge");
470		return -1;
471	}
472	peer_challenge = pos;
473	pos += EAP_TTLS_MSCHAPV2_CHALLENGE_LEN;
474	os_memset(pos, 0, 8); /* Reserved, must be zero */
475	pos += 8;
476	if (mschapv2_derive_response(identity, identity_len, password,
477				     password_len, pwhash, challenge,
478				     peer_challenge, pos, data->auth_response,
479				     data->master_key)) {
480		os_free(challenge);
481		wpabuf_free(msg);
482		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAPV2: Failed to derive "
483			   "response");
484		return -1;
485	}
486	data->auth_response_valid = 1;
487
488	pos += 24;
489	os_free(challenge);
490	AVP_PAD(buf, pos);
491
492	wpabuf_put(msg, pos - buf);
493	*resp = msg;
494
495	if (sm->workaround) {
496		/* At least FreeRADIUS seems to be terminating
497		 * EAP-TTLS/MSHCAPV2 without the expected MS-CHAP-v2 Success
498		 * packet. */
499		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: EAP workaround - "
500			   "allow success without tunneled response");
501		ret->methodState = METHOD_MAY_CONT;
502		ret->decision = DECISION_COND_SUCC;
503	}
504
505	return 0;
506#else /* EAP_MSCHAPv2 */
507	wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
508	return -1;
509#endif /* EAP_MSCHAPv2 */
510}
511
512
513static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
514					  struct eap_ttls_data *data,
515					  struct eap_method_ret *ret,
516					  struct wpabuf **resp)
517{
518	struct wpabuf *msg;
519	u8 *buf, *pos, *challenge;
520	const u8 *identity, *password;
521	size_t identity_len, password_len;
522	int pwhash;
523
524	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 MSCHAP Request");
525
526	identity = eap_get_config_identity(sm, &identity_len);
527	password = eap_get_config_password2(sm, &password_len, &pwhash);
528	if (identity == NULL || password == NULL)
529		return -1;
530
531	msg = wpabuf_alloc(identity_len + 1000);
532	if (msg == NULL) {
533		wpa_printf(MSG_ERROR,
534			   "EAP-TTLS/MSCHAP: Failed to allocate memory");
535		return -1;
536	}
537	pos = buf = wpabuf_mhead(msg);
538
539	/* User-Name */
540	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
541			       identity, identity_len);
542
543	/* MS-CHAP-Challenge */
544	challenge = eap_ttls_implicit_challenge(
545		sm, data, EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
546	if (challenge == NULL) {
547		wpabuf_free(msg);
548		wpa_printf(MSG_ERROR, "EAP-TTLS/MSCHAP: Failed to derive "
549			   "implicit challenge");
550		return -1;
551	}
552
553	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_MS_CHAP_CHALLENGE,
554			       RADIUS_VENDOR_ID_MICROSOFT, 1,
555			       challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
556
557	/* MS-CHAP-Response */
558	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_RESPONSE,
559			       RADIUS_VENDOR_ID_MICROSOFT, 1,
560			       EAP_TTLS_MSCHAP_RESPONSE_LEN);
561	data->ident = challenge[EAP_TTLS_MSCHAP_CHALLENGE_LEN];
562	*pos++ = data->ident;
563	*pos++ = 1; /* Flags: Use NT style passwords */
564	os_memset(pos, 0, 24); /* LM-Response */
565	pos += 24;
566	if (pwhash) {
567		challenge_response(challenge, password, pos); /* NT-Response */
568		wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password hash",
569				password, 16);
570	} else {
571		nt_challenge_response(challenge, password, password_len,
572				      pos); /* NT-Response */
573		wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: MSCHAP password",
574				      password, password_len);
575	}
576	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP implicit challenge",
577		    challenge, EAP_TTLS_MSCHAP_CHALLENGE_LEN);
578	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: MSCHAP response", pos, 24);
579	pos += 24;
580	os_free(challenge);
581	AVP_PAD(buf, pos);
582
583	wpabuf_put(msg, pos - buf);
584	*resp = msg;
585
586	/* EAP-TTLS/MSCHAP does not provide tunneled success
587	 * notification, so assume that Phase2 succeeds. */
588	ret->methodState = METHOD_DONE;
589	ret->decision = DECISION_COND_SUCC;
590
591	return 0;
592}
593
594
595static int eap_ttls_phase2_request_pap(struct eap_sm *sm,
596				       struct eap_ttls_data *data,
597				       struct eap_method_ret *ret,
598				       struct wpabuf **resp)
599{
600	struct wpabuf *msg;
601	u8 *buf, *pos;
602	size_t pad;
603	const u8 *identity, *password;
604	size_t identity_len, password_len;
605
606	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 PAP Request");
607
608	identity = eap_get_config_identity(sm, &identity_len);
609	password = eap_get_config_password(sm, &password_len);
610	if (identity == NULL || password == NULL)
611		return -1;
612
613	msg = wpabuf_alloc(identity_len + password_len + 100);
614	if (msg == NULL) {
615		wpa_printf(MSG_ERROR,
616			   "EAP-TTLS/PAP: Failed to allocate memory");
617		return -1;
618	}
619	pos = buf = wpabuf_mhead(msg);
620
621	/* User-Name */
622	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
623			       identity, identity_len);
624
625	/* User-Password; in RADIUS, this is encrypted, but EAP-TTLS encrypts
626	 * the data, so no separate encryption is used in the AVP itself.
627	 * However, the password is padded to obfuscate its length. */
628	pad = password_len == 0 ? 16 : (16 - (password_len & 15)) & 15;
629	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_USER_PASSWORD, 0, 1,
630			       password_len + pad);
631	os_memcpy(pos, password, password_len);
632	pos += password_len;
633	os_memset(pos, 0, pad);
634	pos += pad;
635	AVP_PAD(buf, pos);
636
637	wpabuf_put(msg, pos - buf);
638	*resp = msg;
639
640	/* EAP-TTLS/PAP does not provide tunneled success notification,
641	 * so assume that Phase2 succeeds. */
642	ret->methodState = METHOD_DONE;
643	ret->decision = DECISION_COND_SUCC;
644
645	return 0;
646}
647
648
649static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
650					struct eap_ttls_data *data,
651					struct eap_method_ret *ret,
652					struct wpabuf **resp)
653{
654	struct wpabuf *msg;
655	u8 *buf, *pos, *challenge;
656	const u8 *identity, *password;
657	size_t identity_len, password_len;
658
659	wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase 2 CHAP Request");
660
661	identity = eap_get_config_identity(sm, &identity_len);
662	password = eap_get_config_password(sm, &password_len);
663	if (identity == NULL || password == NULL)
664		return -1;
665
666	msg = wpabuf_alloc(identity_len + 1000);
667	if (msg == NULL) {
668		wpa_printf(MSG_ERROR,
669			   "EAP-TTLS/CHAP: Failed to allocate memory");
670		return -1;
671	}
672	pos = buf = wpabuf_mhead(msg);
673
674	/* User-Name */
675	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_USER_NAME, 0, 1,
676			       identity, identity_len);
677
678	/* CHAP-Challenge */
679	challenge = eap_ttls_implicit_challenge(
680		sm, data, EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
681	if (challenge == NULL) {
682		wpabuf_free(msg);
683		wpa_printf(MSG_ERROR, "EAP-TTLS/CHAP: Failed to derive "
684			   "implicit challenge");
685		return -1;
686	}
687
688	pos = eap_ttls_avp_add(buf, pos, RADIUS_ATTR_CHAP_CHALLENGE, 0, 1,
689			       challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
690
691	/* CHAP-Password */
692	pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_CHAP_PASSWORD, 0, 1,
693			       1 + EAP_TTLS_CHAP_PASSWORD_LEN);
694	data->ident = challenge[EAP_TTLS_CHAP_CHALLENGE_LEN];
695	*pos++ = data->ident;
696
697	/* MD5(Ident + Password + Challenge) */
698	chap_md5(data->ident, password, password_len, challenge,
699		 EAP_TTLS_CHAP_CHALLENGE_LEN, pos);
700
701	wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: CHAP username",
702			  identity, identity_len);
703	wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: CHAP password",
704			      password, password_len);
705	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP implicit challenge",
706		    challenge, EAP_TTLS_CHAP_CHALLENGE_LEN);
707	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: CHAP password",
708		    pos, EAP_TTLS_CHAP_PASSWORD_LEN);
709	pos += EAP_TTLS_CHAP_PASSWORD_LEN;
710	os_free(challenge);
711	AVP_PAD(buf, pos);
712
713	wpabuf_put(msg, pos - buf);
714	*resp = msg;
715
716	/* EAP-TTLS/CHAP does not provide tunneled success
717	 * notification, so assume that Phase2 succeeds. */
718	ret->methodState = METHOD_DONE;
719	ret->decision = DECISION_COND_SUCC;
720
721	return 0;
722}
723
724
725static int eap_ttls_phase2_request(struct eap_sm *sm,
726				   struct eap_ttls_data *data,
727				   struct eap_method_ret *ret,
728				   struct eap_hdr *hdr,
729				   struct wpabuf **resp)
730{
731	int res = 0;
732	size_t len;
733	enum phase2_types phase2_type = data->phase2_type;
734
735#ifdef EAP_TNC
736	if (data->tnc_started) {
737		wpa_printf(MSG_DEBUG, "EAP-TTLS: Processing TNC");
738		phase2_type = EAP_TTLS_PHASE2_EAP;
739	}
740#endif /* EAP_TNC */
741
742	if (phase2_type == EAP_TTLS_PHASE2_MSCHAPV2 ||
743	    phase2_type == EAP_TTLS_PHASE2_MSCHAP ||
744	    phase2_type == EAP_TTLS_PHASE2_PAP ||
745	    phase2_type == EAP_TTLS_PHASE2_CHAP) {
746		if (eap_get_config_identity(sm, &len) == NULL) {
747			wpa_printf(MSG_INFO,
748				   "EAP-TTLS: Identity not configured");
749			eap_sm_request_identity(sm);
750			if (eap_get_config_password(sm, &len) == NULL)
751				eap_sm_request_password(sm);
752			return 0;
753		}
754
755		if (eap_get_config_password(sm, &len) == NULL) {
756			wpa_printf(MSG_INFO,
757				   "EAP-TTLS: Password not configured");
758			eap_sm_request_password(sm);
759			return 0;
760		}
761	}
762
763	switch (phase2_type) {
764	case EAP_TTLS_PHASE2_EAP:
765		res = eap_ttls_phase2_request_eap(sm, data, ret, hdr, resp);
766		break;
767	case EAP_TTLS_PHASE2_MSCHAPV2:
768		res = eap_ttls_phase2_request_mschapv2(sm, data, ret, resp);
769		break;
770	case EAP_TTLS_PHASE2_MSCHAP:
771		res = eap_ttls_phase2_request_mschap(sm, data, ret, resp);
772		break;
773	case EAP_TTLS_PHASE2_PAP:
774		res = eap_ttls_phase2_request_pap(sm, data, ret, resp);
775		break;
776	case EAP_TTLS_PHASE2_CHAP:
777		res = eap_ttls_phase2_request_chap(sm, data, ret, resp);
778		break;
779	default:
780		wpa_printf(MSG_ERROR, "EAP-TTLS: Phase 2 - Unknown");
781		res = -1;
782		break;
783	}
784
785	if (res < 0) {
786		ret->methodState = METHOD_DONE;
787		ret->decision = DECISION_FAIL;
788	}
789
790	return res;
791}
792
793
794struct ttls_parse_avp {
795	u8 *mschapv2;
796	u8 *eapdata;
797	size_t eap_len;
798	int mschapv2_error;
799};
800
801
802static int eap_ttls_parse_attr_eap(const u8 *dpos, size_t dlen,
803				   struct ttls_parse_avp *parse)
804{
805	wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
806	if (parse->eapdata == NULL) {
807		parse->eapdata = os_malloc(dlen);
808		if (parse->eapdata == NULL) {
809			wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate "
810				   "memory for Phase 2 EAP data");
811			return -1;
812		}
813		os_memcpy(parse->eapdata, dpos, dlen);
814		parse->eap_len = dlen;
815	} else {
816		u8 *neweap = os_realloc(parse->eapdata, parse->eap_len + dlen);
817		if (neweap == NULL) {
818			wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to allocate "
819				   "memory for Phase 2 EAP data");
820			return -1;
821		}
822		os_memcpy(neweap + parse->eap_len, dpos, dlen);
823		parse->eapdata = neweap;
824		parse->eap_len += dlen;
825	}
826
827	return 0;
828}
829
830
831static int eap_ttls_parse_avp(u8 *pos, size_t left,
832			      struct ttls_parse_avp *parse)
833{
834	struct ttls_avp *avp;
835	u32 avp_code, avp_length, vendor_id = 0;
836	u8 avp_flags, *dpos;
837	size_t dlen;
838
839	avp = (struct ttls_avp *) pos;
840	avp_code = be_to_host32(avp->avp_code);
841	avp_length = be_to_host32(avp->avp_length);
842	avp_flags = (avp_length >> 24) & 0xff;
843	avp_length &= 0xffffff;
844	wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
845		   "length=%d", (int) avp_code, avp_flags,
846		   (int) avp_length);
847
848	if (avp_length > left) {
849		wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
850			   "(len=%d, left=%lu) - dropped",
851			   (int) avp_length, (unsigned long) left);
852		return -1;
853	}
854
855	if (avp_length < sizeof(*avp)) {
856		wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length %d",
857			   avp_length);
858		return -1;
859	}
860
861	dpos = (u8 *) (avp + 1);
862	dlen = avp_length - sizeof(*avp);
863	if (avp_flags & AVP_FLAGS_VENDOR) {
864		if (dlen < 4) {
865			wpa_printf(MSG_WARNING, "EAP-TTLS: Vendor AVP "
866				   "underflow");
867			return -1;
868		}
869		vendor_id = WPA_GET_BE32(dpos);
870		wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
871			   (int) vendor_id);
872		dpos += 4;
873		dlen -= 4;
874	}
875
876	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
877
878	if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
879		if (eap_ttls_parse_attr_eap(dpos, dlen, parse) < 0)
880			return -1;
881	} else if (vendor_id == 0 && avp_code == RADIUS_ATTR_REPLY_MESSAGE) {
882		/* This is an optional message that can be displayed to
883		 * the user. */
884		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: AVP - Reply-Message",
885				  dpos, dlen);
886	} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
887		   avp_code == RADIUS_ATTR_MS_CHAP2_SUCCESS) {
888		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP2-Success",
889				  dpos, dlen);
890		if (dlen != 43) {
891			wpa_printf(MSG_WARNING, "EAP-TTLS: Unexpected "
892				   "MS-CHAP2-Success length "
893				   "(len=%lu, expected 43)",
894				   (unsigned long) dlen);
895			return -1;
896		}
897		parse->mschapv2 = dpos;
898	} else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
899		   avp_code == RADIUS_ATTR_MS_CHAP_ERROR) {
900		wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: MS-CHAP-Error",
901				  dpos, dlen);
902		parse->mschapv2_error = 1;
903	} else if (avp_flags & AVP_FLAGS_MANDATORY) {
904		wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported mandatory AVP "
905			   "code %d vendor_id %d - dropped",
906			   (int) avp_code, (int) vendor_id);
907		return -1;
908	} else {
909		wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported AVP "
910			   "code %d vendor_id %d",
911			   (int) avp_code, (int) vendor_id);
912	}
913
914	return avp_length;
915}
916
917
918static int eap_ttls_parse_avps(struct wpabuf *in_decrypted,
919			       struct ttls_parse_avp *parse)
920{
921	u8 *pos;
922	size_t left, pad;
923	int avp_length;
924
925	pos = wpabuf_mhead(in_decrypted);
926	left = wpabuf_len(in_decrypted);
927	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 AVPs", pos, left);
928	if (left < sizeof(struct ttls_avp)) {
929		wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 AVP frame"
930			   " len=%lu expected %lu or more - dropped",
931			   (unsigned long) left,
932			   (unsigned long) sizeof(struct ttls_avp));
933		return -1;
934	}
935
936	/* Parse AVPs */
937	os_memset(parse, 0, sizeof(*parse));
938
939	while (left > 0) {
940		avp_length = eap_ttls_parse_avp(pos, left, parse);
941		if (avp_length < 0)
942			return -1;
943
944		pad = (4 - (avp_length & 3)) & 3;
945		pos += avp_length + pad;
946		if (left < avp_length + pad)
947			left = 0;
948		else
949			left -= avp_length + pad;
950	}
951
952	return 0;
953}
954
955
956static u8 * eap_ttls_fake_identity_request(void)
957{
958	struct eap_hdr *hdr;
959	u8 *buf;
960
961	wpa_printf(MSG_DEBUG, "EAP-TTLS: empty data in beginning of "
962		   "Phase 2 - use fake EAP-Request Identity");
963	buf = os_malloc(sizeof(*hdr) + 1);
964	if (buf == NULL) {
965		wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate "
966			   "memory for fake EAP-Identity Request");
967		return NULL;
968	}
969
970	hdr = (struct eap_hdr *) buf;
971	hdr->code = EAP_CODE_REQUEST;
972	hdr->identifier = 0;
973	hdr->length = host_to_be16(sizeof(*hdr) + 1);
974	buf[sizeof(*hdr)] = EAP_TYPE_IDENTITY;
975
976	return buf;
977}
978
979
980static int eap_ttls_encrypt_response(struct eap_sm *sm,
981				     struct eap_ttls_data *data,
982				     struct wpabuf *resp, u8 identifier,
983				     struct wpabuf **out_data)
984{
985	if (resp == NULL)
986		return 0;
987
988	wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Encrypting Phase 2 data",
989			    resp);
990	if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS,
991				 data->ttls_version, identifier,
992				 resp, out_data)) {
993		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt a Phase 2 "
994			   "frame");
995		return -1;
996	}
997	wpabuf_free(resp);
998
999	return 0;
1000}
1001
1002
1003static int eap_ttls_process_phase2_eap(struct eap_sm *sm,
1004				       struct eap_ttls_data *data,
1005				       struct eap_method_ret *ret,
1006				       struct ttls_parse_avp *parse,
1007				       struct wpabuf **resp)
1008{
1009	struct eap_hdr *hdr;
1010	size_t len;
1011
1012	if (parse->eapdata == NULL) {
1013		wpa_printf(MSG_WARNING, "EAP-TTLS: No EAP Message in the "
1014			   "packet - dropped");
1015		return -1;
1016	}
1017
1018	wpa_hexdump(MSG_DEBUG, "EAP-TTLS: Phase 2 EAP",
1019		    parse->eapdata, parse->eap_len);
1020	hdr = (struct eap_hdr *) parse->eapdata;
1021
1022	if (parse->eap_len < sizeof(*hdr)) {
1023		wpa_printf(MSG_WARNING, "EAP-TTLS: Too short Phase 2 EAP "
1024			   "frame (len=%lu, expected %lu or more) - dropped",
1025			   (unsigned long) parse->eap_len,
1026			   (unsigned long) sizeof(*hdr));
1027		return -1;
1028	}
1029	len = be_to_host16(hdr->length);
1030	if (len > parse->eap_len) {
1031		wpa_printf(MSG_INFO, "EAP-TTLS: Length mismatch in Phase 2 "
1032			   "EAP frame (EAP hdr len=%lu, EAP data len in "
1033			   "AVP=%lu)",
1034			   (unsigned long) len,
1035			   (unsigned long) parse->eap_len);
1036		return -1;
1037	}
1038	wpa_printf(MSG_DEBUG, "EAP-TTLS: received Phase 2: code=%d "
1039		   "identifier=%d length=%lu",
1040		   hdr->code, hdr->identifier, (unsigned long) len);
1041	switch (hdr->code) {
1042	case EAP_CODE_REQUEST:
1043		if (eap_ttls_phase2_request(sm, data, ret, hdr, resp)) {
1044			wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request "
1045				   "processing failed");
1046			return -1;
1047		}
1048		break;
1049	default:
1050		wpa_printf(MSG_INFO, "EAP-TTLS: Unexpected code=%d in "
1051			   "Phase 2 EAP header", hdr->code);
1052		return -1;
1053	}
1054
1055	return 0;
1056}
1057
1058
1059static int eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
1060					    struct eap_ttls_data *data,
1061					    struct eap_method_ret *ret,
1062					    struct ttls_parse_avp *parse)
1063{
1064#ifdef EAP_MSCHAPv2
1065	if (parse->mschapv2_error) {
1066		wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Received "
1067			   "MS-CHAP-Error - failed");
1068		ret->methodState = METHOD_DONE;
1069		ret->decision = DECISION_FAIL;
1070		/* Reply with empty data to ACK error */
1071		return 1;
1072	}
1073
1074	if (parse->mschapv2 == NULL) {
1075#ifdef EAP_TNC
1076		if (data->phase2_success && parse->eapdata) {
1077			/*
1078			 * Allow EAP-TNC to be started after successfully
1079			 * completed MSCHAPV2.
1080			 */
1081			return 1;
1082		}
1083#endif /* EAP_TNC */
1084		wpa_printf(MSG_WARNING, "EAP-TTLS: no MS-CHAP2-Success AVP "
1085			   "received for Phase2 MSCHAPV2");
1086		return -1;
1087	}
1088	if (parse->mschapv2[0] != data->ident) {
1089		wpa_printf(MSG_WARNING, "EAP-TTLS: Ident mismatch for Phase 2 "
1090			   "MSCHAPV2 (received Ident 0x%02x, expected 0x%02x)",
1091			   parse->mschapv2[0], data->ident);
1092		return -1;
1093	}
1094	if (!data->auth_response_valid ||
1095	    mschapv2_verify_auth_response(data->auth_response,
1096					  parse->mschapv2 + 1, 42)) {
1097		wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid authenticator "
1098			   "response in Phase 2 MSCHAPV2 success request");
1099		return -1;
1100	}
1101
1102	wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 MSCHAPV2 "
1103		   "authentication succeeded");
1104	ret->methodState = METHOD_DONE;
1105	ret->decision = DECISION_UNCOND_SUCC;
1106	data->phase2_success = 1;
1107
1108	/*
1109	 * Reply with empty data; authentication server will reply
1110	 * with EAP-Success after this.
1111	 */
1112	return 1;
1113#else /* EAP_MSCHAPv2 */
1114	wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
1115	return -1;
1116#endif /* EAP_MSCHAPv2 */
1117}
1118
1119
1120#ifdef EAP_TNC
1121static int eap_ttls_process_tnc_start(struct eap_sm *sm,
1122				      struct eap_ttls_data *data,
1123				      struct eap_method_ret *ret,
1124				      struct ttls_parse_avp *parse,
1125				      struct wpabuf **resp)
1126{
1127	/* TNC uses inner EAP method after non-EAP TTLS phase 2. */
1128	if (parse->eapdata == NULL) {
1129		wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received "
1130			   "unexpected tunneled data (no EAP)");
1131		return -1;
1132	}
1133
1134	if (!data->ready_for_tnc) {
1135		wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received "
1136			   "EAP after non-EAP, but not ready for TNC");
1137		return -1;
1138	}
1139
1140	wpa_printf(MSG_DEBUG, "EAP-TTLS: Start TNC after completed "
1141		   "non-EAP method");
1142	data->tnc_started = 1;
1143
1144	if (eap_ttls_process_phase2_eap(sm, data, ret, parse, resp) < 0)
1145		return -1;
1146
1147	return 0;
1148}
1149#endif /* EAP_TNC */
1150
1151
1152static int eap_ttls_process_decrypted(struct eap_sm *sm,
1153				      struct eap_ttls_data *data,
1154				      struct eap_method_ret *ret,
1155				      u8 identifier,
1156				      struct ttls_parse_avp *parse,
1157				      struct wpabuf *in_decrypted,
1158				      struct wpabuf **out_data)
1159{
1160	struct wpabuf *resp = NULL;
1161	struct eap_peer_config *config = eap_get_config(sm);
1162	int res;
1163	enum phase2_types phase2_type = data->phase2_type;
1164
1165#ifdef EAP_TNC
1166	if (data->tnc_started)
1167		phase2_type = EAP_TTLS_PHASE2_EAP;
1168#endif /* EAP_TNC */
1169
1170	switch (phase2_type) {
1171	case EAP_TTLS_PHASE2_EAP:
1172		if (eap_ttls_process_phase2_eap(sm, data, ret, parse, &resp) <
1173		    0)
1174			return -1;
1175		break;
1176	case EAP_TTLS_PHASE2_MSCHAPV2:
1177		res = eap_ttls_process_phase2_mschapv2(sm, data, ret, parse);
1178#ifdef EAP_TNC
1179		if (res == 1 && parse->eapdata && data->phase2_success) {
1180			/*
1181			 * TNC may be required as the next
1182			 * authentication method within the tunnel.
1183			 */
1184			ret->methodState = METHOD_MAY_CONT;
1185			data->ready_for_tnc = 1;
1186			if (eap_ttls_process_tnc_start(sm, data, ret, parse,
1187						       &resp) == 0)
1188				break;
1189		}
1190#endif /* EAP_TNC */
1191		return res;
1192	case EAP_TTLS_PHASE2_MSCHAP:
1193	case EAP_TTLS_PHASE2_PAP:
1194	case EAP_TTLS_PHASE2_CHAP:
1195#ifdef EAP_TNC
1196		if (eap_ttls_process_tnc_start(sm, data, ret, parse, &resp) <
1197		    0)
1198			return -1;
1199		break;
1200#else /* EAP_TNC */
1201		/* EAP-TTLS/{MSCHAP,PAP,CHAP} should not send any TLS tunneled
1202		 * requests to the supplicant */
1203		wpa_printf(MSG_INFO, "EAP-TTLS: Phase 2 received unexpected "
1204			   "tunneled data");
1205		return -1;
1206#endif /* EAP_TNC */
1207	}
1208
1209	if (resp) {
1210		if (eap_ttls_encrypt_response(sm, data, resp, identifier,
1211					      out_data) < 0)
1212			return -1;
1213	} else if (config->pending_req_identity ||
1214		   config->pending_req_password ||
1215		   config->pending_req_otp ||
1216		   config->pending_req_new_password) {
1217		wpabuf_free(data->pending_phase2_req);
1218		data->pending_phase2_req = wpabuf_dup(in_decrypted);
1219	}
1220
1221	return 0;
1222}
1223
1224
1225static int eap_ttls_implicit_identity_request(struct eap_sm *sm,
1226					      struct eap_ttls_data *data,
1227					      struct eap_method_ret *ret,
1228					      u8 identifier,
1229					      struct wpabuf **out_data)
1230{
1231	int retval = 0;
1232	struct eap_hdr *hdr;
1233	struct wpabuf *resp;
1234
1235	hdr = (struct eap_hdr *) eap_ttls_fake_identity_request();
1236	if (hdr == NULL) {
1237		ret->methodState = METHOD_DONE;
1238		ret->decision = DECISION_FAIL;
1239		return -1;
1240	}
1241
1242	resp = NULL;
1243	if (eap_ttls_phase2_request(sm, data, ret, hdr, &resp)) {
1244		wpa_printf(MSG_INFO, "EAP-TTLS: Phase2 Request "
1245			   "processing failed");
1246		retval = -1;
1247	} else {
1248		struct eap_peer_config *config = eap_get_config(sm);
1249		if (resp == NULL &&
1250		    (config->pending_req_identity ||
1251		     config->pending_req_password ||
1252		     config->pending_req_otp ||
1253		     config->pending_req_new_password)) {
1254			/*
1255			 * Use empty buffer to force implicit request
1256			 * processing when EAP request is re-processed after
1257			 * user input.
1258			 */
1259			wpabuf_free(data->pending_phase2_req);
1260			data->pending_phase2_req = wpabuf_alloc(0);
1261		}
1262
1263		retval = eap_ttls_encrypt_response(sm, data, resp, identifier,
1264						   out_data);
1265	}
1266
1267	os_free(hdr);
1268
1269	if (retval < 0) {
1270		ret->methodState = METHOD_DONE;
1271		ret->decision = DECISION_FAIL;
1272	}
1273
1274	return retval;
1275}
1276
1277
1278static int eap_ttls_phase2_start(struct eap_sm *sm, struct eap_ttls_data *data,
1279				 struct eap_method_ret *ret, u8 identifier,
1280				 struct wpabuf **out_data)
1281{
1282	data->phase2_start = 0;
1283
1284	/*
1285	 * EAP-TTLS does not use Phase2 on fast re-auth; this must be done only
1286	 * if TLS part was indeed resuming a previous session. Most
1287	 * Authentication Servers terminate EAP-TTLS before reaching this
1288	 * point, but some do not. Make wpa_supplicant stop phase 2 here, if
1289	 * needed.
1290	 */
1291	if (data->reauth &&
1292	    tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
1293		wpa_printf(MSG_DEBUG, "EAP-TTLS: Session resumption - "
1294			   "skip phase 2");
1295		*out_data = eap_peer_tls_build_ack(identifier, EAP_TYPE_TTLS,
1296						   data->ttls_version);
1297		ret->methodState = METHOD_DONE;
1298		ret->decision = DECISION_UNCOND_SUCC;
1299		data->phase2_success = 1;
1300		return 0;
1301	}
1302
1303	return eap_ttls_implicit_identity_request(sm, data, ret, identifier,
1304						  out_data);
1305}
1306
1307
1308static int eap_ttls_decrypt(struct eap_sm *sm, struct eap_ttls_data *data,
1309			    struct eap_method_ret *ret, u8 identifier,
1310			    const struct wpabuf *in_data,
1311			    struct wpabuf **out_data)
1312{
1313	struct wpabuf *in_decrypted = NULL;
1314	int retval = 0;
1315	struct ttls_parse_avp parse;
1316
1317	os_memset(&parse, 0, sizeof(parse));
1318
1319	wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
1320		   " Phase 2",
1321		   in_data ? (unsigned long) wpabuf_len(in_data) : 0);
1322
1323	if (data->pending_phase2_req) {
1324		wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - "
1325			   "skip decryption and use old data");
1326		/* Clear TLS reassembly state. */
1327		eap_peer_tls_reset_input(&data->ssl);
1328
1329		in_decrypted = data->pending_phase2_req;
1330		data->pending_phase2_req = NULL;
1331		if (wpabuf_len(in_decrypted) == 0) {
1332			wpabuf_free(in_decrypted);
1333			return eap_ttls_implicit_identity_request(
1334				sm, data, ret, identifier, out_data);
1335		}
1336		goto continue_req;
1337	}
1338
1339	if ((in_data == NULL || wpabuf_len(in_data) == 0) &&
1340	    data->phase2_start) {
1341		return eap_ttls_phase2_start(sm, data, ret, identifier,
1342					     out_data);
1343	}
1344
1345	if (in_data == NULL || wpabuf_len(in_data) == 0) {
1346		/* Received TLS ACK - requesting more fragments */
1347		return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_TTLS,
1348					    data->ttls_version,
1349					    identifier, NULL, out_data);
1350	}
1351
1352	retval = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted);
1353	if (retval)
1354		goto done;
1355
1356continue_req:
1357	data->phase2_start = 0;
1358
1359	if (eap_ttls_parse_avps(in_decrypted, &parse) < 0) {
1360		retval = -1;
1361		goto done;
1362	}
1363
1364	retval = eap_ttls_process_decrypted(sm, data, ret, identifier,
1365					    &parse, in_decrypted, out_data);
1366
1367done:
1368	wpabuf_free(in_decrypted);
1369	os_free(parse.eapdata);
1370
1371	if (retval < 0) {
1372		ret->methodState = METHOD_DONE;
1373		ret->decision = DECISION_FAIL;
1374	}
1375
1376	return retval;
1377}
1378
1379
1380static int eap_ttls_process_handshake(struct eap_sm *sm,
1381				      struct eap_ttls_data *data,
1382				      struct eap_method_ret *ret,
1383				      u8 identifier,
1384				      const u8 *in_data, size_t in_len,
1385				      struct wpabuf **out_data)
1386{
1387	int res;
1388
1389	res = eap_peer_tls_process_helper(sm, &data->ssl, EAP_TYPE_TTLS,
1390					  data->ttls_version, identifier,
1391					  in_data, in_len, out_data);
1392
1393	if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
1394		wpa_printf(MSG_DEBUG, "EAP-TTLS: TLS done, proceed to "
1395			   "Phase 2");
1396		if (data->resuming) {
1397			wpa_printf(MSG_DEBUG, "EAP-TTLS: fast reauth - may "
1398				   "skip Phase 2");
1399			ret->decision = DECISION_COND_SUCC;
1400			ret->methodState = METHOD_MAY_CONT;
1401		}
1402		data->phase2_start = 1;
1403		eap_ttls_v0_derive_key(sm, data);
1404
1405		if (*out_data == NULL || wpabuf_len(*out_data) == 0) {
1406			if (eap_ttls_decrypt(sm, data, ret, identifier,
1407					     NULL, out_data)) {
1408				wpa_printf(MSG_WARNING, "EAP-TTLS: "
1409					   "failed to process early "
1410					   "start for Phase 2");
1411			}
1412			res = 0;
1413		}
1414		data->resuming = 0;
1415	}
1416
1417	if (res == 2) {
1418		struct wpabuf msg;
1419		/*
1420		 * Application data included in the handshake message.
1421		 */
1422		wpabuf_free(data->pending_phase2_req);
1423		data->pending_phase2_req = *out_data;
1424		*out_data = NULL;
1425		wpabuf_set(&msg, in_data, in_len);
1426		res = eap_ttls_decrypt(sm, data, ret, identifier, &msg,
1427				       out_data);
1428	}
1429
1430	return res;
1431}
1432
1433
1434static void eap_ttls_check_auth_status(struct eap_sm *sm,
1435				       struct eap_ttls_data *data,
1436				       struct eap_method_ret *ret)
1437{
1438	if (ret->methodState == METHOD_DONE) {
1439		ret->allowNotifications = FALSE;
1440		if (ret->decision == DECISION_UNCOND_SUCC ||
1441		    ret->decision == DECISION_COND_SUCC) {
1442			wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1443				   "completed successfully");
1444			data->phase2_success = 1;
1445#ifdef EAP_TNC
1446			if (!data->ready_for_tnc && !data->tnc_started) {
1447				/*
1448				 * TNC may be required as the next
1449				 * authentication method within the tunnel.
1450				 */
1451				ret->methodState = METHOD_MAY_CONT;
1452				data->ready_for_tnc = 1;
1453			}
1454#endif /* EAP_TNC */
1455		}
1456	} else if (ret->methodState == METHOD_MAY_CONT &&
1457		   (ret->decision == DECISION_UNCOND_SUCC ||
1458		    ret->decision == DECISION_COND_SUCC)) {
1459			wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication "
1460				   "completed successfully (MAY_CONT)");
1461			data->phase2_success = 1;
1462	}
1463}
1464
1465
1466static struct wpabuf * eap_ttls_process(struct eap_sm *sm, void *priv,
1467					struct eap_method_ret *ret,
1468					const struct wpabuf *reqData)
1469{
1470	size_t left;
1471	int res;
1472	u8 flags, id;
1473	struct wpabuf *resp;
1474	const u8 *pos;
1475	struct eap_ttls_data *data = priv;
1476
1477	pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_TTLS, ret,
1478					reqData, &left, &flags);
1479	if (pos == NULL)
1480		return NULL;
1481	id = eap_get_id(reqData);
1482
1483	if (flags & EAP_TLS_FLAGS_START) {
1484		wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own "
1485			   "ver=%d)", flags & EAP_TLS_VERSION_MASK,
1486			   data->ttls_version);
1487
1488		/* RFC 5281, Ch. 9.2:
1489		 * "This packet MAY contain additional information in the form
1490		 * of AVPs, which may provide useful hints to the client"
1491		 * For now, ignore any potential extra data.
1492		 */
1493		left = 0;
1494	}
1495
1496	resp = NULL;
1497	if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1498	    !data->resuming) {
1499		struct wpabuf msg;
1500		wpabuf_set(&msg, pos, left);
1501		res = eap_ttls_decrypt(sm, data, ret, id, &msg, &resp);
1502	} else {
1503		res = eap_ttls_process_handshake(sm, data, ret, id,
1504						 pos, left, &resp);
1505	}
1506
1507	eap_ttls_check_auth_status(sm, data, ret);
1508
1509	/* FIX: what about res == -1? Could just move all error processing into
1510	 * the other functions and get rid of this res==1 case here. */
1511	if (res == 1) {
1512		wpabuf_free(resp);
1513		return eap_peer_tls_build_ack(id, EAP_TYPE_TTLS,
1514					      data->ttls_version);
1515	}
1516	return resp;
1517}
1518
1519
1520static Boolean eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv)
1521{
1522	struct eap_ttls_data *data = priv;
1523	return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
1524		data->phase2_success;
1525}
1526
1527
1528static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv)
1529{
1530	struct eap_ttls_data *data = priv;
1531	wpabuf_free(data->pending_phase2_req);
1532	data->pending_phase2_req = NULL;
1533#ifdef EAP_TNC
1534	data->ready_for_tnc = 0;
1535	data->tnc_started = 0;
1536#endif /* EAP_TNC */
1537}
1538
1539
1540static void * eap_ttls_init_for_reauth(struct eap_sm *sm, void *priv)
1541{
1542	struct eap_ttls_data *data = priv;
1543	os_free(data->key_data);
1544	data->key_data = NULL;
1545	os_free(data->session_id);
1546	data->session_id = NULL;
1547	if (eap_peer_tls_reauth_init(sm, &data->ssl)) {
1548		os_free(data);
1549		return NULL;
1550	}
1551	if (data->phase2_priv && data->phase2_method &&
1552	    data->phase2_method->init_for_reauth)
1553		data->phase2_method->init_for_reauth(sm, data->phase2_priv);
1554	data->phase2_start = 0;
1555	data->phase2_success = 0;
1556	data->resuming = 1;
1557	data->reauth = 1;
1558	return priv;
1559}
1560
1561
1562static int eap_ttls_get_status(struct eap_sm *sm, void *priv, char *buf,
1563			       size_t buflen, int verbose)
1564{
1565	struct eap_ttls_data *data = priv;
1566	int len, ret;
1567
1568	len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose);
1569	ret = os_snprintf(buf + len, buflen - len,
1570			  "EAP-TTLSv%d Phase2 method=",
1571			  data->ttls_version);
1572	if (ret < 0 || (size_t) ret >= buflen - len)
1573		return len;
1574	len += ret;
1575	switch (data->phase2_type) {
1576	case EAP_TTLS_PHASE2_EAP:
1577		ret = os_snprintf(buf + len, buflen - len, "EAP-%s\n",
1578				  data->phase2_method ?
1579				  data->phase2_method->name : "?");
1580		break;
1581	case EAP_TTLS_PHASE2_MSCHAPV2:
1582		ret = os_snprintf(buf + len, buflen - len, "MSCHAPV2\n");
1583		break;
1584	case EAP_TTLS_PHASE2_MSCHAP:
1585		ret = os_snprintf(buf + len, buflen - len, "MSCHAP\n");
1586		break;
1587	case EAP_TTLS_PHASE2_PAP:
1588		ret = os_snprintf(buf + len, buflen - len, "PAP\n");
1589		break;
1590	case EAP_TTLS_PHASE2_CHAP:
1591		ret = os_snprintf(buf + len, buflen - len, "CHAP\n");
1592		break;
1593	default:
1594		ret = 0;
1595		break;
1596	}
1597	if (ret < 0 || (size_t) ret >= buflen - len)
1598		return len;
1599	len += ret;
1600
1601	return len;
1602}
1603
1604
1605static Boolean eap_ttls_isKeyAvailable(struct eap_sm *sm, void *priv)
1606{
1607	struct eap_ttls_data *data = priv;
1608	return data->key_data != NULL && data->phase2_success;
1609}
1610
1611
1612static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1613{
1614	struct eap_ttls_data *data = priv;
1615	u8 *key;
1616
1617	if (data->key_data == NULL || !data->phase2_success)
1618		return NULL;
1619
1620	key = os_malloc(EAP_TLS_KEY_LEN);
1621	if (key == NULL)
1622		return NULL;
1623
1624	*len = EAP_TLS_KEY_LEN;
1625	os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN);
1626
1627	return key;
1628}
1629
1630
1631static u8 * eap_ttls_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
1632{
1633	struct eap_ttls_data *data = priv;
1634	u8 *id;
1635
1636	if (data->session_id == NULL || !data->phase2_success)
1637		return NULL;
1638
1639	id = os_malloc(data->id_len);
1640	if (id == NULL)
1641		return NULL;
1642
1643	*len = data->id_len;
1644	os_memcpy(id, data->session_id, data->id_len);
1645
1646	return id;
1647}
1648
1649
1650int eap_peer_ttls_register(void)
1651{
1652	struct eap_method *eap;
1653	int ret;
1654
1655	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
1656				    EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1657	if (eap == NULL)
1658		return -1;
1659
1660	eap->init = eap_ttls_init;
1661	eap->deinit = eap_ttls_deinit;
1662	eap->process = eap_ttls_process;
1663	eap->isKeyAvailable = eap_ttls_isKeyAvailable;
1664	eap->getKey = eap_ttls_getKey;
1665	eap->getSessionId = eap_ttls_get_session_id;
1666	eap->get_status = eap_ttls_get_status;
1667	eap->has_reauth_data = eap_ttls_has_reauth_data;
1668	eap->deinit_for_reauth = eap_ttls_deinit_for_reauth;
1669	eap->init_for_reauth = eap_ttls_init_for_reauth;
1670
1671	ret = eap_peer_method_register(eap);
1672	if (ret)
1673		eap_peer_method_free(eap);
1674	return ret;
1675}
1676