src/eap_server/eap_peap.c

   1 /*
   2  * hostapd / EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-10.txt)
   3  * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "sha1.h"
  19 #include "eap_i.h"
  20 #include "eap_tls_common.h"
  21 #include "eap_common/eap_tlv_common.h"
  22 #include "tls.h"
  23
  24
  25 /* Maximum supported PEAP version
  26  * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
  27  * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt
  28  * 2 = draft-josefsson-ppext-eap-tls-eap-10.txt
  29  */
  30 #define EAP_PEAP_VERSION 1
  31
  32
  33 static void eap_peap_reset(struct eap_sm *sm, void *priv);
  34
  35
  36 struct eap_peap_data {
  37         struct eap_ssl_data ssl;
  38         enum {
  39                 START, PHASE1, PHASE1_ID2, PHASE2_START, PHASE2_ID,
  40                 PHASE2_METHOD,
  41                 PHASE2_TLV, SUCCESS_REQ, FAILURE_REQ, SUCCESS, FAILURE
  42         } state;
  43
  44         int peap_version;
  45         int recv_version;
  46         const struct eap_method *phase2_method;
  47         void *phase2_priv;
  48         int force_version;
  49         struct wpabuf *pending_phase2_resp;
  50         enum { TLV_REQ_NONE, TLV_REQ_SUCCESS, TLV_REQ_FAILURE } tlv_request;
  51         int crypto_binding_sent;
  52         int crypto_binding_used;
  53         enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding;
  54         u8 binding_nonce[32];
  55         u8 ipmk[40];
  56         u8 cmk[20];
  57         u8 *phase2_key;
  58         size_t phase2_key_len;
  59 };
  60
  61
  62 static const char * eap_peap_state_txt(int state)
  63 {
  64         switch (state) {
  65         case START:
  66                 return "START";
  67         case PHASE1:
  68                 return "PHASE1";
  69         case PHASE1_ID2:
  70                 return "PHASE1_ID2";
  71         case PHASE2_START:
  72                 return "PHASE2_START";
  73         case PHASE2_ID:
  74                 return "PHASE2_ID";
  75         case PHASE2_METHOD:
  76                 return "PHASE2_METHOD";
  77         case PHASE2_TLV:
  78                 return "PHASE2_TLV";
  79         case SUCCESS_REQ:
  80                 return "SUCCESS_REQ";
  81         case FAILURE_REQ:
  82                 return "FAILURE_REQ";
  83         case SUCCESS:
  84                 return "SUCCESS";
  85         case FAILURE:
  86                 return "FAILURE";
  87         default:
  88                 return "Unknown?!";
  89         }
  90 }
  91
  92
  93 static void eap_peap_state(struct eap_peap_data *data, int state)
  94 {
  95         wpa_printf(MSG_DEBUG, "EAP-PEAP: %s -> %s",
  96                    eap_peap_state_txt(data->state),
  97                    eap_peap_state_txt(state));
  98         data->state = state;
  99 }
 100
 101
 102 static struct wpabuf * eap_peapv2_tlv_eap_payload(struct wpabuf *buf)
 103 {
 104         struct wpabuf *e;
 105         struct eap_tlv_hdr *tlv;
 106
 107         if (buf == NULL)
 108                 return NULL;
 109
 110         /* Encapsulate EAP packet in EAP-Payload TLV */
 111         wpa_printf(MSG_DEBUG, "EAP-PEAPv2: Add EAP-Payload TLV");
 112         e = wpabuf_alloc(sizeof(*tlv) + wpabuf_len(buf));
 113         if (e == NULL) {
 114                 wpa_printf(MSG_DEBUG, "EAP-PEAPv2: Failed to allocate memory "
 115                            "for TLV encapsulation");
 116                 wpabuf_free(buf);
 117                 return NULL;
 118         }
 119         tlv = wpabuf_put(e, sizeof(*tlv));
 120         tlv->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY |
 121                                      EAP_TLV_EAP_PAYLOAD_TLV);
 122         tlv->length = host_to_be16(wpabuf_len(buf));
 123         wpabuf_put_buf(e, buf);
 124         wpabuf_free(buf);
 125         return e;
 126 }
 127
 128
 129 static void eap_peap_req_success(struct eap_sm *sm,
 130                                  struct eap_peap_data *data)
 131 {
 132         if (data->state == FAILURE || data->state == FAILURE_REQ) {
 133                 eap_peap_state(data, FAILURE);
 134                 return;
 135         }
 136
 137         if (data->peap_version == 0) {
 138                 data->tlv_request = TLV_REQ_SUCCESS;
 139                 eap_peap_state(data, PHASE2_TLV);
 140         } else {
 141                 eap_peap_state(data, SUCCESS_REQ);
 142         }
 143 }
 144
 145
 146 static void eap_peap_req_failure(struct eap_sm *sm,
 147                                  struct eap_peap_data *data)
 148 {
 149         if (data->state == FAILURE || data->state == FAILURE_REQ ||
 150             data->state == SUCCESS_REQ || data->tlv_request != TLV_REQ_NONE) {
 151                 eap_peap_state(data, FAILURE);
 152                 return;
 153         }
 154
 155         if (data->peap_version == 0) {
 156                 data->tlv_request = TLV_REQ_FAILURE;
 157                 eap_peap_state(data, PHASE2_TLV);
 158         } else {
 159                 eap_peap_state(data, FAILURE_REQ);
 160         }
 161 }
 162
 163
 164 static void * eap_peap_init(struct eap_sm *sm)
 165 {
 166         struct eap_peap_data *data;
 167
 168         data = os_zalloc(sizeof(*data));
 169         if (data == NULL)
 170                 return NULL;
 171         data->peap_version = EAP_PEAP_VERSION;
 172         data->force_version = -1;
 173         if (sm->user && sm->user->force_version >= 0) {
 174                 data->force_version = sm->user->force_version;
 175                 wpa_printf(MSG_DEBUG, "EAP-PEAP: forcing version %d",
 176                            data->force_version);
 177                 data->peap_version = data->force_version;
 178         }
 179         data->state = START;
 180         data->crypto_binding = OPTIONAL_BINDING;
 181
 182         if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
 183                 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
 184                 eap_peap_reset(sm, data);
 185                 return NULL;
 186         }
 187
 188         return data;
 189 }
 190
 191
 192 static void eap_peap_reset(struct eap_sm *sm, void *priv)
 193 {
 194         struct eap_peap_data *data = priv;
 195         if (data == NULL)
 196                 return;
 197         if (data->phase2_priv && data->phase2_method)
 198                 data->phase2_method->reset(sm, data->phase2_priv);
 199         eap_server_tls_ssl_deinit(sm, &data->ssl);
 200         wpabuf_free(data->pending_phase2_resp);
 201         os_free(data->phase2_key);
 202         os_free(data);
 203 }
 204
 205
 206 static struct wpabuf * eap_peap_build_start(struct eap_sm *sm,
 207                                             struct eap_peap_data *data, u8 id)
 208 {
 209         struct wpabuf *req;
 210
 211         req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PEAP, 1,
 212                             EAP_CODE_REQUEST, id);
 213         if (req == NULL) {
 214                 wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to allocate memory for"
 215                            " request");
 216                 eap_peap_state(data, FAILURE);
 217                 return NULL;
 218         }
 219
 220         wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->peap_version);
 221
 222         eap_peap_state(data, PHASE1);
 223
 224         return req;
 225 }
 226
 227
 228 static struct wpabuf * eap_peap_build_req(struct eap_sm *sm,
 229                                           struct eap_peap_data *data, u8 id)
 230 {
 231         int res;
 232         struct wpabuf *req;
 233
 234         res = eap_server_tls_buildReq_helper(sm, &data->ssl, EAP_TYPE_PEAP,
 235                                              data->peap_version, id, &req);
 236
 237         if (data->peap_version < 2 &&
 238             tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
 239                 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, starting "
 240                            "Phase2");
 241                 eap_peap_state(data, PHASE2_START);
 242         }
 243
 244         if (res == 1)
 245                 return eap_server_tls_build_ack(id, EAP_TYPE_PEAP,
 246                                                 data->peap_version);
 247         return req;
 248 }
 249
 250
 251 static struct wpabuf * eap_peap_encrypt(struct eap_sm *sm,
 252                                         struct eap_peap_data *data,
 253                                         u8 id, const u8 *plain,
 254                                         size_t plain_len)
 255 {
 256         int res;
 257         struct wpabuf *buf;
 258
 259         /* TODO: add support for fragmentation, if needed. This will need to
 260          * add TLS Message Length field, if the frame is fragmented. */
 261         buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PEAP,
 262                             1 + data->ssl.tls_out_limit,
 263                             EAP_CODE_REQUEST, id);
 264         if (buf == NULL)
 265                 return NULL;
 266
 267         wpabuf_put_u8(buf, data->peap_version);
 268
 269         res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
 270                                      plain, plain_len, wpabuf_put(buf, 0),
 271                                      data->ssl.tls_out_limit);
 272         if (res < 0) {
 273                 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt Phase 2 "
 274                            "data");
 275                 wpabuf_free(buf);
 276                 return NULL;
 277         }
 278
 279         wpabuf_put(buf, res);
 280         eap_update_len(buf);
 281
 282         return buf;
 283 }
 284
 285
 286 static struct wpabuf * eap_peap_build_phase2_req(struct eap_sm *sm,
 287                                                  struct eap_peap_data *data,
 288                                                  u8 id)
 289 {
 290         struct wpabuf *buf, *encr_req;
 291         const u8 *req;
 292         size_t req_len;
 293
 294         buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
 295         if (data->peap_version >= 2 && buf)
 296                 buf = eap_peapv2_tlv_eap_payload(buf);
 297         if (buf == NULL)
 298                 return NULL;
 299
 300         req = wpabuf_head(buf);
 301         req_len = wpabuf_len(buf);
 302         wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
 303                         req, req_len);
 304
 305         if (data->peap_version == 0 &&
 306             data->phase2_method->method != EAP_TYPE_TLV) {
 307                 req += sizeof(struct eap_hdr);
 308                 req_len -= sizeof(struct eap_hdr);
 309         }
 310
 311         encr_req = eap_peap_encrypt(sm, data, id, req, req_len);
 312         wpabuf_free(buf);
 313
 314         return encr_req;
 315 }
 316
 317
 318 static void eap_peap_get_isk(struct eap_peap_data *data,
 319                              u8 *isk, size_t isk_len)
 320 {
 321         size_t key_len;
 322
 323         os_memset(isk, 0, isk_len);
 324         if (data->phase2_key == NULL)
 325                 return;
 326
 327         key_len = data->phase2_key_len;
 328         if (key_len > isk_len)
 329                 key_len = isk_len;
 330         os_memcpy(isk, data->phase2_key, key_len);
 331 }
 332
 333
 334 void peap_prfplus(int version, const u8 *key, size_t key_len,
 335                   const char *label, const u8 *seed, size_t seed_len,
 336                   u8 *buf, size_t buf_len)
 337 {
 338         unsigned char counter = 0;
 339         size_t pos, plen;
 340         u8 hash[SHA1_MAC_LEN];
 341         size_t label_len = os_strlen(label);
 342         u8 extra[2];
 343         const unsigned char *addr[5];
 344         size_t len[5];
 345
 346         addr[0] = hash;
 347         len[0] = 0;
 348         addr[1] = (unsigned char *) label;
 349         len[1] = label_len;
 350         addr[2] = seed;
 351         len[2] = seed_len;
 352
 353         if (version == 0) {
 354                 /*
 355                  * PRF+(K, S, LEN) = T1 | T2 | ... | Tn
 356                  * T1 = HMAC-SHA1(K, S | 0x01 | 0x00 | 0x00)
 357                  * T2 = HMAC-SHA1(K, T1 | S | 0x02 | 0x00 | 0x00)
 358                  * ...
 359                  * Tn = HMAC-SHA1(K, Tn-1 | S | n | 0x00 | 0x00)
 360                  */
 361
 362                 extra[0] = 0;
 363                 extra[1] = 0;
 364
 365                 addr[3] = &counter;
 366                 len[3] = 1;
 367                 addr[4] = extra;
 368                 len[4] = 2;
 369         } else {
 370                 /*
 371                  * PRF (K,S,LEN) = T1 | T2 | T3 | T4 | ... where:
 372                  * T1 = HMAC-SHA1(K, S | LEN | 0x01)
 373                  * T2 = HMAC-SHA1 (K, T1 | S | LEN | 0x02)
 374                  * T3 = HMAC-SHA1 (K, T2 | S | LEN | 0x03)
 375                  * T4 = HMAC-SHA1 (K, T3 | S | LEN | 0x04)
 376                  *   ...
 377                  */
 378
 379                 extra[0] = buf_len & 0xff;
 380
 381                 addr[3] = extra;
 382                 len[3] = 1;
 383                 addr[4] = &counter;
 384                 len[4] = 1;
 385         }
 386
 387         pos = 0;
 388         while (pos < buf_len) {
 389                 counter++;
 390                 plen = buf_len - pos;
 391                 hmac_sha1_vector(key, key_len, 5, addr, len, hash);
 392                 if (plen >= SHA1_MAC_LEN) {
 393                         os_memcpy(&buf[pos], hash, SHA1_MAC_LEN);
 394                         pos += SHA1_MAC_LEN;
 395                 } else {
 396                         os_memcpy(&buf[pos], hash, plen);
 397                         break;
 398                 }
 399                 len[0] = SHA1_MAC_LEN;
 400         }
 401 }
 402
 403
 404 static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
 405 {
 406         u8 *tk;
 407         u8 isk[32], imck[60];
 408
 409         /*
 410          * Tunnel key (TK) is the first 60 octets of the key generated by
 411          * phase 1 of PEAP (based on TLS).
 412          */
 413         tk = eap_server_tls_derive_key(sm, &data->ssl, "client EAP encryption",
 414                                        EAP_TLS_KEY_LEN);
 415         if (tk == NULL)
 416                 return -1;
 417         wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60);
 418
 419         eap_peap_get_isk(data, isk, sizeof(isk));
 420         wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: ISK", isk, sizeof(isk));
 421
 422         /*
 423          * IPMK Seed = "Inner Methods Compound Keys" | ISK
 424          * TempKey = First 40 octets of TK
 425          * IPMK|CMK = PRF+(TempKey, IPMK Seed, 60)
 426          * (note: draft-josefsson-pppext-eap-tls-eap-10.txt includes a space
 427          * in the end of the label just before ISK; is that just a typo?)
 428          */
 429         wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TempKey", tk, 40);
 430         peap_prfplus(data->peap_version, tk, 40, "Inner Methods Compound Keys",
 431                      isk, sizeof(isk), imck, sizeof(imck));
 432         wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IMCK (IPMKj)",
 433                         imck, sizeof(imck));
 434
 435         os_free(tk);
 436
 437         /* TODO: fast-connect: IPMK|CMK = TK */
 438         os_memcpy(data->ipmk, imck, 40);
 439         wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40);
 440         os_memcpy(data->cmk, imck + 40, 20);
 441         wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20);
 442
 443         return 0;
 444 }
 445
 446
 447 static struct wpabuf * eap_peap_build_phase2_tlv(struct eap_sm *sm,
 448                                                  struct eap_peap_data *data,
 449                                                  u8 id)
 450 {
 451         struct wpabuf *buf, *encr_req;
 452         size_t len;
 453
 454         len = 6; /* Result TLV */
 455         if (data->crypto_binding != NO_BINDING)
 456                 len += 60; /* Cryptobinding TLV */
 457
 458         buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TLV, len,
 459                             EAP_CODE_REQUEST, id);
 460         if (buf == NULL)
 461                 return NULL;
 462
 463         wpabuf_put_u8(buf, 0x80); /* Mandatory */
 464         wpabuf_put_u8(buf, EAP_TLV_RESULT_TLV);
 465         /* Length */
 466         wpabuf_put_be16(buf, 2);
 467         /* Status */
 468         wpabuf_put_be16(buf, data->tlv_request == TLV_REQ_SUCCESS ?
 469                         EAP_TLV_RESULT_SUCCESS : EAP_TLV_RESULT_FAILURE);
 470
 471         if (data->peap_version == 0 && data->tlv_request == TLV_REQ_SUCCESS &&
 472             data->crypto_binding != NO_BINDING) {
 473                 u8 *mac;
 474                 u8 eap_type = EAP_TYPE_PEAP;
 475                 const u8 *addr[2];
 476                 size_t len[2];
 477                 u16 tlv_type;
 478
 479                 if (eap_peap_derive_cmk(sm, data) < 0 ||
 480                     os_get_random(data->binding_nonce, 32)) {
 481                         wpabuf_free(buf);
 482                         return NULL;
 483                 }
 484
 485                 /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
 486                 addr[0] = wpabuf_put(buf, 0);
 487                 len[0] = 60;
 488                 addr[1] = &eap_type;
 489                 len[1] = 1;
 490
 491                 tlv_type = EAP_TLV_CRYPTO_BINDING_TLV;
 492                 if (data->peap_version >= 2)
 493                         tlv_type |= EAP_TLV_TYPE_MANDATORY;
 494                 wpabuf_put_be16(buf, tlv_type);
 495                 wpabuf_put_be16(buf, 56);
 496
 497                 wpabuf_put_u8(buf, 0); /* Reserved */
 498                 wpabuf_put_u8(buf, data->peap_version); /* Version */
 499                 wpabuf_put_u8(buf, data->recv_version); /* RecvVersion */
 500                 wpabuf_put_u8(buf, 0); /* SubType: 0 = Request, 1 = Response */
 501                 wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */
 502                 mac = wpabuf_put(buf, 20); /* Compound_MAC */
 503                 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK",
 504                             data->cmk, 20);
 505                 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1",
 506                             addr[0], len[0]);
 507                 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 2",
 508                             addr[1], len[1]);
 509                 hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac);
 510                 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC",
 511                             mac, SHA1_MAC_LEN);
 512                 data->crypto_binding_sent = 1;
 513         }
 514
 515         wpa_hexdump_buf_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 TLV data",
 516                             buf);
 517
 518         encr_req = eap_peap_encrypt(sm, data, id, wpabuf_head(buf),
 519                                     wpabuf_len(buf));
 520         wpabuf_free(buf);
 521
 522         return encr_req;
 523 }
 524
 525
 526 static struct wpabuf * eap_peap_build_phase2_term(struct eap_sm *sm,
 527                                                   struct eap_peap_data *data,
 528                                                   u8 id, int success)
 529 {
 530         struct wpabuf *encr_req;
 531         size_t req_len;
 532         struct eap_hdr *hdr;
 533
 534         req_len = sizeof(*hdr);
 535         hdr = os_zalloc(req_len);
 536         if (hdr == NULL)
 537                 return NULL;
 538
 539         hdr->code = success ? EAP_CODE_SUCCESS : EAP_CODE_FAILURE;
 540         hdr->identifier = id;
 541         hdr->length = host_to_be16(req_len);
 542
 543         wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
 544                         (u8 *) hdr, req_len);
 545
 546         encr_req = eap_peap_encrypt(sm, data, id, (u8 *) hdr, req_len);
 547         os_free(hdr);
 548
 549         return encr_req;
 550 }
 551
 552
 553 static struct wpabuf * eap_peap_buildReq(struct eap_sm *sm, void *priv, u8 id)
 554 {
 555         struct eap_peap_data *data = priv;
 556
 557         switch (data->state) {
 558         case START:
 559                 return eap_peap_build_start(sm, data, id);
 560         case PHASE1:
 561         case PHASE1_ID2:
 562                 return eap_peap_build_req(sm, data, id);
 563         case PHASE2_ID:
 564         case PHASE2_METHOD:
 565                 return eap_peap_build_phase2_req(sm, data, id);
 566         case PHASE2_TLV:
 567                 return eap_peap_build_phase2_tlv(sm, data, id);
 568         case SUCCESS_REQ:
 569                 return eap_peap_build_phase2_term(sm, data, id, 1);
 570         case FAILURE_REQ:
 571                 return eap_peap_build_phase2_term(sm, data, id, 0);
 572         default:
 573                 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - unexpected state %d",
 574                            __func__, data->state);
 575                 return NULL;
 576         }
 577 }
 578
 579
 580 static Boolean eap_peap_check(struct eap_sm *sm, void *priv,
 581                               struct wpabuf *respData)
 582 {
 583         const u8 *pos;
 584         size_t len;
 585
 586         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PEAP, respData, &len);
 587         if (pos == NULL || len < 1) {
 588                 wpa_printf(MSG_INFO, "EAP-PEAP: Invalid frame");
 589                 return TRUE;
 590         }
 591
 592         return FALSE;
 593 }
 594
 595
 596 static int eap_peap_phase2_init(struct eap_sm *sm, struct eap_peap_data *data,
 597                                 EapType eap_type)
 598 {
 599         if (data->phase2_priv && data->phase2_method) {
 600                 data->phase2_method->reset(sm, data->phase2_priv);
 601                 data->phase2_method = NULL;
 602                 data->phase2_priv = NULL;
 603         }
 604         data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
 605                                                         eap_type);
 606         if (!data->phase2_method)
 607                 return -1;
 608
 609         sm->init_phase2 = 1;
 610         data->phase2_priv = data->phase2_method->init(sm);
 611         sm->init_phase2 = 0;
 612         return 0;
 613 }
 614
 615
 616 static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
 617                                           struct eap_peap_data *data,
 618                                           const u8 *crypto_tlv,
 619                                           size_t crypto_tlv_len)
 620 {
 621         u8 buf[61], mac[SHA1_MAC_LEN];
 622         const u8 *pos;
 623
 624         if (crypto_tlv_len != 4 + 56) {
 625                 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid cryptobinding TLV "
 626                            "length %d", (int) crypto_tlv_len);
 627                 return -1;
 628         }
 629
 630         pos = crypto_tlv;
 631         pos += 4; /* TLV header */
 632         if (pos[1] != data->peap_version) {
 633                 wpa_printf(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV Version "
 634                            "mismatch (was %d; expected %d)",
 635                            pos[1], data->peap_version);
 636                 return -1;
 637         }
 638
 639         if (pos[3] != 1) {
 640                 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected Cryptobinding TLV "
 641                            "SubType %d", pos[3]);
 642                 return -1;
 643         }
 644         pos += 4;
 645         pos += 32; /* Nonce */
 646
 647         /* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
 648         os_memcpy(buf, crypto_tlv, 60);
 649         os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */
 650         buf[60] = EAP_TYPE_PEAP;
 651         hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac);
 652
 653         if (os_memcmp(mac, pos, SHA1_MAC_LEN) != 0) {
 654                 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in "
 655                            "cryptobinding TLV");
 656                 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK", data->cmk, 20);
 657                 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding seed data",
 658                             buf, 61);
 659                 return -1;
 660         }
 661
 662         wpa_printf(MSG_DEBUG, "EAP-PEAP: Valid cryptobinding TLV received");
 663
 664         return 0;
 665 }
 666
 667
 668 static void eap_peap_process_phase2_tlv(struct eap_sm *sm,
 669                                         struct eap_peap_data *data,
 670                                         struct wpabuf *in_data)
 671 {
 672         const u8 *pos;
 673         size_t left;
 674         const u8 *result_tlv = NULL, *crypto_tlv = NULL;
 675         size_t result_tlv_len = 0, crypto_tlv_len = 0;
 676         int tlv_type, mandatory, tlv_len;
 677
 678         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLV, in_data, &left);
 679         if (pos == NULL) {
 680                 wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid EAP-TLV header");
 681                 return;
 682         }
 683
 684         /* Parse TLVs */
 685         wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received TLVs", pos, left);
 686         while (left >= 4) {
 687                 mandatory = !!(pos[0] & 0x80);
 688                 tlv_type = pos[0] & 0x3f;
 689                 tlv_type = (tlv_type << 8) | pos[1];
 690                 tlv_len = ((int) pos[2] << 8) | pos[3];
 691                 pos += 4;
 692                 left -= 4;
 693                 if ((size_t) tlv_len > left) {
 694                         wpa_printf(MSG_DEBUG, "EAP-PEAP: TLV underrun "
 695                                    "(tlv_len=%d left=%lu)", tlv_len,
 696                                    (unsigned long) left);
 697                         eap_peap_state(data, FAILURE);
 698                         return;
 699                 }
 700                 switch (tlv_type) {
 701                 case EAP_TLV_RESULT_TLV:
 702                         result_tlv = pos;
 703                         result_tlv_len = tlv_len;
 704                         break;
 705                 case EAP_TLV_CRYPTO_BINDING_TLV:
 706                         crypto_tlv = pos;
 707                         crypto_tlv_len = tlv_len;
 708                         break;
 709                 default:
 710                         wpa_printf(MSG_DEBUG, "EAP-PEAP: Unsupported TLV Type "
 711                                    "%d%s", tlv_type,
 712                                    mandatory ? " (mandatory)" : "");
 713                         if (mandatory) {
 714                                 eap_peap_state(data, FAILURE);
 715                                 return;
 716                         }
 717                         /* Ignore this TLV, but process other TLVs */
 718                         break;
 719                 }
 720
 721                 pos += tlv_len;
 722                 left -= tlv_len;
 723         }
 724         if (left) {
 725                 wpa_printf(MSG_DEBUG, "EAP-PEAP: Last TLV too short in "
 726                            "Request (left=%lu)", (unsigned long) left);
 727                 eap_peap_state(data, FAILURE);
 728                 return;
 729         }
 730
 731         /* Process supported TLVs */
 732         if (crypto_tlv && data->crypto_binding_sent) {
 733                 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Cryptobinding TLV",
 734                             crypto_tlv, crypto_tlv_len);
 735                 if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4,
 736                                                    crypto_tlv_len + 4) < 0) {
 737                         eap_peap_state(data, FAILURE);
 738                         return;
 739                 }
 740                 data->crypto_binding_used = 1;
 741         } else if (!crypto_tlv && data->crypto_binding_sent &&
 742                    data->crypto_binding == REQUIRE_BINDING) {
 743                 wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV");
 744                 eap_peap_state(data, FAILURE);
 745                 return;
 746         }
 747
 748         if (result_tlv) {
 749                 int status;
 750                 const char *requested;
 751
 752                 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Result TLV",
 753                             result_tlv, result_tlv_len);
 754                 if (result_tlv_len < 2) {
 755                         wpa_printf(MSG_INFO, "EAP-PEAP: Too short Result TLV "
 756                                    "(len=%lu)",
 757                                    (unsigned long) result_tlv_len);
 758                         eap_peap_state(data, FAILURE);
 759                         return;
 760                 }
 761                 requested = data->tlv_request == TLV_REQ_SUCCESS ? "Success" :
 762                         "Failure";
 763                 status = WPA_GET_BE16(result_tlv);
 764                 if (status == EAP_TLV_RESULT_SUCCESS) {
 765                         wpa_printf(MSG_INFO, "EAP-PEAP: TLV Result - Success "
 766                                    "- requested %s", requested);
 767                         if (data->tlv_request == TLV_REQ_SUCCESS)
 768                                 eap_peap_state(data, SUCCESS);
 769                         else
 770                                 eap_peap_state(data, FAILURE);
 771
 772                 } else if (status == EAP_TLV_RESULT_FAILURE) {
 773                         wpa_printf(MSG_INFO, "EAP-PEAP: TLV Result - Failure "
 774                                    "- requested %s", requested);
 775                         eap_peap_state(data, FAILURE);
 776                 } else {
 777                         wpa_printf(MSG_INFO, "EAP-PEAP: Unknown TLV Result "
 778                                    "Status %d", status);
 779                         eap_peap_state(data, FAILURE);
 780                 }
 781         }
 782 }
 783
 784
 785 static void eap_peap_process_phase2_response(struct eap_sm *sm,
 786                                              struct eap_peap_data *data,
 787                                              struct wpabuf *in_data)
 788 {
 789         u8 next_type = EAP_TYPE_NONE;
 790         const struct eap_hdr *hdr;
 791         const u8 *pos;
 792         size_t left;
 793
 794         if (data->state == PHASE2_TLV) {
 795                 eap_peap_process_phase2_tlv(sm, data, in_data);
 796                 return;
 797         }
 798
 799         if (data->phase2_priv == NULL) {
 800                 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - Phase2 not "
 801                            "initialized?!", __func__);
 802                 return;
 803         }
 804
 805         hdr = wpabuf_head(in_data);
 806         pos = (const u8 *) (hdr + 1);
 807
 808         if (wpabuf_len(in_data) > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
 809                 left = wpabuf_len(in_data) - sizeof(*hdr);
 810                 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Phase2 type Nak'ed; "
 811                             "allowed types", pos + 1, left - 1);
 812                 eap_sm_process_nak(sm, pos + 1, left - 1);
 813                 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
 814                     sm->user->methods[sm->user_eap_method_index].method !=
 815                     EAP_TYPE_NONE) {
 816                         next_type = sm->user->methods[
 817                                 sm->user_eap_method_index++].method;
 818                         wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP type %d",
 819                                    next_type);
 820                 } else {
 821                         eap_peap_req_failure(sm, data);
 822                         next_type = EAP_TYPE_NONE;
 823                 }
 824                 eap_peap_phase2_init(sm, data, next_type);
 825                 return;
 826         }
 827
 828         if (data->phase2_method->check(sm, data->phase2_priv, in_data)) {
 829                 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 check() asked to "
 830                            "ignore the packet");
 831                 return;
 832         }
 833
 834         data->phase2_method->process(sm, data->phase2_priv, in_data);
 835
 836         if (sm->method_pending == METHOD_PENDING_WAIT) {
 837                 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 method is in "
 838                            "pending wait state - save decrypted response");
 839                 wpabuf_free(data->pending_phase2_resp);
 840                 data->pending_phase2_resp = wpabuf_dup(in_data);
 841         }
 842
 843         if (!data->phase2_method->isDone(sm, data->phase2_priv))
 844                 return;
 845
 846         if (!data->phase2_method->isSuccess(sm, data->phase2_priv)) {
 847                 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 method failed");
 848                 eap_peap_req_failure(sm, data);
 849                 next_type = EAP_TYPE_NONE;
 850                 eap_peap_phase2_init(sm, data, next_type);
 851                 return;
 852         }
 853
 854         os_free(data->phase2_key);
 855         if (data->phase2_method->getKey) {
 856                 data->phase2_key = data->phase2_method->getKey(
 857                         sm, data->phase2_priv, &data->phase2_key_len);
 858                 if (data->phase2_key == NULL) {
 859                         wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 getKey "
 860                                    "failed");
 861                         eap_peap_req_failure(sm, data);
 862                         eap_peap_phase2_init(sm, data, EAP_TYPE_NONE);
 863                         return;
 864                 }
 865
 866                 if (data->phase2_key_len == 32 &&
 867                     data->phase2_method->vendor == EAP_VENDOR_IETF &&
 868                     data->phase2_method->method == EAP_TYPE_MSCHAPV2) {
 869                         /*
 870                          * Microsoft uses reverse order for MS-MPPE keys in
 871                          * EAP-PEAP when compared to EAP-FAST derivation of
 872                          * ISK. Swap the keys here to get the correct ISK for
 873                          * EAP-PEAPv0 cryptobinding.
 874                          */
 875                         u8 tmp[16];
 876                         os_memcpy(tmp, data->phase2_key, 16);
 877                         os_memcpy(data->phase2_key, data->phase2_key + 16, 16);
 878                         os_memcpy(data->phase2_key + 16, tmp, 16);
 879                 }
 880         }
 881
 882         switch (data->state) {
 883         case PHASE1_ID2:
 884         case PHASE2_ID:
 885                 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
 886                         wpa_hexdump_ascii(MSG_DEBUG, "EAP_PEAP: Phase2 "
 887                                           "Identity not found in the user "
 888                                           "database",
 889                                           sm->identity, sm->identity_len);
 890                         eap_peap_req_failure(sm, data);
 891                         next_type = EAP_TYPE_NONE;
 892                         break;
 893                 }
 894
 895                 eap_peap_state(data, PHASE2_METHOD);
 896                 next_type = sm->user->methods[0].method;
 897                 sm->user_eap_method_index = 1;
 898                 wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP type %d", next_type);
 899                 break;
 900         case PHASE2_METHOD:
 901                 eap_peap_req_success(sm, data);
 902                 next_type = EAP_TYPE_NONE;
 903                 break;
 904         case FAILURE:
 905                 break;
 906         default:
 907                 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - unexpected state %d",
 908                            __func__, data->state);
 909                 break;
 910         }
 911
 912         eap_peap_phase2_init(sm, data, next_type);
 913 }
 914
 915
 916 static void eap_peap_process_phase2(struct eap_sm *sm,
 917                                     struct eap_peap_data *data,
 918                                     const struct wpabuf *respData,
 919                                     const u8 *in_data, size_t in_len)
 920 {
 921         struct wpabuf *in_decrypted;
 922         int len_decrypted, res;
 923         const struct eap_hdr *hdr;
 924         size_t buf_len, len;
 925
 926         wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for"
 927                    " Phase 2", (unsigned long) in_len);
 928
 929         if (data->pending_phase2_resp) {
 930                 wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - "
 931                            "skip decryption and use old data");
 932                 eap_peap_process_phase2_response(sm, data,
 933                                                  data->pending_phase2_resp);
 934                 wpabuf_free(data->pending_phase2_resp);
 935                 data->pending_phase2_resp = NULL;
 936                 return;
 937         }
 938
 939         /* FIX: get rid of const -> non-const typecast */
 940         res = eap_server_tls_data_reassemble(sm, &data->ssl, (u8 **) &in_data,
 941                                              &in_len);
 942         if (res < 0 || res == 1)
 943                 return;
 944
 945         buf_len = in_len;
 946         if (data->ssl.tls_in_total > buf_len)
 947                 buf_len = data->ssl.tls_in_total;
 948         in_decrypted = wpabuf_alloc(buf_len);
 949         if (in_decrypted == NULL) {
 950                 os_free(data->ssl.tls_in);
 951                 data->ssl.tls_in = NULL;
 952                 data->ssl.tls_in_len = 0;
 953                 wpa_printf(MSG_WARNING, "EAP-PEAP: failed to allocate memory "
 954                            "for decryption");
 955                 return;
 956         }
 957
 958         len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
 959                                                in_data, in_len,
 960                                                wpabuf_mhead(in_decrypted),
 961                                                buf_len);
 962         os_free(data->ssl.tls_in);
 963         data->ssl.tls_in = NULL;
 964         data->ssl.tls_in_len = 0;
 965         if (len_decrypted < 0) {
 966                 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to decrypt Phase 2 "
 967                            "data");
 968                 wpabuf_free(in_decrypted);
 969                 eap_peap_state(data, FAILURE);
 970                 return;
 971         }
 972         wpabuf_put(in_decrypted, len_decrypted);
 973
 974         wpa_hexdump_buf_key(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP",
 975                             in_decrypted);
 976
 977         hdr = wpabuf_head(in_decrypted);
 978
 979         if (data->peap_version == 0 && data->state != PHASE2_TLV) {
 980                 const struct eap_hdr *resp;
 981                 struct eap_hdr *nhdr;
 982                 struct wpabuf *nbuf =
 983                         wpabuf_alloc(sizeof(struct eap_hdr) +
 984                                      wpabuf_len(in_decrypted));
 985                 if (nbuf == NULL) {
 986                         wpabuf_free(in_decrypted);
 987                         return;
 988                 }
 989
 990                 resp = wpabuf_head(respData);
 991                 nhdr = wpabuf_put(nbuf, sizeof(*nhdr));
 992                 nhdr->code = resp->code;
 993                 nhdr->identifier = resp->identifier;
 994                 nhdr->length = host_to_be16(sizeof(struct eap_hdr) +
 995                                             wpabuf_len(in_decrypted));
 996                 wpabuf_put_buf(nbuf, in_decrypted);
 997                 wpabuf_free(in_decrypted);
 998
 999                 in_decrypted = nbuf;
1000         } else if (data->peap_version >= 2) {
1001                 struct eap_tlv_hdr *tlv;
1002                 struct wpabuf *nmsg;
1003
1004                 if (wpabuf_len(in_decrypted) < sizeof(*tlv) + sizeof(*hdr)) {
1005                         wpa_printf(MSG_INFO, "EAP-PEAPv2: Too short Phase 2 "
1006                                    "EAP TLV");
1007                         wpabuf_free(in_decrypted);
1008                         return;
1009                 }
1010                 tlv = wpabuf_mhead(in_decrypted);
1011                 if ((be_to_host16(tlv->tlv_type) & EAP_TLV_TYPE_MASK) !=
1012                     EAP_TLV_EAP_PAYLOAD_TLV) {
1013                         wpa_printf(MSG_INFO, "EAP-PEAPv2: Not an EAP TLV");
1014                         wpabuf_free(in_decrypted);
1015                         return;
1016                 }
1017                 if (sizeof(*tlv) + be_to_host16(tlv->length) >
1018                     wpabuf_len(in_decrypted)) {
1019                         wpa_printf(MSG_INFO, "EAP-PEAPv2: Invalid EAP TLV "
1020                                    "length");
1021                         wpabuf_free(in_decrypted);
1022                         return;
1023                 }
1024                 hdr = (struct eap_hdr *) (tlv + 1);
1025                 if (be_to_host16(hdr->length) > be_to_host16(tlv->length)) {
1026                         wpa_printf(MSG_INFO, "EAP-PEAPv2: No room for full "
1027                                    "EAP packet in EAP TLV");
1028                         wpabuf_free(in_decrypted);
1029                         return;
1030                 }
1031
1032                 nmsg = wpabuf_alloc(be_to_host16(hdr->length));
1033                 if (nmsg == NULL) {
1034                         wpabuf_free(in_decrypted);
1035                         return;
1036                 }
1037
1038                 wpabuf_put_data(nmsg, hdr, be_to_host16(hdr->length));
1039                 wpabuf_free(in_decrypted);
1040                 in_decrypted = nmsg;
1041         }
1042
1043         hdr = wpabuf_head(in_decrypted);
1044         if (wpabuf_len(in_decrypted) < (int) sizeof(*hdr)) {
1045                 wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 "
1046                            "EAP frame (len=%lu)",
1047                            (unsigned long) wpabuf_len(in_decrypted));
1048                 wpabuf_free(in_decrypted);
1049                 eap_peap_req_failure(sm, data);
1050                 return;
1051         }
1052         len = be_to_host16(hdr->length);
1053         if (len > wpabuf_len(in_decrypted)) {
1054                 wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in "
1055                            "Phase 2 EAP frame (len=%lu hdr->length=%lu)",
1056                            (unsigned long) wpabuf_len(in_decrypted),
1057                            (unsigned long) len);
1058                 wpabuf_free(in_decrypted);
1059                 eap_peap_req_failure(sm, data);
1060                 return;
1061         }
1062         wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d "
1063                    "identifier=%d length=%lu", hdr->code, hdr->identifier,
1064                    (unsigned long) len);
1065         switch (hdr->code) {
1066         case EAP_CODE_RESPONSE:
1067                 eap_peap_process_phase2_response(sm, data, in_decrypted);
1068                 break;
1069         case EAP_CODE_SUCCESS:
1070                 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success");
1071                 if (data->state == SUCCESS_REQ) {
1072                         eap_peap_state(data, SUCCESS);
1073                 }
1074                 break;
1075         case EAP_CODE_FAILURE:
1076                 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure");
1077                 eap_peap_state(data, FAILURE);
1078                 break;
1079         default:
1080                 wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in "
1081                            "Phase 2 EAP header", hdr->code);
1082                 break;
1083         }
1084
1085         os_free(in_decrypted);
1086 }
1087
1088
1089 static int eap_peapv2_start_phase2(struct eap_sm *sm,
1090                                    struct eap_peap_data *data)
1091 {
1092         struct wpabuf *buf, *buf2;
1093         int res;
1094         u8 *tls_out;
1095
1096         wpa_printf(MSG_DEBUG, "EAP-PEAPv2: Phase1 done, include first Phase2 "
1097                    "payload in the same message");
1098         eap_peap_state(data, PHASE1_ID2);
1099         if (eap_peap_phase2_init(sm, data, EAP_TYPE_IDENTITY))
1100                 return -1;
1101
1102         /* TODO: which Id to use here? */
1103         buf = data->phase2_method->buildReq(sm, data->phase2_priv, 6);
1104         if (buf == NULL)
1105                 return -1;
1106
1107         buf2 = eap_peapv2_tlv_eap_payload(buf);
1108         if (buf2 == NULL)
1109                 return -1;
1110
1111         wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAPv2: Identity Request", buf2);
1112
1113         buf = wpabuf_alloc(data->ssl.tls_out_limit);
1114         if (buf == NULL) {
1115                 wpabuf_free(buf2);
1116                 return -1;
1117         }
1118
1119         res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
1120                                      wpabuf_head(buf2), wpabuf_len(buf2),
1121                                      wpabuf_put(buf, 0),
1122                                      data->ssl.tls_out_limit);
1123         wpabuf_free(buf2);
1124
1125         if (res < 0) {
1126                 wpa_printf(MSG_INFO, "EAP-PEAPv2: Failed to encrypt Phase 2 "
1127                            "data");
1128                 wpabuf_free(buf);
1129                 return -1;
1130         }
1131
1132         wpabuf_put(buf, res);
1133         wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAPv2: Encrypted Identity Request",
1134                         buf);
1135
1136         /* Append TLS data into the pending buffer after the Server Finished */
1137         tls_out = os_realloc(data->ssl.tls_out,
1138                              data->ssl.tls_out_len + wpabuf_len(buf));
1139         if (tls_out == NULL) {
1140                 wpabuf_free(buf);
1141                 return -1;
1142         }
1143
1144         os_memcpy(tls_out + data->ssl.tls_out_len, wpabuf_head(buf),
1145                   wpabuf_len(buf));
1146         data->ssl.tls_out = tls_out;
1147         data->ssl.tls_out_len += wpabuf_len(buf);
1148
1149         wpabuf_free(buf);
1150
1151         return 0;
1152 }
1153
1154
1155 static void eap_peap_process(struct eap_sm *sm, void *priv,
1156                              struct wpabuf *respData)
1157 {
1158         struct eap_peap_data *data = priv;
1159         const u8 *pos;
1160         u8 flags;
1161         size_t left;
1162         unsigned int tls_msg_len;
1163         int peer_version;
1164
1165         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PEAP, respData,
1166                                &left);
1167         if (pos == NULL || left < 1)
1168                 return;
1169         flags = *pos++;
1170         left--;
1171         wpa_printf(MSG_DEBUG, "EAP-PEAP: Received packet(len=%lu) - "
1172                    "Flags 0x%02x", (unsigned long) wpabuf_len(respData),
1173                    flags);
1174         data->recv_version = peer_version = flags & EAP_PEAP_VERSION_MASK;
1175         if (data->force_version >= 0 && peer_version != data->force_version) {
1176                 wpa_printf(MSG_INFO, "EAP-PEAP: peer did not select the forced"
1177                            " version (forced=%d peer=%d) - reject",
1178                            data->force_version, peer_version);
1179                 eap_peap_state(data, FAILURE);
1180                 return;
1181         }
1182         if (peer_version < data->peap_version) {
1183                 wpa_printf(MSG_DEBUG, "EAP-PEAP: peer ver=%d, own ver=%d; "
1184                            "use version %d",
1185                            peer_version, data->peap_version, peer_version);
1186                 data->peap_version = peer_version;
1187         }
1188         if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
1189                 if (left < 4) {
1190                         wpa_printf(MSG_INFO, "EAP-PEAP: Short frame with TLS "
1191                                    "length");
1192                         eap_peap_state(data, FAILURE);
1193                         return;
1194                 }
1195                 tls_msg_len = WPA_GET_BE32(pos);
1196                 wpa_printf(MSG_DEBUG, "EAP-PEAP: TLS Message Length: %d",
1197                            tls_msg_len);
1198                 if (data->ssl.tls_in_left == 0) {
1199                         data->ssl.tls_in_total = tls_msg_len;
1200                         data->ssl.tls_in_left = tls_msg_len;
1201                         os_free(data->ssl.tls_in);
1202                         data->ssl.tls_in = NULL;
1203                         data->ssl.tls_in_len = 0;
1204                 }
1205                 pos += 4;
1206                 left -= 4;
1207         }
1208
1209         switch (data->state) {
1210         case PHASE1:
1211                 if (eap_server_tls_process_helper(sm, &data->ssl, pos, left) <
1212                     0) {
1213                         wpa_printf(MSG_INFO, "EAP-PEAP: TLS processing "
1214                                    "failed");
1215                         eap_peap_state(data, FAILURE);
1216                         break;
1217                 }
1218
1219                 if (data->peap_version >= 2 &&
1220                     tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
1221                         if (eap_peapv2_start_phase2(sm, data)) {
1222                                 eap_peap_state(data, FAILURE);
1223                                 break;
1224                         }
1225                 }
1226                 break;
1227         case PHASE2_START:
1228                 eap_peap_state(data, PHASE2_ID);
1229                 eap_peap_phase2_init(sm, data, EAP_TYPE_IDENTITY);
1230                 break;
1231         case PHASE1_ID2:
1232         case PHASE2_ID:
1233         case PHASE2_METHOD:
1234         case PHASE2_TLV:
1235                 eap_peap_process_phase2(sm, data, respData, pos, left);
1236                 break;
1237         case SUCCESS_REQ:
1238                 eap_peap_state(data, SUCCESS);
1239                 break;
1240         case FAILURE_REQ:
1241                 eap_peap_state(data, FAILURE);
1242                 break;
1243         default:
1244                 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected state %d in %s",
1245                            data->state, __func__);
1246                 break;
1247         }
1248
1249         if (tls_connection_get_write_alerts(sm->ssl_ctx, data->ssl.conn) > 1) {
1250                 wpa_printf(MSG_INFO, "EAP-PEAP: Locally detected fatal error "
1251                            "in TLS processing");
1252                 eap_peap_state(data, FAILURE);
1253         }
1254 }
1255
1256
1257 static Boolean eap_peap_isDone(struct eap_sm *sm, void *priv)
1258 {
1259         struct eap_peap_data *data = priv;
1260         return data->state == SUCCESS || data->state == FAILURE;
1261 }
1262
1263
1264 static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len)
1265 {
1266         struct eap_peap_data *data = priv;
1267         u8 *eapKeyData;
1268
1269         if (data->state != SUCCESS)
1270                 return NULL;
1271
1272         if (data->crypto_binding_used) {
1273                 u8 csk[128];
1274                 /*
1275                  * Note: It looks like Microsoft implementation requires null
1276                  * termination for this label while the one used for deriving
1277                  * IPMK|CMK did not use null termination.
1278                  */
1279                 peap_prfplus(data->peap_version, data->ipmk, 40,
1280                              "Session Key Generating Function",
1281                              (u8 *) "\00", 1, csk, sizeof(csk));
1282                 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CSK", csk, sizeof(csk));
1283                 eapKeyData = os_malloc(EAP_TLS_KEY_LEN);
1284                 if (eapKeyData) {
1285                         os_memcpy(eapKeyData, csk, EAP_TLS_KEY_LEN);
1286                         *len = EAP_TLS_KEY_LEN;
1287                         wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",
1288                                     eapKeyData, EAP_TLS_KEY_LEN);
1289                 } else {
1290                         wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to derive "
1291                                    "key");
1292                 }
1293
1294                 return eapKeyData;
1295         }
1296
1297         /* TODO: PEAPv1 - different label in some cases */
1298         eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1299                                                "client EAP encryption",
1300                                                EAP_TLS_KEY_LEN);
1301         if (eapKeyData) {
1302                 *len = EAP_TLS_KEY_LEN;
1303                 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",
1304                             eapKeyData, EAP_TLS_KEY_LEN);
1305         } else {
1306                 wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to derive key");
1307         }
1308
1309         return eapKeyData;
1310 }
1311
1312
1313 static Boolean eap_peap_isSuccess(struct eap_sm *sm, void *priv)
1314 {
1315         struct eap_peap_data *data = priv;
1316         return data->state == SUCCESS;
1317 }
1318
1319
1320 int eap_server_peap_register(void)
1321 {
1322         struct eap_method *eap;
1323         int ret;
1324
1325         eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1326                                       EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP");
1327         if (eap == NULL)
1328                 return -1;
1329
1330         eap->init = eap_peap_init;
1331         eap->reset = eap_peap_reset;
1332         eap->buildReq = eap_peap_buildReq;
1333         eap->check = eap_peap_check;
1334         eap->process = eap_peap_process;
1335         eap->isDone = eap_peap_isDone;
1336         eap->getKey = eap_peap_getKey;
1337         eap->isSuccess = eap_peap_isSuccess;
1338
1339         ret = eap_server_method_register(eap);
1340         if (ret)
1341                 eap_server_method_free(eap);
1342         return ret;
1343 }