projects / mech_eap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
EAP-pwd: Remove unnecessary OpenSSL EVP_sha256() registration
[mech_eap.git] / src / eap_server / eap_server_ttls.c
1 /*
2  * hostapd / EAP-TTLS (RFC 5281)
3  * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/ms_funcs.h"
13 #include "crypto/sha1.h"
14 #include "crypto/tls.h"
15 #include "eap_server/eap_i.h"
16 #include "eap_server/eap_tls_common.h"
17 #include "eap_common/chap.h"
18 #include "eap_common/eap_ttls.h"
19
20
21 #define EAP_TTLS_VERSION 0
22
23
24 static void eap_ttls_reset(struct eap_sm *sm, void *priv);
25
26
27 struct eap_ttls_data {
28         struct eap_ssl_data ssl;
29         enum {
30                 START, PHASE1, PHASE2_START, PHASE2_METHOD,
31                 PHASE2_MSCHAPV2_RESP, SUCCESS, FAILURE
32         } state;
33
34         int ttls_version;
35         const struct eap_method *phase2_method;
36         void *phase2_priv;
37         int mschapv2_resp_ok;
38         u8 mschapv2_auth_response[20];
39         u8 mschapv2_ident;
40         struct wpabuf *pending_phase2_eap_resp;
41         int tnc_started;
42 };
43
44
45 static const char * eap_ttls_state_txt(int state)
46 {
47         switch (state) {
48         case START:
49                 return "START";
50         case PHASE1:
51                 return "PHASE1";
52         case PHASE2_START:
53                 return "PHASE2_START";
54         case PHASE2_METHOD:
55                 return "PHASE2_METHOD";
56         case PHASE2_MSCHAPV2_RESP:
57                 return "PHASE2_MSCHAPV2_RESP";
58         case SUCCESS:
59                 return "SUCCESS";
60         case FAILURE:
61                 return "FAILURE";
62         default:
63                 return "Unknown?!";
64         }
65 }
66
67
68 static void eap_ttls_state(struct eap_ttls_data *data, int state)
69 {
70         wpa_printf(MSG_DEBUG, "EAP-TTLS: %s -> %s",
71                    eap_ttls_state_txt(data->state),
72                    eap_ttls_state_txt(state));
73         data->state = state;
74 }
75
76
77 static u8 * eap_ttls_avp_hdr(u8 *avphdr, u32 avp_code, u32 vendor_id,
78                              int mandatory, size_t len)
79 {
80         struct ttls_avp_vendor *avp;
81         u8 flags;
82         size_t hdrlen;
83
84         avp = (struct ttls_avp_vendor *) avphdr;
85         flags = mandatory ? AVP_FLAGS_MANDATORY : 0;
86         if (vendor_id) {
87                 flags |= AVP_FLAGS_VENDOR;
88                 hdrlen = sizeof(*avp);
89                 avp->vendor_id = host_to_be32(vendor_id);
90         } else {
91                 hdrlen = sizeof(struct ttls_avp);
92         }
93
94         avp->avp_code = host_to_be32(avp_code);
95         avp->avp_length = host_to_be32(((u32) flags << 24) |
96                                        ((u32) (hdrlen + len)));
97
98         return avphdr + hdrlen;
99 }
100
101
102 static struct wpabuf * eap_ttls_avp_encapsulate(struct wpabuf *resp,
103                                                 u32 avp_code, int mandatory)
104 {
105         struct wpabuf *avp;
106         u8 *pos;
107
108         avp = wpabuf_alloc(sizeof(struct ttls_avp) + wpabuf_len(resp) + 4);
109         if (avp == NULL) {
110                 wpabuf_free(resp);
111                 return NULL;
112         }
113
114         pos = eap_ttls_avp_hdr(wpabuf_mhead(avp), avp_code, 0, mandatory,
115                                wpabuf_len(resp));
116         os_memcpy(pos, wpabuf_head(resp), wpabuf_len(resp));
117         pos += wpabuf_len(resp);
118         AVP_PAD((const u8 *) wpabuf_head(avp), pos);
119         wpabuf_free(resp);
120         wpabuf_put(avp, pos - (u8 *) wpabuf_head(avp));
121         return avp;
122 }
123
124
125 struct eap_ttls_avp {
126          /* Note: eap is allocated memory; caller is responsible for freeing
127           * it. All the other pointers are pointing to the packet data, i.e.,
128           * they must not be freed separately. */
129         u8 *eap;
130         size_t eap_len;
131         u8 *user_name;
132         size_t user_name_len;
133         u8 *user_password;
134         size_t user_password_len;
135         u8 *chap_challenge;
136         size_t chap_challenge_len;
137         u8 *chap_password;
138         size_t chap_password_len;
139         u8 *mschap_challenge;
140         size_t mschap_challenge_len;
141         u8 *mschap_response;
142         size_t mschap_response_len;
143         u8 *mschap2_response;
144         size_t mschap2_response_len;
145 };
146
147
148 static int eap_ttls_avp_parse(struct wpabuf *buf, struct eap_ttls_avp *parse)
149 {
150         struct ttls_avp *avp;
151         u8 *pos;
152         int left;
153
154         pos = wpabuf_mhead(buf);
155         left = wpabuf_len(buf);
156         os_memset(parse, 0, sizeof(*parse));
157
158         while (left > 0) {
159                 u32 avp_code, avp_length, vendor_id = 0;
160                 u8 avp_flags, *dpos;
161                 size_t pad, dlen;
162                 avp = (struct ttls_avp *) pos;
163                 avp_code = be_to_host32(avp->avp_code);
164                 avp_length = be_to_host32(avp->avp_length);
165                 avp_flags = (avp_length >> 24) & 0xff;
166                 avp_length &= 0xffffff;
167                 wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP: code=%d flags=0x%02x "
168                            "length=%d", (int) avp_code, avp_flags,
169                            (int) avp_length);
170                 if ((int) avp_length > left) {
171                         wpa_printf(MSG_WARNING, "EAP-TTLS: AVP overflow "
172                                    "(len=%d, left=%d) - dropped",
173                                    (int) avp_length, left);
174                         goto fail;
175                 }
176                 if (avp_length < sizeof(*avp)) {
177                         wpa_printf(MSG_WARNING, "EAP-TTLS: Invalid AVP length "
178                                    "%d", avp_length);
179                         goto fail;
180                 }
181                 dpos = (u8 *) (avp + 1);
182                 dlen = avp_length - sizeof(*avp);
183                 if (avp_flags & AVP_FLAGS_VENDOR) {
184                         if (dlen < 4) {
185                                 wpa_printf(MSG_WARNING, "EAP-TTLS: vendor AVP "
186                                            "underflow");
187                                 goto fail;
188                         }
189                         vendor_id = be_to_host32(* (be32 *) dpos);
190                         wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP vendor_id %d",
191                                    (int) vendor_id);
192                         dpos += 4;
193                         dlen -= 4;
194                 }
195
196                 wpa_hexdump(MSG_DEBUG, "EAP-TTLS: AVP data", dpos, dlen);
197
198                 if (vendor_id == 0 && avp_code == RADIUS_ATTR_EAP_MESSAGE) {
199                         wpa_printf(MSG_DEBUG, "EAP-TTLS: AVP - EAP Message");
200                         if (parse->eap == NULL) {
201                                 parse->eap = os_malloc(dlen);
202                                 if (parse->eap == NULL) {
203                                         wpa_printf(MSG_WARNING, "EAP-TTLS: "
204                                                    "failed to allocate memory "
205                                                    "for Phase 2 EAP data");
206                                         goto fail;
207                                 }
208                                 os_memcpy(parse->eap, dpos, dlen);
209                                 parse->eap_len = dlen;
210                         } else {
211                                 u8 *neweap = os_realloc(parse->eap,
212                                                         parse->eap_len + dlen);
213                                 if (neweap == NULL) {
214                                         wpa_printf(MSG_WARNING, "EAP-TTLS: "
215                                                    "failed to allocate memory "
216                                                    "for Phase 2 EAP data");
217                                         goto fail;
218                                 }
219                                 os_memcpy(neweap + parse->eap_len, dpos, dlen);
220                                 parse->eap = neweap;
221                                 parse->eap_len += dlen;
222                         }
223                 } else if (vendor_id == 0 &&
224                            avp_code == RADIUS_ATTR_USER_NAME) {
225                         wpa_hexdump_ascii(MSG_DEBUG, "EAP-TTLS: User-Name",
226                                           dpos, dlen);
227                         parse->user_name = dpos;
228                         parse->user_name_len = dlen;
229                 } else if (vendor_id == 0 &&
230                            avp_code == RADIUS_ATTR_USER_PASSWORD) {
231                         u8 *password = dpos;
232                         size_t password_len = dlen;
233                         while (password_len > 0 &&
234                                password[password_len - 1] == '\0') {
235                                 password_len--;
236                         }
237                         wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-TTLS: "
238                                               "User-Password (PAP)",
239                                               password, password_len);
240                         parse->user_password = password;
241                         parse->user_password_len = password_len;
242                 } else if (vendor_id == 0 &&
243                            avp_code == RADIUS_ATTR_CHAP_CHALLENGE) {
244                         wpa_hexdump(MSG_DEBUG,
245                                     "EAP-TTLS: CHAP-Challenge (CHAP)",
246                                     dpos, dlen);
247                         parse->chap_challenge = dpos;
248                         parse->chap_challenge_len = dlen;
249                 } else if (vendor_id == 0 &&
250                            avp_code == RADIUS_ATTR_CHAP_PASSWORD) {
251                         wpa_hexdump(MSG_DEBUG,
252                                     "EAP-TTLS: CHAP-Password (CHAP)",
253                                     dpos, dlen);
254                         parse->chap_password = dpos;
255                         parse->chap_password_len = dlen;
256                 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
257                            avp_code == RADIUS_ATTR_MS_CHAP_CHALLENGE) {
258                         wpa_hexdump(MSG_DEBUG,
259                                     "EAP-TTLS: MS-CHAP-Challenge",
260                                     dpos, dlen);
261                         parse->mschap_challenge = dpos;
262                         parse->mschap_challenge_len = dlen;
263                 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
264                            avp_code == RADIUS_ATTR_MS_CHAP_RESPONSE) {
265                         wpa_hexdump(MSG_DEBUG,
266                                     "EAP-TTLS: MS-CHAP-Response (MSCHAP)",
267                                     dpos, dlen);
268                         parse->mschap_response = dpos;
269                         parse->mschap_response_len = dlen;
270                 } else if (vendor_id == RADIUS_VENDOR_ID_MICROSOFT &&
271                            avp_code == RADIUS_ATTR_MS_CHAP2_RESPONSE) {
272                         wpa_hexdump(MSG_DEBUG,
273                                     "EAP-TTLS: MS-CHAP2-Response (MSCHAPV2)",
274                                     dpos, dlen);
275                         parse->mschap2_response = dpos;
276                         parse->mschap2_response_len = dlen;
277                 } else if (avp_flags & AVP_FLAGS_MANDATORY) {
278                         wpa_printf(MSG_WARNING, "EAP-TTLS: Unsupported "
279                                    "mandatory AVP code %d vendor_id %d - "
280                                    "dropped", (int) avp_code, (int) vendor_id);
281                         goto fail;
282                 } else {
283                         wpa_printf(MSG_DEBUG, "EAP-TTLS: Ignoring unsupported "
284                                    "AVP code %d vendor_id %d",
285                                    (int) avp_code, (int) vendor_id);
286                 }
287
288                 pad = (4 - (avp_length & 3)) & 3;
289                 pos += avp_length + pad;
290                 left -= avp_length + pad;
291         }
292
293         return 0;
294
295 fail:
296         os_free(parse->eap);
297         parse->eap = NULL;
298         return -1;
299 }
300
301
302 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
303                                         struct eap_ttls_data *data, size_t len)
304 {
305         return eap_server_tls_derive_key(sm, &data->ssl, "ttls challenge",
306                                          len);
307 }
308
309
310 static void * eap_ttls_init(struct eap_sm *sm)
311 {
312         struct eap_ttls_data *data;
313
314         data = os_zalloc(sizeof(*data));
315         if (data == NULL)
316                 return NULL;
317         data->ttls_version = EAP_TTLS_VERSION;
318         data->state = START;
319
320         if (eap_server_tls_ssl_init(sm, &data->ssl, 0)) {
321                 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to initialize SSL.");
322                 eap_ttls_reset(sm, data);
323                 return NULL;
324         }
325
326         return data;
327 }
328
329
330 static void eap_ttls_reset(struct eap_sm *sm, void *priv)
331 {
332         struct eap_ttls_data *data = priv;
333         if (data == NULL)
334                 return;
335         if (data->phase2_priv && data->phase2_method)
336                 data->phase2_method->reset(sm, data->phase2_priv);
337         eap_server_tls_ssl_deinit(sm, &data->ssl);
338         wpabuf_free(data->pending_phase2_eap_resp);
339         bin_clear_free(data, sizeof(*data));
340 }
341
342
343 static struct wpabuf * eap_ttls_build_start(struct eap_sm *sm,
344                                             struct eap_ttls_data *data, u8 id)
345 {       
346         struct wpabuf *req;
347
348         req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_TTLS, 1,
349                             EAP_CODE_REQUEST, id);
350         if (req == NULL) {
351                 wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to allocate memory for"
352                            " request");
353                 eap_ttls_state(data, FAILURE);
354                 return NULL;
355         }
356
357         wpabuf_put_u8(req, EAP_TLS_FLAGS_START | data->ttls_version);
358
359         eap_ttls_state(data, PHASE1);
360
361         return req;
362 }
363
364
365 static struct wpabuf * eap_ttls_build_phase2_eap_req(
366         struct eap_sm *sm, struct eap_ttls_data *data, u8 id)
367 {
368         struct wpabuf *buf, *encr_req;
369
370
371         buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
372         if (buf == NULL)
373                 return NULL;
374
375         wpa_hexdump_buf_key(MSG_DEBUG,
376                             "EAP-TTLS/EAP: Encapsulate Phase 2 data", buf);
377
378         buf = eap_ttls_avp_encapsulate(buf, RADIUS_ATTR_EAP_MESSAGE, 1);
379         if (buf == NULL) {
380                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Failed to encapsulate "
381                            "packet");
382                 return NULL;
383         }
384
385         wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated "
386                             "Phase 2 data", buf);
387
388         encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf);
389         wpabuf_free(buf);
390
391         return encr_req;
392 }
393
394
395 static struct wpabuf * eap_ttls_build_phase2_mschapv2(
396         struct eap_sm *sm, struct eap_ttls_data *data)
397 {
398         struct wpabuf *encr_req, msgbuf;
399         u8 *req, *pos, *end;
400         int ret;
401
402         pos = req = os_malloc(100);
403         if (req == NULL)
404                 return NULL;
405         end = req + 100;
406
407         if (data->mschapv2_resp_ok) {
408                 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP2_SUCCESS,
409                                        RADIUS_VENDOR_ID_MICROSOFT, 1, 43);
410                 *pos++ = data->mschapv2_ident;
411                 ret = os_snprintf((char *) pos, end - pos, "S=");
412                 if (ret >= 0 && ret < end - pos)
413                         pos += ret;
414                 pos += wpa_snprintf_hex_uppercase(
415                         (char *) pos, end - pos, data->mschapv2_auth_response,
416                         sizeof(data->mschapv2_auth_response));
417         } else {
418                 pos = eap_ttls_avp_hdr(pos, RADIUS_ATTR_MS_CHAP_ERROR,
419                                        RADIUS_VENDOR_ID_MICROSOFT, 1, 6);
420                 os_memcpy(pos, "Failed", 6);
421                 pos += 6;
422                 AVP_PAD(req, pos);
423         }
424
425         wpabuf_set(&msgbuf, req, pos - req);
426         wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 "
427                             "data", &msgbuf);
428
429         encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
430         os_free(req);
431
432         return encr_req;
433 }
434
435
436 static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
437 {
438         struct eap_ttls_data *data = priv;
439
440         if (data->ssl.state == FRAG_ACK) {
441                 return eap_server_tls_build_ack(id, EAP_TYPE_TTLS,
442                                                 data->ttls_version);
443         }
444
445         if (data->ssl.state == WAIT_FRAG_ACK) {
446                 return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
447                                                 data->ttls_version, id);
448         }
449
450         switch (data->state) {
451         case START:
452                 return eap_ttls_build_start(sm, data, id);
453         case PHASE1:
454                 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
455                         wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, "
456                                    "starting Phase2");
457                         eap_ttls_state(data, PHASE2_START);
458                 }
459                 break;
460         case PHASE2_METHOD:
461                 wpabuf_free(data->ssl.tls_out);
462                 data->ssl.tls_out_pos = 0;
463                 data->ssl.tls_out = eap_ttls_build_phase2_eap_req(sm, data,
464                                                                   id);
465                 break;
466         case PHASE2_MSCHAPV2_RESP:
467                 wpabuf_free(data->ssl.tls_out);
468                 data->ssl.tls_out_pos = 0;
469                 data->ssl.tls_out = eap_ttls_build_phase2_mschapv2(sm, data);
470                 break;
471         default:
472                 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
473                            __func__, data->state);
474                 return NULL;
475         }
476
477         return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TTLS,
478                                         data->ttls_version, id);
479 }
480
481
482 static Boolean eap_ttls_check(struct eap_sm *sm, void *priv,
483                               struct wpabuf *respData)
484 {
485         const u8 *pos;
486         size_t len;
487
488         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len);
489         if (pos == NULL || len < 1) {
490                 wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame");
491                 return TRUE;
492         }
493
494         return FALSE;
495 }
496
497
498 static void eap_ttls_process_phase2_pap(struct eap_sm *sm,
499                                         struct eap_ttls_data *data,
500                                         const u8 *user_password,
501                                         size_t user_password_len)
502 {
503         if (!sm->user || !sm->user->password || sm->user->password_hash ||
504             !(sm->user->ttls_auth & EAP_TTLS_AUTH_PAP)) {
505                 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: No plaintext user "
506                            "password configured");
507                 eap_ttls_state(data, FAILURE);
508                 return;
509         }
510
511         if (sm->user->password_len != user_password_len ||
512             os_memcmp_const(sm->user->password, user_password,
513                             user_password_len) != 0) {
514                 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password");
515                 eap_ttls_state(data, FAILURE);
516                 return;
517         }
518
519         wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Correct user password");
520         eap_ttls_state(data, SUCCESS);
521 }
522
523
524 static void eap_ttls_process_phase2_chap(struct eap_sm *sm,
525                                          struct eap_ttls_data *data,
526                                          const u8 *challenge,
527                                          size_t challenge_len,
528                                          const u8 *password,
529                                          size_t password_len)
530 {
531         u8 *chal, hash[CHAP_MD5_LEN];
532
533         if (challenge == NULL || password == NULL ||
534             challenge_len != EAP_TTLS_CHAP_CHALLENGE_LEN ||
535             password_len != 1 + EAP_TTLS_CHAP_PASSWORD_LEN) {
536                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid CHAP attributes "
537                            "(challenge len %lu password len %lu)",
538                            (unsigned long) challenge_len,
539                            (unsigned long) password_len);
540                 eap_ttls_state(data, FAILURE);
541                 return;
542         }
543
544         if (!sm->user || !sm->user->password || sm->user->password_hash ||
545             !(sm->user->ttls_auth & EAP_TTLS_AUTH_CHAP)) {
546                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: No plaintext user "
547                            "password configured");
548                 eap_ttls_state(data, FAILURE);
549                 return;
550         }
551
552         chal = eap_ttls_implicit_challenge(sm, data,
553                                            EAP_TTLS_CHAP_CHALLENGE_LEN + 1);
554         if (chal == NULL) {
555                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Failed to generate "
556                            "challenge from TLS data");
557                 eap_ttls_state(data, FAILURE);
558                 return;
559         }
560
561         if (os_memcmp_const(challenge, chal, EAP_TTLS_CHAP_CHALLENGE_LEN)
562             != 0 ||
563             password[0] != chal[EAP_TTLS_CHAP_CHALLENGE_LEN]) {
564                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Challenge mismatch");
565                 os_free(chal);
566                 eap_ttls_state(data, FAILURE);
567                 return;
568         }
569         os_free(chal);
570
571         /* MD5(Ident + Password + Challenge) */
572         chap_md5(password[0], sm->user->password, sm->user->password_len,
573                  challenge, challenge_len, hash);
574
575         if (os_memcmp_const(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) ==
576             0) {
577                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password");
578                 eap_ttls_state(data, SUCCESS);
579         } else {
580                 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password");
581                 eap_ttls_state(data, FAILURE);
582         }
583 }
584
585
586 static void eap_ttls_process_phase2_mschap(struct eap_sm *sm,
587                                            struct eap_ttls_data *data,
588                                            u8 *challenge, size_t challenge_len,
589                                            u8 *response, size_t response_len)
590 {
591         u8 *chal, nt_response[24];
592
593         if (challenge == NULL || response == NULL ||
594             challenge_len != EAP_TTLS_MSCHAP_CHALLENGE_LEN ||
595             response_len != EAP_TTLS_MSCHAP_RESPONSE_LEN) {
596                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid MS-CHAP "
597                            "attributes (challenge len %lu response len %lu)",
598                            (unsigned long) challenge_len,
599                            (unsigned long) response_len);
600                 eap_ttls_state(data, FAILURE);
601                 return;
602         }
603
604         if (!sm->user || !sm->user->password ||
605             !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAP)) {
606                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: No user password "
607                            "configured");
608                 eap_ttls_state(data, FAILURE);
609                 return;
610         }
611
612         chal = eap_ttls_implicit_challenge(sm, data,
613                                            EAP_TTLS_MSCHAP_CHALLENGE_LEN + 1);
614         if (chal == NULL) {
615                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Failed to generate "
616                            "challenge from TLS data");
617                 eap_ttls_state(data, FAILURE);
618                 return;
619         }
620
621         if (os_memcmp_const(challenge, chal, EAP_TTLS_MSCHAP_CHALLENGE_LEN)
622             != 0 ||
623             response[0] != chal[EAP_TTLS_MSCHAP_CHALLENGE_LEN]) {
624                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Challenge mismatch");
625                 os_free(chal);
626                 eap_ttls_state(data, FAILURE);
627                 return;
628         }
629         os_free(chal);
630
631         if (sm->user->password_hash)
632                 challenge_response(challenge, sm->user->password, nt_response);
633         else
634                 nt_challenge_response(challenge, sm->user->password,
635                                       sm->user->password_len, nt_response);
636
637         if (os_memcmp_const(nt_response, response + 2 + 24, 24) == 0) {
638                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response");
639                 eap_ttls_state(data, SUCCESS);
640         } else {
641                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Invalid NT-Response");
642                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Received",
643                             response + 2 + 24, 24);
644                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAP: Expected",
645                             nt_response, 24);
646                 eap_ttls_state(data, FAILURE);
647         }
648 }
649
650
651 static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
652                                              struct eap_ttls_data *data,
653                                              u8 *challenge,
654                                              size_t challenge_len,
655                                              u8 *response, size_t response_len)
656 {
657         u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge,
658                 *auth_challenge;
659         size_t username_len, i;
660
661         if (challenge == NULL || response == NULL ||
662             challenge_len != EAP_TTLS_MSCHAPV2_CHALLENGE_LEN ||
663             response_len != EAP_TTLS_MSCHAPV2_RESPONSE_LEN) {
664                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid MS-CHAP2 "
665                            "attributes (challenge len %lu response len %lu)",
666                            (unsigned long) challenge_len,
667                            (unsigned long) response_len);
668                 eap_ttls_state(data, FAILURE);
669                 return;
670         }
671
672         if (!sm->user || !sm->user->password ||
673             !(sm->user->ttls_auth & EAP_TTLS_AUTH_MSCHAPV2)) {
674                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user password "
675                            "configured");
676                 eap_ttls_state(data, FAILURE);
677                 return;
678         }
679
680         if (sm->identity == NULL) {
681                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: No user identity "
682                            "known");
683                 eap_ttls_state(data, FAILURE);
684                 return;
685         }
686
687         /* MSCHAPv2 does not include optional domain name in the
688          * challenge-response calculation, so remove domain prefix
689          * (if present). */
690         username = sm->identity;
691         username_len = sm->identity_len;
692         for (i = 0; i < username_len; i++) {
693                 if (username[i] == '\\') {
694                         username_len -= i + 1;
695                         username += i + 1;
696                         break;
697                 }
698         }
699
700         chal = eap_ttls_implicit_challenge(
701                 sm, data, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 1);
702         if (chal == NULL) {
703                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Failed to generate "
704                            "challenge from TLS data");
705                 eap_ttls_state(data, FAILURE);
706                 return;
707         }
708
709         if (os_memcmp_const(challenge, chal, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN)
710             != 0 ||
711             response[0] != chal[EAP_TTLS_MSCHAPV2_CHALLENGE_LEN]) {
712                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Challenge mismatch");
713                 os_free(chal);
714                 eap_ttls_state(data, FAILURE);
715                 return;
716         }
717         os_free(chal);
718
719         auth_challenge = challenge;
720         peer_challenge = response + 2;
721
722         wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: User",
723                           username, username_len);
724         wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: auth_challenge",
725                     auth_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
726         wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: peer_challenge",
727                     peer_challenge, EAP_TTLS_MSCHAPV2_CHALLENGE_LEN);
728
729         if (sm->user->password_hash) {
730                 generate_nt_response_pwhash(auth_challenge, peer_challenge,
731                                             username, username_len,
732                                             sm->user->password,
733                                             nt_response);
734         } else {
735                 generate_nt_response(auth_challenge, peer_challenge,
736                                      username, username_len,
737                                      sm->user->password,
738                                      sm->user->password_len,
739                                      nt_response);
740         }
741
742         rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8;
743         if (os_memcmp_const(nt_response, rx_resp, 24) == 0) {
744                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Correct "
745                            "NT-Response");
746                 data->mschapv2_resp_ok = 1;
747
748                 if (sm->user->password_hash) {
749                         generate_authenticator_response_pwhash(
750                                 sm->user->password,
751                                 peer_challenge, auth_challenge,
752                                 username, username_len, nt_response,
753                                 data->mschapv2_auth_response);
754                 } else {
755                         generate_authenticator_response(
756                                 sm->user->password, sm->user->password_len,
757                                 peer_challenge, auth_challenge,
758                                 username, username_len, nt_response,
759                                 data->mschapv2_auth_response);
760                 }
761         } else {
762                 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Invalid "
763                            "NT-Response");
764                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Received",
765                             rx_resp, 24);
766                 wpa_hexdump(MSG_MSGDUMP, "EAP-TTLS/MSCHAPV2: Expected",
767                             nt_response, 24);
768                 data->mschapv2_resp_ok = 0;
769         }
770         eap_ttls_state(data, PHASE2_MSCHAPV2_RESP);
771         data->mschapv2_ident = response[0];
772 }
773
774
775 static int eap_ttls_phase2_eap_init(struct eap_sm *sm,
776                                     struct eap_ttls_data *data,
777                                     EapType eap_type)
778 {
779         if (data->phase2_priv && data->phase2_method) {
780                 data->phase2_method->reset(sm, data->phase2_priv);
781                 data->phase2_method = NULL;
782                 data->phase2_priv = NULL;
783         }
784         data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
785                                                         eap_type);
786         if (!data->phase2_method)
787                 return -1;
788
789         sm->init_phase2 = 1;
790         data->phase2_priv = data->phase2_method->init(sm);
791         sm->init_phase2 = 0;
792         return data->phase2_priv == NULL ? -1 : 0;
793 }
794
795
796 static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
797                                                  struct eap_ttls_data *data,
798                                                  u8 *in_data, size_t in_len)
799 {
800         u8 next_type = EAP_TYPE_NONE;
801         struct eap_hdr *hdr;
802         u8 *pos;
803         size_t left;
804         struct wpabuf buf;
805         const struct eap_method *m = data->phase2_method;
806         void *priv = data->phase2_priv;
807
808         if (priv == NULL) {
809                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: %s - Phase2 not "
810                            "initialized?!", __func__);
811                 return;
812         }
813
814         hdr = (struct eap_hdr *) in_data;
815         pos = (u8 *) (hdr + 1);
816
817         if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
818                 left = in_len - sizeof(*hdr);
819                 wpa_hexdump(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 type Nak'ed; "
820                             "allowed types", pos + 1, left - 1);
821                 eap_sm_process_nak(sm, pos + 1, left - 1);
822                 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
823                     sm->user->methods[sm->user_eap_method_index].method !=
824                     EAP_TYPE_NONE) {
825                         next_type = sm->user->methods[
826                                 sm->user_eap_method_index++].method;
827                         wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d",
828                                    next_type);
829                         if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
830                                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to "
831                                            "initialize EAP type %d",
832                                            next_type);
833                                 eap_ttls_state(data, FAILURE);
834                                 return;
835                         }
836                 } else {
837                         eap_ttls_state(data, FAILURE);
838                 }
839                 return;
840         }
841
842         wpabuf_set(&buf, in_data, in_len);
843
844         if (m->check(sm, priv, &buf)) {
845                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 check() asked to "
846                            "ignore the packet");
847                 return;
848         }
849
850         m->process(sm, priv, &buf);
851
852         if (sm->method_pending == METHOD_PENDING_WAIT) {
853                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method is in "
854                            "pending wait state - save decrypted response");
855                 wpabuf_free(data->pending_phase2_eap_resp);
856                 data->pending_phase2_eap_resp = wpabuf_dup(&buf);
857         }
858
859         if (!m->isDone(sm, priv))
860                 return;
861
862         if (!m->isSuccess(sm, priv)) {
863                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: Phase2 method failed");
864                 eap_ttls_state(data, FAILURE);
865                 return;
866         }
867
868         switch (data->state) {
869         case PHASE2_START:
870                 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
871                         wpa_hexdump_ascii(MSG_DEBUG, "EAP_TTLS: Phase2 "
872                                           "Identity not found in the user "
873                                           "database",
874                                           sm->identity, sm->identity_len);
875                         eap_ttls_state(data, FAILURE);
876                         break;
877                 }
878
879                 eap_ttls_state(data, PHASE2_METHOD);
880                 next_type = sm->user->methods[0].method;
881                 sm->user_eap_method_index = 1;
882                 wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type);
883                 if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
884                         wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize "
885                                    "EAP type %d", next_type);
886                         eap_ttls_state(data, FAILURE);
887                 }
888                 break;
889         case PHASE2_METHOD:
890                 eap_ttls_state(data, SUCCESS);
891                 break;
892         case FAILURE:
893                 break;
894         default:
895                 wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
896                            __func__, data->state);
897                 break;
898         }
899 }
900
901
902 static void eap_ttls_process_phase2_eap(struct eap_sm *sm,
903                                         struct eap_ttls_data *data,
904                                         const u8 *eap, size_t eap_len)
905 {
906         struct eap_hdr *hdr;
907         size_t len;
908
909         if (data->state == PHASE2_START) {
910                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2");
911                 if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0)
912                 {
913                         wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to "
914                                    "initialize EAP-Identity");
915                         return;
916                 }
917         }
918
919         if (eap_len < sizeof(*hdr)) {
920                 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: too short Phase 2 EAP "
921                            "packet (len=%lu)", (unsigned long) eap_len);
922                 return;
923         }
924
925         hdr = (struct eap_hdr *) eap;
926         len = be_to_host16(hdr->length);
927         wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: received Phase 2 EAP: code=%d "
928                    "identifier=%d length=%lu", hdr->code, hdr->identifier,
929                    (unsigned long) len);
930         if (len > eap_len) {
931                 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Length mismatch in Phase 2"
932                            " EAP frame (hdr len=%lu, data len in AVP=%lu)",
933                            (unsigned long) len, (unsigned long) eap_len);
934                 return;
935         }
936
937         switch (hdr->code) {
938         case EAP_CODE_RESPONSE:
939                 eap_ttls_process_phase2_eap_response(sm, data, (u8 *) hdr,
940                                                      len);
941                 break;
942         default:
943                 wpa_printf(MSG_INFO, "EAP-TTLS/EAP: Unexpected code=%d in "
944                            "Phase 2 EAP header", hdr->code);
945                 break;
946         }
947 }
948
949
950 static void eap_ttls_process_phase2(struct eap_sm *sm,
951                                     struct eap_ttls_data *data,
952                                     struct wpabuf *in_buf)
953 {
954         struct wpabuf *in_decrypted;
955         struct eap_ttls_avp parse;
956
957         wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
958                    " Phase 2", (unsigned long) wpabuf_len(in_buf));
959
960         if (data->pending_phase2_eap_resp) {
961                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response "
962                            "- skip decryption and use old data");
963                 eap_ttls_process_phase2_eap(
964                         sm, data, wpabuf_head(data->pending_phase2_eap_resp),
965                         wpabuf_len(data->pending_phase2_eap_resp));
966                 wpabuf_free(data->pending_phase2_eap_resp);
967                 data->pending_phase2_eap_resp = NULL;
968                 return;
969         }
970
971         in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
972                                               in_buf);
973         if (in_decrypted == NULL) {
974                 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
975                            "data");
976                 eap_ttls_state(data, FAILURE);
977                 return;
978         }
979
980         wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP",
981                             in_decrypted);
982
983         if (eap_ttls_avp_parse(in_decrypted, &parse) < 0) {
984                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs");
985                 wpabuf_free(in_decrypted);
986                 eap_ttls_state(data, FAILURE);
987                 return;
988         }
989
990         if (parse.user_name) {
991                 char *nbuf;
992                 nbuf = os_malloc(parse.user_name_len * 4 + 1);
993                 if (nbuf) {
994                         printf_encode(nbuf, parse.user_name_len * 4 + 1,
995                                       parse.user_name,
996                                       parse.user_name_len);
997                         eap_log_msg(sm, "TTLS-User-Name '%s'", nbuf);
998                         os_free(nbuf);
999                 }
1000
1001                 os_free(sm->identity);
1002                 sm->identity = os_malloc(parse.user_name_len);
1003                 if (sm->identity == NULL) {
1004                         eap_ttls_state(data, FAILURE);
1005                         goto done;
1006                 }
1007                 os_memcpy(sm->identity, parse.user_name, parse.user_name_len);
1008                 sm->identity_len = parse.user_name_len;
1009                 if (eap_user_get(sm, parse.user_name, parse.user_name_len, 1)
1010                     != 0) {
1011                         wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase2 Identity not "
1012                                    "found in the user database");
1013                         eap_ttls_state(data, FAILURE);
1014                         goto done;
1015                 }
1016         }
1017
1018 #ifdef EAP_SERVER_TNC
1019         if (data->tnc_started && parse.eap == NULL) {
1020                 wpa_printf(MSG_DEBUG, "EAP-TTLS: TNC started but no EAP "
1021                            "response from peer");
1022                 eap_ttls_state(data, FAILURE);
1023                 goto done;
1024         }
1025 #endif /* EAP_SERVER_TNC */
1026
1027         if (parse.eap) {
1028                 eap_ttls_process_phase2_eap(sm, data, parse.eap,
1029                                             parse.eap_len);
1030         } else if (parse.user_password) {
1031                 eap_ttls_process_phase2_pap(sm, data, parse.user_password,
1032                                             parse.user_password_len);
1033         } else if (parse.chap_password) {
1034                 eap_ttls_process_phase2_chap(sm, data,
1035                                              parse.chap_challenge,
1036                                              parse.chap_challenge_len,
1037                                              parse.chap_password,
1038                                              parse.chap_password_len);
1039         } else if (parse.mschap_response) {
1040                 eap_ttls_process_phase2_mschap(sm, data,
1041                                                parse.mschap_challenge,
1042                                                parse.mschap_challenge_len,
1043                                                parse.mschap_response,
1044                                                parse.mschap_response_len);
1045         } else if (parse.mschap2_response) {
1046                 eap_ttls_process_phase2_mschapv2(sm, data,
1047                                                  parse.mschap_challenge,
1048                                                  parse.mschap_challenge_len,
1049                                                  parse.mschap2_response,
1050                                                  parse.mschap2_response_len);
1051         }
1052
1053 done:
1054         wpabuf_free(in_decrypted);
1055         os_free(parse.eap);
1056 }
1057
1058
1059 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data)
1060 {
1061 #ifdef EAP_SERVER_TNC
1062         if (!sm->tnc || data->state != SUCCESS || data->tnc_started)
1063                 return;
1064
1065         wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC");
1066         if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_TNC)) {
1067                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC");
1068                 eap_ttls_state(data, FAILURE);
1069                 return;
1070         }
1071
1072         data->tnc_started = 1;
1073         eap_ttls_state(data, PHASE2_METHOD);
1074 #endif /* EAP_SERVER_TNC */
1075 }
1076
1077
1078 static int eap_ttls_process_version(struct eap_sm *sm, void *priv,
1079                                     int peer_version)
1080 {
1081         struct eap_ttls_data *data = priv;
1082         if (peer_version < data->ttls_version) {
1083                 wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; "
1084                            "use version %d",
1085                            peer_version, data->ttls_version, peer_version);
1086                 data->ttls_version = peer_version;
1087         }
1088
1089         return 0;
1090 }
1091
1092
1093 static void eap_ttls_process_msg(struct eap_sm *sm, void *priv,
1094                                  const struct wpabuf *respData)
1095 {
1096         struct eap_ttls_data *data = priv;
1097
1098         switch (data->state) {
1099         case PHASE1:
1100                 if (eap_server_tls_phase1(sm, &data->ssl) < 0)
1101                         eap_ttls_state(data, FAILURE);
1102                 break;
1103         case PHASE2_START:
1104         case PHASE2_METHOD:
1105                 eap_ttls_process_phase2(sm, data, data->ssl.tls_in);
1106                 eap_ttls_start_tnc(sm, data);
1107                 break;
1108         case PHASE2_MSCHAPV2_RESP:
1109                 if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) ==
1110                     0) {
1111                         wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1112                                    "acknowledged response");
1113                         eap_ttls_state(data, SUCCESS);
1114                 } else if (!data->mschapv2_resp_ok) {
1115                         wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
1116                                    "acknowledged error");
1117                         eap_ttls_state(data, FAILURE);
1118                 } else {
1119                         wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected "
1120                                    "frame from peer (payload len %lu, "
1121                                    "expected empty frame)",
1122                                    (unsigned long)
1123                                    wpabuf_len(data->ssl.tls_in));
1124                         eap_ttls_state(data, FAILURE);
1125                 }
1126                 eap_ttls_start_tnc(sm, data);
1127                 break;
1128         default:
1129                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Unexpected state %d in %s",
1130                            data->state, __func__);
1131                 break;
1132         }
1133 }
1134
1135
1136 static void eap_ttls_process(struct eap_sm *sm, void *priv,
1137                              struct wpabuf *respData)
1138 {
1139         struct eap_ttls_data *data = priv;
1140         if (eap_server_tls_process(sm, &data->ssl, respData, data,
1141                                    EAP_TYPE_TTLS, eap_ttls_process_version,
1142                                    eap_ttls_process_msg) < 0)
1143                 eap_ttls_state(data, FAILURE);
1144 }
1145
1146
1147 static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv)
1148 {
1149         struct eap_ttls_data *data = priv;
1150         return data->state == SUCCESS || data->state == FAILURE;
1151 }
1152
1153
1154 static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
1155 {
1156         struct eap_ttls_data *data = priv;
1157         u8 *eapKeyData;
1158
1159         if (data->state != SUCCESS)
1160                 return NULL;
1161
1162         eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
1163                                                "ttls keying material",
1164                                                EAP_TLS_KEY_LEN);
1165         if (eapKeyData) {
1166                 *len = EAP_TLS_KEY_LEN;
1167                 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
1168                                 eapKeyData, EAP_TLS_KEY_LEN);
1169         } else {
1170                 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to derive key");
1171         }
1172
1173         return eapKeyData;
1174 }
1175
1176
1177 static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv)
1178 {
1179         struct eap_ttls_data *data = priv;
1180         return data->state == SUCCESS;
1181 }
1182
1183
1184 int eap_server_ttls_register(void)
1185 {
1186         struct eap_method *eap;
1187         int ret;
1188
1189         eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1190                                       EAP_VENDOR_IETF, EAP_TYPE_TTLS, "TTLS");
1191         if (eap == NULL)
1192                 return -1;
1193
1194         eap->init = eap_ttls_init;
1195         eap->reset = eap_ttls_reset;
1196         eap->buildReq = eap_ttls_buildReq;
1197         eap->check = eap_ttls_check;
1198         eap->process = eap_ttls_process;
1199         eap->isDone = eap_ttls_isDone;
1200         eap->getKey = eap_ttls_getKey;
1201         eap->isSuccess = eap_ttls_isSuccess;
1202
1203         ret = eap_server_method_register(eap);
1204         if (ret)
1205                 eap_server_method_free(eap);
1206         return ret;
1207 }
Moonshot GSS-API mechanism