search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Sync mly(4) with FreeBSD.
[dragonfly.git] / contrib / hostapd-0.5.8 / eap_peap.c
blob6ea1f618a1d8f0b187d64554e97dbb0429978200
1 /*
2 * hostapd / EAP-PEAP (draft-josefsson-pppext-eap-tls-eap-07.txt)
3 * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15 #include "includes.h"
16
17 #include "hostapd.h"
18 #include "common.h"
19 #include "eap_i.h"
20 #include "eap_tls_common.h"
21 #include "tls.h"
22
23
24 /* Maximum supported PEAP version
25 * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
26 * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt
27 * 2 = draft-josefsson-ppext-eap-tls-eap-07.txt
28 */
29 #define EAP_PEAP_VERSION 1
30
31
32 static void eap_peap_reset(struct eap_sm *sm, void *priv);
33
34
35 struct eap_peap_data {
36 struct eap_ssl_data ssl;
37 enum {
38 START, PHASE1, PHASE2_START, PHASE2_ID, PHASE2_METHOD,
39 PHASE2_TLV, SUCCESS_REQ, FAILURE_REQ, SUCCESS, FAILURE
40 } state;
41
42 int peap_version;
43 const struct eap_method *phase2_method;
44 void *phase2_priv;
45 int force_version;
46 };
47
48
49 static const char * eap_peap_state_txt(int state)
50 {
51 switch (state) {
52 case START:
53 return "START";
54 case PHASE1:
55 return "PHASE1";
56 case PHASE2_START:
57 return "PHASE2_START";
58 case PHASE2_ID:
59 return "PHASE2_ID";
60 case PHASE2_METHOD:
61 return "PHASE2_METHOD";
62 case PHASE2_TLV:
63 return "PHASE2_TLV";
64 case SUCCESS_REQ:
65 return "SUCCESS_REQ";
66 case FAILURE_REQ:
67 return "FAILURE_REQ";
68 case SUCCESS:
69 return "SUCCESS";
70 case FAILURE:
71 return "FAILURE";
72 default:
73 return "Unknown?!";
74 }
75 }
76
77
78 static void eap_peap_state(struct eap_peap_data *data, int state)
79 {
80 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s -> %s",
81 eap_peap_state_txt(data->state),
82 eap_peap_state_txt(state));
83 data->state = state;
84 }
85
86
87 static EapType eap_peap_req_success(struct eap_sm *sm,
88 struct eap_peap_data *data)
89 {
90 if (data->state == FAILURE || data->state == FAILURE_REQ) {
91 eap_peap_state(data, FAILURE);
92 return EAP_TYPE_NONE;
93 }
94
95 if (data->peap_version == 0) {
96 sm->tlv_request = TLV_REQ_SUCCESS;
97 eap_peap_state(data, PHASE2_TLV);
98 return EAP_TYPE_TLV;
99 } else {
100 eap_peap_state(data, SUCCESS_REQ);
101 return EAP_TYPE_NONE;
102 }
103 }
104
105
106 static EapType eap_peap_req_failure(struct eap_sm *sm,
107 struct eap_peap_data *data)
108 {
109 if (data->state == FAILURE || data->state == FAILURE_REQ ||
110 data->state == SUCCESS_REQ ||
111 (data->phase2_method &&
112 data->phase2_method->method == EAP_TYPE_TLV)) {
113 eap_peap_state(data, FAILURE);
114 return EAP_TYPE_NONE;
115 }
116
117 if (data->peap_version == 0) {
118 sm->tlv_request = TLV_REQ_FAILURE;
119 eap_peap_state(data, PHASE2_TLV);
120 return EAP_TYPE_TLV;
121 } else {
122 eap_peap_state(data, FAILURE_REQ);
123 return EAP_TYPE_NONE;
124 }
125 }
126
127
128 static void * eap_peap_init(struct eap_sm *sm)
129 {
130 struct eap_peap_data *data;
131
132 data = wpa_zalloc(sizeof(*data));
133 if (data == NULL)
134 return NULL;
135 data->peap_version = EAP_PEAP_VERSION;
136 data->force_version = -1;
137 if (sm->user && sm->user->force_version >= 0) {
138 data->force_version = sm->user->force_version;
139 wpa_printf(MSG_DEBUG, "EAP-PEAP: forcing version %d",
140 data->force_version);
141 data->peap_version = data->force_version;
142 }
143 data->state = START;
144
145 if (eap_tls_ssl_init(sm, &data->ssl, 0)) {
146 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to initialize SSL.");
147 eap_peap_reset(sm, data);
148 return NULL;
149 }
150
151 return data;
152 }
153
154
155 static void eap_peap_reset(struct eap_sm *sm, void *priv)
156 {
157 struct eap_peap_data *data = priv;
158 if (data == NULL)
159 return;
160 if (data->phase2_priv && data->phase2_method)
161 data->phase2_method->reset(sm, data->phase2_priv);
162 eap_tls_ssl_deinit(sm, &data->ssl);
163 free(data);
164 }
165
166
167 static u8 * eap_peap_build_start(struct eap_sm *sm, struct eap_peap_data *data,
168 int id, size_t *reqDataLen)
169 {
170 struct eap_hdr *req;
171 u8 *pos;
172
173 *reqDataLen = sizeof(*req) + 2;
174 req = malloc(*reqDataLen);
175 if (req == NULL) {
176 wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to allocate memory for"
177 " request");
178 eap_peap_state(data, FAILURE);
179 return NULL;
180 }
181
182 req->code = EAP_CODE_REQUEST;
183 req->identifier = id;
184 req->length = htons(*reqDataLen);
185 pos = (u8 *) (req + 1);
186 *pos++ = EAP_TYPE_PEAP;
187 *pos = EAP_TLS_FLAGS_START | data->peap_version;
188
189 eap_peap_state(data, PHASE1);
190
191 return (u8 *) req;
192 }
193
194
195 static u8 * eap_peap_build_req(struct eap_sm *sm, struct eap_peap_data *data,
196 int id, size_t *reqDataLen)
197 {
198 int res;
199 u8 *req;
200
201 res = eap_tls_buildReq_helper(sm, &data->ssl, EAP_TYPE_PEAP,
202 data->peap_version, id, &req,
203 reqDataLen);
204
205 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
206 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, starting "
207 "Phase2");
208 eap_peap_state(data, PHASE2_START);
209 }
210
211 if (res == 1)
212 return eap_tls_build_ack(reqDataLen, id, EAP_TYPE_PEAP,
213 data->peap_version);
214 return req;
215 }
216
217
218 static u8 * eap_peap_encrypt(struct eap_sm *sm, struct eap_peap_data *data,
219 int id, u8 *plain, size_t plain_len,
220 size_t *out_len)
221 {
222 int res;
223 u8 *pos;
224 struct eap_hdr *req;
225
226 /* TODO: add support for fragmentation, if needed. This will need to
227 * add TLS Message Length field, if the frame is fragmented. */
228 req = malloc(sizeof(struct eap_hdr) + 2 + data->ssl.tls_out_limit);
229 if (req == NULL)
230 return NULL;
231
232 req->code = EAP_CODE_REQUEST;
233 req->identifier = id;
234
235 pos = (u8 *) (req + 1);
236 *pos++ = EAP_TYPE_PEAP;
237 *pos++ = data->peap_version;
238
239 res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
240 plain, plain_len,
241 pos, data->ssl.tls_out_limit);
242 if (res < 0) {
243 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt Phase 2 "
244 "data");
245 free(req);
246 return NULL;
247 }
248
249 *out_len = sizeof(struct eap_hdr) + 2 + res;
250 req->length = host_to_be16(*out_len);
251 return (u8 *) req;
252 }
253
254
255 static u8 * eap_peap_build_phase2_req(struct eap_sm *sm,
256 struct eap_peap_data *data,
257 int id, size_t *reqDataLen)
258 {
259 u8 *req, *buf, *encr_req;
260 size_t req_len;
261
262 buf = req = data->phase2_method->buildReq(sm, data->phase2_priv, id,
263 &req_len);
264 if (req == NULL)
265 return NULL;
266
267 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
268 req, req_len);
269
270 if (data->peap_version == 0 &&
271 data->phase2_method->method != EAP_TYPE_TLV) {
272 req += sizeof(struct eap_hdr);
273 req_len -= sizeof(struct eap_hdr);
274 }
275
276 encr_req = eap_peap_encrypt(sm, data, id, req, req_len, reqDataLen);
277 free(buf);
278
279 return encr_req;
280 }
281
282
283 static u8 * eap_peap_build_phase2_term(struct eap_sm *sm,
284 struct eap_peap_data *data,
285 int id, size_t *reqDataLen, int success)
286 {
287 u8 *encr_req;
288 size_t req_len;
289 struct eap_hdr *hdr;
290
291 req_len = sizeof(*hdr);
292 hdr = wpa_zalloc(req_len);
293 if (hdr == NULL)
294 return NULL;
295
296 hdr->code = success ? EAP_CODE_SUCCESS : EAP_CODE_FAILURE;
297 hdr->identifier = id;
298 hdr->length = htons(req_len);
299
300 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
301 (u8 *) hdr, req_len);
302
303 encr_req = eap_peap_encrypt(sm, data, id, (u8 *) hdr, req_len,
304 reqDataLen);
305 free(hdr);
306
307 return encr_req;
308 }
309
310
311 static u8 * eap_peap_buildReq(struct eap_sm *sm, void *priv, int id,
312 size_t *reqDataLen)
313 {
314 struct eap_peap_data *data = priv;
315
316 switch (data->state) {
317 case START:
318 return eap_peap_build_start(sm, data, id, reqDataLen);
319 case PHASE1:
320 return eap_peap_build_req(sm, data, id, reqDataLen);
321 case PHASE2_ID:
322 case PHASE2_METHOD:
323 case PHASE2_TLV:
324 return eap_peap_build_phase2_req(sm, data, id, reqDataLen);
325 case SUCCESS_REQ:
326 return eap_peap_build_phase2_term(sm, data, id, reqDataLen, 1);
327 case FAILURE_REQ:
328 return eap_peap_build_phase2_term(sm, data, id, reqDataLen, 0);
329 default:
330 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - unexpected state %d",
331 __func__, data->state);
332 return NULL;
333 }
334 }
335
336
337 static Boolean eap_peap_check(struct eap_sm *sm, void *priv,
338 u8 *respData, size_t respDataLen)
339 {
340 struct eap_hdr *resp;
341 u8 *pos;
342
343 resp = (struct eap_hdr *) respData;
344 pos = (u8 *) (resp + 1);
345 if (respDataLen < sizeof(*resp) + 2 || *pos != EAP_TYPE_PEAP ||
346 (ntohs(resp->length)) > respDataLen) {
347 wpa_printf(MSG_INFO, "EAP-PEAP: Invalid frame");
348 return TRUE;
349 }
350
351 return FALSE;
352 }
353
354
355 static int eap_peap_phase2_init(struct eap_sm *sm, struct eap_peap_data *data,
356 EapType eap_type)
357 {
358 if (data->phase2_priv && data->phase2_method) {
359 data->phase2_method->reset(sm, data->phase2_priv);
360 data->phase2_method = NULL;
361 data->phase2_priv = NULL;
362 }
363 data->phase2_method = eap_sm_get_eap_methods(EAP_VENDOR_IETF,
364 eap_type);
365 if (!data->phase2_method)
366 return -1;
367
368 sm->init_phase2 = 1;
369 data->phase2_priv = data->phase2_method->init(sm);
370 sm->init_phase2 = 0;
371 return 0;
372 }
373
374
375 static void eap_peap_process_phase2_response(struct eap_sm *sm,
376 struct eap_peap_data *data,
377 u8 *in_data, size_t in_len)
378 {
379 u8 next_type = EAP_TYPE_NONE;
380 struct eap_hdr *hdr;
381 u8 *pos;
382 size_t left;
383
384 if (data->phase2_priv == NULL) {
385 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - Phase2 not "
386 "initialized?!", __func__);
387 return;
388 }
389
390 hdr = (struct eap_hdr *) in_data;
391 pos = (u8 *) (hdr + 1);
392
393 if (in_len > sizeof(*hdr) && *pos == EAP_TYPE_NAK) {
394 left = in_len - sizeof(*hdr);
395 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Phase2 type Nak'ed; "
396 "allowed types", pos + 1, left - 1);
397 eap_sm_process_nak(sm, pos + 1, left - 1);
398 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
399 sm->user->methods[sm->user_eap_method_index].method !=
400 EAP_TYPE_NONE) {
401 next_type = sm->user->methods[
402 sm->user_eap_method_index++].method;
403 wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP type %d",
404 next_type);
405 } else {
406 next_type = eap_peap_req_failure(sm, data);
407 }
408 eap_peap_phase2_init(sm, data, next_type);
409 return;
410 }
411
412 if (data->phase2_method->check(sm, data->phase2_priv, in_data,
413 in_len)) {
414 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 check() asked to "
415 "ignore the packet");
416 return;
417 }
418
419 data->phase2_method->process(sm, data->phase2_priv, in_data, in_len);
420
421 if (!data->phase2_method->isDone(sm, data->phase2_priv))
422 return;
423
424
425 if (!data->phase2_method->isSuccess(sm, data->phase2_priv)) {
426 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase2 method failed");
427 next_type = eap_peap_req_failure(sm, data);
428 eap_peap_phase2_init(sm, data, next_type);
429 return;
430 }
431
432 switch (data->state) {
433 case PHASE2_ID:
434 if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
435 wpa_hexdump_ascii(MSG_DEBUG, "EAP_PEAP: Phase2 "
436 "Identity not found in the user "
437 "database",
438 sm->identity, sm->identity_len);
439 next_type = eap_peap_req_failure(sm, data);
440 break;
441 }
442
443 eap_peap_state(data, PHASE2_METHOD);
444 next_type = sm->user->methods[0].method;
445 sm->user_eap_method_index = 1;
446 wpa_printf(MSG_DEBUG, "EAP-PEAP: try EAP type %d", next_type);
447 break;
448 case PHASE2_METHOD:
449 next_type = eap_peap_req_success(sm, data);
450 break;
451 case PHASE2_TLV:
452 if (sm->tlv_request == TLV_REQ_SUCCESS ||
453 data->state == SUCCESS_REQ) {
454 eap_peap_state(data, SUCCESS);
455 } else {
456 eap_peap_state(data, FAILURE);
457 }
458 break;
459 case FAILURE:
460 break;
461 default:
462 wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - unexpected state %d",
463 __func__, data->state);
464 break;
465 }
466
467 eap_peap_phase2_init(sm, data, next_type);
468 }
469
470
471 static void eap_peap_process_phase2(struct eap_sm *sm,
472 struct eap_peap_data *data,
473 struct eap_hdr *resp,
474 u8 *in_data, size_t in_len)
475 {
476 u8 *in_decrypted;
477 int len_decrypted, len, res;
478 struct eap_hdr *hdr;
479 size_t buf_len;
480
481 wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for"
482 " Phase 2", (unsigned long) in_len);
483
484 res = eap_tls_data_reassemble(sm, &data->ssl, &in_data, &in_len);
485 if (res < 0 || res == 1)
486 return;
487
488 buf_len = in_len;
489 if (data->ssl.tls_in_total > buf_len)
490 buf_len = data->ssl.tls_in_total;
491 in_decrypted = malloc(buf_len);
492 if (in_decrypted == NULL) {
493 free(data->ssl.tls_in);
494 data->ssl.tls_in = NULL;
495 data->ssl.tls_in_len = 0;
496 wpa_printf(MSG_WARNING, "EAP-PEAP: failed to allocate memory "
497 "for decryption");
498 return;
499 }
500
501 len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
502 in_data, in_len,
503 in_decrypted, buf_len);
504 free(data->ssl.tls_in);
505 data->ssl.tls_in = NULL;
506 data->ssl.tls_in_len = 0;
507 if (len_decrypted < 0) {
508 wpa_printf(MSG_INFO, "EAP-PEAP: Failed to decrypt Phase 2 "
509 "data");
510 free(in_decrypted);
511 eap_peap_state(data, FAILURE);
512 return;
513 }
514
515 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP",
516 in_decrypted, len_decrypted);
517
518 hdr = (struct eap_hdr *) in_decrypted;
519
520 if (data->peap_version == 0 && data->state != PHASE2_TLV) {
521 struct eap_hdr *nhdr = malloc(sizeof(struct eap_hdr) +
522 len_decrypted);
523 if (nhdr == NULL) {
524 free(in_decrypted);
525 return;
526 }
527 memcpy((u8 *) (nhdr + 1), in_decrypted, len_decrypted);
528 free(in_decrypted);
529 nhdr->code = resp->code;
530 nhdr->identifier = resp->identifier;
531 nhdr->length = host_to_be16(sizeof(struct eap_hdr) +
532 len_decrypted);
533
534 len_decrypted += sizeof(struct eap_hdr);
535 in_decrypted = (u8 *) nhdr;
536 }
537 hdr = (struct eap_hdr *) in_decrypted;
538 if (len_decrypted < (int) sizeof(*hdr)) {
539 free(in_decrypted);
540 wpa_printf(MSG_INFO, "EAP-PEAP: Too short Phase 2 "
541 "EAP frame (len=%d)", len_decrypted);
542 eap_peap_req_failure(sm, data);
543 return;
544 }
545 len = be_to_host16(hdr->length);
546 if (len > len_decrypted) {
547 free(in_decrypted);
548 wpa_printf(MSG_INFO, "EAP-PEAP: Length mismatch in "
549 "Phase 2 EAP frame (len=%d hdr->length=%d)",
550 len_decrypted, len);
551 eap_peap_req_failure(sm, data);
552 return;
553 }
554 wpa_printf(MSG_DEBUG, "EAP-PEAP: received Phase 2: code=%d "
555 "identifier=%d length=%d", hdr->code, hdr->identifier, len);
556 switch (hdr->code) {
557 case EAP_CODE_RESPONSE:
558 eap_peap_process_phase2_response(sm, data, (u8 *) hdr, len);
559 break;
560 case EAP_CODE_SUCCESS:
561 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Success");
562 if (data->state == SUCCESS_REQ) {
563 eap_peap_state(data, SUCCESS);
564 }
565 break;
566 case EAP_CODE_FAILURE:
567 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 Failure");
568 eap_peap_state(data, FAILURE);
569 break;
570 default:
571 wpa_printf(MSG_INFO, "EAP-PEAP: Unexpected code=%d in "
572 "Phase 2 EAP header", hdr->code);
573 break;
574 }
575
576 free(in_decrypted);
577 }
578
579
580 static void eap_peap_process(struct eap_sm *sm, void *priv,
581 u8 *respData, size_t respDataLen)
582 {
583 struct eap_peap_data *data = priv;
584 struct eap_hdr *resp;
585 u8 *pos, flags;
586 int left;
587 unsigned int tls_msg_len;
588 int peer_version;
589
590 resp = (struct eap_hdr *) respData;
591 pos = (u8 *) (resp + 1);
592 pos++;
593 flags = *pos++;
594 left = htons(resp->length) - sizeof(struct eap_hdr) - 2;
595 wpa_printf(MSG_DEBUG, "EAP-PEAP: Received packet(len=%lu) - "
596 "Flags 0x%02x", (unsigned long) respDataLen, flags);
597 peer_version = flags & EAP_PEAP_VERSION_MASK;
598 if (data->force_version >= 0 && peer_version != data->force_version) {
599 wpa_printf(MSG_INFO, "EAP-PEAP: peer did not select the forced"
600 " version (forced=%d peer=%d) - reject",
601 data->force_version, peer_version);
602 eap_peap_state(data, FAILURE);
603 return;
604 }
605 if (peer_version < data->peap_version) {
606 wpa_printf(MSG_DEBUG, "EAP-PEAP: peer ver=%d, own ver=%d; "
607 "use version %d",
608 peer_version, data->peap_version, peer_version);
609 data->peap_version = peer_version;
610 }
611 if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
612 if (left < 4) {
613 wpa_printf(MSG_INFO, "EAP-PEAP: Short frame with TLS "
614 "length");
615 eap_peap_state(data, FAILURE);
616 return;
617 }
618 tls_msg_len = (pos[0] << 24) | (pos[1] << 16) | (pos[2] << 8) |
619 pos[3];
620 wpa_printf(MSG_DEBUG, "EAP-PEAP: TLS Message Length: %d",
621 tls_msg_len);
622 if (data->ssl.tls_in_left == 0) {
623 data->ssl.tls_in_total = tls_msg_len;
624 data->ssl.tls_in_left = tls_msg_len;
625 free(data->ssl.tls_in);
626 data->ssl.tls_in = NULL;
627 data->ssl.tls_in_len = 0;
628 }
629 pos += 4;
630 left -= 4;
631 }
632
633 switch (data->state) {
634 case PHASE1:
635 if (eap_tls_process_helper(sm, &data->ssl, pos, left) < 0) {
636 wpa_printf(MSG_INFO, "EAP-PEAP: TLS processing "
637 "failed");
638 eap_peap_state(data, FAILURE);
639 }
640 break;
641 case PHASE2_START:
642 eap_peap_state(data, PHASE2_ID);
643 eap_peap_phase2_init(sm, data, EAP_TYPE_IDENTITY);
644 break;
645 case PHASE2_ID:
646 case PHASE2_METHOD:
647 case PHASE2_TLV:
648 eap_peap_process_phase2(sm, data, resp, pos, left);
649 break;
650 case SUCCESS_REQ:
651 eap_peap_state(data, SUCCESS);
652 break;
653 case FAILURE_REQ:
654 eap_peap_state(data, FAILURE);
655 break;
656 default:
657 wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected state %d in %s",
658 data->state, __func__);
659 break;
660 }
661
662 if (tls_connection_get_write_alerts(sm->ssl_ctx, data->ssl.conn) > 1) {
663 wpa_printf(MSG_INFO, "EAP-PEAP: Locally detected fatal error "
664 "in TLS processing");
665 eap_peap_state(data, FAILURE);
666 }
667 }
668
669
670 static Boolean eap_peap_isDone(struct eap_sm *sm, void *priv)
671 {
672 struct eap_peap_data *data = priv;
673 return data->state == SUCCESS || data->state == FAILURE;
674 }
675
676
677 static u8 * eap_peap_getKey(struct eap_sm *sm, void *priv, size_t *len)
678 {
679 struct eap_peap_data *data = priv;
680 u8 *eapKeyData;
681
682 if (data->state != SUCCESS)
683 return NULL;
684
685 /* TODO: PEAPv1 - different label in some cases */
686 eapKeyData = eap_tls_derive_key(sm, &data->ssl,
687 "client EAP encryption",
688 EAP_TLS_KEY_LEN);
689 if (eapKeyData) {
690 *len = EAP_TLS_KEY_LEN;
691 wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Derived key",
692 eapKeyData, EAP_TLS_KEY_LEN);
693 } else {
694 wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to derive key");
695 }
696
697 return eapKeyData;
698 }
699
700
701 static Boolean eap_peap_isSuccess(struct eap_sm *sm, void *priv)
702 {
703 struct eap_peap_data *data = priv;
704 return data->state == SUCCESS;
705 }
706
707
708 int eap_server_peap_register(void)
709 {
710 struct eap_method *eap;
711 int ret;
712
713 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
714 EAP_VENDOR_IETF, EAP_TYPE_PEAP, "PEAP");
715 if (eap == NULL)
716 return -1;
717
718 eap->init = eap_peap_init;
719 eap->reset = eap_peap_reset;
720 eap->buildReq = eap_peap_buildReq;
721 eap->check = eap_peap_check;
722 eap->process = eap_peap_process;
723 eap->isDone = eap_peap_isDone;
724 eap->getKey = eap_peap_getKey;
725 eap->isSuccess = eap_peap_isSuccess;
726
727 ret = eap_server_method_register(eap);
728 if (ret)
729 eap_server_method_free(eap);
730 return ret;
731 }
DragonFly BSD