1 /*
2  * EAP peer: EAP-TLS/PEAP/TTLS/FAST common functions
3  * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/sha1.h"
13 #include "crypto/tls.h"
14 #include "eap_i.h"
15 #include "eap_tls_common.h"
16 #include "eap_config.h"
17 
18 
eap_tls_msg_alloc(enum eap_type type,size_t payload_len,u8 code,u8 identifier)19 static struct wpabuf * eap_tls_msg_alloc(enum eap_type type, size_t payload_len,
20                                                    u8 code, u8 identifier)
21 {
22           if (type == EAP_UNAUTH_TLS_TYPE)
23                     return eap_msg_alloc(EAP_VENDOR_UNAUTH_TLS,
24                                              EAP_VENDOR_TYPE_UNAUTH_TLS, payload_len,
25                                              code, identifier);
26           if (type == EAP_WFA_UNAUTH_TLS_TYPE)
27                     return eap_msg_alloc(EAP_VENDOR_WFA_NEW,
28                                              EAP_VENDOR_WFA_UNAUTH_TLS, payload_len,
29                                              code, identifier);
30           return eap_msg_alloc(EAP_VENDOR_IETF, type, payload_len, code,
31                                    identifier);
32 }
33 
34 
eap_tls_check_blob(struct eap_sm * sm,const char ** name,const u8 ** data,size_t * data_len)35 static int eap_tls_check_blob(struct eap_sm *sm, const char **name,
36                                     const u8 **data, size_t *data_len)
37 {
38           const struct wpa_config_blob *blob;
39 
40           if (*name == NULL || os_strncmp(*name, "blob://", 7) != 0)
41                     return 0;
42 
43           blob = eap_get_config_blob(sm, *name + 7);
44           if (blob == NULL) {
45                     wpa_printf(MSG_ERROR, "%s: Named configuration blob '%s' not "
46                                  "found", __func__, *name + 7);
47                     return -1;
48           }
49 
50           *name = NULL;
51           *data = blob->data;
52           *data_len = blob->len;
53 
54           return 0;
55 }
56 
57 
eap_tls_params_flags(struct tls_connection_params * params,const char * txt)58 static void eap_tls_params_flags(struct tls_connection_params *params,
59                                          const char *txt)
60 {
61           if (txt == NULL)
62                     return;
63           if (os_strstr(txt, "tls_allow_md5=1"))
64                     params->flags |= TLS_CONN_ALLOW_SIGN_RSA_MD5;
65           if (os_strstr(txt, "tls_disable_time_checks=1"))
66                     params->flags |= TLS_CONN_DISABLE_TIME_CHECKS;
67           if (os_strstr(txt, "tls_disable_session_ticket=1"))
68                     params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
69           if (os_strstr(txt, "tls_disable_session_ticket=0"))
70                     params->flags &= ~TLS_CONN_DISABLE_SESSION_TICKET;
71           if (os_strstr(txt, "tls_disable_tlsv1_0=1"))
72                     params->flags |= TLS_CONN_DISABLE_TLSv1_0;
73           if (os_strstr(txt, "tls_disable_tlsv1_0=0")) {
74                     params->flags &= ~TLS_CONN_DISABLE_TLSv1_0;
75                     params->flags |= TLS_CONN_ENABLE_TLSv1_0;
76           }
77           if (os_strstr(txt, "tls_disable_tlsv1_1=1"))
78                     params->flags |= TLS_CONN_DISABLE_TLSv1_1;
79           if (os_strstr(txt, "tls_disable_tlsv1_1=0")) {
80                     params->flags &= ~TLS_CONN_DISABLE_TLSv1_1;
81                     params->flags |= TLS_CONN_ENABLE_TLSv1_1;
82           }
83           if (os_strstr(txt, "tls_disable_tlsv1_2=1"))
84                     params->flags |= TLS_CONN_DISABLE_TLSv1_2;
85           if (os_strstr(txt, "tls_disable_tlsv1_2=0")) {
86                     params->flags &= ~TLS_CONN_DISABLE_TLSv1_2;
87                     params->flags |= TLS_CONN_ENABLE_TLSv1_2;
88           }
89           if (os_strstr(txt, "tls_disable_tlsv1_3=1"))
90                     params->flags |= TLS_CONN_DISABLE_TLSv1_3;
91           if (os_strstr(txt, "tls_disable_tlsv1_3=0"))
92                     params->flags &= ~TLS_CONN_DISABLE_TLSv1_3;
93           if (os_strstr(txt, "tls_ext_cert_check=1"))
94                     params->flags |= TLS_CONN_EXT_CERT_CHECK;
95           if (os_strstr(txt, "tls_ext_cert_check=0"))
96                     params->flags &= ~TLS_CONN_EXT_CERT_CHECK;
97           if (os_strstr(txt, "tls_suiteb=1"))
98                     params->flags |= TLS_CONN_SUITEB;
99           if (os_strstr(txt, "tls_suiteb=0"))
100                     params->flags &= ~TLS_CONN_SUITEB;
101           if (os_strstr(txt, "tls_suiteb_no_ecdh=1"))
102                     params->flags |= TLS_CONN_SUITEB_NO_ECDH;
103           if (os_strstr(txt, "tls_suiteb_no_ecdh=0"))
104                     params->flags &= ~TLS_CONN_SUITEB_NO_ECDH;
105           if (os_strstr(txt, "allow_unsafe_renegotiation=1"))
106                     params->flags |= TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
107           if (os_strstr(txt, "allow_unsafe_renegotiation=0"))
108                     params->flags &= ~TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
109 }
110 
111 
eap_tls_cert_params_from_conf(struct tls_connection_params * params,struct eap_peer_cert_config * config)112 static void eap_tls_cert_params_from_conf(struct tls_connection_params *params,
113                                                     struct eap_peer_cert_config *config)
114 {
115           params->ca_cert = config->ca_cert;
116           params->ca_path = config->ca_path;
117           params->client_cert = config->client_cert;
118           params->private_key = config->private_key;
119           params->private_key_passwd = config->private_key_passwd;
120           params->subject_match = config->subject_match;
121           params->altsubject_match = config->altsubject_match;
122           params->check_cert_subject = config->check_cert_subject;
123           params->suffix_match = config->domain_suffix_match;
124           params->domain_match = config->domain_match;
125           params->engine = config->engine;
126           params->engine_id = config->engine_id;
127           params->pin = config->pin;
128           params->key_id = config->key_id;
129           params->cert_id = config->cert_id;
130           params->ca_cert_id = config->ca_cert_id;
131           if (config->ocsp)
132                     params->flags |= TLS_CONN_REQUEST_OCSP;
133           if (config->ocsp >= 2)
134                     params->flags |= TLS_CONN_REQUIRE_OCSP;
135           if (config->ocsp == 3)
136                     params->flags |= TLS_CONN_REQUIRE_OCSP_ALL;
137 }
138 
139 
eap_tls_params_from_conf1(struct tls_connection_params * params,struct eap_peer_config * config)140 static void eap_tls_params_from_conf1(struct tls_connection_params *params,
141                                               struct eap_peer_config *config)
142 {
143           eap_tls_cert_params_from_conf(params, &config->cert);
144           eap_tls_params_flags(params, config->phase1);
145 }
146 
147 
eap_tls_params_from_conf2(struct tls_connection_params * params,struct eap_peer_config * config)148 static void eap_tls_params_from_conf2(struct tls_connection_params *params,
149                                               struct eap_peer_config *config)
150 {
151           eap_tls_cert_params_from_conf(params, &config->phase2_cert);
152           eap_tls_params_flags(params, config->phase2);
153 }
154 
155 
eap_tls_params_from_conf2m(struct tls_connection_params * params,struct eap_peer_config * config)156 static void eap_tls_params_from_conf2m(struct tls_connection_params *params,
157                                                struct eap_peer_config *config)
158 {
159           eap_tls_cert_params_from_conf(params, &config->machine_cert);
160           eap_tls_params_flags(params, config->machine_phase2);
161 }
162 
163 
eap_tls_params_from_conf(struct eap_sm * sm,struct eap_ssl_data * data,struct tls_connection_params * params,struct eap_peer_config * config,int phase2)164 static int eap_tls_params_from_conf(struct eap_sm *sm,
165                                             struct eap_ssl_data *data,
166                                             struct tls_connection_params *params,
167                                             struct eap_peer_config *config, int phase2)
168 {
169           os_memset(params, 0, sizeof(*params));
170           if (sm->workaround && data->eap_type != EAP_TYPE_FAST &&
171               data->eap_type != EAP_TYPE_TEAP) {
172                     /*
173                      * Some deployed authentication servers seem to be unable to
174                      * handle the TLS Session Ticket extension (they are supposed
175                      * to ignore unrecognized TLS extensions, but end up rejecting
176                      * the ClientHello instead). As a workaround, disable use of
177                      * TLS Sesson Ticket extension for EAP-TLS, EAP-PEAP, and
178                      * EAP-TTLS (EAP-FAST uses session ticket, so any server that
179                      * supports EAP-FAST does not need this workaround).
180                      */
181                     params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
182           }
183           if (data->eap_type == EAP_TYPE_TEAP) {
184                     /* RFC 7170 requires TLS v1.2 or newer to be used with TEAP */
185                     params->flags |= TLS_CONN_DISABLE_TLSv1_0 |
186                               TLS_CONN_DISABLE_TLSv1_1;
187                     if (config->teap_anon_dh)
188                               params->flags |= TLS_CONN_TEAP_ANON_DH;
189           }
190           if (data->eap_type == EAP_TYPE_FAST ||
191               data->eap_type == EAP_TYPE_TEAP ||
192               data->eap_type == EAP_TYPE_TTLS ||
193               data->eap_type == EAP_TYPE_PEAP) {
194                     /* The current EAP peer implementation is not yet ready for the
195                      * TLS v1.3 changes, so disable this by default for now. */
196                     params->flags |= TLS_CONN_DISABLE_TLSv1_3;
197           }
198 #ifndef EAP_TLSV1_3
199           if (data->eap_type == EAP_TYPE_TLS ||
200               data->eap_type == EAP_UNAUTH_TLS_TYPE ||
201               data->eap_type == EAP_WFA_UNAUTH_TLS_TYPE) {
202                     /* While the current EAP-TLS implementation is more or less
203                      * complete for TLS v1.3, there has been only minimal
204                      * interoperability testing with other implementations, so
205                      * disable it by default for now until there has been chance to
206                      * confirm that no significant interoperability issues show up
207                      * with TLS version update.
208                      */
209                     params->flags |= TLS_CONN_DISABLE_TLSv1_3;
210           }
211 #endif /* EAP_TLSV1_3 */
212           if (phase2 && sm->use_machine_cred) {
213                     wpa_printf(MSG_DEBUG, "TLS: using machine config options");
214                     eap_tls_params_from_conf2m(params, config);
215           } else if (phase2) {
216                     wpa_printf(MSG_DEBUG, "TLS: using phase2 config options");
217                     eap_tls_params_from_conf2(params, config);
218           } else {
219                     wpa_printf(MSG_DEBUG, "TLS: using phase1 config options");
220                     eap_tls_params_from_conf1(params, config);
221                     if (data->eap_type == EAP_TYPE_FAST)
222                               params->flags |= TLS_CONN_EAP_FAST;
223           }
224 
225           /*
226            * Use blob data, if available. Otherwise, leave reference to external
227            * file as-is.
228            */
229           if (eap_tls_check_blob(sm, &params->ca_cert, &params->ca_cert_blob,
230                                      &params->ca_cert_blob_len) ||
231               eap_tls_check_blob(sm, &params->client_cert,
232                                      &params->client_cert_blob,
233                                      &params->client_cert_blob_len) ||
234               eap_tls_check_blob(sm, &params->private_key,
235                                      &params->private_key_blob,
236                                      &params->private_key_blob_len)) {
237                     wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
238                     return -1;
239           }
240 
241           params->openssl_ciphers = config->openssl_ciphers;
242 
243           sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
244 
245           if (!phase2)
246                     data->client_cert_conf = params->client_cert ||
247                               params->client_cert_blob ||
248                               params->private_key ||
249                               params->private_key_blob;
250 
251           return 0;
252 }
253 
254 
eap_tls_init_connection(struct eap_sm * sm,struct eap_ssl_data * data,struct eap_peer_config * config,struct tls_connection_params * params)255 static int eap_tls_init_connection(struct eap_sm *sm,
256                                            struct eap_ssl_data *data,
257                                            struct eap_peer_config *config,
258                                            struct tls_connection_params *params)
259 {
260           int res;
261 
262           data->conn = tls_connection_init(data->ssl_ctx);
263           if (data->conn == NULL) {
264                     wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
265                                  "connection");
266                     return -1;
267           }
268 
269           res = tls_connection_set_params(data->ssl_ctx, data->conn, params);
270           if (res == TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN) {
271                     /*
272                      * At this point with the pkcs11 engine the PIN is wrong. We
273                      * reset the PIN in the configuration to be sure to not use it
274                      * again and the calling function must request a new one.
275                      */
276                     wpa_printf(MSG_INFO,
277                                  "TLS: Bad PIN provided, requesting a new one");
278                     os_free(config->cert.pin);
279                     config->cert.pin = NULL;
280                     eap_sm_request_pin(sm);
281                     sm->ignore = true;
282           } else if (res == TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED) {
283                     wpa_printf(MSG_INFO, "TLS: Failed to initialize engine");
284           } else if (res == TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED) {
285                     wpa_printf(MSG_INFO, "TLS: Failed to load private key");
286                     sm->ignore = true;
287           }
288           if (res) {
289                     wpa_printf(MSG_INFO, "TLS: Failed to set TLS connection "
290                                  "parameters");
291                     tls_connection_deinit(data->ssl_ctx, data->conn);
292                     data->conn = NULL;
293                     return -1;
294           }
295 
296           return 0;
297 }
298 
299 
300 /**
301  * eap_peer_tls_ssl_init - Initialize shared TLS functionality
302  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
303  * @data: Data for TLS processing
304  * @config: Pointer to the network configuration
305  * @eap_type: EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST)
306  * Returns: 0 on success, -1 on failure
307  *
308  * This function is used to initialize shared TLS functionality for EAP-TLS,
309  * EAP-PEAP, EAP-TTLS, and EAP-FAST.
310  */
eap_peer_tls_ssl_init(struct eap_sm * sm,struct eap_ssl_data * data,struct eap_peer_config * config,u8 eap_type)311 int eap_peer_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
312                                 struct eap_peer_config *config, u8 eap_type)
313 {
314           struct tls_connection_params params;
315 
316           if (config == NULL)
317                     return -1;
318 
319           data->eap = sm;
320           data->eap_type = eap_type;
321           data->phase2 = sm->init_phase2;
322           data->ssl_ctx = sm->init_phase2 && sm->ssl_ctx2 ? sm->ssl_ctx2 :
323                     sm->ssl_ctx;
324           if (eap_tls_params_from_conf(sm, data, &params, config, data->phase2) <
325               0)
326                     return -1;
327 
328           if (eap_tls_init_connection(sm, data, config, &params) < 0)
329                     return -1;
330 
331           data->tls_out_limit = config->fragment_size;
332           if (data->phase2) {
333                     /* Limit the fragment size in the inner TLS authentication
334                      * since the outer authentication with EAP-PEAP does not yet
335                      * support fragmentation */
336                     if (data->tls_out_limit > 100)
337                               data->tls_out_limit -= 100;
338           }
339 
340           if (config->phase1 &&
341               os_strstr(config->phase1, "include_tls_length=1")) {
342                     wpa_printf(MSG_DEBUG, "TLS: Include TLS Message Length in "
343                                  "unfragmented packets");
344                     data->include_tls_length = 1;
345           }
346 
347           return 0;
348 }
349 
350 
351 /**
352  * eap_peer_tls_ssl_deinit - Deinitialize shared TLS functionality
353  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
354  * @data: Data for TLS processing
355  *
356  * This function deinitializes shared TLS functionality that was initialized
357  * with eap_peer_tls_ssl_init().
358  */
eap_peer_tls_ssl_deinit(struct eap_sm * sm,struct eap_ssl_data * data)359 void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
360 {
361           tls_connection_deinit(data->ssl_ctx, data->conn);
362           eap_peer_tls_reset_input(data);
363           eap_peer_tls_reset_output(data);
364 }
365 
366 
367 /**
368  * eap_peer_tls_derive_key - Derive a key based on TLS session data
369  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
370  * @data: Data for TLS processing
371  * @label: Label string for deriving the keys, e.g., "client EAP encryption"
372  * @context: Optional extra upper-layer context (max len 2^16)
373  * @context_len: The length of the context value
374  * @len: Length of the key material to generate (usually 64 for MSK)
375  * Returns: Pointer to allocated key on success or %NULL on failure
376  *
377  * This function uses TLS-PRF to generate pseudo-random data based on the TLS
378  * session data (client/server random and master key). Each key type may use a
379  * different label to bind the key usage into the generated material.
380  *
381  * The caller is responsible for freeing the returned buffer.
382  *
383  * Note: To provide the RFC 5705 context, the context variable must be non-NULL.
384  */
eap_peer_tls_derive_key(struct eap_sm * sm,struct eap_ssl_data * data,const char * label,const u8 * context,size_t context_len,size_t len)385 u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
386                                    const char *label, const u8 *context,
387                                    size_t context_len, size_t len)
388 {
389           u8 *out;
390 
391           out = os_malloc(len);
392           if (out == NULL)
393                     return NULL;
394 
395           if (tls_connection_export_key(data->ssl_ctx, data->conn, label,
396                                               context, context_len, out, len)) {
397                     os_free(out);
398                     return NULL;
399           }
400 
401           return out;
402 }
403 
404 
405 /**
406  * eap_peer_tls_derive_session_id - Derive a Session-Id based on TLS data
407  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
408  * @data: Data for TLS processing
409  * @eap_type: EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST)
410  * @len: Pointer to length of the session ID generated
411  * Returns: Pointer to allocated Session-Id on success or %NULL on failure
412  *
413  * This function derive the Session-Id based on the TLS session data
414  * (client/server random and method type).
415  *
416  * The caller is responsible for freeing the returned buffer.
417  */
eap_peer_tls_derive_session_id(struct eap_sm * sm,struct eap_ssl_data * data,u8 eap_type,size_t * len)418 u8 * eap_peer_tls_derive_session_id(struct eap_sm *sm,
419                                             struct eap_ssl_data *data, u8 eap_type,
420                                             size_t *len)
421 {
422           struct tls_random keys;
423           u8 *out;
424 
425           if (data->tls_v13) {
426                     u8 *id, *method_id;
427                     const u8 context[] = { eap_type };
428 
429                     /* Session-Id = <EAP-Type> || Method-Id
430                      * Method-Id = TLS-Exporter("EXPORTER_EAP_TLS_Method-Id",
431                      *                          Type-Code, 64)
432                      */
433                     *len = 1 + 64;
434                     id = os_malloc(*len);
435                     if (!id)
436                               return NULL;
437                     method_id = eap_peer_tls_derive_key(
438                               sm, data, "EXPORTER_EAP_TLS_Method-Id", context, 1, 64);
439                     if (!method_id) {
440                               os_free(id);
441                               return NULL;
442                     }
443                     id[0] = eap_type;
444                     os_memcpy(id + 1, method_id, 64);
445                     os_free(method_id);
446                     return id;
447           }
448 
449           if (tls_connection_get_random(sm->ssl_ctx, data->conn, &keys) ||
450               keys.client_random == NULL || keys.server_random == NULL)
451                     return NULL;
452 
453           *len = 1 + keys.client_random_len + keys.server_random_len;
454           out = os_malloc(*len);
455           if (out == NULL)
456                     return NULL;
457 
458           /* Session-Id = EAP type || client.random || server.random */
459           out[0] = eap_type;
460           os_memcpy(out + 1, keys.client_random, keys.client_random_len);
461           os_memcpy(out + 1 + keys.client_random_len, keys.server_random,
462                       keys.server_random_len);
463 
464           return out;
465 }
466 
467 
468 /**
469  * eap_peer_tls_reassemble_fragment - Reassemble a received fragment
470  * @data: Data for TLS processing
471  * @in_data: Next incoming TLS segment
472  * Returns: 0 on success, 1 if more data is needed for the full message, or
473  * -1 on error
474  */
eap_peer_tls_reassemble_fragment(struct eap_ssl_data * data,const struct wpabuf * in_data)475 static int eap_peer_tls_reassemble_fragment(struct eap_ssl_data *data,
476                                                       const struct wpabuf *in_data)
477 {
478           size_t tls_in_len, in_len;
479 
480           tls_in_len = data->tls_in ? wpabuf_len(data->tls_in) : 0;
481           in_len = in_data ? wpabuf_len(in_data) : 0;
482 
483           if (tls_in_len + in_len == 0) {
484                     /* No message data received?! */
485                     wpa_printf(MSG_WARNING, "SSL: Invalid reassembly state: "
486                                  "tls_in_left=%lu tls_in_len=%lu in_len=%lu",
487                                  (unsigned long) data->tls_in_left,
488                                  (unsigned long) tls_in_len,
489                                  (unsigned long) in_len);
490                     eap_peer_tls_reset_input(data);
491                     return -1;
492           }
493 
494           if (tls_in_len + in_len > 65536) {
495                     /*
496                      * Limit length to avoid rogue servers from causing large
497                      * memory allocations.
498                      */
499                     wpa_printf(MSG_INFO, "SSL: Too long TLS fragment (size over "
500                                  "64 kB)");
501                     eap_peer_tls_reset_input(data);
502                     return -1;
503           }
504 
505           if (in_len > data->tls_in_left) {
506                     /* Sender is doing something odd - reject message */
507                     wpa_printf(MSG_INFO, "SSL: more data than TLS message length "
508                                  "indicated");
509                     eap_peer_tls_reset_input(data);
510                     return -1;
511           }
512 
513           if (wpabuf_resize(&data->tls_in, in_len) < 0) {
514                     wpa_printf(MSG_INFO, "SSL: Could not allocate memory for TLS "
515                                  "data");
516                     eap_peer_tls_reset_input(data);
517                     return -1;
518           }
519           if (in_data)
520                     wpabuf_put_buf(data->tls_in, in_data);
521           data->tls_in_left -= in_len;
522 
523           if (data->tls_in_left > 0) {
524                     wpa_printf(MSG_DEBUG, "SSL: Need %lu bytes more input "
525                                  "data", (unsigned long) data->tls_in_left);
526                     return 1;
527           }
528 
529           return 0;
530 }
531 
532 
533 /**
534  * eap_peer_tls_data_reassemble - Reassemble TLS data
535  * @data: Data for TLS processing
536  * @in_data: Next incoming TLS segment
537  * @need_more_input: Variable for returning whether more input data is needed
538  * to reassemble this TLS packet
539  * Returns: Pointer to output data, %NULL on error or when more data is needed
540  * for the full message (in which case, *need_more_input is also set to 1).
541  *
542  * This function reassembles TLS fragments. Caller must not free the returned
543  * data buffer since an internal pointer to it is maintained.
544  */
eap_peer_tls_data_reassemble(struct eap_ssl_data * data,const struct wpabuf * in_data,int * need_more_input)545 static const struct wpabuf * eap_peer_tls_data_reassemble(
546           struct eap_ssl_data *data, const struct wpabuf *in_data,
547           int *need_more_input)
548 {
549           *need_more_input = 0;
550 
551           if (data->tls_in_left > wpabuf_len(in_data) || data->tls_in) {
552                     /* Message has fragments */
553                     int res = eap_peer_tls_reassemble_fragment(data, in_data);
554                     if (res) {
555                               if (res == 1)
556                                         *need_more_input = 1;
557                               return NULL;
558                     }
559 
560                     /* Message is now fully reassembled. */
561           } else {
562                     /* No fragments in this message, so just make a copy of it. */
563                     data->tls_in_left = 0;
564                     data->tls_in = wpabuf_dup(in_data);
565                     if (data->tls_in == NULL)
566                               return NULL;
567           }
568 
569           return data->tls_in;
570 }
571 
572 
573 /**
574  * eap_tls_process_input - Process incoming TLS message
575  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
576  * @data: Data for TLS processing
577  * @in_data: Message received from the server
578  * @out_data: Buffer for returning a pointer to application data (if available)
579  * Returns: 0 on success, 1 if more input data is needed, 2 if application data
580  * is available, -1 on failure
581  */
eap_tls_process_input(struct eap_sm * sm,struct eap_ssl_data * data,const struct wpabuf * in_data,struct wpabuf ** out_data)582 static int eap_tls_process_input(struct eap_sm *sm, struct eap_ssl_data *data,
583                                          const struct wpabuf *in_data,
584                                          struct wpabuf **out_data)
585 {
586           const struct wpabuf *msg;
587           int need_more_input;
588           struct wpabuf *appl_data;
589 
590           msg = eap_peer_tls_data_reassemble(data, in_data, &need_more_input);
591           if (msg == NULL)
592                     return need_more_input ? 1 : -1;
593 
594           /* Full TLS message reassembled - continue handshake processing */
595           if (data->tls_out) {
596                     /* This should not happen.. */
597                     wpa_printf(MSG_INFO, "SSL: eap_tls_process_input - pending "
598                                  "tls_out data even though tls_out_len = 0");
599                     wpabuf_free(data->tls_out);
600                     WPA_ASSERT(data->tls_out == NULL);
601           }
602           appl_data = NULL;
603           data->tls_out = tls_connection_handshake(data->ssl_ctx, data->conn,
604                                                              msg, &appl_data);
605 
606           eap_peer_tls_reset_input(data);
607 
608           if (appl_data &&
609               tls_connection_established(data->ssl_ctx, data->conn) &&
610               !tls_connection_get_failed(data->ssl_ctx, data->conn)) {
611                     wpa_hexdump_buf_key(MSG_MSGDUMP, "SSL: Application data",
612                                             appl_data);
613                     *out_data = appl_data;
614                     return 2;
615           }
616 
617           wpabuf_free(appl_data);
618 
619           return 0;
620 }
621 
622 
623 /**
624  * eap_tls_process_output - Process outgoing TLS message
625  * @data: Data for TLS processing
626  * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
627  * @peap_version: Version number for EAP-PEAP/TTLS
628  * @id: EAP identifier for the response
629  * @ret: Return value to use on success
630  * @out_data: Buffer for returning the allocated output buffer
631  * Returns: ret (0 or 1) on success, -1 on failure
632  */
eap_tls_process_output(struct eap_ssl_data * data,enum eap_type eap_type,int peap_version,u8 id,int ret,struct wpabuf ** out_data)633 static int eap_tls_process_output(struct eap_ssl_data *data,
634                                           enum eap_type eap_type,
635                                           int peap_version, u8 id, int ret,
636                                           struct wpabuf **out_data)
637 {
638           size_t len;
639           u8 *flags;
640           int more_fragments, length_included;
641 
642           if (data->tls_out == NULL)
643                     return -1;
644           len = wpabuf_len(data->tls_out) - data->tls_out_pos;
645           wpa_printf(MSG_DEBUG, "SSL: %lu bytes left to be sent out (of total "
646                        "%lu bytes)",
647                        (unsigned long) len,
648                        (unsigned long) wpabuf_len(data->tls_out));
649 
650           /*
651            * Limit outgoing message to the configured maximum size. Fragment
652            * message if needed.
653            */
654           if (len > data->tls_out_limit) {
655                     more_fragments = 1;
656                     len = data->tls_out_limit;
657                     wpa_printf(MSG_DEBUG, "SSL: sending %lu bytes, more fragments "
658                                  "will follow", (unsigned long) len);
659           } else
660                     more_fragments = 0;
661 
662           length_included = data->tls_out_pos == 0 &&
663                     (wpabuf_len(data->tls_out) > data->tls_out_limit ||
664                      data->include_tls_length);
665           if (!length_included &&
666               eap_type == EAP_TYPE_PEAP && peap_version == 0 &&
667               !tls_connection_established(data->eap->ssl_ctx, data->conn)) {
668                     /*
669                      * Windows Server 2008 NPS really wants to have the TLS Message
670                      * length included in phase 0 even for unfragmented frames or
671                      * it will get very confused with Compound MAC calculation and
672                      * Outer TLVs.
673                      */
674                     length_included = 1;
675           }
676 
677           *out_data = eap_tls_msg_alloc(eap_type, 1 + length_included * 4 + len,
678                                               EAP_CODE_RESPONSE, id);
679           if (*out_data == NULL)
680                     return -1;
681 
682           flags = wpabuf_put(*out_data, 1);
683           *flags = peap_version;
684           if (more_fragments)
685                     *flags |= EAP_TLS_FLAGS_MORE_FRAGMENTS;
686           if (length_included) {
687                     *flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED;
688                     wpabuf_put_be32(*out_data, wpabuf_len(data->tls_out));
689           }
690 
691           wpabuf_put_data(*out_data,
692                               wpabuf_head_u8(data->tls_out) + data->tls_out_pos,
693                               len);
694           data->tls_out_pos += len;
695 
696           if (!more_fragments)
697                     eap_peer_tls_reset_output(data);
698 
699           return ret;
700 }
701 
702 
703 /**
704  * eap_peer_tls_process_helper - Process TLS handshake message
705  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
706  * @data: Data for TLS processing
707  * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
708  * @peap_version: Version number for EAP-PEAP/TTLS
709  * @id: EAP identifier for the response
710  * @in_data: Message received from the server
711  * @out_data: Buffer for returning a pointer to the response message
712  * Returns: 0 on success, 1 if more input data is needed, 2 if application data
713  * is available, or -1 on failure
714  *
715  * This function can be used to process TLS handshake messages. It reassembles
716  * the received fragments and uses a TLS library to process the messages. The
717  * response data from the TLS library is fragmented to suitable output messages
718  * that the caller can send out.
719  *
720  * out_data is used to return the response message if the return value of this
721  * function is 0, 2, or -1. In case of failure, the message is likely a TLS
722  * alarm message. The caller is responsible for freeing the allocated buffer if
723  * *out_data is not %NULL.
724  *
725  * This function is called for each received TLS message during the TLS
726  * handshake after eap_peer_tls_process_init() call and possible processing of
727  * TLS Flags field. Once the handshake has been completed, i.e., when
728  * tls_connection_established() returns 1, EAP method specific decrypting of
729  * the tunneled data is used.
730  */
eap_peer_tls_process_helper(struct eap_sm * sm,struct eap_ssl_data * data,enum eap_type eap_type,int peap_version,u8 id,const struct wpabuf * in_data,struct wpabuf ** out_data)731 int eap_peer_tls_process_helper(struct eap_sm *sm, struct eap_ssl_data *data,
732                                         enum eap_type eap_type, int peap_version,
733                                         u8 id, const struct wpabuf *in_data,
734                                         struct wpabuf **out_data)
735 {
736           int ret = 0;
737 
738           *out_data = NULL;
739 
740           if (data->tls_out && wpabuf_len(data->tls_out) > 0 &&
741               wpabuf_len(in_data) > 0) {
742                     wpa_printf(MSG_DEBUG, "SSL: Received non-ACK when output "
743                                  "fragments are waiting to be sent out");
744                     return -1;
745           }
746 
747           if (data->tls_out == NULL || wpabuf_len(data->tls_out) == 0) {
748                     /*
749                      * No more data to send out - expect to receive more data from
750                      * the AS.
751                      */
752                     int res = eap_tls_process_input(sm, data, in_data, out_data);
753                     char buf[20];
754 
755                     if (res) {
756                               /*
757                                * Input processing failed (res = -1) or more data is
758                                * needed (res = 1).
759                                */
760                               return res;
761                     }
762 
763                     /*
764                      * The incoming message has been reassembled and processed. The
765                      * response was allocated into data->tls_out buffer.
766                      */
767 
768                     if (tls_get_version(data->ssl_ctx, data->conn,
769                                             buf, sizeof(buf)) == 0) {
770                               wpa_printf(MSG_DEBUG, "SSL: Using TLS version %s", buf);
771                               data->tls_v13 = os_strcmp(buf, "TLSv1.3") == 0;
772                     }
773           }
774 
775           if (data->tls_out == NULL) {
776                     /*
777                      * No outgoing fragments remaining from the previous message
778                      * and no new message generated. This indicates an error in TLS
779                      * processing.
780                      */
781                     eap_peer_tls_reset_output(data);
782                     return -1;
783           }
784 
785           if (tls_connection_get_failed(data->ssl_ctx, data->conn)) {
786                     /* TLS processing has failed - return error */
787                     wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to "
788                                  "report error (len=%u)",
789                                  (unsigned int) wpabuf_len(data->tls_out));
790                     ret = -1;
791                     /* TODO: clean pin if engine used? */
792                     if (wpabuf_len(data->tls_out) == 0) {
793                               wpabuf_free(data->tls_out);
794                               data->tls_out = NULL;
795                               return -1;
796                     }
797           }
798 
799           if (wpabuf_len(data->tls_out) == 0) {
800                     /*
801                      * TLS negotiation should now be complete since all other cases
802                      * needing more data should have been caught above based on
803                      * the TLS Message Length field.
804                      */
805                     wpa_printf(MSG_DEBUG, "SSL: No data to be sent out");
806                     wpabuf_free(data->tls_out);
807                     data->tls_out = NULL;
808                     return 1;
809           }
810 
811           /* Send the pending message (in fragments, if needed). */
812           return eap_tls_process_output(data, eap_type, peap_version, id, ret,
813                                               out_data);
814 }
815 
816 
817 /**
818  * eap_peer_tls_build_ack - Build a TLS ACK frame
819  * @id: EAP identifier for the response
820  * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
821  * @peap_version: Version number for EAP-PEAP/TTLS
822  * Returns: Pointer to the allocated ACK frame or %NULL on failure
823  */
eap_peer_tls_build_ack(u8 id,enum eap_type eap_type,int peap_version)824 struct wpabuf * eap_peer_tls_build_ack(u8 id, enum eap_type eap_type,
825                                                int peap_version)
826 {
827           struct wpabuf *resp;
828 
829           resp = eap_tls_msg_alloc(eap_type, 1, EAP_CODE_RESPONSE, id);
830           if (resp == NULL)
831                     return NULL;
832           wpa_printf(MSG_DEBUG, "SSL: Building ACK (type=%d id=%d ver=%d)",
833                        (int) eap_type, id, peap_version);
834           wpabuf_put_u8(resp, peap_version); /* Flags */
835           return resp;
836 }
837 
838 
839 /**
840  * eap_peer_tls_reauth_init - Re-initialize shared TLS for session resumption
841  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
842  * @data: Data for TLS processing
843  * Returns: 0 on success, -1 on failure
844  */
eap_peer_tls_reauth_init(struct eap_sm * sm,struct eap_ssl_data * data)845 int eap_peer_tls_reauth_init(struct eap_sm *sm, struct eap_ssl_data *data)
846 {
847           eap_peer_tls_reset_input(data);
848           eap_peer_tls_reset_output(data);
849           return tls_connection_shutdown(data->ssl_ctx, data->conn);
850 }
851 
852 
853 /**
854  * eap_peer_tls_status - Get TLS status
855  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
856  * @data: Data for TLS processing
857  * @buf: Buffer for status information
858  * @buflen: Maximum buffer length
859  * @verbose: Whether to include verbose status information
860  * Returns: Number of bytes written to buf.
861  */
eap_peer_tls_status(struct eap_sm * sm,struct eap_ssl_data * data,char * buf,size_t buflen,int verbose)862 int eap_peer_tls_status(struct eap_sm *sm, struct eap_ssl_data *data,
863                               char *buf, size_t buflen, int verbose)
864 {
865           char version[20], name[128];
866           int len = 0, ret;
867 
868           if (tls_get_version(data->ssl_ctx, data->conn, version,
869                                   sizeof(version)) < 0)
870                     version[0] = '\0';
871           if (tls_get_cipher(data->ssl_ctx, data->conn, name, sizeof(name)) < 0)
872                     name[0] = '\0';
873 
874           ret = os_snprintf(buf + len, buflen - len,
875                                 "eap_tls_version=%s\n"
876                                 "EAP TLS cipher=%s\n"
877                                 "tls_session_reused=%d\n",
878                                 version, name,
879                                 tls_connection_resumed(data->ssl_ctx, data->conn));
880           if (os_snprintf_error(buflen - len, ret))
881                     return len;
882           len += ret;
883 
884           return len;
885 }
886 
887 
888 /**
889  * eap_peer_tls_process_init - Initial validation/processing of EAP requests
890  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
891  * @data: Data for TLS processing
892  * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
893  * @ret: Return values from EAP request validation and processing
894  * @reqData: EAP request to be processed (eapReqData)
895  * @len: Buffer for returning length of the remaining payload
896  * @flags: Buffer for returning TLS flags
897  * Returns: Pointer to payload after TLS flags and length or %NULL on failure
898  *
899  * This function validates the EAP header and processes the optional TLS
900  * Message Length field. If this is the first fragment of a TLS message, the
901  * TLS reassembly code is initialized to receive the indicated number of bytes.
902  *
903  * EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-FAST methods are expected to use this
904  * function as the first step in processing received messages. They will need
905  * to process the flags (apart from Message Length Included) that are returned
906  * through the flags pointer and the message payload that will be returned (and
907  * the length is returned through the len pointer). Return values (ret) are set
908  * for continuation of EAP method processing. The caller is responsible for
909  * setting these to indicate completion (either success or failure) based on
910  * the authentication result.
911  */
eap_peer_tls_process_init(struct eap_sm * sm,struct eap_ssl_data * data,enum eap_type eap_type,struct eap_method_ret * ret,const struct wpabuf * reqData,size_t * len,u8 * flags)912 const u8 * eap_peer_tls_process_init(struct eap_sm *sm,
913                                              struct eap_ssl_data *data,
914                                              enum eap_type eap_type,
915                                              struct eap_method_ret *ret,
916                                              const struct wpabuf *reqData,
917                                              size_t *len, u8 *flags)
918 {
919           const u8 *pos;
920           size_t left;
921           unsigned int tls_msg_len;
922 
923           if (tls_get_errors(data->ssl_ctx)) {
924                     wpa_printf(MSG_INFO, "SSL: TLS errors detected");
925                     ret->ignore = true;
926                     return NULL;
927           }
928 
929           if (eap_type == EAP_UNAUTH_TLS_TYPE)
930                     pos = eap_hdr_validate(EAP_VENDOR_UNAUTH_TLS,
931                                                EAP_VENDOR_TYPE_UNAUTH_TLS, reqData,
932                                                &left);
933           else if (eap_type == EAP_WFA_UNAUTH_TLS_TYPE)
934                     pos = eap_hdr_validate(EAP_VENDOR_WFA_NEW,
935                                                EAP_VENDOR_WFA_UNAUTH_TLS, reqData,
936                                                &left);
937           else
938                     pos = eap_hdr_validate(EAP_VENDOR_IETF, eap_type, reqData,
939                                                &left);
940           if (pos == NULL) {
941                     ret->ignore = true;
942                     return NULL;
943           }
944           if (left == 0) {
945                     wpa_printf(MSG_DEBUG, "SSL: Invalid TLS message: no Flags "
946                                  "octet included");
947                     if (!sm->workaround) {
948                               ret->ignore = true;
949                               return NULL;
950                     }
951 
952                     wpa_printf(MSG_DEBUG, "SSL: Workaround - assume no Flags "
953                                  "indicates ACK frame");
954                     *flags = 0;
955           } else {
956                     *flags = *pos++;
957                     left--;
958           }
959           wpa_printf(MSG_DEBUG, "SSL: Received packet(len=%lu) - "
960                        "Flags 0x%02x", (unsigned long) wpabuf_len(reqData),
961                        *flags);
962           if (*flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
963                     if (left < 4) {
964                               wpa_printf(MSG_INFO, "SSL: Short frame with TLS "
965                                            "length");
966                               ret->ignore = true;
967                               return NULL;
968                     }
969                     tls_msg_len = WPA_GET_BE32(pos);
970                     wpa_printf(MSG_DEBUG, "SSL: TLS Message Length: %d",
971                                  tls_msg_len);
972                     if (data->tls_in_left == 0) {
973                               data->tls_in_total = tls_msg_len;
974                               data->tls_in_left = tls_msg_len;
975                               wpabuf_free(data->tls_in);
976                               data->tls_in = NULL;
977                     }
978                     pos += 4;
979                     left -= 4;
980 
981                     if (left > tls_msg_len) {
982                               wpa_printf(MSG_INFO, "SSL: TLS Message Length (%d "
983                                            "bytes) smaller than this fragment (%d "
984                                            "bytes)", (int) tls_msg_len, (int) left);
985                               ret->ignore = true;
986                               return NULL;
987                     }
988           }
989 
990           ret->ignore = false;
991           ret->methodState = METHOD_MAY_CONT;
992           ret->decision = DECISION_FAIL;
993           ret->allowNotifications = true;
994 
995           *len = left;
996           return pos;
997 }
998 
999 
1000 /**
1001  * eap_peer_tls_reset_input - Reset input buffers
1002  * @data: Data for TLS processing
1003  *
1004  * This function frees any allocated memory for input buffers and resets input
1005  * state.
1006  */
eap_peer_tls_reset_input(struct eap_ssl_data * data)1007 void eap_peer_tls_reset_input(struct eap_ssl_data *data)
1008 {
1009           data->tls_in_left = data->tls_in_total = 0;
1010           wpabuf_free(data->tls_in);
1011           data->tls_in = NULL;
1012 }
1013 
1014 
1015 /**
1016  * eap_peer_tls_reset_output - Reset output buffers
1017  * @data: Data for TLS processing
1018  *
1019  * This function frees any allocated memory for output buffers and resets
1020  * output state.
1021  */
eap_peer_tls_reset_output(struct eap_ssl_data * data)1022 void eap_peer_tls_reset_output(struct eap_ssl_data *data)
1023 {
1024           data->tls_out_pos = 0;
1025           wpabuf_free(data->tls_out);
1026           data->tls_out = NULL;
1027 }
1028 
1029 
1030 /**
1031  * eap_peer_tls_decrypt - Decrypt received phase 2 TLS message
1032  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
1033  * @data: Data for TLS processing
1034  * @in_data: Message received from the server
1035  * @in_decrypted: Buffer for returning a pointer to the decrypted message
1036  * Returns: 0 on success, 1 if more input data is needed, or -1 on failure
1037  */
eap_peer_tls_decrypt(struct eap_sm * sm,struct eap_ssl_data * data,const struct wpabuf * in_data,struct wpabuf ** in_decrypted)1038 int eap_peer_tls_decrypt(struct eap_sm *sm, struct eap_ssl_data *data,
1039                                const struct wpabuf *in_data,
1040                                struct wpabuf **in_decrypted)
1041 {
1042           const struct wpabuf *msg;
1043           int need_more_input;
1044 
1045           msg = eap_peer_tls_data_reassemble(data, in_data, &need_more_input);
1046           if (msg == NULL)
1047                     return need_more_input ? 1 : -1;
1048 
1049           *in_decrypted = tls_connection_decrypt(data->ssl_ctx, data->conn, msg);
1050           eap_peer_tls_reset_input(data);
1051           if (*in_decrypted == NULL) {
1052                     wpa_printf(MSG_INFO, "SSL: Failed to decrypt Phase 2 data");
1053                     return -1;
1054           }
1055           return 0;
1056 }
1057 
1058 
1059 /**
1060  * eap_peer_tls_encrypt - Encrypt phase 2 TLS message
1061  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
1062  * @data: Data for TLS processing
1063  * @eap_type: EAP type (EAP_TYPE_TLS, EAP_TYPE_PEAP, ...)
1064  * @peap_version: Version number for EAP-PEAP/TTLS
1065  * @id: EAP identifier for the response
1066  * @in_data: Plaintext phase 2 data to encrypt or %NULL to continue fragments
1067  * @out_data: Buffer for returning a pointer to the encrypted response message
1068  * Returns: 0 on success, -1 on failure
1069  */
eap_peer_tls_encrypt(struct eap_sm * sm,struct eap_ssl_data * data,enum eap_type eap_type,int peap_version,u8 id,const struct wpabuf * in_data,struct wpabuf ** out_data)1070 int eap_peer_tls_encrypt(struct eap_sm *sm, struct eap_ssl_data *data,
1071                                enum eap_type eap_type, int peap_version, u8 id,
1072                                const struct wpabuf *in_data,
1073                                struct wpabuf **out_data)
1074 {
1075           if (in_data) {
1076                     eap_peer_tls_reset_output(data);
1077                     data->tls_out = tls_connection_encrypt(data->ssl_ctx,
1078                                                                    data->conn, in_data);
1079                     if (data->tls_out == NULL) {
1080                               wpa_printf(MSG_INFO, "SSL: Failed to encrypt Phase 2 "
1081                                            "data (in_len=%lu)",
1082                                            (unsigned long) wpabuf_len(in_data));
1083                               eap_peer_tls_reset_output(data);
1084                               return -1;
1085                     }
1086           }
1087 
1088           return eap_tls_process_output(data, eap_type, peap_version, id, 0,
1089                                               out_data);
1090 }
1091 
1092 
1093 /**
1094  * eap_peer_select_phase2_methods - Select phase 2 EAP method
1095  * @config: Pointer to the network configuration
1096  * @prefix: 'phase2' configuration prefix, e.g., "auth="
1097  * @types: Buffer for returning allocated list of allowed EAP methods
1098  * @num_types: Buffer for returning number of allocated EAP methods
1099  * Returns: 0 on success, -1 on failure
1100  *
1101  * This function is used to parse EAP method list and select allowed methods
1102  * for Phase2 authentication.
1103  */
eap_peer_select_phase2_methods(struct eap_peer_config * config,const char * prefix,struct eap_method_type ** types,size_t * num_types,int use_machine_cred)1104 int eap_peer_select_phase2_methods(struct eap_peer_config *config,
1105                                            const char *prefix,
1106                                            struct eap_method_type **types,
1107                                            size_t *num_types, int use_machine_cred)
1108 {
1109           char *start, *pos, *buf;
1110           struct eap_method_type *methods = NULL, *_methods;
1111           u32 method;
1112           size_t num_methods = 0, prefix_len;
1113           const char *phase2;
1114 
1115           if (!config)
1116                     goto get_defaults;
1117           phase2 = use_machine_cred ? config->machine_phase2 : config->phase2;
1118           if (!phase2)
1119                     goto get_defaults;
1120 
1121           start = buf = os_strdup(phase2);
1122           if (buf == NULL)
1123                     return -1;
1124 
1125           prefix_len = os_strlen(prefix);
1126 
1127           while (start && *start != '\0') {
1128                     int vendor;
1129                     pos = os_strstr(start, prefix);
1130                     if (pos == NULL)
1131                               break;
1132                     if (start != pos && *(pos - 1) != ' ') {
1133                               start = pos + prefix_len;
1134                               continue;
1135                     }
1136 
1137                     start = pos + prefix_len;
1138                     pos = os_strchr(start, ' ');
1139                     if (pos)
1140                               *pos++ = '\0';
1141                     method = eap_get_phase2_type(start, &vendor);
1142                     if (vendor == EAP_VENDOR_IETF && method == EAP_TYPE_NONE) {
1143                               wpa_printf(MSG_ERROR, "TLS: Unsupported Phase2 EAP "
1144                                            "method '%s'", start);
1145                               os_free(methods);
1146                               os_free(buf);
1147                               return -1;
1148                     } else {
1149                               num_methods++;
1150                               _methods = os_realloc_array(methods, num_methods,
1151                                                                 sizeof(*methods));
1152                               if (_methods == NULL) {
1153                                         os_free(methods);
1154                                         os_free(buf);
1155                                         return -1;
1156                               }
1157                               methods = _methods;
1158                               methods[num_methods - 1].vendor = vendor;
1159                               methods[num_methods - 1].method = method;
1160                     }
1161 
1162                     start = pos;
1163           }
1164 
1165           os_free(buf);
1166 
1167 get_defaults:
1168           if (methods == NULL)
1169                     methods = eap_get_phase2_types(config, &num_methods);
1170 
1171           if (methods == NULL) {
1172                     wpa_printf(MSG_ERROR, "TLS: No Phase2 EAP methods available");
1173                     return -1;
1174           }
1175           wpa_hexdump(MSG_DEBUG, "TLS: Phase2 EAP types",
1176                         (u8 *) methods,
1177                         num_methods * sizeof(struct eap_method_type));
1178 
1179           *types = methods;
1180           *num_types = num_methods;
1181 
1182           return 0;
1183 }
1184 
1185 
1186 /**
1187  * eap_peer_tls_phase2_nak - Generate EAP-Nak for Phase 2
1188  * @types: Buffer for returning allocated list of allowed EAP methods
1189  * @num_types: Buffer for returning number of allocated EAP methods
1190  * @hdr: EAP-Request header (and the following EAP type octet)
1191  * @resp: Buffer for returning the EAP-Nak message
1192  * Returns: 0 on success, -1 on failure
1193  */
eap_peer_tls_phase2_nak(struct eap_method_type * types,size_t num_types,struct eap_hdr * hdr,struct wpabuf ** resp)1194 int eap_peer_tls_phase2_nak(struct eap_method_type *types, size_t num_types,
1195                                   struct eap_hdr *hdr, struct wpabuf **resp)
1196 {
1197           u8 *pos = (u8 *) (hdr + 1);
1198           size_t i;
1199 
1200           /* TODO: add support for expanded Nak */
1201           wpa_printf(MSG_DEBUG, "TLS: Phase 2 Request: Nak type=%d", *pos);
1202           wpa_hexdump(MSG_DEBUG, "TLS: Allowed Phase2 EAP types",
1203                         (u8 *) types, num_types * sizeof(struct eap_method_type));
1204           *resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_NAK, num_types,
1205                                     EAP_CODE_RESPONSE, hdr->identifier);
1206           if (*resp == NULL)
1207                     return -1;
1208 
1209           for (i = 0; i < num_types; i++) {
1210                     if (types[i].vendor == EAP_VENDOR_IETF &&
1211                         types[i].method < 256)
1212                               wpabuf_put_u8(*resp, types[i].method);
1213           }
1214 
1215           eap_update_len(*resp);
1216 
1217           return 0;
1218 }
1219