Lines Matching refs:data
74 static void eap_peap_parse_phase1(struct eap_peap_data *data, in eap_peap_parse_phase1() argument
81 data->force_peap_version = atoi(pos + 8); in eap_peap_parse_phase1()
82 data->peap_version = data->force_peap_version; in eap_peap_parse_phase1()
84 data->force_peap_version); in eap_peap_parse_phase1()
88 data->force_new_label = 1; in eap_peap_parse_phase1()
94 data->peap_outer_success = 0; in eap_peap_parse_phase1()
98 data->peap_outer_success = 1; in eap_peap_parse_phase1()
102 data->peap_outer_success = 2; in eap_peap_parse_phase1()
108 data->crypto_binding = NO_BINDING; in eap_peap_parse_phase1()
111 data->crypto_binding = OPTIONAL_BINDING; in eap_peap_parse_phase1()
114 data->crypto_binding = REQUIRE_BINDING; in eap_peap_parse_phase1()
119 data->phase2_auth = NO_AUTH; in eap_peap_parse_phase1()
123 data->phase2_auth = FOR_INITIAL; in eap_peap_parse_phase1()
127 data->phase2_auth = ALWAYS; in eap_peap_parse_phase1()
133 data->soh = 2; in eap_peap_parse_phase1()
136 data->soh = 1; in eap_peap_parse_phase1()
139 data->soh = 2; in eap_peap_parse_phase1()
148 struct eap_peap_data *data; in eap_peap_init() local
151 data = os_zalloc(sizeof(*data)); in eap_peap_init()
152 if (data == NULL) in eap_peap_init()
155 data->peap_version = EAP_PEAP_VERSION; in eap_peap_init()
156 data->force_peap_version = -1; in eap_peap_init()
157 data->peap_outer_success = 2; in eap_peap_init()
158 data->crypto_binding = OPTIONAL_BINDING; in eap_peap_init()
159 data->phase2_auth = FOR_INITIAL; in eap_peap_init()
162 eap_peap_parse_phase1(data, config->phase1); in eap_peap_init()
165 &data->phase2_types, in eap_peap_init()
166 &data->num_phase2_types, 0) < 0) { in eap_peap_init()
167 eap_peap_deinit(sm, data); in eap_peap_init()
171 data->phase2_type.vendor = EAP_VENDOR_IETF; in eap_peap_init()
172 data->phase2_type.method = EAP_TYPE_NONE; in eap_peap_init()
174 if (eap_peer_tls_ssl_init(sm, &data->ssl, config, EAP_TYPE_PEAP)) { in eap_peap_init()
176 eap_peap_deinit(sm, data); in eap_peap_init()
180 return data; in eap_peap_init()
184 static void eap_peap_free_key(struct eap_peap_data *data) in eap_peap_free_key() argument
186 if (data->key_data) { in eap_peap_free_key()
187 bin_clear_free(data->key_data, EAP_TLS_KEY_LEN + EAP_EMSK_LEN); in eap_peap_free_key()
188 data->key_data = NULL; in eap_peap_free_key()
195 struct eap_peap_data *data = priv; in eap_peap_deinit() local
196 if (data == NULL) in eap_peap_deinit()
198 if (data->phase2_priv && data->phase2_method) in eap_peap_deinit()
199 data->phase2_method->deinit(sm, data->phase2_priv); in eap_peap_deinit()
200 os_free(data->phase2_types); in eap_peap_deinit()
201 eap_peer_tls_ssl_deinit(sm, &data->ssl); in eap_peap_deinit()
202 eap_peap_free_key(data); in eap_peap_deinit()
203 os_free(data->session_id); in eap_peap_deinit()
204 wpabuf_clear_free(data->pending_phase2_req); in eap_peap_deinit()
205 wpabuf_clear_free(data->pending_resp); in eap_peap_deinit()
206 bin_clear_free(data, sizeof(*data)); in eap_peap_deinit()
238 static int eap_peap_get_isk(struct eap_sm *sm, struct eap_peap_data *data, in eap_peap_get_isk() argument
245 if (data->phase2_method == NULL || data->phase2_priv == NULL || in eap_peap_get_isk()
246 data->phase2_method->isKeyAvailable == NULL || in eap_peap_get_isk()
247 data->phase2_method->getKey == NULL) in eap_peap_get_isk()
250 if (!data->phase2_method->isKeyAvailable(sm, data->phase2_priv) || in eap_peap_get_isk()
251 (key = data->phase2_method->getKey(sm, data->phase2_priv, in eap_peap_get_isk()
267 static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) in eap_peap_derive_cmk() argument
277 tk = data->key_data; in eap_peap_derive_cmk()
282 resumed = tls_connection_resumed(sm->ssl_ctx, data->ssl.conn); in eap_peap_derive_cmk()
285 data->reauth, resumed, data->phase2_eap_started, in eap_peap_derive_cmk()
286 data->phase2_success); in eap_peap_derive_cmk()
287 if (data->reauth && !data->phase2_eap_started && resumed) { in eap_peap_derive_cmk()
289 os_memcpy(data->ipmk, tk, 40); in eap_peap_derive_cmk()
291 data->ipmk, 40); in eap_peap_derive_cmk()
292 os_memcpy(data->cmk, tk + 40, 20); in eap_peap_derive_cmk()
294 data->cmk, 20); in eap_peap_derive_cmk()
298 if (eap_peap_get_isk(sm, data, isk, sizeof(isk)) < 0) in eap_peap_derive_cmk()
310 res = peap_prfplus(data->peap_version, tk, 40, in eap_peap_derive_cmk()
319 os_memcpy(data->ipmk, imck, 40); in eap_peap_derive_cmk()
320 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK (S-IPMKj)", data->ipmk, 40); in eap_peap_derive_cmk()
321 os_memcpy(data->cmk, imck + 40, 20); in eap_peap_derive_cmk()
322 wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: CMK (CMKj)", data->cmk, 20); in eap_peap_derive_cmk()
330 struct eap_peap_data *data, in eap_tlv_add_cryptobinding() argument
350 wpabuf_put_u8(buf, data->peap_version); /* Version */ in eap_tlv_add_cryptobinding()
351 wpabuf_put_u8(buf, data->peap_version); /* RecvVersion */ in eap_tlv_add_cryptobinding()
353 wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */ in eap_tlv_add_cryptobinding()
355 wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK", data->cmk, 20); in eap_tlv_add_cryptobinding()
360 if (hmac_sha1_vector(data->cmk, 20, 2, addr, len, mac) < 0) in eap_tlv_add_cryptobinding()
363 data->crypto_binding_used = 1; in eap_tlv_add_cryptobinding()
379 struct eap_peap_data *data, in eap_tlv_build_result() argument
386 if (data->crypto_binding == NO_BINDING) in eap_tlv_build_result()
402 if (crypto_tlv_used && eap_tlv_add_cryptobinding(sm, data, msg)) { in eap_tlv_build_result()
412 struct eap_peap_data *data, in eap_tlv_validate_cryptobinding() argument
419 if (eap_peap_derive_cmk(sm, data) < 0) { in eap_tlv_validate_cryptobinding()
432 if (pos[1] != data->peap_version) { in eap_tlv_validate_cryptobinding()
435 pos[1], data->peap_version); in eap_tlv_validate_cryptobinding()
445 os_memcpy(data->binding_nonce, pos, 32); in eap_tlv_validate_cryptobinding()
454 hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac); in eap_tlv_validate_cryptobinding()
473 struct eap_peap_data *data) in peap_phase2_sufficient() argument
475 if ((data->phase2_auth == ALWAYS || in peap_phase2_sufficient()
476 (data->phase2_auth == FOR_INITIAL && in peap_phase2_sufficient()
477 !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) && in peap_phase2_sufficient()
478 !data->ssl.client_cert_conf) || in peap_phase2_sufficient()
479 data->phase2_eap_started) && in peap_phase2_sufficient()
480 !data->phase2_eap_success) in peap_phase2_sufficient()
500 static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, in eap_tlv_process() argument
564 if (crypto_tlv && data->crypto_binding != NO_BINDING) { in eap_tlv_process()
567 if (eap_tlv_validate_cryptobinding(sm, data, crypto_tlv - 4, in eap_tlv_process()
576 } else if (!crypto_tlv && data->crypto_binding == REQUIRE_BINDING) { in eap_tlv_process()
600 } else if (!peap_phase2_sufficient(sm, data)) { in eap_tlv_process()
621 *resp = eap_tlv_build_result(sm, data, crypto_tlv != NULL, in eap_tlv_process()
630 struct eap_peap_data *data, in eap_peap_phase2_request() argument
656 if (eap_tlv_process(sm, data, &iret, req, resp, in eap_peap_phase2_request()
657 data->phase2_eap_started && in eap_peap_phase2_request()
658 !data->phase2_eap_success)) { in eap_peap_phase2_request()
667 data->phase2_success = 1; in eap_peap_phase2_request()
672 if (data->soh) { in eap_peap_phase2_request()
682 buf = tncc_process_soh_request(data->soh, in eap_peap_phase2_request()
719 if (data->phase2_type.vendor == EAP_VENDOR_IETF && in eap_peap_phase2_request()
720 data->phase2_type.method == EAP_TYPE_NONE) { in eap_peap_phase2_request()
722 for (i = 0; i < data->num_phase2_types; i++) { in eap_peap_phase2_request()
723 if (data->phase2_types[i].vendor != vendor || in eap_peap_phase2_request()
724 data->phase2_types[i].method != method) in eap_peap_phase2_request()
727 data->phase2_type.vendor = in eap_peap_phase2_request()
728 data->phase2_types[i].vendor; in eap_peap_phase2_request()
729 data->phase2_type.method = in eap_peap_phase2_request()
730 data->phase2_types[i].method; in eap_peap_phase2_request()
733 data->phase2_type.vendor, in eap_peap_phase2_request()
734 data->phase2_type.method); in eap_peap_phase2_request()
738 if (vendor != data->phase2_type.vendor || in eap_peap_phase2_request()
739 method != data->phase2_type.method || in eap_peap_phase2_request()
741 if (eap_peer_tls_phase2_nak(data->phase2_types, in eap_peap_phase2_request()
742 data->num_phase2_types, in eap_peap_phase2_request()
748 if (data->phase2_priv == NULL) { in eap_peap_phase2_request()
749 data->phase2_method = eap_peer_get_eap_method( in eap_peap_phase2_request()
750 data->phase2_type.vendor, in eap_peap_phase2_request()
751 data->phase2_type.method); in eap_peap_phase2_request()
752 if (data->phase2_method) { in eap_peap_phase2_request()
754 data->phase2_priv = in eap_peap_phase2_request()
755 data->phase2_method->init(sm); in eap_peap_phase2_request()
759 if (data->phase2_priv == NULL || data->phase2_method == NULL) { in eap_peap_phase2_request()
766 data->phase2_eap_started = 1; in eap_peap_phase2_request()
768 *resp = data->phase2_method->process(sm, data->phase2_priv, in eap_peap_phase2_request()
774 data->phase2_eap_success = 1; in eap_peap_phase2_request()
775 data->phase2_success = 1; in eap_peap_phase2_request()
784 wpabuf_clear_free(data->pending_phase2_req); in eap_peap_phase2_request()
785 data->pending_phase2_req = wpabuf_alloc_copy(hdr, len); in eap_peap_phase2_request()
792 static int eap_peap_decrypt(struct eap_sm *sm, struct eap_peap_data *data, in eap_peap_decrypt() argument
807 if (data->pending_phase2_req) { in eap_peap_decrypt()
811 eap_peer_tls_reset_input(&data->ssl); in eap_peap_decrypt()
812 in_decrypted = data->pending_phase2_req; in eap_peap_decrypt()
813 data->pending_phase2_req = NULL; in eap_peap_decrypt()
819 data->phase2_success) { in eap_peap_decrypt()
832 return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, in eap_peap_decrypt()
833 data->peap_version, in eap_peap_decrypt()
837 res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted); in eap_peap_decrypt()
862 if (data->peap_version == 0 && !skip_change) { in eap_peap_decrypt()
910 if (eap_peap_phase2_request(sm, data, ret, in_decrypted, in eap_peap_decrypt()
920 if (data->peap_version == 1) { in eap_peap_decrypt()
924 if (!peap_phase2_sufficient(sm, data)) { in eap_peap_decrypt()
939 data->phase2_success = 1; in eap_peap_decrypt()
940 if (data->peap_outer_success == 2) { in eap_peap_decrypt()
945 } else if (data->peap_outer_success == 1) { in eap_peap_decrypt()
1001 if (data->peap_version == 0 && !skip_change2) { in eap_peap_decrypt()
1008 if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_PEAP, in eap_peap_decrypt()
1009 data->peap_version, req->identifier, in eap_peap_decrypt()
1031 struct eap_peap_data *data = priv; in eap_peap_process() local
1034 pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_PEAP, ret, in eap_peap_process()
1044 data->peap_version); in eap_peap_process()
1045 if ((flags & EAP_TLS_VERSION_MASK) < data->peap_version) in eap_peap_process()
1046 data->peap_version = flags & EAP_TLS_VERSION_MASK; in eap_peap_process()
1047 if (data->force_peap_version >= 0 && in eap_peap_process()
1048 data->force_peap_version != data->peap_version) { in eap_peap_process()
1051 data->force_peap_version); in eap_peap_process()
1058 data->peap_version); in eap_peap_process()
1066 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) && in eap_peap_process()
1067 !data->resuming) { in eap_peap_process()
1068 res = eap_peap_decrypt(sm, data, ret, req, &msg, &resp); in eap_peap_process()
1070 if (sm->waiting_ext_cert_check && data->pending_resp) { in eap_peap_process()
1077 resp = data->pending_resp; in eap_peap_process()
1078 data->pending_resp = NULL; in eap_peap_process()
1098 res = eap_peer_tls_process_helper(sm, &data->ssl, in eap_peap_process()
1100 data->peap_version, id, &msg, in eap_peap_process()
1115 wpabuf_clear_free(data->pending_resp); in eap_peap_process()
1116 data->pending_resp = resp; in eap_peap_process()
1120 if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) { in eap_peap_process()
1128 eap_peap_free_key(data); in eap_peap_process()
1140 if (data->ssl.tls_v13) { in eap_peap_process()
1144 } else if (data->force_new_label) { in eap_peap_process()
1151 data->key_data = in eap_peap_process()
1152 eap_peer_tls_derive_key(sm, &data->ssl, label, in eap_peap_process()
1156 if (data->key_data) { in eap_peap_process()
1159 data->key_data, in eap_peap_process()
1163 data->key_data + in eap_peap_process()
1171 os_free(data->session_id); in eap_peap_process()
1172 data->session_id = in eap_peap_process()
1173 eap_peer_tls_derive_session_id(sm, &data->ssl, in eap_peap_process()
1175 &data->id_len); in eap_peap_process()
1176 if (data->session_id) { in eap_peap_process()
1179 data->session_id, data->id_len); in eap_peap_process()
1185 if (sm->workaround && data->resuming) { in eap_peap_process()
1200 data->phase2_success = 1; in eap_peap_process()
1203 data->resuming = 0; in eap_peap_process()
1210 wpabuf_clear_free(data->pending_phase2_req); in eap_peap_process()
1211 data->pending_phase2_req = resp; in eap_peap_process()
1213 res = eap_peap_decrypt(sm, data, ret, req, &msg, in eap_peap_process()
1225 data->peap_version); in eap_peap_process()
1234 struct eap_peap_data *data = priv; in eap_peap_has_reauth_data() local
1236 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && in eap_peap_has_reauth_data()
1237 data->phase2_success && data->phase2_auth != ALWAYS; in eap_peap_has_reauth_data()
1243 struct eap_peap_data *data = priv; in eap_peap_deinit_for_reauth() local
1245 if (data->phase2_priv && data->phase2_method && in eap_peap_deinit_for_reauth()
1246 data->phase2_method->deinit_for_reauth) in eap_peap_deinit_for_reauth()
1247 data->phase2_method->deinit_for_reauth(sm, data->phase2_priv); in eap_peap_deinit_for_reauth()
1248 wpabuf_clear_free(data->pending_phase2_req); in eap_peap_deinit_for_reauth()
1249 data->pending_phase2_req = NULL; in eap_peap_deinit_for_reauth()
1250 wpabuf_clear_free(data->pending_resp); in eap_peap_deinit_for_reauth()
1251 data->pending_resp = NULL; in eap_peap_deinit_for_reauth()
1252 data->crypto_binding_used = 0; in eap_peap_deinit_for_reauth()
1258 struct eap_peap_data *data = priv; in eap_peap_init_for_reauth() local
1259 eap_peap_free_key(data); in eap_peap_init_for_reauth()
1260 os_free(data->session_id); in eap_peap_init_for_reauth()
1261 data->session_id = NULL; in eap_peap_init_for_reauth()
1262 if (eap_peer_tls_reauth_init(sm, &data->ssl)) { in eap_peap_init_for_reauth()
1263 os_free(data); in eap_peap_init_for_reauth()
1266 if (data->phase2_priv && data->phase2_method && in eap_peap_init_for_reauth()
1267 data->phase2_method->init_for_reauth) in eap_peap_init_for_reauth()
1268 data->phase2_method->init_for_reauth(sm, data->phase2_priv); in eap_peap_init_for_reauth()
1269 data->phase2_success = 0; in eap_peap_init_for_reauth()
1270 data->phase2_eap_success = 0; in eap_peap_init_for_reauth()
1271 data->phase2_eap_started = 0; in eap_peap_init_for_reauth()
1272 data->resuming = 1; in eap_peap_init_for_reauth()
1273 data->reauth = 1; in eap_peap_init_for_reauth()
1282 struct eap_peap_data *data = priv; in eap_peap_get_status() local
1285 len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose); in eap_peap_get_status()
1286 if (data->phase2_method) { in eap_peap_get_status()
1289 data->peap_version, in eap_peap_get_status()
1290 data->phase2_method->name); in eap_peap_get_status()
1301 struct eap_peap_data *data = priv; in eap_peap_isKeyAvailable() local
1302 return data->key_data != NULL && data->phase2_success; in eap_peap_isKeyAvailable()
1308 struct eap_peap_data *data = priv; in eap_peap_getKey() local
1311 if (data->key_data == NULL || !data->phase2_success) in eap_peap_getKey()
1320 if (data->crypto_binding_used) { in eap_peap_getKey()
1327 if (peap_prfplus(data->peap_version, data->ipmk, 40, in eap_peap_getKey()
1339 os_memcpy(key, data->key_data, EAP_TLS_KEY_LEN); in eap_peap_getKey()
1347 struct eap_peap_data *data = priv; in eap_peap_get_emsk() local
1350 if (!data->key_data || !data->phase2_success) in eap_peap_get_emsk()
1353 if (data->crypto_binding_used) { in eap_peap_get_emsk()
1358 key = os_memdup(data->key_data + EAP_TLS_KEY_LEN, EAP_EMSK_LEN); in eap_peap_get_emsk()
1370 struct eap_peap_data *data = priv; in eap_peap_get_session_id() local
1373 if (data->session_id == NULL || !data->phase2_success) in eap_peap_get_session_id()
1376 id = os_memdup(data->session_id, data->id_len); in eap_peap_get_session_id()
1380 *len = data->id_len; in eap_peap_get_session_id()