Home | History | Annotate | Download | only in eap_peer
      1 /*
      2  * EAP peer method: EAP-FAST (RFC 4851)
      3  * Copyright (c) 2004-2008, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This program is free software; you can redistribute it and/or modify
      6  * it under the terms of the GNU General Public License version 2 as
      7  * published by the Free Software Foundation.
      8  *
      9  * Alternatively, this software may be distributed under the terms of BSD
     10  * license.
     11  *
     12  * See README and COPYING for more details.
     13  */
     14 
     15 #include "includes.h"
     16 
     17 #include "common.h"
     18 #include "eap_i.h"
     19 #include "eap_tls_common.h"
     20 #include "eap_config.h"
     21 #include "tls.h"
     22 #include "eap_common/eap_tlv_common.h"
     23 #include "sha1.h"
     24 #include "eap_fast_pac.h"
     25 
     26 #ifdef EAP_FAST_DYNAMIC
     27 #include "eap_fast_pac.c"
     28 #endif /* EAP_FAST_DYNAMIC */
     29 
     30 /* TODO:
     31  * - test session resumption and enable it if it interoperates
     32  * - password change (pending mschapv2 packet; replay decrypted packet)
     33  */
     34 
     35 
     36 static void eap_fast_deinit(struct eap_sm *sm, void *priv);
     37 
     38 
     39 struct eap_fast_data {
     40 	struct eap_ssl_data ssl;
     41 
     42 	int fast_version;
     43 
     44 	const struct eap_method *phase2_method;
     45 	void *phase2_priv;
     46 	int phase2_success;
     47 
     48 	struct eap_method_type phase2_type;
     49 	struct eap_method_type *phase2_types;
     50 	size_t num_phase2_types;
     51 	int resuming; /* starting a resumed session */
     52 	struct eap_fast_key_block_provisioning *key_block_p;
     53 #define EAP_FAST_PROV_UNAUTH 1
     54 #define EAP_FAST_PROV_AUTH 2
     55 	int provisioning_allowed; /* Allowed PAC provisioning modes */
     56 	int provisioning; /* doing PAC provisioning (not the normal auth) */
     57 	int anon_provisioning; /* doing anonymous (unauthenticated)
     58 				* provisioning */
     59 	int session_ticket_used;
     60 
     61 	u8 key_data[EAP_FAST_KEY_LEN];
     62 	u8 emsk[EAP_EMSK_LEN];
     63 	int success;
     64 
     65 	struct eap_fast_pac *pac;
     66 	struct eap_fast_pac *current_pac;
     67 	size_t max_pac_list_len;
     68 	int use_pac_binary_format;
     69 
     70 	u8 simck[EAP_FAST_SIMCK_LEN];
     71 	int simck_idx;
     72 
     73 	struct wpabuf *pending_phase2_req;
     74 };
     75 
     76 
     77 static int eap_fast_session_ticket_cb(void *ctx, const u8 *ticket, size_t len,
     78 				      const u8 *client_random,
     79 				      const u8 *server_random,
     80 				      u8 *master_secret)
     81 {
     82 	struct eap_fast_data *data = ctx;
     83 
     84 	wpa_printf(MSG_DEBUG, "EAP-FAST: SessionTicket callback");
     85 
     86 	if (client_random == NULL || server_random == NULL ||
     87 	    master_secret == NULL) {
     88 		wpa_printf(MSG_DEBUG, "EAP-FAST: SessionTicket failed - fall "
     89 			   "back to full TLS handshake");
     90 		data->session_ticket_used = 0;
     91 		if (data->provisioning_allowed) {
     92 			wpa_printf(MSG_DEBUG, "EAP-FAST: Try to provision a "
     93 				   "new PAC-Key");
     94 			data->provisioning = 1;
     95 			data->current_pac = NULL;
     96 		}
     97 		return 0;
     98 	}
     99 
    100 	wpa_hexdump(MSG_DEBUG, "EAP-FAST: SessionTicket", ticket, len);
    101 
    102 	if (data->current_pac == NULL) {
    103 		wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC-Key available for "
    104 			   "using SessionTicket");
    105 		data->session_ticket_used = 0;
    106 		return 0;
    107 	}
    108 
    109 	eap_fast_derive_master_secret(data->current_pac->pac_key,
    110 				      server_random, client_random,
    111 				      master_secret);
    112 
    113 	data->session_ticket_used = 1;
    114 
    115 	return 1;
    116 }
    117 
    118 
    119 static int eap_fast_parse_phase1(struct eap_fast_data *data,
    120 				 const char *phase1)
    121 {
    122 	const char *pos;
    123 
    124 	pos = os_strstr(phase1, "fast_provisioning=");
    125 	if (pos) {
    126 		data->provisioning_allowed = atoi(pos + 18);
    127 		wpa_printf(MSG_DEBUG, "EAP-FAST: Automatic PAC provisioning "
    128 			   "mode: %d", data->provisioning_allowed);
    129 	}
    130 
    131 	pos = os_strstr(phase1, "fast_max_pac_list_len=");
    132 	if (pos) {
    133 		data->max_pac_list_len = atoi(pos + 22);
    134 		if (data->max_pac_list_len == 0)
    135 			data->max_pac_list_len = 1;
    136 		wpa_printf(MSG_DEBUG, "EAP-FAST: Maximum PAC list length: %lu",
    137 			   (unsigned long) data->max_pac_list_len);
    138 	}
    139 
    140 	pos = os_strstr(phase1, "fast_pac_format=binary");
    141 	if (pos) {
    142 		data->use_pac_binary_format = 1;
    143 		wpa_printf(MSG_DEBUG, "EAP-FAST: Using binary format for PAC "
    144 			   "list");
    145 	}
    146 
    147 	return 0;
    148 }
    149 
    150 
    151 static void * eap_fast_init(struct eap_sm *sm)
    152 {
    153 	struct eap_fast_data *data;
    154 	struct eap_peer_config *config = eap_get_config(sm);
    155 
    156 	data = os_zalloc(sizeof(*data));
    157 	if (data == NULL)
    158 		return NULL;
    159 	data->fast_version = EAP_FAST_VERSION;
    160 	data->max_pac_list_len = 10;
    161 
    162 	if (config && config->phase1 &&
    163 	    eap_fast_parse_phase1(data, config->phase1) < 0) {
    164 		eap_fast_deinit(sm, data);
    165 		return NULL;
    166 	}
    167 
    168 	if (eap_peer_select_phase2_methods(config, "auth=",
    169 					   &data->phase2_types,
    170 					   &data->num_phase2_types) < 0) {
    171 		eap_fast_deinit(sm, data);
    172 		return NULL;
    173 	}
    174 
    175 	data->phase2_type.vendor = EAP_VENDOR_IETF;
    176 	data->phase2_type.method = EAP_TYPE_NONE;
    177 
    178 	if (eap_peer_tls_ssl_init(sm, &data->ssl, config)) {
    179 		wpa_printf(MSG_INFO, "EAP-FAST: Failed to initialize SSL.");
    180 		eap_fast_deinit(sm, data);
    181 		return NULL;
    182 	}
    183 
    184 	if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn,
    185 						 eap_fast_session_ticket_cb,
    186 						 data) < 0) {
    187 		wpa_printf(MSG_INFO, "EAP-FAST: Failed to set SessionTicket "
    188 			   "callback");
    189 		eap_fast_deinit(sm, data);
    190 		return NULL;
    191 	}
    192 
    193 	/*
    194 	 * The local RADIUS server in a Cisco AP does not seem to like empty
    195 	 * fragments before data, so disable that workaround for CBC.
    196 	 * TODO: consider making this configurable
    197 	 */
    198 	if (tls_connection_enable_workaround(sm->ssl_ctx, data->ssl.conn)) {
    199 		wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to enable TLS "
    200 			   "workarounds");
    201 	}
    202 
    203 	if (data->use_pac_binary_format &&
    204 	    eap_fast_load_pac_bin(sm, &data->pac, config->pac_file) < 0) {
    205 		eap_fast_deinit(sm, data);
    206 		return NULL;
    207 	}
    208 
    209 	if (!data->use_pac_binary_format &&
    210 	    eap_fast_load_pac(sm, &data->pac, config->pac_file) < 0) {
    211 		eap_fast_deinit(sm, data);
    212 		return NULL;
    213 	}
    214 	eap_fast_pac_list_truncate(data->pac, data->max_pac_list_len);
    215 
    216 	if (data->pac == NULL && !data->provisioning_allowed) {
    217 		wpa_printf(MSG_INFO, "EAP-FAST: No PAC configured and "
    218 			   "provisioning disabled");
    219 		eap_fast_deinit(sm, data);
    220 		return NULL;
    221 	}
    222 
    223 	return data;
    224 }
    225 
    226 
    227 static void eap_fast_deinit(struct eap_sm *sm, void *priv)
    228 {
    229 	struct eap_fast_data *data = priv;
    230 	struct eap_fast_pac *pac, *prev;
    231 
    232 	if (data == NULL)
    233 		return;
    234 	if (data->phase2_priv && data->phase2_method)
    235 		data->phase2_method->deinit(sm, data->phase2_priv);
    236 	os_free(data->phase2_types);
    237 	os_free(data->key_block_p);
    238 	eap_peer_tls_ssl_deinit(sm, &data->ssl);
    239 
    240 	pac = data->pac;
    241 	prev = NULL;
    242 	while (pac) {
    243 		prev = pac;
    244 		pac = pac->next;
    245 		eap_fast_free_pac(prev);
    246 	}
    247 	wpabuf_free(data->pending_phase2_req);
    248 	os_free(data);
    249 }
    250 
    251 
    252 static int eap_fast_derive_msk(struct eap_fast_data *data)
    253 {
    254 	eap_fast_derive_eap_msk(data->simck, data->key_data);
    255 	eap_fast_derive_eap_emsk(data->simck, data->emsk);
    256 	data->success = 1;
    257 	return 0;
    258 }
    259 
    260 
    261 static void eap_fast_derive_key_auth(struct eap_sm *sm,
    262 				     struct eap_fast_data *data)
    263 {
    264 	u8 *sks;
    265 
    266 	/* RFC 4851, Section 5.1:
    267 	 * Extra key material after TLS key_block: session_key_seed[40]
    268 	 */
    269 
    270 	sks = eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn, "key expansion",
    271 				  EAP_FAST_SKS_LEN);
    272 	if (sks == NULL) {
    273 		wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive "
    274 			   "session_key_seed");
    275 		return;
    276 	}
    277 
    278 	/*
    279 	 * RFC 4851, Section 5.2:
    280 	 * S-IMCK[0] = session_key_seed
    281 	 */
    282 	wpa_hexdump_key(MSG_DEBUG,
    283 			"EAP-FAST: session_key_seed (SKS = S-IMCK[0])",
    284 			sks, EAP_FAST_SKS_LEN);
    285 	data->simck_idx = 0;
    286 	os_memcpy(data->simck, sks, EAP_FAST_SIMCK_LEN);
    287 	os_free(sks);
    288 }
    289 
    290 
    291 static void eap_fast_derive_key_provisioning(struct eap_sm *sm,
    292 					     struct eap_fast_data *data)
    293 {
    294 	os_free(data->key_block_p);
    295 	data->key_block_p = (struct eap_fast_key_block_provisioning *)
    296 		eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn,
    297 				    "key expansion",
    298 				    sizeof(*data->key_block_p));
    299 	if (data->key_block_p == NULL) {
    300 		wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block");
    301 		return;
    302 	}
    303 	/*
    304 	 * RFC 4851, Section 5.2:
    305 	 * S-IMCK[0] = session_key_seed
    306 	 */
    307 	wpa_hexdump_key(MSG_DEBUG,
    308 			"EAP-FAST: session_key_seed (SKS = S-IMCK[0])",
    309 			data->key_block_p->session_key_seed,
    310 			sizeof(data->key_block_p->session_key_seed));
    311 	data->simck_idx = 0;
    312 	os_memcpy(data->simck, data->key_block_p->session_key_seed,
    313 		  EAP_FAST_SIMCK_LEN);
    314 	wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: server_challenge",
    315 			data->key_block_p->server_challenge,
    316 			sizeof(data->key_block_p->server_challenge));
    317 	wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: client_challenge",
    318 			data->key_block_p->client_challenge,
    319 			sizeof(data->key_block_p->client_challenge));
    320 }
    321 
    322 
    323 static void eap_fast_derive_keys(struct eap_sm *sm, struct eap_fast_data *data)
    324 {
    325 	if (data->anon_provisioning)
    326 		eap_fast_derive_key_provisioning(sm, data);
    327 	else
    328 		eap_fast_derive_key_auth(sm, data);
    329 }
    330 
    331 
    332 static int eap_fast_init_phase2_method(struct eap_sm *sm,
    333 				       struct eap_fast_data *data)
    334 {
    335 	data->phase2_method =
    336 		eap_peer_get_eap_method(data->phase2_type.vendor,
    337 					data->phase2_type.method);
    338 	if (data->phase2_method == NULL)
    339 		return -1;
    340 
    341 	if (data->key_block_p) {
    342 		sm->auth_challenge = data->key_block_p->server_challenge;
    343 		sm->peer_challenge = data->key_block_p->client_challenge;
    344 	}
    345 	sm->init_phase2 = 1;
    346 	data->phase2_priv = data->phase2_method->init(sm);
    347 	sm->init_phase2 = 0;
    348 	sm->auth_challenge = NULL;
    349 	sm->peer_challenge = NULL;
    350 
    351 	return data->phase2_priv == NULL ? -1 : 0;
    352 }
    353 
    354 
    355 static int eap_fast_select_phase2_method(struct eap_fast_data *data, u8 type)
    356 {
    357 	size_t i;
    358 
    359 	/* TODO: TNC with anonymous provisioning; need to require both
    360 	 * completed MSCHAPv2 and TNC */
    361 
    362 	if (data->anon_provisioning && type != EAP_TYPE_MSCHAPV2) {
    363 		wpa_printf(MSG_INFO, "EAP-FAST: Only EAP-MSCHAPv2 is allowed "
    364 			   "during unauthenticated provisioning; reject phase2"
    365 			   " type %d", type);
    366 		return -1;
    367 	}
    368 
    369 #ifdef EAP_TNC
    370 	if (type == EAP_TYPE_TNC) {
    371 		data->phase2_type.vendor = EAP_VENDOR_IETF;
    372 		data->phase2_type.method = EAP_TYPE_TNC;
    373 		wpa_printf(MSG_DEBUG, "EAP-FAST: Selected Phase 2 EAP "
    374 			   "vendor %d method %d for TNC",
    375 			   data->phase2_type.vendor,
    376 			   data->phase2_type.method);
    377 		return 0;
    378 	}
    379 #endif /* EAP_TNC */
    380 
    381 	for (i = 0; i < data->num_phase2_types; i++) {
    382 		if (data->phase2_types[i].vendor != EAP_VENDOR_IETF ||
    383 		    data->phase2_types[i].method != type)
    384 			continue;
    385 
    386 		data->phase2_type.vendor = data->phase2_types[i].vendor;
    387 		data->phase2_type.method = data->phase2_types[i].method;
    388 		wpa_printf(MSG_DEBUG, "EAP-FAST: Selected Phase 2 EAP "
    389 			   "vendor %d method %d",
    390 			   data->phase2_type.vendor,
    391 			   data->phase2_type.method);
    392 		break;
    393 	}
    394 
    395 	if (type != data->phase2_type.method || type == EAP_TYPE_NONE)
    396 		return -1;
    397 
    398 	return 0;
    399 }
    400 
    401 
    402 static int eap_fast_phase2_request(struct eap_sm *sm,
    403 				   struct eap_fast_data *data,
    404 				   struct eap_method_ret *ret,
    405 				   struct eap_hdr *hdr,
    406 				   struct wpabuf **resp)
    407 {
    408 	size_t len = be_to_host16(hdr->length);
    409 	u8 *pos;
    410 	struct eap_method_ret iret;
    411 	struct eap_peer_config *config = eap_get_config(sm);
    412 	struct wpabuf msg;
    413 
    414 	if (len <= sizeof(struct eap_hdr)) {
    415 		wpa_printf(MSG_INFO, "EAP-FAST: too short "
    416 			   "Phase 2 request (len=%lu)", (unsigned long) len);
    417 		return -1;
    418 	}
    419 	pos = (u8 *) (hdr + 1);
    420 	wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 Request: type=%d", *pos);
    421 	if (*pos == EAP_TYPE_IDENTITY) {
    422 		*resp = eap_sm_buildIdentity(sm, hdr->identifier, 1);
    423 		return 0;
    424 	}
    425 
    426 	if (data->phase2_priv && data->phase2_method &&
    427 	    *pos != data->phase2_type.method) {
    428 		wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 EAP sequence - "
    429 			   "deinitialize previous method");
    430 		data->phase2_method->deinit(sm, data->phase2_priv);
    431 		data->phase2_method = NULL;
    432 		data->phase2_priv = NULL;
    433 		data->phase2_type.vendor = EAP_VENDOR_IETF;
    434 		data->phase2_type.method = EAP_TYPE_NONE;
    435 	}
    436 
    437 	if (data->phase2_type.vendor == EAP_VENDOR_IETF &&
    438 	    data->phase2_type.method == EAP_TYPE_NONE &&
    439 	    eap_fast_select_phase2_method(data, *pos) < 0) {
    440 		if (eap_peer_tls_phase2_nak(data->phase2_types,
    441 					    data->num_phase2_types,
    442 					    hdr, resp))
    443 			return -1;
    444 		return 0;
    445 	}
    446 
    447 	if (data->phase2_priv == NULL &&
    448 	    eap_fast_init_phase2_method(sm, data) < 0) {
    449 		wpa_printf(MSG_INFO, "EAP-FAST: Failed to initialize "
    450 			   "Phase 2 EAP method %d", *pos);
    451 		ret->methodState = METHOD_DONE;
    452 		ret->decision = DECISION_FAIL;
    453 		return -1;
    454 	}
    455 
    456 	os_memset(&iret, 0, sizeof(iret));
    457 	wpabuf_set(&msg, hdr, len);
    458 	*resp = data->phase2_method->process(sm, data->phase2_priv, &iret,
    459 					     &msg);
    460 	if (*resp == NULL ||
    461 	    (iret.methodState == METHOD_DONE &&
    462 	     iret.decision == DECISION_FAIL)) {
    463 		ret->methodState = METHOD_DONE;
    464 		ret->decision = DECISION_FAIL;
    465 	} else if ((iret.methodState == METHOD_DONE ||
    466 		    iret.methodState == METHOD_MAY_CONT) &&
    467 		   (iret.decision == DECISION_UNCOND_SUCC ||
    468 		    iret.decision == DECISION_COND_SUCC)) {
    469 		data->phase2_success = 1;
    470 	}
    471 
    472 	if (*resp == NULL && config &&
    473 	    (config->pending_req_identity || config->pending_req_password ||
    474 	     config->pending_req_otp || config->pending_req_new_password)) {
    475 		wpabuf_free(data->pending_phase2_req);
    476 		data->pending_phase2_req = wpabuf_alloc_copy(hdr, len);
    477 	} else if (*resp == NULL)
    478 		return -1;
    479 
    480 	return 0;
    481 }
    482 
    483 
    484 static struct wpabuf * eap_fast_tlv_nak(int vendor_id, int tlv_type)
    485 {
    486 	struct wpabuf *buf;
    487 	struct eap_tlv_nak_tlv *nak;
    488 	buf = wpabuf_alloc(sizeof(*nak));
    489 	if (buf == NULL)
    490 		return NULL;
    491 	nak = wpabuf_put(buf, sizeof(*nak));
    492 	nak->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY | EAP_TLV_NAK_TLV);
    493 	nak->length = host_to_be16(6);
    494 	nak->vendor_id = host_to_be32(vendor_id);
    495 	nak->nak_type = host_to_be16(tlv_type);
    496 	return buf;
    497 }
    498 
    499 
    500 static struct wpabuf * eap_fast_tlv_result(int status, int intermediate)
    501 {
    502 	struct wpabuf *buf;
    503 	struct eap_tlv_intermediate_result_tlv *result;
    504 	buf = wpabuf_alloc(sizeof(*result));
    505 	if (buf == NULL)
    506 		return NULL;
    507 	wpa_printf(MSG_DEBUG, "EAP-FAST: Add %sResult TLV(status=%d)",
    508 		   intermediate ? "Intermediate " : "", status);
    509 	result = wpabuf_put(buf, sizeof(*result));
    510 	result->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY |
    511 					(intermediate ?
    512 					 EAP_TLV_INTERMEDIATE_RESULT_TLV :
    513 					 EAP_TLV_RESULT_TLV));
    514 	result->length = host_to_be16(2);
    515 	result->status = host_to_be16(status);
    516 	return buf;
    517 }
    518 
    519 
    520 static struct wpabuf * eap_fast_tlv_pac_ack(void)
    521 {
    522 	struct wpabuf *buf;
    523 	struct eap_tlv_result_tlv *res;
    524 	struct eap_tlv_pac_ack_tlv *ack;
    525 
    526 	buf = wpabuf_alloc(sizeof(*res) + sizeof(*ack));
    527 	if (buf == NULL)
    528 		return NULL;
    529 
    530 	wpa_printf(MSG_DEBUG, "EAP-FAST: Add PAC TLV (ack)");
    531 	ack = wpabuf_put(buf, sizeof(*ack));
    532 	ack->tlv_type = host_to_be16(EAP_TLV_PAC_TLV |
    533 				     EAP_TLV_TYPE_MANDATORY);
    534 	ack->length = host_to_be16(sizeof(*ack) - sizeof(struct eap_tlv_hdr));
    535 	ack->pac_type = host_to_be16(PAC_TYPE_PAC_ACKNOWLEDGEMENT);
    536 	ack->pac_len = host_to_be16(2);
    537 	ack->result = host_to_be16(EAP_TLV_RESULT_SUCCESS);
    538 
    539 	return buf;
    540 }
    541 
    542 
    543 static struct wpabuf * eap_fast_process_eap_payload_tlv(
    544 	struct eap_sm *sm, struct eap_fast_data *data,
    545 	struct eap_method_ret *ret, const struct eap_hdr *req,
    546 	u8 *eap_payload_tlv, size_t eap_payload_tlv_len)
    547 {
    548 	struct eap_hdr *hdr;
    549 	struct wpabuf *resp = NULL;
    550 
    551 	if (eap_payload_tlv_len < sizeof(*hdr)) {
    552 		wpa_printf(MSG_DEBUG, "EAP-FAST: too short EAP "
    553 			   "Payload TLV (len=%lu)",
    554 			   (unsigned long) eap_payload_tlv_len);
    555 		return NULL;
    556 	}
    557 
    558 	hdr = (struct eap_hdr *) eap_payload_tlv;
    559 	if (be_to_host16(hdr->length) > eap_payload_tlv_len) {
    560 		wpa_printf(MSG_DEBUG, "EAP-FAST: EAP packet overflow in "
    561 			   "EAP Payload TLV");
    562 		return NULL;
    563 	}
    564 
    565 	if (hdr->code != EAP_CODE_REQUEST) {
    566 		wpa_printf(MSG_INFO, "EAP-FAST: Unexpected code=%d in "
    567 			   "Phase 2 EAP header", hdr->code);
    568 		return NULL;
    569 	}
    570 
    571 	if (eap_fast_phase2_request(sm, data, ret, hdr, &resp)) {
    572 		wpa_printf(MSG_INFO, "EAP-FAST: Phase2 Request processing "
    573 			   "failed");
    574 		return NULL;
    575 	}
    576 
    577 	return eap_fast_tlv_eap_payload(resp);
    578 }
    579 
    580 
    581 static int eap_fast_validate_crypto_binding(
    582 	struct eap_tlv_crypto_binding_tlv *_bind)
    583 {
    584 	wpa_printf(MSG_DEBUG, "EAP-FAST: Crypto-Binding TLV: Version %d "
    585 		   "Received Version %d SubType %d",
    586 		   _bind->version, _bind->received_version, _bind->subtype);
    587 	wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE",
    588 		    _bind->nonce, sizeof(_bind->nonce));
    589 	wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC",
    590 		    _bind->compound_mac, sizeof(_bind->compound_mac));
    591 
    592 	if (_bind->version != EAP_FAST_VERSION ||
    593 	    _bind->received_version != EAP_FAST_VERSION ||
    594 	    _bind->subtype != EAP_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST) {
    595 		wpa_printf(MSG_INFO, "EAP-FAST: Invalid version/subtype in "
    596 			   "Crypto-Binding TLV: Version %d "
    597 			   "Received Version %d SubType %d",
    598 			   _bind->version, _bind->received_version,
    599 			   _bind->subtype);
    600 		return -1;
    601 	}
    602 
    603 	return 0;
    604 }
    605 
    606 
    607 static void eap_fast_write_crypto_binding(
    608 	struct eap_tlv_crypto_binding_tlv *rbind,
    609 	struct eap_tlv_crypto_binding_tlv *_bind, const u8 *cmk)
    610 {
    611 	rbind->tlv_type = host_to_be16(EAP_TLV_TYPE_MANDATORY |
    612 				       EAP_TLV_CRYPTO_BINDING_TLV);
    613 	rbind->length = host_to_be16(sizeof(*rbind) -
    614 				     sizeof(struct eap_tlv_hdr));
    615 	rbind->version = EAP_FAST_VERSION;
    616 	rbind->received_version = _bind->version;
    617 	rbind->subtype = EAP_TLV_CRYPTO_BINDING_SUBTYPE_RESPONSE;
    618 	os_memcpy(rbind->nonce, _bind->nonce, sizeof(_bind->nonce));
    619 	inc_byte_array(rbind->nonce, sizeof(rbind->nonce));
    620 	hmac_sha1(cmk, EAP_FAST_CMK_LEN, (u8 *) rbind, sizeof(*rbind),
    621 		  rbind->compound_mac);
    622 
    623 	wpa_printf(MSG_DEBUG, "EAP-FAST: Reply Crypto-Binding TLV: Version %d "
    624 		   "Received Version %d SubType %d",
    625 		   rbind->version, rbind->received_version, rbind->subtype);
    626 	wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: NONCE",
    627 		    rbind->nonce, sizeof(rbind->nonce));
    628 	wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Compound MAC",
    629 		    rbind->compound_mac, sizeof(rbind->compound_mac));
    630 }
    631 
    632 
    633 static int eap_fast_get_phase2_key(struct eap_sm *sm,
    634 				   struct eap_fast_data *data,
    635 				   u8 *isk, size_t isk_len)
    636 {
    637 	u8 *key;
    638 	size_t key_len;
    639 
    640 	os_memset(isk, 0, isk_len);
    641 
    642 	if (data->phase2_method == NULL || data->phase2_priv == NULL) {
    643 		wpa_printf(MSG_DEBUG, "EAP-FAST: Phase 2 method not "
    644 			   "available");
    645 		return -1;
    646 	}
    647 
    648 	if (data->phase2_method->isKeyAvailable == NULL ||
    649 	    data->phase2_method->getKey == NULL)
    650 		return 0;
    651 
    652 	if (!data->phase2_method->isKeyAvailable(sm, data->phase2_priv) ||
    653 	    (key = data->phase2_method->getKey(sm, data->phase2_priv,
    654 					       &key_len)) == NULL) {
    655 		wpa_printf(MSG_DEBUG, "EAP-FAST: Could not get key material "
    656 			   "from Phase 2");
    657 		return -1;
    658 	}
    659 
    660 	if (key_len > isk_len)
    661 		key_len = isk_len;
    662 	if (key_len == 32 &&
    663 	    data->phase2_method->vendor == EAP_VENDOR_IETF &&
    664 	    data->phase2_method->method == EAP_TYPE_MSCHAPV2) {
    665 		/*
    666 		 * EAP-FAST uses reverse order for MS-MPPE keys when deriving
    667 		 * MSK from EAP-MSCHAPv2. Swap the keys here to get the correct
    668 		 * ISK for EAP-FAST cryptobinding.
    669 		 */
    670 		os_memcpy(isk, key + 16, 16);
    671 		os_memcpy(isk + 16, key, 16);
    672 	} else
    673 		os_memcpy(isk, key, key_len);
    674 	os_free(key);
    675 
    676 	return 0;
    677 }
    678 
    679 
    680 static int eap_fast_get_cmk(struct eap_sm *sm, struct eap_fast_data *data,
    681 			    u8 *cmk)
    682 {
    683 	u8 isk[32], imck[60];
    684 
    685 	wpa_printf(MSG_DEBUG, "EAP-FAST: Determining CMK[%d] for Compound MIC "
    686 		   "calculation", data->simck_idx + 1);
    687 
    688 	/*
    689 	 * RFC 4851, Section 5.2:
    690 	 * IMCK[j] = T-PRF(S-IMCK[j-1], "Inner Methods Compound Keys",
    691 	 *                 MSK[j], 60)
    692 	 * S-IMCK[j] = first 40 octets of IMCK[j]
    693 	 * CMK[j] = last 20 octets of IMCK[j]
    694 	 */
    695 
    696 	if (eap_fast_get_phase2_key(sm, data, isk, sizeof(isk)) < 0)
    697 		return -1;
    698 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: ISK[j]", isk, sizeof(isk));
    699 	sha1_t_prf(data->simck, EAP_FAST_SIMCK_LEN,
    700 		   "Inner Methods Compound Keys",
    701 		   isk, sizeof(isk), imck, sizeof(imck));
    702 	data->simck_idx++;
    703 	os_memcpy(data->simck, imck, EAP_FAST_SIMCK_LEN);
    704 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: S-IMCK[j]",
    705 			data->simck, EAP_FAST_SIMCK_LEN);
    706 	os_memcpy(cmk, imck + EAP_FAST_SIMCK_LEN, EAP_FAST_CMK_LEN);
    707 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: CMK[j]",
    708 			cmk, EAP_FAST_CMK_LEN);
    709 
    710 	return 0;
    711 }
    712 
    713 
    714 static u8 * eap_fast_write_pac_request(u8 *pos, u16 pac_type)
    715 {
    716 	struct eap_tlv_hdr *pac;
    717 	struct eap_tlv_request_action_tlv *act;
    718 	struct eap_tlv_pac_type_tlv *type;
    719 
    720 	act = (struct eap_tlv_request_action_tlv *) pos;
    721 	act->tlv_type = host_to_be16(EAP_TLV_REQUEST_ACTION_TLV);
    722 	act->length = host_to_be16(2);
    723 	act->action = host_to_be16(EAP_TLV_ACTION_PROCESS_TLV);
    724 
    725 	pac = (struct eap_tlv_hdr *) (act + 1);
    726 	pac->tlv_type = host_to_be16(EAP_TLV_PAC_TLV);
    727 	pac->length = host_to_be16(sizeof(*type));
    728 
    729 	type = (struct eap_tlv_pac_type_tlv *) (pac + 1);
    730 	type->tlv_type = host_to_be16(PAC_TYPE_PAC_TYPE);
    731 	type->length = host_to_be16(2);
    732 	type->pac_type = host_to_be16(pac_type);
    733 
    734 	return (u8 *) (type + 1);
    735 }
    736 
    737 
    738 static struct wpabuf * eap_fast_process_crypto_binding(
    739 	struct eap_sm *sm, struct eap_fast_data *data,
    740 	struct eap_method_ret *ret,
    741 	struct eap_tlv_crypto_binding_tlv *_bind, size_t bind_len)
    742 {
    743 	struct wpabuf *resp;
    744 	u8 *pos;
    745 	u8 cmk[EAP_FAST_CMK_LEN], cmac[SHA1_MAC_LEN];
    746 	int res;
    747 	size_t len;
    748 
    749 	if (eap_fast_validate_crypto_binding(_bind) < 0)
    750 		return NULL;
    751 
    752 	if (eap_fast_get_cmk(sm, data, cmk) < 0)
    753 		return NULL;
    754 
    755 	/* Validate received Compound MAC */
    756 	os_memcpy(cmac, _bind->compound_mac, sizeof(cmac));
    757 	os_memset(_bind->compound_mac, 0, sizeof(cmac));
    758 	wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV for Compound "
    759 		    "MAC calculation", (u8 *) _bind, bind_len);
    760 	hmac_sha1(cmk, EAP_FAST_CMK_LEN, (u8 *) _bind, bind_len,
    761 		  _bind->compound_mac);
    762 	res = os_memcmp(cmac, _bind->compound_mac, sizeof(cmac));
    763 	wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Received Compound MAC",
    764 		    cmac, sizeof(cmac));
    765 	wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Calculated Compound MAC",
    766 		    _bind->compound_mac, sizeof(cmac));
    767 	if (res != 0) {
    768 		wpa_printf(MSG_INFO, "EAP-FAST: Compound MAC did not match");
    769 		os_memcpy(_bind->compound_mac, cmac, sizeof(cmac));
    770 		return NULL;
    771 	}
    772 
    773 	/*
    774 	 * Compound MAC was valid, so authentication succeeded. Reply with
    775 	 * crypto binding to allow server to complete authentication.
    776 	 */
    777 
    778 	len = sizeof(struct eap_tlv_crypto_binding_tlv);
    779 	resp = wpabuf_alloc(len);
    780 	if (resp == NULL)
    781 		return NULL;
    782 
    783 	if (!data->anon_provisioning && data->phase2_success &&
    784 	    eap_fast_derive_msk(data) < 0) {
    785 		wpa_printf(MSG_INFO, "EAP-FAST: Failed to generate MSK");
    786 		ret->methodState = METHOD_DONE;
    787 		ret->decision = DECISION_FAIL;
    788 		data->phase2_success = 0;
    789 		wpabuf_free(resp);
    790 		return NULL;
    791 	}
    792 
    793 	pos = wpabuf_put(resp, sizeof(struct eap_tlv_crypto_binding_tlv));
    794 	eap_fast_write_crypto_binding((struct eap_tlv_crypto_binding_tlv *)
    795 				      pos, _bind, cmk);
    796 
    797 	return resp;
    798 }
    799 
    800 
    801 static void eap_fast_parse_pac_tlv(struct eap_fast_pac *entry, int type,
    802 				   u8 *pos, size_t len, int *pac_key_found)
    803 {
    804 	switch (type & 0x7fff) {
    805 	case PAC_TYPE_PAC_KEY:
    806 		wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: PAC-Key", pos, len);
    807 		if (len != EAP_FAST_PAC_KEY_LEN) {
    808 			wpa_printf(MSG_DEBUG, "EAP-FAST: Invalid PAC-Key "
    809 				   "length %lu", (unsigned long) len);
    810 			break;
    811 		}
    812 		*pac_key_found = 1;
    813 		os_memcpy(entry->pac_key, pos, len);
    814 		break;
    815 	case PAC_TYPE_PAC_OPAQUE:
    816 		wpa_hexdump(MSG_DEBUG, "EAP-FAST: PAC-Opaque", pos, len);
    817 		entry->pac_opaque = pos;
    818 		entry->pac_opaque_len = len;
    819 		break;
    820 	case PAC_TYPE_PAC_INFO:
    821 		wpa_hexdump(MSG_DEBUG, "EAP-FAST: PAC-Info", pos, len);
    822 		entry->pac_info = pos;
    823 		entry->pac_info_len = len;
    824 		break;
    825 	default:
    826 		wpa_printf(MSG_DEBUG, "EAP-FAST: Ignored unknown PAC type %d",
    827 			   type);
    828 		break;
    829 	}
    830 }
    831 
    832 
    833 static int eap_fast_process_pac_tlv(struct eap_fast_pac *entry,
    834 				    u8 *pac, size_t pac_len)
    835 {
    836 	struct pac_tlv_hdr *hdr;
    837 	u8 *pos;
    838 	size_t left, len;
    839 	int type, pac_key_found = 0;
    840 
    841 	pos = pac;
    842 	left = pac_len;
    843 
    844 	while (left > sizeof(*hdr)) {
    845 		hdr = (struct pac_tlv_hdr *) pos;
    846 		type = be_to_host16(hdr->type);
    847 		len = be_to_host16(hdr->len);
    848 		pos += sizeof(*hdr);
    849 		left -= sizeof(*hdr);
    850 		if (len > left) {
    851 			wpa_printf(MSG_DEBUG, "EAP-FAST: PAC TLV overrun "
    852 				   "(type=%d len=%lu left=%lu)",
    853 				   type, (unsigned long) len,
    854 				   (unsigned long) left);
    855 			return -1;
    856 		}
    857 
    858 		eap_fast_parse_pac_tlv(entry, type, pos, len, &pac_key_found);
    859 
    860 		pos += len;
    861 		left -= len;
    862 	}
    863 
    864 	if (!pac_key_found || !entry->pac_opaque || !entry->pac_info) {
    865 		wpa_printf(MSG_DEBUG, "EAP-FAST: PAC TLV does not include "
    866 			   "all the required fields");
    867 		return -1;
    868 	}
    869 
    870 	return 0;
    871 }
    872 
    873 
    874 static int eap_fast_parse_pac_info(struct eap_fast_pac *entry, int type,
    875 				   u8 *pos, size_t len)
    876 {
    877 	u16 pac_type;
    878 	u32 lifetime;
    879 	struct os_time now;
    880 
    881 	switch (type & 0x7fff) {
    882 	case PAC_TYPE_CRED_LIFETIME:
    883 		if (len != 4) {
    884 			wpa_hexdump(MSG_DEBUG, "EAP-FAST: PAC-Info - "
    885 				    "Invalid CRED_LIFETIME length - ignored",
    886 				    pos, len);
    887 			return 0;
    888 		}
    889 
    890 		/*
    891 		 * This is not currently saved separately in PAC files since
    892 		 * the server can automatically initiate PAC update when
    893 		 * needed. Anyway, the information is available from PAC-Info
    894 		 * dump if it is needed for something in the future.
    895 		 */
    896 		lifetime = WPA_GET_BE32(pos);
    897 		os_get_time(&now);
    898 		wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Info - CRED_LIFETIME %d "
    899 			   "(%d days)",
    900 			   lifetime, (lifetime - (u32) now.sec) / 86400);
    901 		break;
    902 	case PAC_TYPE_A_ID:
    903 		wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: PAC-Info - A-ID",
    904 				  pos, len);
    905 		entry->a_id = pos;
    906 		entry->a_id_len = len;
    907 		break;
    908 	case PAC_TYPE_I_ID:
    909 		wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: PAC-Info - I-ID",
    910 				  pos, len);
    911 		entry->i_id = pos;
    912 		entry->i_id_len = len;
    913 		break;
    914 	case PAC_TYPE_A_ID_INFO:
    915 		wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: PAC-Info - A-ID-Info",
    916 				  pos, len);
    917 		entry->a_id_info = pos;
    918 		entry->a_id_info_len = len;
    919 		break;
    920 	case PAC_TYPE_PAC_TYPE:
    921 		/* RFC 5422, Section 4.2.6 - PAC-Type TLV */
    922 		if (len != 2) {
    923 			wpa_printf(MSG_INFO, "EAP-FAST: Invalid PAC-Type "
    924 				   "length %lu (expected 2)",
    925 				   (unsigned long) len);
    926 			wpa_hexdump_ascii(MSG_DEBUG,
    927 					  "EAP-FAST: PAC-Info - PAC-Type",
    928 					  pos, len);
    929 			return -1;
    930 		}
    931 		pac_type = WPA_GET_BE16(pos);
    932 		if (pac_type != PAC_TYPE_TUNNEL_PAC &&
    933 		    pac_type != PAC_TYPE_USER_AUTHORIZATION &&
    934 		    pac_type != PAC_TYPE_MACHINE_AUTHENTICATION) {
    935 			wpa_printf(MSG_INFO, "EAP-FAST: Unsupported PAC Type "
    936 				   "%d", pac_type);
    937 			return -1;
    938 		}
    939 
    940 		wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Info - PAC-Type %d",
    941 			   pac_type);
    942 		entry->pac_type = pac_type;
    943 		break;
    944 	default:
    945 		wpa_printf(MSG_DEBUG, "EAP-FAST: Ignored unknown PAC-Info "
    946 			   "type %d", type);
    947 		break;
    948 	}
    949 
    950 	return 0;
    951 }
    952 
    953 
    954 static int eap_fast_process_pac_info(struct eap_fast_pac *entry)
    955 {
    956 	struct pac_tlv_hdr *hdr;
    957 	u8 *pos;
    958 	size_t left, len;
    959 	int type;
    960 
    961 	/* RFC 5422, Section 4.2.4 */
    962 
    963 	/* PAC-Type defaults to Tunnel PAC (Type 1) */
    964 	entry->pac_type = PAC_TYPE_TUNNEL_PAC;
    965 
    966 	pos = entry->pac_info;
    967 	left = entry->pac_info_len;
    968 	while (left > sizeof(*hdr)) {
    969 		hdr = (struct pac_tlv_hdr *) pos;
    970 		type = be_to_host16(hdr->type);
    971 		len = be_to_host16(hdr->len);
    972 		pos += sizeof(*hdr);
    973 		left -= sizeof(*hdr);
    974 		if (len > left) {
    975 			wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Info overrun "
    976 				   "(type=%d len=%lu left=%lu)",
    977 				   type, (unsigned long) len,
    978 				   (unsigned long) left);
    979 			return -1;
    980 		}
    981 
    982 		if (eap_fast_parse_pac_info(entry, type, pos, len) < 0)
    983 			return -1;
    984 
    985 		pos += len;
    986 		left -= len;
    987 	}
    988 
    989 	if (entry->a_id == NULL || entry->a_id_info == NULL) {
    990 		wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Info does not include "
    991 			   "all the required fields");
    992 		return -1;
    993 	}
    994 
    995 	return 0;
    996 }
    997 
    998 
    999 static struct wpabuf * eap_fast_process_pac(struct eap_sm *sm,
   1000 					    struct eap_fast_data *data,
   1001 					    struct eap_method_ret *ret,
   1002 					    u8 *pac, size_t pac_len)
   1003 {
   1004 	struct eap_peer_config *config = eap_get_config(sm);
   1005 	struct eap_fast_pac entry;
   1006 
   1007 	os_memset(&entry, 0, sizeof(entry));
   1008 	if (eap_fast_process_pac_tlv(&entry, pac, pac_len) ||
   1009 	    eap_fast_process_pac_info(&entry))
   1010 		return NULL;
   1011 
   1012 	eap_fast_add_pac(&data->pac, &data->current_pac, &entry);
   1013 	eap_fast_pac_list_truncate(data->pac, data->max_pac_list_len);
   1014 	if (data->use_pac_binary_format)
   1015 		eap_fast_save_pac_bin(sm, data->pac, config->pac_file);
   1016 	else
   1017 		eap_fast_save_pac(sm, data->pac, config->pac_file);
   1018 
   1019 	if (data->provisioning) {
   1020 		if (data->anon_provisioning) {
   1021 			/*
   1022 			 * Unauthenticated provisioning does not provide keying
   1023 			 * material and must end with an EAP-Failure.
   1024 			 * Authentication will be done separately after this.
   1025 			 */
   1026 			data->success = 0;
   1027 			ret->decision = DECISION_FAIL;
   1028 		} else {
   1029 			/*
   1030 			 * Server may or may not allow authenticated
   1031 			 * provisioning also for key generation.
   1032 			 */
   1033 			ret->decision = DECISION_COND_SUCC;
   1034 		}
   1035 		wpa_printf(MSG_DEBUG, "EAP-FAST: Send PAC-Acknowledgement TLV "
   1036 			   "- Provisioning completed successfully");
   1037 	} else {
   1038 		/*
   1039 		 * This is PAC refreshing, i.e., normal authentication that is
   1040 		 * expected to be completed with an EAP-Success.
   1041 		 */
   1042 		wpa_printf(MSG_DEBUG, "EAP-FAST: Send PAC-Acknowledgement TLV "
   1043 			   "- PAC refreshing completed successfully");
   1044 		ret->decision = DECISION_UNCOND_SUCC;
   1045 	}
   1046 	ret->methodState = METHOD_DONE;
   1047 	return eap_fast_tlv_pac_ack();
   1048 }
   1049 
   1050 
   1051 static int eap_fast_parse_decrypted(struct wpabuf *decrypted,
   1052 				    struct eap_fast_tlv_parse *tlv,
   1053 				    struct wpabuf **resp)
   1054 {
   1055 	int mandatory, tlv_type, len, res;
   1056 	u8 *pos, *end;
   1057 
   1058 	os_memset(tlv, 0, sizeof(*tlv));
   1059 
   1060 	/* Parse TLVs from the decrypted Phase 2 data */
   1061 	pos = wpabuf_mhead(decrypted);
   1062 	end = pos + wpabuf_len(decrypted);
   1063 	while (pos + 4 < end) {
   1064 		mandatory = pos[0] & 0x80;
   1065 		tlv_type = WPA_GET_BE16(pos) & 0x3fff;
   1066 		pos += 2;
   1067 		len = WPA_GET_BE16(pos);
   1068 		pos += 2;
   1069 		if (pos + len > end) {
   1070 			wpa_printf(MSG_INFO, "EAP-FAST: TLV overflow");
   1071 			return -1;
   1072 		}
   1073 		wpa_printf(MSG_DEBUG, "EAP-FAST: Received Phase 2: "
   1074 			   "TLV type %d length %d%s",
   1075 			   tlv_type, len, mandatory ? " (mandatory)" : "");
   1076 
   1077 		res = eap_fast_parse_tlv(tlv, tlv_type, pos, len);
   1078 		if (res == -2)
   1079 			break;
   1080 		if (res < 0) {
   1081 			if (mandatory) {
   1082 				wpa_printf(MSG_DEBUG, "EAP-FAST: Nak unknown "
   1083 					   "mandatory TLV type %d", tlv_type);
   1084 				*resp = eap_fast_tlv_nak(0, tlv_type);
   1085 				break;
   1086 			} else {
   1087 				wpa_printf(MSG_DEBUG, "EAP-FAST: ignored "
   1088 					   "unknown optional TLV type %d",
   1089 					   tlv_type);
   1090 			}
   1091 		}
   1092 
   1093 		pos += len;
   1094 	}
   1095 
   1096 	return 0;
   1097 }
   1098 
   1099 
   1100 static int eap_fast_encrypt_response(struct eap_sm *sm,
   1101 				     struct eap_fast_data *data,
   1102 				     struct wpabuf *resp,
   1103 				     u8 identifier, struct wpabuf **out_data)
   1104 {
   1105 	if (resp == NULL)
   1106 		return 0;
   1107 
   1108 	wpa_hexdump_buf(MSG_DEBUG, "EAP-FAST: Encrypting Phase 2 data",
   1109 			resp);
   1110 	if (eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_FAST,
   1111 				 data->fast_version, identifier,
   1112 				 resp, out_data)) {
   1113 		wpa_printf(MSG_INFO, "EAP-FAST: Failed to encrypt a Phase 2 "
   1114 			   "frame");
   1115 	}
   1116 	wpabuf_free(resp);
   1117 
   1118 	return 0;
   1119 }
   1120 
   1121 
   1122 static struct wpabuf * eap_fast_pac_request(void)
   1123 {
   1124 	struct wpabuf *tmp;
   1125 	u8 *pos, *pos2;
   1126 
   1127 	tmp = wpabuf_alloc(sizeof(struct eap_tlv_hdr) +
   1128 			   sizeof(struct eap_tlv_request_action_tlv) +
   1129 			   sizeof(struct eap_tlv_pac_type_tlv));
   1130 	if (tmp == NULL)
   1131 		return NULL;
   1132 
   1133 	pos = wpabuf_put(tmp, 0);
   1134 	pos2 = eap_fast_write_pac_request(pos, PAC_TYPE_TUNNEL_PAC);
   1135 	wpabuf_put(tmp, pos2 - pos);
   1136 	return tmp;
   1137 }
   1138 
   1139 
   1140 static int eap_fast_process_decrypted(struct eap_sm *sm,
   1141 				      struct eap_fast_data *data,
   1142 				      struct eap_method_ret *ret,
   1143 				      const struct eap_hdr *req,
   1144 				      struct wpabuf *decrypted,
   1145 				      struct wpabuf **out_data)
   1146 {
   1147 	struct wpabuf *resp = NULL, *tmp;
   1148 	struct eap_fast_tlv_parse tlv;
   1149 	int failed = 0;
   1150 
   1151 	if (eap_fast_parse_decrypted(decrypted, &tlv, &resp) < 0)
   1152 		return 0;
   1153 	if (resp)
   1154 		return eap_fast_encrypt_response(sm, data, resp,
   1155 						 req->identifier, out_data);
   1156 
   1157 	if (tlv.result == EAP_TLV_RESULT_FAILURE) {
   1158 		resp = eap_fast_tlv_result(EAP_TLV_RESULT_FAILURE, 0);
   1159 		return eap_fast_encrypt_response(sm, data, resp,
   1160 						 req->identifier, out_data);
   1161 	}
   1162 
   1163 	if (tlv.iresult == EAP_TLV_RESULT_FAILURE) {
   1164 		resp = eap_fast_tlv_result(EAP_TLV_RESULT_FAILURE, 1);
   1165 		return eap_fast_encrypt_response(sm, data, resp,
   1166 						 req->identifier, out_data);
   1167 	}
   1168 
   1169 	if (tlv.crypto_binding) {
   1170 		tmp = eap_fast_process_crypto_binding(sm, data, ret,
   1171 						      tlv.crypto_binding,
   1172 						      tlv.crypto_binding_len);
   1173 		if (tmp == NULL)
   1174 			failed = 1;
   1175 		else
   1176 			resp = wpabuf_concat(resp, tmp);
   1177 	}
   1178 
   1179 	if (tlv.iresult == EAP_TLV_RESULT_SUCCESS) {
   1180 		tmp = eap_fast_tlv_result(failed ? EAP_TLV_RESULT_FAILURE :
   1181 					  EAP_TLV_RESULT_SUCCESS, 1);
   1182 		resp = wpabuf_concat(resp, tmp);
   1183 	}
   1184 
   1185 	if (tlv.eap_payload_tlv) {
   1186 		tmp = eap_fast_process_eap_payload_tlv(
   1187 			sm, data, ret, req, tlv.eap_payload_tlv,
   1188 			tlv.eap_payload_tlv_len);
   1189 		resp = wpabuf_concat(resp, tmp);
   1190 	}
   1191 
   1192 	if (tlv.pac && tlv.result != EAP_TLV_RESULT_SUCCESS) {
   1193 		wpa_printf(MSG_DEBUG, "EAP-FAST: PAC TLV without Result TLV "
   1194 			   "acknowledging success");
   1195 		failed = 1;
   1196 	} else if (tlv.pac && tlv.result == EAP_TLV_RESULT_SUCCESS) {
   1197 		tmp = eap_fast_process_pac(sm, data, ret, tlv.pac,
   1198 					   tlv.pac_len);
   1199 		resp = wpabuf_concat(resp, tmp);
   1200 	}
   1201 
   1202 	if (data->current_pac == NULL && data->provisioning &&
   1203 	    !data->anon_provisioning && !tlv.pac &&
   1204 	    (tlv.iresult == EAP_TLV_RESULT_SUCCESS ||
   1205 	     tlv.result == EAP_TLV_RESULT_SUCCESS)) {
   1206 		/*
   1207 		 * Need to request Tunnel PAC when using authenticated
   1208 		 * provisioning.
   1209 		 */
   1210 		wpa_printf(MSG_DEBUG, "EAP-FAST: Request Tunnel PAC");
   1211 		tmp = eap_fast_pac_request();
   1212 		resp = wpabuf_concat(resp, tmp);
   1213 	}
   1214 
   1215 	if (tlv.result == EAP_TLV_RESULT_SUCCESS && !failed) {
   1216 		tmp = eap_fast_tlv_result(EAP_TLV_RESULT_SUCCESS, 0);
   1217 		resp = wpabuf_concat(tmp, resp);
   1218 	} else if (failed) {
   1219 		tmp = eap_fast_tlv_result(EAP_TLV_RESULT_FAILURE, 0);
   1220 		resp = wpabuf_concat(tmp, resp);
   1221 	}
   1222 
   1223 	if (resp && tlv.result == EAP_TLV_RESULT_SUCCESS && !failed &&
   1224 	    tlv.crypto_binding && data->phase2_success) {
   1225 		if (data->anon_provisioning) {
   1226 			wpa_printf(MSG_DEBUG, "EAP-FAST: Unauthenticated "
   1227 				   "provisioning completed successfully.");
   1228 			ret->methodState = METHOD_DONE;
   1229 			ret->decision = DECISION_FAIL;
   1230 		} else {
   1231 			wpa_printf(MSG_DEBUG, "EAP-FAST: Authentication "
   1232 				   "completed successfully.");
   1233 			if (data->provisioning)
   1234 				ret->methodState = METHOD_MAY_CONT;
   1235 			else
   1236 				ret->methodState = METHOD_DONE;
   1237 			ret->decision = DECISION_UNCOND_SUCC;
   1238 		}
   1239 	}
   1240 
   1241 	if (resp == NULL) {
   1242 		wpa_printf(MSG_DEBUG, "EAP-FAST: No recognized TLVs - send "
   1243 			   "empty response packet");
   1244 		resp = wpabuf_alloc(1);
   1245 	}
   1246 
   1247 	return eap_fast_encrypt_response(sm, data, resp, req->identifier,
   1248 					 out_data);
   1249 }
   1250 
   1251 
   1252 static int eap_fast_decrypt(struct eap_sm *sm, struct eap_fast_data *data,
   1253 			    struct eap_method_ret *ret,
   1254 			    const struct eap_hdr *req,
   1255 			    const struct wpabuf *in_data,
   1256 			    struct wpabuf **out_data)
   1257 {
   1258 	struct wpabuf *in_decrypted;
   1259 	int res;
   1260 
   1261 	wpa_printf(MSG_DEBUG, "EAP-FAST: Received %lu bytes encrypted data for"
   1262 		   " Phase 2", (unsigned long) wpabuf_len(in_data));
   1263 
   1264 	if (data->pending_phase2_req) {
   1265 		wpa_printf(MSG_DEBUG, "EAP-FAST: Pending Phase 2 request - "
   1266 			   "skip decryption and use old data");
   1267 		/* Clear TLS reassembly state. */
   1268 		eap_peer_tls_reset_input(&data->ssl);
   1269 
   1270 		in_decrypted = data->pending_phase2_req;
   1271 		data->pending_phase2_req = NULL;
   1272 		goto continue_req;
   1273 	}
   1274 
   1275 	if (wpabuf_len(in_data) == 0) {
   1276 		/* Received TLS ACK - requesting more fragments */
   1277 		return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_FAST,
   1278 					    data->fast_version,
   1279 					    req->identifier, NULL, out_data);
   1280 	}
   1281 
   1282 	res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted);
   1283 	if (res)
   1284 		return res;
   1285 
   1286 continue_req:
   1287 	wpa_hexdump_buf(MSG_MSGDUMP, "EAP-FAST: Decrypted Phase 2 TLV(s)",
   1288 			in_decrypted);
   1289 
   1290 	if (wpabuf_len(in_decrypted) < 4) {
   1291 		wpa_printf(MSG_INFO, "EAP-FAST: Too short Phase 2 "
   1292 			   "TLV frame (len=%lu)",
   1293 			   (unsigned long) wpabuf_len(in_decrypted));
   1294 		wpabuf_free(in_decrypted);
   1295 		return -1;
   1296 	}
   1297 
   1298 	res = eap_fast_process_decrypted(sm, data, ret, req,
   1299 					 in_decrypted, out_data);
   1300 
   1301 	wpabuf_free(in_decrypted);
   1302 
   1303 	return res;
   1304 }
   1305 
   1306 
   1307 static const u8 * eap_fast_get_a_id(const u8 *buf, size_t len, size_t *id_len)
   1308 {
   1309 	const u8 *a_id;
   1310 	struct pac_tlv_hdr *hdr;
   1311 
   1312 	/*
   1313 	 * Parse authority identity (A-ID) from the EAP-FAST/Start. This
   1314 	 * supports both raw A-ID and one inside an A-ID TLV.
   1315 	 */
   1316 	a_id = buf;
   1317 	*id_len = len;
   1318 	if (len > sizeof(*hdr)) {
   1319 		int tlen;
   1320 		hdr = (struct pac_tlv_hdr *) buf;
   1321 		tlen = be_to_host16(hdr->len);
   1322 		if (be_to_host16(hdr->type) == PAC_TYPE_A_ID &&
   1323 		    sizeof(*hdr) + tlen <= len) {
   1324 			wpa_printf(MSG_DEBUG, "EAP-FAST: A-ID was in TLV "
   1325 				   "(Start)");
   1326 			a_id = (u8 *) (hdr + 1);
   1327 			*id_len = tlen;
   1328 		}
   1329 	}
   1330 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: A-ID", a_id, *id_len);
   1331 
   1332 	return a_id;
   1333 }
   1334 
   1335 
   1336 static void eap_fast_select_pac(struct eap_fast_data *data,
   1337 				const u8 *a_id, size_t a_id_len)
   1338 {
   1339 	data->current_pac = eap_fast_get_pac(data->pac, a_id, a_id_len,
   1340 					     PAC_TYPE_TUNNEL_PAC);
   1341 	if (data->current_pac == NULL) {
   1342 		/*
   1343 		 * Tunnel PAC was not available for this A-ID. Try to use
   1344 		 * Machine Authentication PAC, if one is available.
   1345 		 */
   1346 		data->current_pac = eap_fast_get_pac(
   1347 			data->pac, a_id, a_id_len,
   1348 			PAC_TYPE_MACHINE_AUTHENTICATION);
   1349 	}
   1350 
   1351 	if (data->current_pac) {
   1352 		wpa_printf(MSG_DEBUG, "EAP-FAST: PAC found for this A-ID "
   1353 			   "(PAC-Type %d)", data->current_pac->pac_type);
   1354 		wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-FAST: A-ID-Info",
   1355 				  data->current_pac->a_id_info,
   1356 				  data->current_pac->a_id_info_len);
   1357 	}
   1358 }
   1359 
   1360 
   1361 static int eap_fast_use_pac_opaque(struct eap_sm *sm,
   1362 				   struct eap_fast_data *data,
   1363 				   struct eap_fast_pac *pac)
   1364 {
   1365 	u8 *tlv;
   1366 	size_t tlv_len, olen;
   1367 	struct eap_tlv_hdr *ehdr;
   1368 
   1369 	olen = pac->pac_opaque_len;
   1370 	tlv_len = sizeof(*ehdr) + olen;
   1371 	tlv = os_malloc(tlv_len);
   1372 	if (tlv) {
   1373 		ehdr = (struct eap_tlv_hdr *) tlv;
   1374 		ehdr->tlv_type = host_to_be16(PAC_TYPE_PAC_OPAQUE);
   1375 		ehdr->length = host_to_be16(olen);
   1376 		os_memcpy(ehdr + 1, pac->pac_opaque, olen);
   1377 	}
   1378 	if (tlv == NULL ||
   1379 	    tls_connection_client_hello_ext(sm->ssl_ctx, data->ssl.conn,
   1380 					    TLS_EXT_PAC_OPAQUE,
   1381 					    tlv, tlv_len) < 0) {
   1382 		wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to add PAC-Opaque TLS "
   1383 			   "extension");
   1384 		os_free(tlv);
   1385 		return -1;
   1386 	}
   1387 	os_free(tlv);
   1388 
   1389 	return 0;
   1390 }
   1391 
   1392 
   1393 static int eap_fast_clear_pac_opaque_ext(struct eap_sm *sm,
   1394 					 struct eap_fast_data *data)
   1395 {
   1396 	if (tls_connection_client_hello_ext(sm->ssl_ctx, data->ssl.conn,
   1397 					    TLS_EXT_PAC_OPAQUE, NULL, 0) < 0) {
   1398 		wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to remove PAC-Opaque "
   1399 			   "TLS extension");
   1400 		return -1;
   1401 	}
   1402 	return 0;
   1403 }
   1404 
   1405 
   1406 static int eap_fast_set_provisioning_ciphers(struct eap_sm *sm,
   1407 					     struct eap_fast_data *data)
   1408 {
   1409 	u8 ciphers[5];
   1410 	int count = 0;
   1411 
   1412 	if (data->provisioning_allowed & EAP_FAST_PROV_UNAUTH) {
   1413 		wpa_printf(MSG_DEBUG, "EAP-FAST: Enabling unauthenticated "
   1414 			   "provisioning TLS cipher suites");
   1415 		ciphers[count++] = TLS_CIPHER_ANON_DH_AES128_SHA;
   1416 	}
   1417 
   1418 	if (data->provisioning_allowed & EAP_FAST_PROV_AUTH) {
   1419 		wpa_printf(MSG_DEBUG, "EAP-FAST: Enabling authenticated "
   1420 			   "provisioning TLS cipher suites");
   1421 		ciphers[count++] = TLS_CIPHER_RSA_DHE_AES128_SHA;
   1422 		ciphers[count++] = TLS_CIPHER_AES128_SHA;
   1423 		ciphers[count++] = TLS_CIPHER_RC4_SHA;
   1424 	}
   1425 
   1426 	ciphers[count++] = TLS_CIPHER_NONE;
   1427 
   1428 	if (tls_connection_set_cipher_list(sm->ssl_ctx, data->ssl.conn,
   1429 					   ciphers)) {
   1430 		wpa_printf(MSG_INFO, "EAP-FAST: Could not configure TLS "
   1431 			   "cipher suites for provisioning");
   1432 		return -1;
   1433 	}
   1434 
   1435 	return 0;
   1436 }
   1437 
   1438 
   1439 static int eap_fast_process_start(struct eap_sm *sm,
   1440 				  struct eap_fast_data *data, u8 flags,
   1441 				  const u8 *pos, size_t left)
   1442 {
   1443 	const u8 *a_id;
   1444 	size_t a_id_len;
   1445 
   1446 	/* EAP-FAST Version negotiation (section 3.1) */
   1447 	wpa_printf(MSG_DEBUG, "EAP-FAST: Start (server ver=%d, own ver=%d)",
   1448 		   flags & EAP_PEAP_VERSION_MASK, data->fast_version);
   1449 	if ((flags & EAP_PEAP_VERSION_MASK) < data->fast_version)
   1450 		data->fast_version = flags & EAP_PEAP_VERSION_MASK;
   1451 	wpa_printf(MSG_DEBUG, "EAP-FAST: Using FAST version %d",
   1452 		   data->fast_version);
   1453 
   1454 	a_id = eap_fast_get_a_id(pos, left, &a_id_len);
   1455 	eap_fast_select_pac(data, a_id, a_id_len);
   1456 
   1457 	if (data->resuming && data->current_pac) {
   1458 		wpa_printf(MSG_DEBUG, "EAP-FAST: Trying to resume session - "
   1459 			   "do not add PAC-Opaque to TLS ClientHello");
   1460 		if (eap_fast_clear_pac_opaque_ext(sm, data) < 0)
   1461 			return -1;
   1462 	} else if (data->current_pac) {
   1463 		/*
   1464 		 * PAC found for the A-ID and we are not resuming an old
   1465 		 * session, so add PAC-Opaque extension to ClientHello.
   1466 		 */
   1467 		if (eap_fast_use_pac_opaque(sm, data, data->current_pac) < 0)
   1468 			return -1;
   1469 	} else {
   1470 		/* No PAC found, so we must provision one. */
   1471 		if (!data->provisioning_allowed) {
   1472 			wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC found and "
   1473 				   "provisioning disabled");
   1474 			return -1;
   1475 		}
   1476 		wpa_printf(MSG_DEBUG, "EAP-FAST: No PAC found - "
   1477 			   "starting provisioning");
   1478 		if (eap_fast_set_provisioning_ciphers(sm, data) < 0 ||
   1479 		    eap_fast_clear_pac_opaque_ext(sm, data) < 0)
   1480 			return -1;
   1481 		data->provisioning = 1;
   1482 	}
   1483 
   1484 	return 0;
   1485 }
   1486 
   1487 
   1488 static struct wpabuf * eap_fast_process(struct eap_sm *sm, void *priv,
   1489 					struct eap_method_ret *ret,
   1490 					const struct wpabuf *reqData)
   1491 {
   1492 	const struct eap_hdr *req;
   1493 	size_t left;
   1494 	int res;
   1495 	u8 flags, id;
   1496 	struct wpabuf *resp;
   1497 	const u8 *pos;
   1498 	struct eap_fast_data *data = priv;
   1499 
   1500 	pos = eap_peer_tls_process_init(sm, &data->ssl, EAP_TYPE_FAST, ret,
   1501 					reqData, &left, &flags);
   1502 	if (pos == NULL)
   1503 		return NULL;
   1504 
   1505 	req = wpabuf_head(reqData);
   1506 	id = req->identifier;
   1507 
   1508 	if (flags & EAP_TLS_FLAGS_START) {
   1509 		if (eap_fast_process_start(sm, data, flags, pos, left) < 0)
   1510 			return NULL;
   1511 
   1512 		left = 0; /* A-ID is not used in further packet processing */
   1513 	}
   1514 
   1515 	resp = NULL;
   1516 	if (tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
   1517 	    !data->resuming) {
   1518 		/* Process tunneled (encrypted) phase 2 data. */
   1519 		struct wpabuf msg;
   1520 		wpabuf_set(&msg, pos, left);
   1521 		res = eap_fast_decrypt(sm, data, ret, req, &msg, &resp);
   1522 		if (res < 0) {
   1523 			ret->methodState = METHOD_DONE;
   1524 			ret->decision = DECISION_FAIL;
   1525 			/*
   1526 			 * Ack possible Alert that may have caused failure in
   1527 			 * decryption.
   1528 			 */
   1529 			res = 1;
   1530 		}
   1531 	} else {
   1532 		/* Continue processing TLS handshake (phase 1). */
   1533 		res = eap_peer_tls_process_helper(sm, &data->ssl,
   1534 						  EAP_TYPE_FAST,
   1535 						  data->fast_version, id, pos,
   1536 						  left, &resp);
   1537 
   1538 		if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
   1539 			char cipher[80];
   1540 			wpa_printf(MSG_DEBUG,
   1541 				   "EAP-FAST: TLS done, proceed to Phase 2");
   1542 			if (data->provisioning &&
   1543 			    (!(data->provisioning_allowed &
   1544 			       EAP_FAST_PROV_AUTH) ||
   1545 			     tls_get_cipher(sm->ssl_ctx, data->ssl.conn,
   1546 					    cipher, sizeof(cipher)) < 0 ||
   1547 			     os_strstr(cipher, "ADH-") ||
   1548 			     os_strstr(cipher, "anon"))) {
   1549 				wpa_printf(MSG_DEBUG, "EAP-FAST: Using "
   1550 					   "anonymous (unauthenticated) "
   1551 					   "provisioning");
   1552 				data->anon_provisioning = 1;
   1553 			} else
   1554 				data->anon_provisioning = 0;
   1555 			data->resuming = 0;
   1556 			eap_fast_derive_keys(sm, data);
   1557 		}
   1558 
   1559 		if (res == 2) {
   1560 			struct wpabuf msg;
   1561 			/*
   1562 			 * Application data included in the handshake message.
   1563 			 */
   1564 			wpabuf_free(data->pending_phase2_req);
   1565 			data->pending_phase2_req = resp;
   1566 			resp = NULL;
   1567 			wpabuf_set(&msg, pos, left);
   1568 			res = eap_fast_decrypt(sm, data, ret, req, &msg,
   1569 					       &resp);
   1570 		}
   1571 	}
   1572 
   1573 	if (res == 1) {
   1574 		wpabuf_free(resp);
   1575 		return eap_peer_tls_build_ack(id, EAP_TYPE_FAST,
   1576 					      data->fast_version);
   1577 	}
   1578 
   1579 	return resp;
   1580 }
   1581 
   1582 
   1583 #if 0 /* FIX */
   1584 static Boolean eap_fast_has_reauth_data(struct eap_sm *sm, void *priv)
   1585 {
   1586 	struct eap_fast_data *data = priv;
   1587 	return tls_connection_established(sm->ssl_ctx, data->ssl.conn);
   1588 }
   1589 
   1590 
   1591 static void eap_fast_deinit_for_reauth(struct eap_sm *sm, void *priv)
   1592 {
   1593 	struct eap_fast_data *data = priv;
   1594 	os_free(data->key_block_p);
   1595 	data->key_block_p = NULL;
   1596 	wpabuf_free(data->pending_phase2_req);
   1597 	data->pending_phase2_req = NULL;
   1598 }
   1599 
   1600 
   1601 static void * eap_fast_init_for_reauth(struct eap_sm *sm, void *priv)
   1602 {
   1603 	struct eap_fast_data *data = priv;
   1604 	if (eap_peer_tls_reauth_init(sm, &data->ssl)) {
   1605 		os_free(data);
   1606 		return NULL;
   1607 	}
   1608 	if (data->phase2_priv && data->phase2_method &&
   1609 	    data->phase2_method->init_for_reauth)
   1610 		data->phase2_method->init_for_reauth(sm, data->phase2_priv);
   1611 	data->phase2_success = 0;
   1612 	data->resuming = 1;
   1613 	data->provisioning = 0;
   1614 	data->anon_provisioning = 0;
   1615 	data->simck_idx = 0;
   1616 	return priv;
   1617 }
   1618 #endif
   1619 
   1620 
   1621 static int eap_fast_get_status(struct eap_sm *sm, void *priv, char *buf,
   1622 			       size_t buflen, int verbose)
   1623 {
   1624 	struct eap_fast_data *data = priv;
   1625 	int len, ret;
   1626 
   1627 	len = eap_peer_tls_status(sm, &data->ssl, buf, buflen, verbose);
   1628 	if (data->phase2_method) {
   1629 		ret = os_snprintf(buf + len, buflen - len,
   1630 				  "EAP-FAST Phase2 method=%s\n",
   1631 				  data->phase2_method->name);
   1632 		if (ret < 0 || (size_t) ret >= buflen - len)
   1633 			return len;
   1634 		len += ret;
   1635 	}
   1636 	return len;
   1637 }
   1638 
   1639 
   1640 static Boolean eap_fast_isKeyAvailable(struct eap_sm *sm, void *priv)
   1641 {
   1642 	struct eap_fast_data *data = priv;
   1643 	return data->success;
   1644 }
   1645 
   1646 
   1647 static u8 * eap_fast_getKey(struct eap_sm *sm, void *priv, size_t *len)
   1648 {
   1649 	struct eap_fast_data *data = priv;
   1650 	u8 *key;
   1651 
   1652 	if (!data->success)
   1653 		return NULL;
   1654 
   1655 	key = os_malloc(EAP_FAST_KEY_LEN);
   1656 	if (key == NULL)
   1657 		return NULL;
   1658 
   1659 	*len = EAP_FAST_KEY_LEN;
   1660 	os_memcpy(key, data->key_data, EAP_FAST_KEY_LEN);
   1661 
   1662 	return key;
   1663 }
   1664 
   1665 
   1666 static u8 * eap_fast_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
   1667 {
   1668 	struct eap_fast_data *data = priv;
   1669 	u8 *key;
   1670 
   1671 	if (!data->success)
   1672 		return NULL;
   1673 
   1674 	key = os_malloc(EAP_EMSK_LEN);
   1675 	if (key == NULL)
   1676 		return NULL;
   1677 
   1678 	*len = EAP_EMSK_LEN;
   1679 	os_memcpy(key, data->emsk, EAP_EMSK_LEN);
   1680 
   1681 	return key;
   1682 }
   1683 
   1684 
   1685 int eap_peer_fast_register(void)
   1686 {
   1687 	struct eap_method *eap;
   1688 	int ret;
   1689 
   1690 	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
   1691 				    EAP_VENDOR_IETF, EAP_TYPE_FAST, "FAST");
   1692 	if (eap == NULL)
   1693 		return -1;
   1694 
   1695 	eap->init = eap_fast_init;
   1696 	eap->deinit = eap_fast_deinit;
   1697 	eap->process = eap_fast_process;
   1698 	eap->isKeyAvailable = eap_fast_isKeyAvailable;
   1699 	eap->getKey = eap_fast_getKey;
   1700 	eap->get_status = eap_fast_get_status;
   1701 #if 0
   1702 	eap->has_reauth_data = eap_fast_has_reauth_data;
   1703 	eap->deinit_for_reauth = eap_fast_deinit_for_reauth;
   1704 	eap->init_for_reauth = eap_fast_init_for_reauth;
   1705 #endif
   1706 	eap->get_emsk = eap_fast_get_emsk;
   1707 
   1708 	ret = eap_peer_method_register(eap);
   1709 	if (ret)
   1710 		eap_peer_method_free(eap);
   1711 	return ret;
   1712 }
   1713