xref: /freebsd-src/contrib/wpa/src/eap_common/eap_teap_common.c (revision 206b73d0429edb7c49b612537544e677fa568e83)

/*
 * EAP-TEAP common helper functions (RFC 7170)
 * Copyright (c) 2008-2019, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "includes.h"

#include "common.h"
#include "crypto/sha1.h"
#include "crypto/sha256.h"
#include "crypto/sha384.h"
#include "crypto/tls.h"
#include "eap_defs.h"
#include "eap_teap_common.h"


void eap_teap_put_tlv_hdr(struct wpabuf *buf, u16 type, u16 len)
{
	struct teap_tlv_hdr hdr;

	hdr.tlv_type = host_to_be16(type);
	hdr.length = host_to_be16(len);
	wpabuf_put_data(buf, &hdr, sizeof(hdr));
}


void eap_teap_put_tlv(struct wpabuf *buf, u16 type, const void *data, u16 len)
{
	eap_teap_put_tlv_hdr(buf, type, len);
	wpabuf_put_data(buf, data, len);
}


void eap_teap_put_tlv_buf(struct wpabuf *buf, u16 type,
			  const struct wpabuf *data)
{
	eap_teap_put_tlv_hdr(buf, type, wpabuf_len(data));
	wpabuf_put_buf(buf, data);
}


struct wpabuf * eap_teap_tlv_eap_payload(struct wpabuf *buf)
{
	struct wpabuf *e;

	if (!buf)
		return NULL;

	/* Encapsulate EAP packet in EAP-Payload TLV */
	wpa_printf(MSG_DEBUG, "EAP-TEAP: Add EAP-Payload TLV");
	e = wpabuf_alloc(sizeof(struct teap_tlv_hdr) + wpabuf_len(buf));
	if (!e) {
		wpa_printf(MSG_ERROR,
			   "EAP-TEAP: Failed to allocate memory for TLV encapsulation");
		wpabuf_free(buf);
		return NULL;
	}
	eap_teap_put_tlv_buf(e, TEAP_TLV_MANDATORY | TEAP_TLV_EAP_PAYLOAD, buf);
	wpabuf_free(buf);

	/* TODO: followed by optional TLVs associated with the EAP packet */

	return e;
}


static int eap_teap_tls_prf(const u8 *secret, size_t secret_len,
			    const char *label, const u8 *seed, size_t seed_len,
			    u8 *out, size_t outlen)
{
	/* TODO: TLS-PRF for TLSv1.3 */
	return tls_prf_sha256(secret, secret_len, label, seed, seed_len,
			      out, outlen);
}


int eap_teap_derive_eap_msk(const u8 *simck, u8 *msk)
{
	/*
	 * RFC 7170, Section 5.4: EAP Master Session Key Generation
	 * MSK = TLS-PRF(S-IMCK[j], "Session Key Generating Function", 64)
	 */

	if (eap_teap_tls_prf(simck, EAP_TEAP_SIMCK_LEN,
			     "Session Key Generating Function", (u8 *) "", 0,
			     msk, EAP_TEAP_KEY_LEN) < 0)
		return -1;
	wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: Derived key (MSK)",
			msk, EAP_TEAP_KEY_LEN);
	return 0;
}


int eap_teap_derive_eap_emsk(const u8 *simck, u8 *emsk)
{
	/*
	 * RFC 7170, Section 5.4: EAP Master Session Key Generation
	 * EMSK = TLS-PRF(S-IMCK[j],
	 *        "Extended Session Key Generating Function", 64)
	 */

	if (eap_teap_tls_prf(simck, EAP_TEAP_SIMCK_LEN,
			     "Extended Session Key Generating Function",
			     (u8 *) "", 0, emsk, EAP_EMSK_LEN) < 0)
		return -1;
	wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: Derived key (EMSK)",
			emsk, EAP_EMSK_LEN);
	return 0;
}


int eap_teap_derive_cmk_basic_pw_auth(const u8 *s_imck_msk, u8 *cmk)
{
	u8 imsk[32], imck[EAP_TEAP_IMCK_LEN];
	int res;

	/* FIX: The Basic-Password-Auth (i.e., no inner EAP) case is
	 * not fully defined in RFC 7170, so this CMK derivation may
	 * need to be changed if a fixed definition is eventually
	 * published. For now, derive CMK[0] based on S-IMCK[0] and
	 * IMSK of 32 octets of zeros. */
	os_memset(imsk, 0, 32);
	res = eap_teap_tls_prf(s_imck_msk, EAP_TEAP_SIMCK_LEN,
			       "Inner Methods Compound Keys",
			       imsk, 32, imck, sizeof(imck));
	if (res < 0)
		return -1;
	os_memcpy(cmk, &imck[EAP_TEAP_SIMCK_LEN], EAP_TEAP_CMK_LEN);
	wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: CMK[no-inner-EAP]",
			cmk, EAP_TEAP_CMK_LEN);
	forced_memzero(imck, sizeof(imck));
	return 0;
}


int eap_teap_derive_imck(const u8 *prev_s_imck_msk, const u8 *prev_s_imck_emsk,
			 const u8 *msk, size_t msk_len,
			 const u8 *emsk, size_t emsk_len,
			 u8 *s_imck_msk, u8 *cmk_msk,
			 u8 *s_imck_emsk, u8 *cmk_emsk)
{
	u8 imsk[64], imck[EAP_TEAP_IMCK_LEN];
	int res;

	/*
	 * RFC 7170, Section 5.2:
	 * IMSK = First 32 octets of TLS-PRF(EMSK, "TEAPbindkey@ietf.org" |
	 *                                   "\0" | 64)
	 * (if EMSK is not available, MSK is used instead; if neither is
	 * available, IMSK is 32 octets of zeros; MSK is truncated to 32 octets
	 * or padded to 32 octets, if needed)
	 * (64 is encoded as a 2-octet field in network byte order)
	 *
	 * S-IMCK[0] = session_key_seed
	 * IMCK[j] = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys",
	 *                   IMSK[j], 60)
	 * S-IMCK[j] = first 40 octets of IMCK[j]
	 * CMK[j] = last 20 octets of IMCK[j]
	 */

	wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: MSK[j]", msk, msk_len);
	wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: EMSK[j]", emsk, emsk_len);

	if (emsk && emsk_len > 0) {
		u8 context[3];

		context[0] = 0;
		context[1] = 0;
		context[2] = 64;
		if (eap_teap_tls_prf(emsk, emsk_len, "TEAPbindkey@ietf.org",
				     context, sizeof(context), imsk, 64) < 0)
			return -1;

		wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: IMSK from EMSK",
				imsk, 32);

		res = eap_teap_tls_prf(prev_s_imck_emsk, EAP_TEAP_SIMCK_LEN,
				       "Inner Methods Compound Keys",
				       imsk, 32, imck, EAP_TEAP_IMCK_LEN);
		forced_memzero(imsk, sizeof(imsk));
		if (res < 0)
			return -1;

		os_memcpy(s_imck_emsk, imck, EAP_TEAP_SIMCK_LEN);
		wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: EMSK S-IMCK[j]",
				s_imck_emsk, EAP_TEAP_SIMCK_LEN);
		os_memcpy(cmk_emsk, &imck[EAP_TEAP_SIMCK_LEN],
			  EAP_TEAP_CMK_LEN);
		wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: EMSK CMK[j]",
				cmk_emsk, EAP_TEAP_CMK_LEN);
		forced_memzero(imck, EAP_TEAP_IMCK_LEN);
	}

	if (msk && msk_len > 0) {
		size_t copy_len = msk_len;

		os_memset(imsk, 0, 32); /* zero pad, if needed */
		if (copy_len > 32)
			copy_len = 32;
		os_memcpy(imsk, msk, copy_len);
		wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: IMSK from MSK", imsk, 32);
	} else {
		os_memset(imsk, 0, 32);
		wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: Zero IMSK", imsk, 32);
	}

	res = eap_teap_tls_prf(prev_s_imck_msk, EAP_TEAP_SIMCK_LEN,
			       "Inner Methods Compound Keys",
			       imsk, 32, imck, EAP_TEAP_IMCK_LEN);
	forced_memzero(imsk, sizeof(imsk));
	if (res < 0)
		return -1;

	os_memcpy(s_imck_msk, imck, EAP_TEAP_SIMCK_LEN);
	wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: MSK S-IMCK[j]",
			s_imck_msk, EAP_TEAP_SIMCK_LEN);
	os_memcpy(cmk_msk, &imck[EAP_TEAP_SIMCK_LEN], EAP_TEAP_CMK_LEN);
	wpa_hexdump_key(MSG_DEBUG, "EAP-TEAP: MSK CMK[j]",
			cmk_msk, EAP_TEAP_CMK_LEN);
	forced_memzero(imck, EAP_TEAP_IMCK_LEN);

	return 0;
}


static int tls_cipher_suite_match(const u16 *list, size_t count, u16 cs)
{
	size_t i;

	for (i = 0; i < count; i++) {
		if (list[i] == cs)
			return 1;
	}

	return 0;
}


static int tls_cipher_suite_mac_sha1(u16 cs)
{
	static const u16 sha1_cs[] = {
		0x0005, 0x0007, 0x000a, 0x000d, 0x0010, 0x0013, 0x0016, 0x001b,
		0x002f, 0x0030, 0x0031, 0x0032, 0x0033, 0x0034, 0x0035, 0x0036,
		0x0037, 0x0038, 0x0039, 0x003a, 0x0041, 0x0042, 0x0043, 0x0044,
		0x0045, 0x0046, 0x0084, 0x0085, 0x0086, 0x0087, 0x0088, 0x0089,
		0x008a, 0x008b, 0x008c, 0x008d, 0x008e, 0x008f, 0x0090, 0x0091,
		0x0092, 0x0093, 0x0094, 0x0095, 0x0096, 0x0097, 0x0098, 0x0099,
		0x009a, 0x009b,
		0xc002, 0xc003, 0xc004, 0xc005, 0xc007, 0xc008, 0xc009, 0xc009,
		0xc00a, 0xc00c, 0xc00d, 0xc00e, 0xc00f, 0xc011, 0xc012, 0xc013,
		0xc014, 0xc016, 0xc017, 0xc018, 0xc019, 0xc01a, 0xc01b, 0xc01c,
		0xc014, 0xc01e, 0xc01f, 0xc020, 0xc021, 0xc022, 0xc033, 0xc034,
		0xc035, 0xc036
	};

	return tls_cipher_suite_match(sha1_cs, ARRAY_SIZE(sha1_cs), cs);
}


static int tls_cipher_suite_mac_sha256(u16 cs)
{
	static const u16 sha256_cs[] = {
		0x003c, 0x003d, 0x003e, 0x003f, 0x0040, 0x0067, 0x0068, 0x0069,
		0x006a, 0x006b, 0x006c, 0x006d, 0x009c, 0x009e, 0x00a0, 0x00a2,
		0x00a4, 0x00a6, 0x00a8, 0x00aa, 0x00ac, 0x00ae, 0x00b2, 0x00b6,
		0x00ba, 0x00bb, 0x00bc, 0x00bd, 0x00be, 0x00bd, 0x00be, 0x00be,
		0x00bf, 0x00bf, 0x00c0, 0x00c1, 0x00c2, 0x00c3, 0x00c4, 0x00c5,
		0x1301, 0x1303, 0x1304, 0x1305,
		0xc023, 0xc025, 0xc027, 0xc029, 0xc02b, 0xc02d, 0xc02f, 0xc031,
		0xc037, 0xc03c, 0xc03e, 0xc040, 0xc040, 0xc042, 0xc044, 0xc046,
		0xc048, 0xc04a, 0xc04c, 0xc04e, 0xc050, 0xc052, 0xc054, 0xc056,
		0xc058, 0xc05a, 0xc05c, 0xc05e, 0xc060, 0xc062, 0xc064, 0xc066,
		0xc068, 0xc06a, 0xc06c, 0xc06e, 0xc070, 0xc072, 0xc074, 0xc076,
		0xc078, 0xc07a, 0xc07c, 0xc07e, 0xc080, 0xc082, 0xc084, 0xc086,
		0xc088, 0xc08a, 0xc08c, 0xc08e, 0xc090, 0xc092, 0xc094, 0xc096,
		0xc098, 0xc09a, 0xc0b0, 0xc0b2, 0xc0b4,
		0xcca8, 0xcca9, 0xccaa, 0xccab, 0xccac, 0xccad, 0xccae,
		0xd001, 0xd003, 0xd005
	};

	return tls_cipher_suite_match(sha256_cs, ARRAY_SIZE(sha256_cs), cs);
}


static int tls_cipher_suite_mac_sha384(u16 cs)
{
	static const u16 sha384_cs[] = {
		0x009d, 0x009f, 0x00a1, 0x00a3, 0x00a5, 0x00a7, 0x00a9, 0x00ab,
		0x00ad, 0x00af, 0x00b3, 0x00b7, 0x1302,
		0xc024, 0xc026, 0xc028, 0xc02a, 0xc02c, 0xc02e, 0xc030, 0xc032,
		0xc038, 0xc03d, 0xc03f, 0xc041, 0xc043, 0xc045, 0xc047, 0xc049,
		0xc04b, 0xc04d, 0xc04f, 0xc051, 0xc053, 0xc055, 0xc057, 0xc059,
		0xc05b, 0xc05d, 0xc05f, 0xc061, 0xc063, 0xc065, 0xc067, 0xc069,
		0xc06b, 0xc06d, 0xc06f, 0xc071, 0xc073, 0xc075, 0xc077, 0xc079,
		0xc07b, 0xc07d, 0xc07f, 0xc081, 0xc083, 0xc085, 0xc087, 0xc089,
		0xc08b, 0xc08d, 0xc08f, 0xc091, 0xc093, 0xc095, 0xc097, 0xc099,
		0xc09b, 0xc0b1, 0xc0b3, 0xc0b5,
		0xd002
	};

	return tls_cipher_suite_match(sha384_cs, ARRAY_SIZE(sha384_cs), cs);
}


static int eap_teap_tls_mac(u16 tls_cs, const u8 *cmk, size_t cmk_len,
			    const u8 *buffer, size_t buffer_len,
			    u8 *mac, size_t mac_len)
{
	int res;
	u8 tmp[48];

	os_memset(tmp, 0, sizeof(tmp));
	os_memset(mac, 0, mac_len);

	if (tls_cipher_suite_mac_sha1(tls_cs)) {
		wpa_printf(MSG_DEBUG, "EAP-TEAP: MAC algorithm: HMAC-SHA1");
		res = hmac_sha1(cmk, cmk_len, buffer, buffer_len, tmp);
	} else if (tls_cipher_suite_mac_sha256(tls_cs)) {
		wpa_printf(MSG_DEBUG, "EAP-TEAP: MAC algorithm: HMAC-SHA256");
		res = hmac_sha256(cmk, cmk_len, buffer, buffer_len, tmp);
	} else if (tls_cipher_suite_mac_sha384(tls_cs)) {
		wpa_printf(MSG_DEBUG, "EAP-TEAP: MAC algorithm: HMAC-SHA384");
		res = hmac_sha384(cmk, cmk_len, buffer, buffer_len, tmp);
	} else {
		wpa_printf(MSG_INFO,
			   "EAP-TEAP: Unsupported TLS cipher suite 0x%04x",
			   tls_cs);
		res = -1;
	}
	if (res < 0)
		return res;

	/* FIX: RFC 7170 does not describe how to handle truncation of the
	 * Compound MAC or if the fields are supposed to be of variable length
	 * based on the negotiated TLS cipher suite (they are defined as having
	 * fixed size of 20 octets in the TLV description) */
	if (mac_len > sizeof(tmp))
		mac_len = sizeof(tmp);
	os_memcpy(mac, tmp, mac_len);
	return 0;
}


int eap_teap_compound_mac(u16 tls_cs, const struct teap_tlv_crypto_binding *cb,
			  const struct wpabuf *server_outer_tlvs,
			  const struct wpabuf *peer_outer_tlvs,
			  const u8 *cmk, u8 *compound_mac)
{
	u8 *pos, *buffer;
	size_t bind_len, buffer_len;
	struct teap_tlv_crypto_binding *tmp_cb;
	int res;

	/* RFC 7170, Section 5.3 */
	bind_len = sizeof(struct teap_tlv_hdr) + be_to_host16(cb->length);
	buffer_len = bind_len + 1;
	if (server_outer_tlvs)
		buffer_len += wpabuf_len(server_outer_tlvs);
	if (peer_outer_tlvs)
		buffer_len += wpabuf_len(peer_outer_tlvs);
	buffer = os_malloc(buffer_len);
	if (!buffer)
		return -1;

	pos = buffer;
	/* 1. The entire Crypto-Binding TLV attribute with both the EMSK and MSK
	 * Compound MAC fields zeroed out. */
	os_memcpy(pos, cb, bind_len);
	pos += bind_len;
	tmp_cb = (struct teap_tlv_crypto_binding *) buffer;
	os_memset(tmp_cb->emsk_compound_mac, 0, EAP_TEAP_COMPOUND_MAC_LEN);
	os_memset(tmp_cb->msk_compound_mac, 0, EAP_TEAP_COMPOUND_MAC_LEN);

	/* 2. The EAP Type sent by the other party in the first TEAP message. */
	/* This is supposed to be the EAP Type sent by the other party in the
	 * first TEAP message, but since we cannot get here without having
	 * successfully negotiated use of TEAP, this can only be the fixed EAP
	 * Type of TEAP. */
	*pos++ = EAP_TYPE_TEAP;

	/* 3. All the Outer TLVs from the first TEAP message sent by EAP server
	 * to peer. */
	if (server_outer_tlvs) {
		os_memcpy(pos, wpabuf_head(server_outer_tlvs),
			  wpabuf_len(server_outer_tlvs));
		pos += wpabuf_len(server_outer_tlvs);
	}

	/* 4. All the Outer TLVs from the first TEAP message sent by the peer to
	 * the EAP server. */
	if (peer_outer_tlvs) {
		os_memcpy(pos, wpabuf_head(peer_outer_tlvs),
			  wpabuf_len(peer_outer_tlvs));
		pos += wpabuf_len(peer_outer_tlvs);
	}

	buffer_len = pos - buffer;

	wpa_hexdump_key(MSG_MSGDUMP,
			"EAP-TEAP: CMK for Compound MAC calculation",
			cmk, EAP_TEAP_CMK_LEN);
	wpa_hexdump(MSG_MSGDUMP,
		    "EAP-TEAP: BUFFER for Compound MAC calculation",
		    buffer, buffer_len);
	res = eap_teap_tls_mac(tls_cs, cmk, EAP_TEAP_CMK_LEN,
			       buffer, buffer_len,
			       compound_mac, EAP_TEAP_COMPOUND_MAC_LEN);
	os_free(buffer);

	return res;
}


int eap_teap_parse_tlv(struct eap_teap_tlv_parse *tlv,
		       int tlv_type, u8 *pos, size_t len)
{
	switch (tlv_type) {
	case TEAP_TLV_RESULT:
		wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Result TLV", pos, len);
		if (tlv->result) {
			wpa_printf(MSG_INFO,
				   "EAP-TEAP: More than one Result TLV in the message");
			tlv->result = TEAP_STATUS_FAILURE;
			return -2;
		}
		if (len < 2) {
			wpa_printf(MSG_INFO, "EAP-TEAP: Too short Result TLV");
			tlv->result = TEAP_STATUS_FAILURE;
			break;
		}
		tlv->result = WPA_GET_BE16(pos);
		if (tlv->result != TEAP_STATUS_SUCCESS &&
		    tlv->result != TEAP_STATUS_FAILURE) {
			wpa_printf(MSG_INFO, "EAP-TEAP: Unknown Result %d",
				   tlv->result);
			tlv->result = TEAP_STATUS_FAILURE;
		}
		wpa_printf(MSG_DEBUG, "EAP-TEAP: Result: %s",
			   tlv->result == TEAP_STATUS_SUCCESS ?
			   "Success" : "Failure");
		break;
	case TEAP_TLV_NAK:
		wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: NAK TLV", pos, len);
		if (len < 6) {
			wpa_printf(MSG_INFO, "EAP-TEAP: Too short NAK TLV");
			tlv->result = TEAP_STATUS_FAILURE;
			break;
		}
		tlv->nak = pos;
		tlv->nak_len = len;
		break;
	case TEAP_TLV_REQUEST_ACTION:
		wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Request-Action TLV",
			    pos, len);
		if (tlv->request_action) {
			wpa_printf(MSG_INFO,
				   "EAP-TEAP: More than one Request-Action TLV in the message");
			tlv->iresult = TEAP_STATUS_FAILURE;
			return -2;
		}
		if (len < 2) {
			wpa_printf(MSG_INFO,
				   "EAP-TEAP: Too short Request-Action TLV");
			tlv->iresult = TEAP_STATUS_FAILURE;
			break;
		}
		tlv->request_action_status = pos[0];
		tlv->request_action = pos[1];
		wpa_printf(MSG_DEBUG,
			   "EAP-TEAP: Request-Action: Status=%u Action=%u",
			   tlv->request_action_status, tlv->request_action);
		break;
	case TEAP_TLV_EAP_PAYLOAD:
		wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: EAP-Payload TLV",
			    pos, len);
		if (tlv->eap_payload_tlv) {
			wpa_printf(MSG_INFO,
				   "EAP-TEAP: More than one EAP-Payload TLV in the message");
			tlv->iresult = TEAP_STATUS_FAILURE;
			return -2;
		}
		tlv->eap_payload_tlv = pos;
		tlv->eap_payload_tlv_len = len;
		break;
	case TEAP_TLV_INTERMEDIATE_RESULT:
		wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Intermediate-Result TLV",
			    pos, len);
		if (len < 2) {
			wpa_printf(MSG_INFO,
				   "EAP-TEAP: Too short Intermediate-Result TLV");
			tlv->iresult = TEAP_STATUS_FAILURE;
			break;
		}
		if (tlv->iresult) {
			wpa_printf(MSG_INFO,
				   "EAP-TEAP: More than one Intermediate-Result TLV in the message");
			tlv->iresult = TEAP_STATUS_FAILURE;
			return -2;
		}
		tlv->iresult = WPA_GET_BE16(pos);
		if (tlv->iresult != TEAP_STATUS_SUCCESS &&
		    tlv->iresult != TEAP_STATUS_FAILURE) {
			wpa_printf(MSG_INFO,
				   "EAP-TEAP: Unknown Intermediate Result %d",
				   tlv->iresult);
			tlv->iresult = TEAP_STATUS_FAILURE;
		}
		wpa_printf(MSG_DEBUG, "EAP-TEAP: Intermediate Result: %s",
			   tlv->iresult == TEAP_STATUS_SUCCESS ?
			   "Success" : "Failure");
		break;
	case TEAP_TLV_PAC:
		wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: PAC TLV", pos, len);
		if (tlv->pac) {
			wpa_printf(MSG_INFO,
				   "EAP-TEAP: More than one PAC TLV in the message");
			tlv->iresult = TEAP_STATUS_FAILURE;
			return -2;
		}
		tlv->pac = pos;
		tlv->pac_len = len;
		break;
	case TEAP_TLV_CRYPTO_BINDING:
		wpa_hexdump(MSG_MSGDUMP, "EAP-TEAP: Crypto-Binding TLV",
			    pos, len);
		if (tlv->crypto_binding) {
			wpa_printf(MSG_INFO,
				   "EAP-TEAP: More than one Crypto-Binding TLV in the message");
			tlv->iresult = TEAP_STATUS_FAILURE;
			return -2;
		}
		tlv->crypto_binding_len = sizeof(struct teap_tlv_hdr) + len;
		if (tlv->crypto_binding_len < sizeof(*tlv->crypto_binding)) {
			wpa_printf(MSG_INFO,
				   "EAP-TEAP: Too short Crypto-Binding TLV");
			tlv->iresult = TEAP_STATUS_FAILURE;
			return -2;
		}
		tlv->crypto_binding = (struct teap_tlv_crypto_binding *)
			(pos - sizeof(struct teap_tlv_hdr));
		break;
	case TEAP_TLV_BASIC_PASSWORD_AUTH_REQ:
		wpa_hexdump_ascii(MSG_MSGDUMP,
				  "EAP-TEAP: Basic-Password-Auth-Req TLV",
				  pos, len);
		if (tlv->basic_auth_req) {
			wpa_printf(MSG_INFO,
				   "EAP-TEAP: More than one Basic-Password-Auth-Req TLV in the message");
			tlv->iresult = TEAP_STATUS_FAILURE;
			return -2;
		}
		tlv->basic_auth_req = pos;
		tlv->basic_auth_req_len = len;
		break;
	case TEAP_TLV_BASIC_PASSWORD_AUTH_RESP:
		wpa_hexdump_ascii(MSG_MSGDUMP,
				  "EAP-TEAP: Basic-Password-Auth-Resp TLV",
				  pos, len);
		if (tlv->basic_auth_resp) {
			wpa_printf(MSG_INFO,
				   "EAP-TEAP: More than one Basic-Password-Auth-Resp TLV in the message");
			tlv->iresult = TEAP_STATUS_FAILURE;
			return -2;
		}
		tlv->basic_auth_resp = pos;
		tlv->basic_auth_resp_len = len;
		break;
	default:
		/* Unknown TLV */
		return -1;
	}

	return 0;
}


const char * eap_teap_tlv_type_str(enum teap_tlv_types type)
{
	switch (type) {
	case TEAP_TLV_AUTHORITY_ID:
		return "Authority-ID";
	case TEAP_TLV_IDENTITY_TYPE:
		return "Identity-Type";
	case TEAP_TLV_RESULT:
		return "Result";
	case TEAP_TLV_NAK:
		return "NAK";
	case TEAP_TLV_ERROR:
		return "Error";
	case TEAP_TLV_CHANNEL_BINDING:
		return "Channel-Binding";
	case TEAP_TLV_VENDOR_SPECIFIC:
		return "Vendor-Specific";
	case TEAP_TLV_REQUEST_ACTION:
		return "Request-Action";
	case TEAP_TLV_EAP_PAYLOAD:
		return "EAP-Payload";
	case TEAP_TLV_INTERMEDIATE_RESULT:
		return "Intermediate-Result";
	case TEAP_TLV_PAC:
		return "PAC";
	case TEAP_TLV_CRYPTO_BINDING:
		return "Crypto-Binding";
	case TEAP_TLV_BASIC_PASSWORD_AUTH_REQ:
		return "Basic-Password-Auth-Req";
	case TEAP_TLV_BASIC_PASSWORD_AUTH_RESP:
		return "Basic-Password-Auth-Resp";
	case TEAP_TLV_PKCS7:
		return "PKCS#7";
	case TEAP_TLV_PKCS10:
		return "PKCS#10";
	case TEAP_TLV_TRUSTED_SERVER_ROOT:
		return "Trusted-Server-Root";
	}

	return "?";
}


struct wpabuf * eap_teap_tlv_result(int status, int intermediate)
{
	struct wpabuf *buf;
	struct teap_tlv_result *result;

	if (status != TEAP_STATUS_FAILURE && status != TEAP_STATUS_SUCCESS)
		return NULL;

	buf = wpabuf_alloc(sizeof(*result));
	if (!buf)
		return NULL;
	wpa_printf(MSG_DEBUG, "EAP-TEAP: Add %sResult TLV(status=%s)",
		   intermediate ? "Intermediate-" : "",
		   status == TEAP_STATUS_SUCCESS ? "Success" : "Failure");
	result = wpabuf_put(buf, sizeof(*result));
	result->tlv_type = host_to_be16(TEAP_TLV_MANDATORY |
					(intermediate ?
					 TEAP_TLV_INTERMEDIATE_RESULT :
					 TEAP_TLV_RESULT));
	result->length = host_to_be16(2);
	result->status = host_to_be16(status);
	return buf;
}


struct wpabuf * eap_teap_tlv_error(enum teap_error_codes error)
{
	struct wpabuf *buf;

	buf = wpabuf_alloc(4 + 4);
	if (!buf)
		return NULL;
	wpa_printf(MSG_DEBUG, "EAP-TEAP: Add Error TLV(Error Code=%d)",
		   error);
	wpabuf_put_be16(buf, TEAP_TLV_MANDATORY | TEAP_TLV_ERROR);
	wpabuf_put_be16(buf, 4);
	wpabuf_put_be32(buf, error);
	return buf;
}


int eap_teap_allowed_anon_prov_phase2_method(u8 type)
{
	/* RFC 7170, Section 3.8.3: MUST provide mutual authentication,
	 * provide key generation, and be resistant to dictionary attack.
	 * Section 3.8 also mentions requirement for using EMSK Compound MAC. */
	return type == EAP_TYPE_PWD || type == EAP_TYPE_EKE;
}


int eap_teap_allowed_anon_prov_cipher_suite(u16 cs)
{
	/* RFC 7170, Section 3.8.3: anonymous ciphersuites MAY be supported as
	 * long as the TLS pre-master secret is generated form contribution from
	 * both peers. Accept the recommended TLS_DH_anon_WITH_AES_128_CBC_SHA
	 * cipher suite and other ciphersuites that use DH in some form, have
	 * SHA-1 or stronger MAC function, and use reasonable strong cipher. */
	static const u16 ok_cs[] = {
		/* DH-anon */
		0x0034, 0x003a, 0x006c, 0x006d, 0x00a6, 0x00a7,
		/* DHE-RSA */
		0x0033, 0x0039, 0x0067, 0x006b, 0x009e, 0x009f,
		/* ECDH-anon */
		0xc018, 0xc019,
		/* ECDH-RSA */
		0xc003, 0xc00f, 0xc029, 0xc02a, 0xc031, 0xc032,
		/* ECDH-ECDSA */
		0xc004, 0xc005, 0xc025, 0xc026, 0xc02d, 0xc02e,
		/* ECDHE-RSA */
		0xc013, 0xc014, 0xc027, 0xc028, 0xc02f, 0xc030,
		/* ECDHE-ECDSA */
		0xc009, 0xc00a, 0xc023, 0xc024, 0xc02b, 0xc02c,
	};

	return tls_cipher_suite_match(ok_cs, ARRAY_SIZE(ok_cs), cs);
}