EAP-FAST: Pass EAP identifier instead of full request
This simplifies analysis of areas that get access to unverified message payload. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
f153e41bb2
commit
07f9034d14
1 changed files with 10 additions and 12 deletions
|
|
@ -1172,7 +1172,7 @@ static struct wpabuf * eap_fast_pac_request(void)
|
||||||
static int eap_fast_process_decrypted(struct eap_sm *sm,
|
static int eap_fast_process_decrypted(struct eap_sm *sm,
|
||||||
struct eap_fast_data *data,
|
struct eap_fast_data *data,
|
||||||
struct eap_method_ret *ret,
|
struct eap_method_ret *ret,
|
||||||
const struct eap_hdr *req,
|
u8 identifier,
|
||||||
struct wpabuf *decrypted,
|
struct wpabuf *decrypted,
|
||||||
struct wpabuf **out_data)
|
struct wpabuf **out_data)
|
||||||
{
|
{
|
||||||
|
|
@ -1184,18 +1184,18 @@ static int eap_fast_process_decrypted(struct eap_sm *sm,
|
||||||
return 0;
|
return 0;
|
||||||
if (resp)
|
if (resp)
|
||||||
return eap_fast_encrypt_response(sm, data, resp,
|
return eap_fast_encrypt_response(sm, data, resp,
|
||||||
req->identifier, out_data);
|
identifier, out_data);
|
||||||
|
|
||||||
if (tlv.result == EAP_TLV_RESULT_FAILURE) {
|
if (tlv.result == EAP_TLV_RESULT_FAILURE) {
|
||||||
resp = eap_fast_tlv_result(EAP_TLV_RESULT_FAILURE, 0);
|
resp = eap_fast_tlv_result(EAP_TLV_RESULT_FAILURE, 0);
|
||||||
return eap_fast_encrypt_response(sm, data, resp,
|
return eap_fast_encrypt_response(sm, data, resp,
|
||||||
req->identifier, out_data);
|
identifier, out_data);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (tlv.iresult == EAP_TLV_RESULT_FAILURE) {
|
if (tlv.iresult == EAP_TLV_RESULT_FAILURE) {
|
||||||
resp = eap_fast_tlv_result(EAP_TLV_RESULT_FAILURE, 1);
|
resp = eap_fast_tlv_result(EAP_TLV_RESULT_FAILURE, 1);
|
||||||
return eap_fast_encrypt_response(sm, data, resp,
|
return eap_fast_encrypt_response(sm, data, resp,
|
||||||
req->identifier, out_data);
|
identifier, out_data);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (tlv.crypto_binding) {
|
if (tlv.crypto_binding) {
|
||||||
|
|
@ -1277,14 +1277,13 @@ static int eap_fast_process_decrypted(struct eap_sm *sm,
|
||||||
resp = wpabuf_alloc(1);
|
resp = wpabuf_alloc(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
return eap_fast_encrypt_response(sm, data, resp, req->identifier,
|
return eap_fast_encrypt_response(sm, data, resp, identifier,
|
||||||
out_data);
|
out_data);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static int eap_fast_decrypt(struct eap_sm *sm, struct eap_fast_data *data,
|
static int eap_fast_decrypt(struct eap_sm *sm, struct eap_fast_data *data,
|
||||||
struct eap_method_ret *ret,
|
struct eap_method_ret *ret, u8 identifier,
|
||||||
const struct eap_hdr *req,
|
|
||||||
const struct wpabuf *in_data,
|
const struct wpabuf *in_data,
|
||||||
struct wpabuf **out_data)
|
struct wpabuf **out_data)
|
||||||
{
|
{
|
||||||
|
|
@ -1309,7 +1308,7 @@ static int eap_fast_decrypt(struct eap_sm *sm, struct eap_fast_data *data,
|
||||||
/* Received TLS ACK - requesting more fragments */
|
/* Received TLS ACK - requesting more fragments */
|
||||||
return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_FAST,
|
return eap_peer_tls_encrypt(sm, &data->ssl, EAP_TYPE_FAST,
|
||||||
data->fast_version,
|
data->fast_version,
|
||||||
req->identifier, NULL, out_data);
|
identifier, NULL, out_data);
|
||||||
}
|
}
|
||||||
|
|
||||||
res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted);
|
res = eap_peer_tls_decrypt(sm, &data->ssl, in_data, &in_decrypted);
|
||||||
|
|
@ -1328,7 +1327,7 @@ continue_req:
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
res = eap_fast_process_decrypted(sm, data, ret, req,
|
res = eap_fast_process_decrypted(sm, data, ret, identifier,
|
||||||
in_decrypted, out_data);
|
in_decrypted, out_data);
|
||||||
|
|
||||||
wpabuf_free(in_decrypted);
|
wpabuf_free(in_decrypted);
|
||||||
|
|
@ -1551,7 +1550,7 @@ static struct wpabuf * eap_fast_process(struct eap_sm *sm, void *priv,
|
||||||
/* Process tunneled (encrypted) phase 2 data. */
|
/* Process tunneled (encrypted) phase 2 data. */
|
||||||
struct wpabuf msg;
|
struct wpabuf msg;
|
||||||
wpabuf_set(&msg, pos, left);
|
wpabuf_set(&msg, pos, left);
|
||||||
res = eap_fast_decrypt(sm, data, ret, req, &msg, &resp);
|
res = eap_fast_decrypt(sm, data, ret, id, &msg, &resp);
|
||||||
if (res < 0) {
|
if (res < 0) {
|
||||||
ret->methodState = METHOD_DONE;
|
ret->methodState = METHOD_DONE;
|
||||||
ret->decision = DECISION_FAIL;
|
ret->decision = DECISION_FAIL;
|
||||||
|
|
@ -1598,8 +1597,7 @@ static struct wpabuf * eap_fast_process(struct eap_sm *sm, void *priv,
|
||||||
data->pending_phase2_req = resp;
|
data->pending_phase2_req = resp;
|
||||||
resp = NULL;
|
resp = NULL;
|
||||||
wpabuf_set(&msg, pos, left);
|
wpabuf_set(&msg, pos, left);
|
||||||
res = eap_fast_decrypt(sm, data, ret, req, &msg,
|
res = eap_fast_decrypt(sm, data, ret, id, &msg, &resp);
|
||||||
&resp);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue