Rename EAP TLS variables to make server and peer code consistent
This commit is contained in:
Jouni Malinen
parent
09e47a0768
commit
2a29f0d45c
10 changed files with 119 additions and 92 deletions
|
|
@ -1445,9 +1445,9 @@ static int eap_fast_process_start(struct eap_sm *sm,
|
||||||
|
|
||||||
/* EAP-FAST Version negotiation (section 3.1) */
|
/* EAP-FAST Version negotiation (section 3.1) */
|
||||||
wpa_printf(MSG_DEBUG, "EAP-FAST: Start (server ver=%d, own ver=%d)",
|
wpa_printf(MSG_DEBUG, "EAP-FAST: Start (server ver=%d, own ver=%d)",
|
||||||
flags & EAP_PEAP_VERSION_MASK, data->fast_version);
|
flags & EAP_TLS_VERSION_MASK, data->fast_version);
|
||||||
if ((flags & EAP_PEAP_VERSION_MASK) < data->fast_version)
|
if ((flags & EAP_TLS_VERSION_MASK) < data->fast_version)
|
||||||
data->fast_version = flags & EAP_PEAP_VERSION_MASK;
|
data->fast_version = flags & EAP_TLS_VERSION_MASK;
|
||||||
wpa_printf(MSG_DEBUG, "EAP-FAST: Using FAST version %d",
|
wpa_printf(MSG_DEBUG, "EAP-FAST: Using FAST version %d",
|
||||||
data->fast_version);
|
data->fast_version);
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1048,10 +1048,10 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
|
||||||
|
|
||||||
if (flags & EAP_TLS_FLAGS_START) {
|
if (flags & EAP_TLS_FLAGS_START) {
|
||||||
wpa_printf(MSG_DEBUG, "EAP-PEAP: Start (server ver=%d, own "
|
wpa_printf(MSG_DEBUG, "EAP-PEAP: Start (server ver=%d, own "
|
||||||
"ver=%d)", flags & EAP_PEAP_VERSION_MASK,
|
"ver=%d)", flags & EAP_TLS_VERSION_MASK,
|
||||||
data->peap_version);
|
data->peap_version);
|
||||||
if ((flags & EAP_PEAP_VERSION_MASK) < data->peap_version)
|
if ((flags & EAP_TLS_VERSION_MASK) < data->peap_version)
|
||||||
data->peap_version = flags & EAP_PEAP_VERSION_MASK;
|
data->peap_version = flags & EAP_TLS_VERSION_MASK;
|
||||||
if (data->force_peap_version >= 0 &&
|
if (data->force_peap_version >= 0 &&
|
||||||
data->force_peap_version != data->peap_version) {
|
data->force_peap_version != data->peap_version) {
|
||||||
wpa_printf(MSG_WARNING, "EAP-PEAP: Failed to select "
|
wpa_printf(MSG_WARNING, "EAP-PEAP: Failed to select "
|
||||||
|
|
|
||||||
|
|
@ -71,7 +71,7 @@ struct eap_ssl_data {
|
||||||
int tls_ia;
|
int tls_ia;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* eap - Pointer to EAP state machine allocated with eap_peer_sm_init()
|
* eap - EAP state machine allocated with eap_peer_sm_init()
|
||||||
*/
|
*/
|
||||||
struct eap_sm *eap;
|
struct eap_sm *eap;
|
||||||
};
|
};
|
||||||
|
|
@ -81,7 +81,7 @@ struct eap_ssl_data {
|
||||||
#define EAP_TLS_FLAGS_LENGTH_INCLUDED 0x80
|
#define EAP_TLS_FLAGS_LENGTH_INCLUDED 0x80
|
||||||
#define EAP_TLS_FLAGS_MORE_FRAGMENTS 0x40
|
#define EAP_TLS_FLAGS_MORE_FRAGMENTS 0x40
|
||||||
#define EAP_TLS_FLAGS_START 0x20
|
#define EAP_TLS_FLAGS_START 0x20
|
||||||
#define EAP_PEAP_VERSION_MASK 0x07
|
#define EAP_TLS_VERSION_MASK 0x07
|
||||||
|
|
||||||
/* could be up to 128 bytes, but only the first 64 bytes are used */
|
/* could be up to 128 bytes, but only the first 64 bytes are used */
|
||||||
#define EAP_TLS_KEY_LEN 64
|
#define EAP_TLS_KEY_LEN 64
|
||||||
|
|
|
||||||
|
|
@ -1669,10 +1669,10 @@ static int eap_ttls_process_start(struct eap_sm *sm,
|
||||||
struct eap_peer_config *config = eap_get_config(sm);
|
struct eap_peer_config *config = eap_get_config(sm);
|
||||||
|
|
||||||
wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own ver=%d)",
|
wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own ver=%d)",
|
||||||
flags & EAP_PEAP_VERSION_MASK, data->ttls_version);
|
flags & EAP_TLS_VERSION_MASK, data->ttls_version);
|
||||||
#if EAP_TTLS_VERSION > 0
|
#if EAP_TTLS_VERSION > 0
|
||||||
if ((flags & EAP_PEAP_VERSION_MASK) < data->ttls_version)
|
if ((flags & EAP_TLS_VERSION_MASK) < data->ttls_version)
|
||||||
data->ttls_version = flags & EAP_PEAP_VERSION_MASK;
|
data->ttls_version = flags & EAP_TLS_VERSION_MASK;
|
||||||
if (data->force_ttls_version >= 0 &&
|
if (data->force_ttls_version >= 0 &&
|
||||||
data->force_ttls_version != data->ttls_version) {
|
data->force_ttls_version != data->ttls_version) {
|
||||||
wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to select "
|
wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to select "
|
||||||
|
|
|
||||||
|
|
@ -819,25 +819,25 @@ static int eap_fast_encrypt_phase2(struct eap_sm *sm,
|
||||||
encr = eap_server_tls_encrypt(sm, &data->ssl, plain);
|
encr = eap_server_tls_encrypt(sm, &data->ssl, plain);
|
||||||
wpabuf_free(plain);
|
wpabuf_free(plain);
|
||||||
|
|
||||||
if (data->ssl.out_buf && piggyback) {
|
if (data->ssl.tls_out && piggyback) {
|
||||||
wpa_printf(MSG_DEBUG, "EAP-FAST: Piggyback Phase 2 data "
|
wpa_printf(MSG_DEBUG, "EAP-FAST: Piggyback Phase 2 data "
|
||||||
"(len=%d) with last Phase 1 Message (len=%d "
|
"(len=%d) with last Phase 1 Message (len=%d "
|
||||||
"used=%d)",
|
"used=%d)",
|
||||||
(int) wpabuf_len(encr),
|
(int) wpabuf_len(encr),
|
||||||
(int) wpabuf_len(data->ssl.out_buf),
|
(int) wpabuf_len(data->ssl.tls_out),
|
||||||
(int) data->ssl.out_used);
|
(int) data->ssl.tls_out_pos);
|
||||||
if (wpabuf_resize(&data->ssl.out_buf, wpabuf_len(encr)) < 0) {
|
if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(encr)) < 0) {
|
||||||
wpa_printf(MSG_WARNING, "EAP-FAST: Failed to resize "
|
wpa_printf(MSG_WARNING, "EAP-FAST: Failed to resize "
|
||||||
"output buffer");
|
"output buffer");
|
||||||
wpabuf_free(encr);
|
wpabuf_free(encr);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
wpabuf_put_buf(data->ssl.out_buf, encr);
|
wpabuf_put_buf(data->ssl.tls_out, encr);
|
||||||
wpabuf_free(encr);
|
wpabuf_free(encr);
|
||||||
} else {
|
} else {
|
||||||
wpabuf_free(data->ssl.out_buf);
|
wpabuf_free(data->ssl.tls_out);
|
||||||
data->ssl.out_used = 0;
|
data->ssl.tls_out_pos = 0;
|
||||||
data->ssl.out_buf = encr;
|
data->ssl.tls_out = encr;
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
@ -1448,7 +1448,7 @@ static int eap_fast_process_phase1(struct eap_sm *sm,
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
|
if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
|
||||||
wpabuf_len(data->ssl.out_buf) > 0)
|
wpabuf_len(data->ssl.tls_out) > 0)
|
||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|
@ -1514,7 +1514,7 @@ static void eap_fast_process_msg(struct eap_sm *sm, void *priv,
|
||||||
case PHASE2_METHOD:
|
case PHASE2_METHOD:
|
||||||
case CRYPTO_BINDING:
|
case CRYPTO_BINDING:
|
||||||
case REQUEST_PAC:
|
case REQUEST_PAC:
|
||||||
eap_fast_process_phase2(sm, data, data->ssl.in_buf);
|
eap_fast_process_phase2(sm, data, data->ssl.tls_in);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected state %d in %s",
|
wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected state %d in %s",
|
||||||
|
|
|
||||||
|
|
@ -515,32 +515,32 @@ static struct wpabuf * eap_peap_buildReq(struct eap_sm *sm, void *priv, u8 id)
|
||||||
break;
|
break;
|
||||||
case PHASE2_ID:
|
case PHASE2_ID:
|
||||||
case PHASE2_METHOD:
|
case PHASE2_METHOD:
|
||||||
wpabuf_free(data->ssl.out_buf);
|
wpabuf_free(data->ssl.tls_out);
|
||||||
data->ssl.out_used = 0;
|
data->ssl.tls_out_pos = 0;
|
||||||
data->ssl.out_buf = eap_peap_build_phase2_req(sm, data, id);
|
data->ssl.tls_out = eap_peap_build_phase2_req(sm, data, id);
|
||||||
break;
|
break;
|
||||||
#ifdef EAP_SERVER_TNC
|
#ifdef EAP_SERVER_TNC
|
||||||
case PHASE2_SOH:
|
case PHASE2_SOH:
|
||||||
wpabuf_free(data->ssl.out_buf);
|
wpabuf_free(data->ssl.tls_out);
|
||||||
data->ssl.out_used = 0;
|
data->ssl.tls_out_pos = 0;
|
||||||
data->ssl.out_buf = eap_peap_build_phase2_soh(sm, data, id);
|
data->ssl.tls_out = eap_peap_build_phase2_soh(sm, data, id);
|
||||||
break;
|
break;
|
||||||
#endif /* EAP_SERVER_TNC */
|
#endif /* EAP_SERVER_TNC */
|
||||||
case PHASE2_TLV:
|
case PHASE2_TLV:
|
||||||
wpabuf_free(data->ssl.out_buf);
|
wpabuf_free(data->ssl.tls_out);
|
||||||
data->ssl.out_used = 0;
|
data->ssl.tls_out_pos = 0;
|
||||||
data->ssl.out_buf = eap_peap_build_phase2_tlv(sm, data, id);
|
data->ssl.tls_out = eap_peap_build_phase2_tlv(sm, data, id);
|
||||||
break;
|
break;
|
||||||
case SUCCESS_REQ:
|
case SUCCESS_REQ:
|
||||||
wpabuf_free(data->ssl.out_buf);
|
wpabuf_free(data->ssl.tls_out);
|
||||||
data->ssl.out_used = 0;
|
data->ssl.tls_out_pos = 0;
|
||||||
data->ssl.out_buf = eap_peap_build_phase2_term(sm, data, id,
|
data->ssl.tls_out = eap_peap_build_phase2_term(sm, data, id,
|
||||||
1);
|
1);
|
||||||
break;
|
break;
|
||||||
case FAILURE_REQ:
|
case FAILURE_REQ:
|
||||||
wpabuf_free(data->ssl.out_buf);
|
wpabuf_free(data->ssl.tls_out);
|
||||||
data->ssl.out_used = 0;
|
data->ssl.tls_out_pos = 0;
|
||||||
data->ssl.out_buf = eap_peap_build_phase2_term(sm, data, id,
|
data->ssl.tls_out = eap_peap_build_phase2_term(sm, data, id,
|
||||||
0);
|
0);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
|
|
@ -1207,11 +1207,11 @@ static int eap_peapv2_start_phase2(struct eap_sm *sm,
|
||||||
buf);
|
buf);
|
||||||
|
|
||||||
/* Append TLS data into the pending buffer after the Server Finished */
|
/* Append TLS data into the pending buffer after the Server Finished */
|
||||||
if (wpabuf_resize(&data->ssl.out_buf, wpabuf_len(buf)) < 0) {
|
if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(buf)) < 0) {
|
||||||
wpabuf_free(buf);
|
wpabuf_free(buf);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
wpabuf_put_buf(data->ssl.out_buf, buf);
|
wpabuf_put_buf(data->ssl.tls_out, buf);
|
||||||
wpabuf_free(buf);
|
wpabuf_free(buf);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
@ -1270,7 +1270,7 @@ static void eap_peap_process_msg(struct eap_sm *sm, void *priv,
|
||||||
case PHASE2_METHOD:
|
case PHASE2_METHOD:
|
||||||
case PHASE2_SOH:
|
case PHASE2_SOH:
|
||||||
case PHASE2_TLV:
|
case PHASE2_TLV:
|
||||||
eap_peap_process_phase2(sm, data, respData, data->ssl.in_buf);
|
eap_peap_process_phase2(sm, data, respData, data->ssl.tls_in);
|
||||||
break;
|
break;
|
||||||
case SUCCESS_REQ:
|
case SUCCESS_REQ:
|
||||||
eap_peap_state(data, SUCCESS);
|
eap_peap_state(data, SUCCESS);
|
||||||
|
|
|
||||||
|
|
@ -169,7 +169,7 @@ static void eap_tls_process_msg(struct eap_sm *sm, void *priv,
|
||||||
const struct wpabuf *respData)
|
const struct wpabuf *respData)
|
||||||
{
|
{
|
||||||
struct eap_tls_data *data = priv;
|
struct eap_tls_data *data = priv;
|
||||||
if (data->state == SUCCESS && wpabuf_len(data->ssl.in_buf) == 0) {
|
if (data->state == SUCCESS && wpabuf_len(data->ssl.tls_in) == 0) {
|
||||||
wpa_printf(MSG_DEBUG, "EAP-TLS: Client acknowledged final TLS "
|
wpa_printf(MSG_DEBUG, "EAP-TLS: Client acknowledged final TLS "
|
||||||
"handshake message");
|
"handshake message");
|
||||||
return;
|
return;
|
||||||
|
|
|
||||||
|
|
@ -58,8 +58,8 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
|
||||||
void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
|
void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
|
||||||
{
|
{
|
||||||
tls_connection_deinit(sm->ssl_ctx, data->conn);
|
tls_connection_deinit(sm->ssl_ctx, data->conn);
|
||||||
os_free(data->in_buf);
|
os_free(data->tls_in);
|
||||||
os_free(data->out_buf);
|
os_free(data->tls_out);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -114,17 +114,17 @@ struct wpabuf * eap_server_tls_build_msg(struct eap_ssl_data *data,
|
||||||
size_t send_len, plen;
|
size_t send_len, plen;
|
||||||
|
|
||||||
wpa_printf(MSG_DEBUG, "SSL: Generating Request");
|
wpa_printf(MSG_DEBUG, "SSL: Generating Request");
|
||||||
if (data->out_buf == NULL) {
|
if (data->tls_out == NULL) {
|
||||||
wpa_printf(MSG_ERROR, "SSL: out_buf NULL in %s", __func__);
|
wpa_printf(MSG_ERROR, "SSL: tls_out NULL in %s", __func__);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
flags = version;
|
flags = version;
|
||||||
send_len = wpabuf_len(data->out_buf) - data->out_used;
|
send_len = wpabuf_len(data->tls_out) - data->tls_out_pos;
|
||||||
if (1 + send_len > data->tls_out_limit) {
|
if (1 + send_len > data->tls_out_limit) {
|
||||||
send_len = data->tls_out_limit - 1;
|
send_len = data->tls_out_limit - 1;
|
||||||
flags |= EAP_TLS_FLAGS_MORE_FRAGMENTS;
|
flags |= EAP_TLS_FLAGS_MORE_FRAGMENTS;
|
||||||
if (data->out_used == 0) {
|
if (data->tls_out_pos == 0) {
|
||||||
flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED;
|
flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED;
|
||||||
send_len -= 4;
|
send_len -= 4;
|
||||||
}
|
}
|
||||||
|
|
@ -141,25 +141,25 @@ struct wpabuf * eap_server_tls_build_msg(struct eap_ssl_data *data,
|
||||||
|
|
||||||
wpabuf_put_u8(req, flags); /* Flags */
|
wpabuf_put_u8(req, flags); /* Flags */
|
||||||
if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)
|
if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)
|
||||||
wpabuf_put_be32(req, wpabuf_len(data->out_buf));
|
wpabuf_put_be32(req, wpabuf_len(data->tls_out));
|
||||||
|
|
||||||
wpabuf_put_data(req, wpabuf_head_u8(data->out_buf) + data->out_used,
|
wpabuf_put_data(req, wpabuf_head_u8(data->tls_out) + data->tls_out_pos,
|
||||||
send_len);
|
send_len);
|
||||||
data->out_used += send_len;
|
data->tls_out_pos += send_len;
|
||||||
|
|
||||||
if (data->out_used == wpabuf_len(data->out_buf)) {
|
if (data->tls_out_pos == wpabuf_len(data->tls_out)) {
|
||||||
wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
|
wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
|
||||||
"(message sent completely)",
|
"(message sent completely)",
|
||||||
(unsigned long) send_len);
|
(unsigned long) send_len);
|
||||||
wpabuf_free(data->out_buf);
|
wpabuf_free(data->tls_out);
|
||||||
data->out_buf = NULL;
|
data->tls_out = NULL;
|
||||||
data->out_used = 0;
|
data->tls_out_pos = 0;
|
||||||
data->state = MSG;
|
data->state = MSG;
|
||||||
} else {
|
} else {
|
||||||
wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
|
wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
|
||||||
"(%lu more to send)", (unsigned long) send_len,
|
"(%lu more to send)", (unsigned long) send_len,
|
||||||
(unsigned long) wpabuf_len(data->out_buf) -
|
(unsigned long) wpabuf_len(data->tls_out) -
|
||||||
data->out_used);
|
data->tls_out_pos);
|
||||||
data->state = WAIT_FRAG_ACK;
|
data->state = WAIT_FRAG_ACK;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -185,15 +185,15 @@ static int eap_server_tls_process_cont(struct eap_ssl_data *data,
|
||||||
const u8 *buf, size_t len)
|
const u8 *buf, size_t len)
|
||||||
{
|
{
|
||||||
/* Process continuation of a pending message */
|
/* Process continuation of a pending message */
|
||||||
if (len > wpabuf_tailroom(data->in_buf)) {
|
if (len > wpabuf_tailroom(data->tls_in)) {
|
||||||
wpa_printf(MSG_DEBUG, "SSL: Fragment overflow");
|
wpa_printf(MSG_DEBUG, "SSL: Fragment overflow");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
wpabuf_put_data(data->in_buf, buf, len);
|
wpabuf_put_data(data->tls_in, buf, len);
|
||||||
wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes, waiting for %lu "
|
wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes, waiting for %lu "
|
||||||
"bytes more", (unsigned long) len,
|
"bytes more", (unsigned long) len,
|
||||||
(unsigned long) wpabuf_tailroom(data->in_buf));
|
(unsigned long) wpabuf_tailroom(data->tls_in));
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
@ -204,13 +204,13 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
|
||||||
const u8 *buf, size_t len)
|
const u8 *buf, size_t len)
|
||||||
{
|
{
|
||||||
/* Process a fragment that is not the last one of the message */
|
/* Process a fragment that is not the last one of the message */
|
||||||
if (data->in_buf == NULL && !(flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)) {
|
if (data->tls_in == NULL && !(flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)) {
|
||||||
wpa_printf(MSG_DEBUG, "SSL: No Message Length field in a "
|
wpa_printf(MSG_DEBUG, "SSL: No Message Length field in a "
|
||||||
"fragmented packet");
|
"fragmented packet");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (data->in_buf == NULL) {
|
if (data->tls_in == NULL) {
|
||||||
/* First fragment of the message */
|
/* First fragment of the message */
|
||||||
|
|
||||||
/* Limit length to avoid rogue peers from causing large
|
/* Limit length to avoid rogue peers from causing large
|
||||||
|
|
@ -221,16 +221,16 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
data->in_buf = wpabuf_alloc(message_length);
|
data->tls_in = wpabuf_alloc(message_length);
|
||||||
if (data->in_buf == NULL) {
|
if (data->tls_in == NULL) {
|
||||||
wpa_printf(MSG_DEBUG, "SSL: No memory for message");
|
wpa_printf(MSG_DEBUG, "SSL: No memory for message");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
wpabuf_put_data(data->in_buf, buf, len);
|
wpabuf_put_data(data->tls_in, buf, len);
|
||||||
wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes in first "
|
wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes in first "
|
||||||
"fragment, waiting for %lu bytes more",
|
"fragment, waiting for %lu bytes more",
|
||||||
(unsigned long) len,
|
(unsigned long) len,
|
||||||
(unsigned long) wpabuf_tailroom(data->in_buf));
|
(unsigned long) wpabuf_tailroom(data->tls_in));
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
@ -239,24 +239,24 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
|
||||||
|
|
||||||
int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
|
int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
|
||||||
{
|
{
|
||||||
if (data->out_buf) {
|
if (data->tls_out) {
|
||||||
/* This should not happen.. */
|
/* This should not happen.. */
|
||||||
wpa_printf(MSG_INFO, "SSL: pending tls_out data when "
|
wpa_printf(MSG_INFO, "SSL: pending tls_out data when "
|
||||||
"processing new message");
|
"processing new message");
|
||||||
wpabuf_free(data->out_buf);
|
wpabuf_free(data->tls_out);
|
||||||
WPA_ASSERT(data->out_buf == NULL);
|
WPA_ASSERT(data->tls_out == NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
data->out_buf = tls_connection_server_handshake(sm->ssl_ctx,
|
data->tls_out = tls_connection_server_handshake(sm->ssl_ctx,
|
||||||
data->conn,
|
data->conn,
|
||||||
data->in_buf, NULL);
|
data->tls_in, NULL);
|
||||||
if (data->out_buf == NULL) {
|
if (data->tls_out == NULL) {
|
||||||
wpa_printf(MSG_INFO, "SSL: TLS processing failed");
|
wpa_printf(MSG_INFO, "SSL: TLS processing failed");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
if (tls_connection_get_failed(sm->ssl_ctx, data->conn)) {
|
if (tls_connection_get_failed(sm->ssl_ctx, data->conn)) {
|
||||||
/* TLS processing has failed - return error */
|
/* TLS processing has failed - return error */
|
||||||
wpa_printf(MSG_DEBUG, "SSL: Failed - out_buf available to "
|
wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to "
|
||||||
"report error");
|
"report error");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
@ -297,7 +297,7 @@ static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags,
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (data->in_buf &&
|
if (data->tls_in &&
|
||||||
eap_server_tls_process_cont(data, *pos, end - *pos) < 0)
|
eap_server_tls_process_cont(data, *pos, end - *pos) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
|
|
@ -315,10 +315,10 @@ static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags,
|
||||||
data->state = MSG;
|
data->state = MSG;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (data->in_buf == NULL) {
|
if (data->tls_in == NULL) {
|
||||||
/* Wrap unfragmented messages as wpabuf without extra copy */
|
/* Wrap unfragmented messages as wpabuf without extra copy */
|
||||||
wpabuf_set(&data->tmpbuf, *pos, end - *pos);
|
wpabuf_set(&data->tmpbuf, *pos, end - *pos);
|
||||||
data->in_buf = &data->tmpbuf;
|
data->tls_in = &data->tmpbuf;
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
@ -327,9 +327,9 @@ static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags,
|
||||||
|
|
||||||
static void eap_server_tls_free_in_buf(struct eap_ssl_data *data)
|
static void eap_server_tls_free_in_buf(struct eap_ssl_data *data)
|
||||||
{
|
{
|
||||||
if (data->in_buf != &data->tmpbuf)
|
if (data->tls_in != &data->tmpbuf)
|
||||||
wpabuf_free(data->in_buf);
|
wpabuf_free(data->tls_in);
|
||||||
data->in_buf = NULL;
|
data->tls_in = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,19 +15,46 @@
|
||||||
#ifndef EAP_TLS_COMMON_H
|
#ifndef EAP_TLS_COMMON_H
|
||||||
#define EAP_TLS_COMMON_H
|
#define EAP_TLS_COMMON_H
|
||||||
|
|
||||||
|
/**
|
||||||
|
* struct eap_ssl_data - TLS data for EAP methods
|
||||||
|
*/
|
||||||
struct eap_ssl_data {
|
struct eap_ssl_data {
|
||||||
|
/**
|
||||||
|
* conn - TLS connection context data from tls_connection_init()
|
||||||
|
*/
|
||||||
struct tls_connection *conn;
|
struct tls_connection *conn;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* tls_out - TLS message to be sent out in fragments
|
||||||
|
*/
|
||||||
|
struct wpabuf *tls_out;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* tls_out_pos - The current position in the outgoing TLS message
|
||||||
|
*/
|
||||||
|
size_t tls_out_pos;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* tls_out_limit - Maximum fragment size for outgoing TLS messages
|
||||||
|
*/
|
||||||
size_t tls_out_limit;
|
size_t tls_out_limit;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* tls_in - Received TLS message buffer for re-assembly
|
||||||
|
*/
|
||||||
|
struct wpabuf *tls_in;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* phase2 - Whether this TLS connection is used in EAP phase 2 (tunnel)
|
||||||
|
*/
|
||||||
int phase2;
|
int phase2;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* eap - EAP state machine allocated with eap_server_sm_init()
|
||||||
|
*/
|
||||||
struct eap_sm *eap;
|
struct eap_sm *eap;
|
||||||
|
|
||||||
enum { MSG, FRAG_ACK, WAIT_FRAG_ACK } state;
|
enum { MSG, FRAG_ACK, WAIT_FRAG_ACK } state;
|
||||||
struct wpabuf *in_buf;
|
|
||||||
struct wpabuf *out_buf;
|
|
||||||
size_t out_used;
|
|
||||||
struct wpabuf tmpbuf;
|
struct wpabuf tmpbuf;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -549,20 +549,20 @@ static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case PHASE2_METHOD:
|
case PHASE2_METHOD:
|
||||||
wpabuf_free(data->ssl.out_buf);
|
wpabuf_free(data->ssl.tls_out);
|
||||||
data->ssl.out_used = 0;
|
data->ssl.tls_out_pos = 0;
|
||||||
data->ssl.out_buf = eap_ttls_build_phase2_eap_req(sm, data,
|
data->ssl.tls_out = eap_ttls_build_phase2_eap_req(sm, data,
|
||||||
id);
|
id);
|
||||||
break;
|
break;
|
||||||
case PHASE2_MSCHAPV2_RESP:
|
case PHASE2_MSCHAPV2_RESP:
|
||||||
wpabuf_free(data->ssl.out_buf);
|
wpabuf_free(data->ssl.tls_out);
|
||||||
data->ssl.out_used = 0;
|
data->ssl.tls_out_pos = 0;
|
||||||
data->ssl.out_buf = eap_ttls_build_phase2_mschapv2(sm, data);
|
data->ssl.tls_out = eap_ttls_build_phase2_mschapv2(sm, data);
|
||||||
break;
|
break;
|
||||||
case PHASE_FINISHED:
|
case PHASE_FINISHED:
|
||||||
wpabuf_free(data->ssl.out_buf);
|
wpabuf_free(data->ssl.tls_out);
|
||||||
data->ssl.out_used = 0;
|
data->ssl.tls_out_pos = 0;
|
||||||
data->ssl.out_buf = eap_ttls_build_phase_finished(sm, data, 1);
|
data->ssl.tls_out = eap_ttls_build_phase_finished(sm, data, 1);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
|
wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
|
||||||
|
|
@ -1271,11 +1271,11 @@ static void eap_ttls_process_msg(struct eap_sm *sm, void *priv,
|
||||||
case PHASE2_START:
|
case PHASE2_START:
|
||||||
case PHASE2_METHOD:
|
case PHASE2_METHOD:
|
||||||
case PHASE_FINISHED:
|
case PHASE_FINISHED:
|
||||||
eap_ttls_process_phase2(sm, data, data->ssl.in_buf);
|
eap_ttls_process_phase2(sm, data, data->ssl.tls_in);
|
||||||
eap_ttls_start_tnc(sm, data);
|
eap_ttls_start_tnc(sm, data);
|
||||||
break;
|
break;
|
||||||
case PHASE2_MSCHAPV2_RESP:
|
case PHASE2_MSCHAPV2_RESP:
|
||||||
if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.in_buf) ==
|
if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) ==
|
||||||
0) {
|
0) {
|
||||||
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
|
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
|
||||||
"acknowledged response");
|
"acknowledged response");
|
||||||
|
|
@ -1290,7 +1290,7 @@ static void eap_ttls_process_msg(struct eap_sm *sm, void *priv,
|
||||||
"frame from peer (payload len %lu, "
|
"frame from peer (payload len %lu, "
|
||||||
"expected empty frame)",
|
"expected empty frame)",
|
||||||
(unsigned long)
|
(unsigned long)
|
||||||
wpabuf_len(data->ssl.in_buf));
|
wpabuf_len(data->ssl.tls_in));
|
||||||
eap_ttls_state(data, FAILURE);
|
eap_ttls_state(data, FAILURE);
|
||||||
}
|
}
|
||||||
eap_ttls_start_tnc(sm, data);
|
eap_ttls_start_tnc(sm, data);
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue