Rename EAP TLS variables to make server and peer code consistent

This commit is contained in:
Jouni Malinen 2009-12-24 00:16:58 +02:00
parent 09e47a0768
commit 2a29f0d45c
10 changed files with 119 additions and 92 deletions

View file

@ -1445,9 +1445,9 @@ static int eap_fast_process_start(struct eap_sm *sm,
/* EAP-FAST Version negotiation (section 3.1) */
wpa_printf(MSG_DEBUG, "EAP-FAST: Start (server ver=%d, own ver=%d)",
flags & EAP_PEAP_VERSION_MASK, data->fast_version);
if ((flags & EAP_PEAP_VERSION_MASK) < data->fast_version)
data->fast_version = flags & EAP_PEAP_VERSION_MASK;
flags & EAP_TLS_VERSION_MASK, data->fast_version);
if ((flags & EAP_TLS_VERSION_MASK) < data->fast_version)
data->fast_version = flags & EAP_TLS_VERSION_MASK;
wpa_printf(MSG_DEBUG, "EAP-FAST: Using FAST version %d",
data->fast_version);

View file

@ -1048,10 +1048,10 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
if (flags & EAP_TLS_FLAGS_START) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: Start (server ver=%d, own "
"ver=%d)", flags & EAP_PEAP_VERSION_MASK,
"ver=%d)", flags & EAP_TLS_VERSION_MASK,
data->peap_version);
if ((flags & EAP_PEAP_VERSION_MASK) < data->peap_version)
data->peap_version = flags & EAP_PEAP_VERSION_MASK;
if ((flags & EAP_TLS_VERSION_MASK) < data->peap_version)
data->peap_version = flags & EAP_TLS_VERSION_MASK;
if (data->force_peap_version >= 0 &&
data->force_peap_version != data->peap_version) {
wpa_printf(MSG_WARNING, "EAP-PEAP: Failed to select "

View file

@ -71,7 +71,7 @@ struct eap_ssl_data {
int tls_ia;
/**
* eap - Pointer to EAP state machine allocated with eap_peer_sm_init()
* eap - EAP state machine allocated with eap_peer_sm_init()
*/
struct eap_sm *eap;
};
@ -81,7 +81,7 @@ struct eap_ssl_data {
#define EAP_TLS_FLAGS_LENGTH_INCLUDED 0x80
#define EAP_TLS_FLAGS_MORE_FRAGMENTS 0x40
#define EAP_TLS_FLAGS_START 0x20
#define EAP_PEAP_VERSION_MASK 0x07
#define EAP_TLS_VERSION_MASK 0x07
/* could be up to 128 bytes, but only the first 64 bytes are used */
#define EAP_TLS_KEY_LEN 64

View file

@ -1669,10 +1669,10 @@ static int eap_ttls_process_start(struct eap_sm *sm,
struct eap_peer_config *config = eap_get_config(sm);
wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own ver=%d)",
flags & EAP_PEAP_VERSION_MASK, data->ttls_version);
flags & EAP_TLS_VERSION_MASK, data->ttls_version);
#if EAP_TTLS_VERSION > 0
if ((flags & EAP_PEAP_VERSION_MASK) < data->ttls_version)
data->ttls_version = flags & EAP_PEAP_VERSION_MASK;
if ((flags & EAP_TLS_VERSION_MASK) < data->ttls_version)
data->ttls_version = flags & EAP_TLS_VERSION_MASK;
if (data->force_ttls_version >= 0 &&
data->force_ttls_version != data->ttls_version) {
wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to select "

View file

@ -819,25 +819,25 @@ static int eap_fast_encrypt_phase2(struct eap_sm *sm,
encr = eap_server_tls_encrypt(sm, &data->ssl, plain);
wpabuf_free(plain);
if (data->ssl.out_buf && piggyback) {
if (data->ssl.tls_out && piggyback) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Piggyback Phase 2 data "
"(len=%d) with last Phase 1 Message (len=%d "
"used=%d)",
(int) wpabuf_len(encr),
(int) wpabuf_len(data->ssl.out_buf),
(int) data->ssl.out_used);
if (wpabuf_resize(&data->ssl.out_buf, wpabuf_len(encr)) < 0) {
(int) wpabuf_len(data->ssl.tls_out),
(int) data->ssl.tls_out_pos);
if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(encr)) < 0) {
wpa_printf(MSG_WARNING, "EAP-FAST: Failed to resize "
"output buffer");
wpabuf_free(encr);
return -1;
}
wpabuf_put_buf(data->ssl.out_buf, encr);
wpabuf_put_buf(data->ssl.tls_out, encr);
wpabuf_free(encr);
} else {
wpabuf_free(data->ssl.out_buf);
data->ssl.out_used = 0;
data->ssl.out_buf = encr;
wpabuf_free(data->ssl.tls_out);
data->ssl.tls_out_pos = 0;
data->ssl.tls_out = encr;
}
return 0;
@ -1448,7 +1448,7 @@ static int eap_fast_process_phase1(struct eap_sm *sm,
}
if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
wpabuf_len(data->ssl.out_buf) > 0)
wpabuf_len(data->ssl.tls_out) > 0)
return 1;
/*
@ -1514,7 +1514,7 @@ static void eap_fast_process_msg(struct eap_sm *sm, void *priv,
case PHASE2_METHOD:
case CRYPTO_BINDING:
case REQUEST_PAC:
eap_fast_process_phase2(sm, data, data->ssl.in_buf);
eap_fast_process_phase2(sm, data, data->ssl.tls_in);
break;
default:
wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected state %d in %s",

View file

@ -515,32 +515,32 @@ static struct wpabuf * eap_peap_buildReq(struct eap_sm *sm, void *priv, u8 id)
break;
case PHASE2_ID:
case PHASE2_METHOD:
wpabuf_free(data->ssl.out_buf);
data->ssl.out_used = 0;
data->ssl.out_buf = eap_peap_build_phase2_req(sm, data, id);
wpabuf_free(data->ssl.tls_out);
data->ssl.tls_out_pos = 0;
data->ssl.tls_out = eap_peap_build_phase2_req(sm, data, id);
break;
#ifdef EAP_SERVER_TNC
case PHASE2_SOH:
wpabuf_free(data->ssl.out_buf);
data->ssl.out_used = 0;
data->ssl.out_buf = eap_peap_build_phase2_soh(sm, data, id);
wpabuf_free(data->ssl.tls_out);
data->ssl.tls_out_pos = 0;
data->ssl.tls_out = eap_peap_build_phase2_soh(sm, data, id);
break;
#endif /* EAP_SERVER_TNC */
case PHASE2_TLV:
wpabuf_free(data->ssl.out_buf);
data->ssl.out_used = 0;
data->ssl.out_buf = eap_peap_build_phase2_tlv(sm, data, id);
wpabuf_free(data->ssl.tls_out);
data->ssl.tls_out_pos = 0;
data->ssl.tls_out = eap_peap_build_phase2_tlv(sm, data, id);
break;
case SUCCESS_REQ:
wpabuf_free(data->ssl.out_buf);
data->ssl.out_used = 0;
data->ssl.out_buf = eap_peap_build_phase2_term(sm, data, id,
wpabuf_free(data->ssl.tls_out);
data->ssl.tls_out_pos = 0;
data->ssl.tls_out = eap_peap_build_phase2_term(sm, data, id,
1);
break;
case FAILURE_REQ:
wpabuf_free(data->ssl.out_buf);
data->ssl.out_used = 0;
data->ssl.out_buf = eap_peap_build_phase2_term(sm, data, id,
wpabuf_free(data->ssl.tls_out);
data->ssl.tls_out_pos = 0;
data->ssl.tls_out = eap_peap_build_phase2_term(sm, data, id,
0);
break;
default:
@ -1207,11 +1207,11 @@ static int eap_peapv2_start_phase2(struct eap_sm *sm,
buf);
/* Append TLS data into the pending buffer after the Server Finished */
if (wpabuf_resize(&data->ssl.out_buf, wpabuf_len(buf)) < 0) {
if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(buf)) < 0) {
wpabuf_free(buf);
return -1;
}
wpabuf_put_buf(data->ssl.out_buf, buf);
wpabuf_put_buf(data->ssl.tls_out, buf);
wpabuf_free(buf);
return 0;
@ -1270,7 +1270,7 @@ static void eap_peap_process_msg(struct eap_sm *sm, void *priv,
case PHASE2_METHOD:
case PHASE2_SOH:
case PHASE2_TLV:
eap_peap_process_phase2(sm, data, respData, data->ssl.in_buf);
eap_peap_process_phase2(sm, data, respData, data->ssl.tls_in);
break;
case SUCCESS_REQ:
eap_peap_state(data, SUCCESS);

View file

@ -169,7 +169,7 @@ static void eap_tls_process_msg(struct eap_sm *sm, void *priv,
const struct wpabuf *respData)
{
struct eap_tls_data *data = priv;
if (data->state == SUCCESS && wpabuf_len(data->ssl.in_buf) == 0) {
if (data->state == SUCCESS && wpabuf_len(data->ssl.tls_in) == 0) {
wpa_printf(MSG_DEBUG, "EAP-TLS: Client acknowledged final TLS "
"handshake message");
return;

View file

@ -58,8 +58,8 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
{
tls_connection_deinit(sm->ssl_ctx, data->conn);
os_free(data->in_buf);
os_free(data->out_buf);
os_free(data->tls_in);
os_free(data->tls_out);
}
@ -114,17 +114,17 @@ struct wpabuf * eap_server_tls_build_msg(struct eap_ssl_data *data,
size_t send_len, plen;
wpa_printf(MSG_DEBUG, "SSL: Generating Request");
if (data->out_buf == NULL) {
wpa_printf(MSG_ERROR, "SSL: out_buf NULL in %s", __func__);
if (data->tls_out == NULL) {
wpa_printf(MSG_ERROR, "SSL: tls_out NULL in %s", __func__);
return NULL;
}
flags = version;
send_len = wpabuf_len(data->out_buf) - data->out_used;
send_len = wpabuf_len(data->tls_out) - data->tls_out_pos;
if (1 + send_len > data->tls_out_limit) {
send_len = data->tls_out_limit - 1;
flags |= EAP_TLS_FLAGS_MORE_FRAGMENTS;
if (data->out_used == 0) {
if (data->tls_out_pos == 0) {
flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED;
send_len -= 4;
}
@ -141,25 +141,25 @@ struct wpabuf * eap_server_tls_build_msg(struct eap_ssl_data *data,
wpabuf_put_u8(req, flags); /* Flags */
if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)
wpabuf_put_be32(req, wpabuf_len(data->out_buf));
wpabuf_put_be32(req, wpabuf_len(data->tls_out));
wpabuf_put_data(req, wpabuf_head_u8(data->out_buf) + data->out_used,
wpabuf_put_data(req, wpabuf_head_u8(data->tls_out) + data->tls_out_pos,
send_len);
data->out_used += send_len;
data->tls_out_pos += send_len;
if (data->out_used == wpabuf_len(data->out_buf)) {
if (data->tls_out_pos == wpabuf_len(data->tls_out)) {
wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
"(message sent completely)",
(unsigned long) send_len);
wpabuf_free(data->out_buf);
data->out_buf = NULL;
data->out_used = 0;
wpabuf_free(data->tls_out);
data->tls_out = NULL;
data->tls_out_pos = 0;
data->state = MSG;
} else {
wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
"(%lu more to send)", (unsigned long) send_len,
(unsigned long) wpabuf_len(data->out_buf) -
data->out_used);
(unsigned long) wpabuf_len(data->tls_out) -
data->tls_out_pos);
data->state = WAIT_FRAG_ACK;
}
@ -185,15 +185,15 @@ static int eap_server_tls_process_cont(struct eap_ssl_data *data,
const u8 *buf, size_t len)
{
/* Process continuation of a pending message */
if (len > wpabuf_tailroom(data->in_buf)) {
if (len > wpabuf_tailroom(data->tls_in)) {
wpa_printf(MSG_DEBUG, "SSL: Fragment overflow");
return -1;
}
wpabuf_put_data(data->in_buf, buf, len);
wpabuf_put_data(data->tls_in, buf, len);
wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes, waiting for %lu "
"bytes more", (unsigned long) len,
(unsigned long) wpabuf_tailroom(data->in_buf));
(unsigned long) wpabuf_tailroom(data->tls_in));
return 0;
}
@ -204,13 +204,13 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
const u8 *buf, size_t len)
{
/* Process a fragment that is not the last one of the message */
if (data->in_buf == NULL && !(flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)) {
if (data->tls_in == NULL && !(flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)) {
wpa_printf(MSG_DEBUG, "SSL: No Message Length field in a "
"fragmented packet");
return -1;
}
if (data->in_buf == NULL) {
if (data->tls_in == NULL) {
/* First fragment of the message */
/* Limit length to avoid rogue peers from causing large
@ -221,16 +221,16 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
return -1;
}
data->in_buf = wpabuf_alloc(message_length);
if (data->in_buf == NULL) {
data->tls_in = wpabuf_alloc(message_length);
if (data->tls_in == NULL) {
wpa_printf(MSG_DEBUG, "SSL: No memory for message");
return -1;
}
wpabuf_put_data(data->in_buf, buf, len);
wpabuf_put_data(data->tls_in, buf, len);
wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes in first "
"fragment, waiting for %lu bytes more",
(unsigned long) len,
(unsigned long) wpabuf_tailroom(data->in_buf));
(unsigned long) wpabuf_tailroom(data->tls_in));
}
return 0;
@ -239,24 +239,24 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
{
if (data->out_buf) {
if (data->tls_out) {
/* This should not happen.. */
wpa_printf(MSG_INFO, "SSL: pending tls_out data when "
"processing new message");
wpabuf_free(data->out_buf);
WPA_ASSERT(data->out_buf == NULL);
wpabuf_free(data->tls_out);
WPA_ASSERT(data->tls_out == NULL);
}
data->out_buf = tls_connection_server_handshake(sm->ssl_ctx,
data->tls_out = tls_connection_server_handshake(sm->ssl_ctx,
data->conn,
data->in_buf, NULL);
if (data->out_buf == NULL) {
data->tls_in, NULL);
if (data->tls_out == NULL) {
wpa_printf(MSG_INFO, "SSL: TLS processing failed");
return -1;
}
if (tls_connection_get_failed(sm->ssl_ctx, data->conn)) {
/* TLS processing has failed - return error */
wpa_printf(MSG_DEBUG, "SSL: Failed - out_buf available to "
wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to "
"report error");
return -1;
}
@ -297,7 +297,7 @@ static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags,
return 1;
}
if (data->in_buf &&
if (data->tls_in &&
eap_server_tls_process_cont(data, *pos, end - *pos) < 0)
return -1;
@ -315,10 +315,10 @@ static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags,
data->state = MSG;
}
if (data->in_buf == NULL) {
if (data->tls_in == NULL) {
/* Wrap unfragmented messages as wpabuf without extra copy */
wpabuf_set(&data->tmpbuf, *pos, end - *pos);
data->in_buf = &data->tmpbuf;
data->tls_in = &data->tmpbuf;
}
return 0;
@ -327,9 +327,9 @@ static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags,
static void eap_server_tls_free_in_buf(struct eap_ssl_data *data)
{
if (data->in_buf != &data->tmpbuf)
wpabuf_free(data->in_buf);
data->in_buf = NULL;
if (data->tls_in != &data->tmpbuf)
wpabuf_free(data->tls_in);
data->tls_in = NULL;
}

View file

@ -15,19 +15,46 @@
#ifndef EAP_TLS_COMMON_H
#define EAP_TLS_COMMON_H
/**
* struct eap_ssl_data - TLS data for EAP methods
*/
struct eap_ssl_data {
/**
* conn - TLS connection context data from tls_connection_init()
*/
struct tls_connection *conn;
/**
* tls_out - TLS message to be sent out in fragments
*/
struct wpabuf *tls_out;
/**
* tls_out_pos - The current position in the outgoing TLS message
*/
size_t tls_out_pos;
/**
* tls_out_limit - Maximum fragment size for outgoing TLS messages
*/
size_t tls_out_limit;
/**
* tls_in - Received TLS message buffer for re-assembly
*/
struct wpabuf *tls_in;
/**
* phase2 - Whether this TLS connection is used in EAP phase 2 (tunnel)
*/
int phase2;
/**
* eap - EAP state machine allocated with eap_server_sm_init()
*/
struct eap_sm *eap;
enum { MSG, FRAG_ACK, WAIT_FRAG_ACK } state;
struct wpabuf *in_buf;
struct wpabuf *out_buf;
size_t out_used;
struct wpabuf tmpbuf;
};

View file

@ -549,20 +549,20 @@ static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
}
break;
case PHASE2_METHOD:
wpabuf_free(data->ssl.out_buf);
data->ssl.out_used = 0;
data->ssl.out_buf = eap_ttls_build_phase2_eap_req(sm, data,
wpabuf_free(data->ssl.tls_out);
data->ssl.tls_out_pos = 0;
data->ssl.tls_out = eap_ttls_build_phase2_eap_req(sm, data,
id);
break;
case PHASE2_MSCHAPV2_RESP:
wpabuf_free(data->ssl.out_buf);
data->ssl.out_used = 0;
data->ssl.out_buf = eap_ttls_build_phase2_mschapv2(sm, data);
wpabuf_free(data->ssl.tls_out);
data->ssl.tls_out_pos = 0;
data->ssl.tls_out = eap_ttls_build_phase2_mschapv2(sm, data);
break;
case PHASE_FINISHED:
wpabuf_free(data->ssl.out_buf);
data->ssl.out_used = 0;
data->ssl.out_buf = eap_ttls_build_phase_finished(sm, data, 1);
wpabuf_free(data->ssl.tls_out);
data->ssl.tls_out_pos = 0;
data->ssl.tls_out = eap_ttls_build_phase_finished(sm, data, 1);
break;
default:
wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
@ -1271,11 +1271,11 @@ static void eap_ttls_process_msg(struct eap_sm *sm, void *priv,
case PHASE2_START:
case PHASE2_METHOD:
case PHASE_FINISHED:
eap_ttls_process_phase2(sm, data, data->ssl.in_buf);
eap_ttls_process_phase2(sm, data, data->ssl.tls_in);
eap_ttls_start_tnc(sm, data);
break;
case PHASE2_MSCHAPV2_RESP:
if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.in_buf) ==
if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) ==
0) {
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
"acknowledged response");
@ -1290,7 +1290,7 @@ static void eap_ttls_process_msg(struct eap_sm *sm, void *priv,
"frame from peer (payload len %lu, "
"expected empty frame)",
(unsigned long)
wpabuf_len(data->ssl.in_buf));
wpabuf_len(data->ssl.tls_in));
eap_ttls_state(data, FAILURE);
}
eap_ttls_start_tnc(sm, data);