/*
- * WPA Supplicant / SSL/TLS interface definition
- * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
+ * SSL/TLS interface definition
+ * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* tls_connection_handshake - Process TLS handshake (client side)
* @tls_ctx: TLS context data from tls_init()
* @conn: Connection context data from tls_connection_init()
- * @in_data: Input data from TLS peer
- * @in_len: Input data length
- * @out_len: Length of the output buffer.
+ * @in_data: Input data from TLS server
* @appl_data: Pointer to application data pointer, or %NULL if dropped
- * @appl_data_len: Pointer to variable that is set to appl_data length
- * Returns: Pointer to output data, %NULL on failure
+ * Returns: Output data, %NULL on failure
*
- * Caller is responsible for freeing returned output data. If the final
+ * The caller is responsible for freeing the returned output data. If the final
* handshake message includes application data, this is decrypted and
- * appl_data (if not %NULL) is set to point this data. Caller is responsible
- * for freeing appl_data.
+ * appl_data (if not %NULL) is set to point this data. The caller is
+ * responsible for freeing appl_data.
*
* This function is used during TLS handshake. The first call is done with
* in_data == %NULL and the library is expected to return ClientHello packet.
* tls_connection_established() should return 1 once the TLS handshake has been
* completed successfully.
*/
-u8 * tls_connection_handshake(void *tls_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- size_t *out_len, u8 **appl_data,
- size_t *appl_data_len);
+struct wpabuf * tls_connection_handshake(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data,
+ struct wpabuf **appl_data);
/**
* tls_connection_server_handshake - Process TLS handshake (server side)
* @tls_ctx: TLS context data from tls_init()
* @conn: Connection context data from tls_connection_init()
* @in_data: Input data from TLS peer
- * @in_len: Input data length
- * @out_len: Length of the output buffer.
- * Returns: pointer to output data, %NULL on failure
+ * @appl_data: Pointer to application data pointer, or %NULL if dropped
+ * Returns: Output data, %NULL on failure
*
- * Caller is responsible for freeing returned output data.
+ * The caller is responsible for freeing the returned output data.
*/
-u8 * tls_connection_server_handshake(void *tls_ctx,
- struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- size_t *out_len);
+struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data,
+ struct wpabuf **appl_data);
/**
* tls_connection_encrypt - Encrypt data into TLS tunnel
* @tls_ctx: TLS context data from tls_init()
* @conn: Connection context data from tls_connection_init()
- * @in_data: Pointer to plaintext data to be encrypted
- * @in_len: Input buffer length
- * @out_data: Pointer to output buffer (encrypted TLS data)
- * @out_len: Maximum out_data length
- * Returns: Number of bytes written to out_data, -1 on failure
+ * @in_data: Plaintext data to be encrypted
+ * Returns: Encrypted TLS data or %NULL on failure
*
* This function is used after TLS handshake has been completed successfully to
- * send data in the encrypted tunnel.
+ * send data in the encrypted tunnel. The caller is responsible for freeing the
+ * returned output data.
*/
-int __must_check tls_connection_encrypt(void *tls_ctx,
- struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- u8 *out_data, size_t out_len);
+struct wpabuf * tls_connection_encrypt(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data);
/**
* tls_connection_decrypt - Decrypt data from TLS tunnel
* @tls_ctx: TLS context data from tls_init()
* @conn: Connection context data from tls_connection_init()
- * @in_data: Pointer to input buffer (encrypted TLS data)
- * @in_len: Input buffer length
- * @out_data: Pointer to output buffer (decrypted data from TLS tunnel)
- * @out_len: Maximum out_data length
- * Returns: Number of bytes written to out_data, -1 on failure
+ * @in_data: Encrypted TLS data
+ * Returns: Decrypted TLS data or %NULL on failure
*
* This function is used after TLS handshake has been completed successfully to
- * receive data from the encrypted tunnel.
+ * receive data from the encrypted tunnel. The caller is responsible for
+ * freeing the returned output data.
*/
-int __must_check tls_connection_decrypt(void *tls_ctx,
- struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- u8 *out_data, size_t out_len);
+struct wpabuf * tls_connection_decrypt(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data);
/**
* tls_connection_resumed - Was session resumption used
/*
- * WPA Supplicant / SSL/TLS interface functions for openssl
- * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
+ * SSL/TLS interface functions for GnuTLS
+ * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
}
-u8 * tls_connection_handshake(void *ssl_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- size_t *out_len, u8 **appl_data,
- size_t *appl_data_len)
+struct wpabuf * tls_connection_handshake(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data,
+ struct wpabuf **appl_data)
{
- struct tls_global *global = ssl_ctx;
- u8 *out_data;
+ struct tls_global *global = tls_ctx;
+ struct wpabuf *out_data;
int ret;
if (appl_data)
*appl_data = NULL;
- if (in_data && in_len) {
+ if (in_data && wpabuf_len(in_data) > 0) {
if (conn->pull_buf) {
wpa_printf(MSG_DEBUG, "%s - %lu bytes remaining in "
"pull_buf", __func__,
(unsigned long) conn->pull_buf_len);
os_free(conn->pull_buf);
}
- conn->pull_buf = os_malloc(in_len);
+ conn->pull_buf = os_malloc(wpabuf_len(in_data));
if (conn->pull_buf == NULL)
return NULL;
- os_memcpy(conn->pull_buf, in_data, in_len);
+ os_memcpy(conn->pull_buf, wpabuf_head(in_data),
+ wpabuf_len(in_data));
conn->pull_buf_offset = conn->pull_buf;
- conn->pull_buf_len = in_len;
+ conn->pull_buf_len = wpabuf_len(in_data);
}
ret = gnutls_handshake(conn->session);
}
}
- out_data = conn->push_buf;
- *out_len = conn->push_buf_len;
+ if (conn->push_buf == NULL)
+ return NULL;
+ out_data = wpabuf_alloc_ext_data(conn->push_buf, conn->push_buf_len);
+ if (out_data == NULL)
+ os_free(conn->push_buf);
conn->push_buf = NULL;
conn->push_buf_len = 0;
return out_data;
}
-u8 * tls_connection_server_handshake(void *ssl_ctx,
- struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- size_t *out_len)
+struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data,
+ struct wpabuf **appl_data)
{
- return tls_connection_handshake(ssl_ctx, conn, in_data, in_len,
- out_len, NULL, NULL);
+ return tls_connection_handshake(tls_ctx, conn, in_data, appl_data);
}
-int tls_connection_encrypt(void *ssl_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- u8 *out_data, size_t out_len)
+struct wpabuf * tls_connection_encrypt(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data)
{
ssize_t res;
+ struct wpabuf *buf;
#ifdef GNUTLS_IA
if (conn->tls_ia)
- res = gnutls_ia_send(conn->session, (char *) in_data, in_len);
+ res = gnutls_ia_send(conn->session, wpabuf_head(in_data),
+ wpabuf_len(in_data));
else
#endif /* GNUTLS_IA */
- res = gnutls_record_send(conn->session, in_data, in_len);
+ res = gnutls_record_send(conn->session, wpabuf_head(in_data),
+ wpabuf_len(in_data));
if (res < 0) {
wpa_printf(MSG_INFO, "%s: Encryption failed: %s",
__func__, gnutls_strerror(res));
- return -1;
+ return NULL;
}
if (conn->push_buf == NULL)
- return -1;
- if (conn->push_buf_len < out_len)
- out_len = conn->push_buf_len;
- else if (conn->push_buf_len > out_len) {
- wpa_printf(MSG_INFO, "GnuTLS: Not enough buffer space for "
- "encrypted message (in_len=%lu push_buf_len=%lu "
- "out_len=%lu",
- (unsigned long) in_len,
- (unsigned long) conn->push_buf_len,
- (unsigned long) out_len);
- }
- os_memcpy(out_data, conn->push_buf, out_len);
- os_free(conn->push_buf);
+ return NULL;
+ buf = wpabuf_alloc_ext_data(conn->push_buf, conn->push_buf_len);
+ if (buf == NULL)
+ os_free(conn->push_buf);
conn->push_buf = NULL;
conn->push_buf_len = 0;
- return out_len;
+ return buf;
}
-int tls_connection_decrypt(void *ssl_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- u8 *out_data, size_t out_len)
+struct wpabuf * tls_connection_decrypt(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data)
{
ssize_t res;
+ struct wpabuf *out;
if (conn->pull_buf) {
wpa_printf(MSG_DEBUG, "%s - %lu bytes remaining in "
(unsigned long) conn->pull_buf_len);
os_free(conn->pull_buf);
}
- conn->pull_buf = os_malloc(in_len);
+ conn->pull_buf = os_malloc(wpabuf_len(in_data));
if (conn->pull_buf == NULL)
- return -1;
- os_memcpy(conn->pull_buf, in_data, in_len);
+ return NULL;
+ os_memcpy(conn->pull_buf, wpabuf_head(in_data), wpabuf_len(in_data));
conn->pull_buf_offset = conn->pull_buf;
- conn->pull_buf_len = in_len;
+ conn->pull_buf_len = wpabuf_len(in_data);
+
+ /*
+ * Even though we try to disable TLS compression, it is possible that
+ * this cannot be done with all TLS libraries. Add extra buffer space
+ * to handle the possibility of the decrypted data being longer than
+ * input data.
+ */
+ out = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
+ if (out == NULL)
+ return NULL;
#ifdef GNUTLS_IA
if (conn->tls_ia) {
- res = gnutls_ia_recv(conn->session, (char *) out_data,
- out_len);
- if (out_len >= 12 &&
- (res == GNUTLS_E_WARNING_IA_IPHF_RECEIVED ||
- res == GNUTLS_E_WARNING_IA_FPHF_RECEIVED)) {
+ res = gnutls_ia_recv(conn->session, wpabuf_mhead(out),
+ wpabuf_size(out));
+ if (res == GNUTLS_E_WARNING_IA_IPHF_RECEIVED ||
+ res == GNUTLS_E_WARNING_IA_FPHF_RECEIVED) {
int final = res == GNUTLS_E_WARNING_IA_FPHF_RECEIVED;
wpa_printf(MSG_DEBUG, "%s: Received %sPhaseFinished",
__func__, final ? "Final" : "Intermediate");
wpa_printf(MSG_DEBUG, "%s: Failed to permute "
"inner secret: %s",
__func__, gnutls_strerror(res));
- return -1;
+ wpabuf_free(out);
+ return NULL;
}
res = gnutls_ia_verify_endphase(conn->session,
- (char *) out_data);
+ wpabuf_head(out));
if (res == 0) {
wpa_printf(MSG_DEBUG, "%s: Correct endphase "
"checksum", __func__);
wpa_printf(MSG_INFO, "%s: Endphase "
"verification failed: %s",
__func__, gnutls_strerror(res));
- return -1;
+ wpabuf_free(out);
+ return NULL;
}
if (final)
conn->final_phase_finished = 1;
- return 0;
+ return out;
}
if (res < 0) {
wpa_printf(MSG_DEBUG, "%s - gnutls_ia_recv failed: %d "
"(%s)", __func__, (int) res,
gnutls_strerror(res));
+ wpabuf_free(out);
+ return NULL;
}
- return res;
+ wpabuf_put(out, res);
+ return out;
}
#endif /* GNUTLS_IA */
- res = gnutls_record_recv(conn->session, out_data, out_len);
+ res = gnutls_record_recv(conn->session, wpabuf_mhead(out),
+ wpabuf_size(out));
if (res < 0) {
wpa_printf(MSG_DEBUG, "%s - gnutls_record_recv failed: %d "
"(%s)", __func__, (int) res, gnutls_strerror(res));
+ wpabuf_free(out);
+ return NULL;
}
+ wpabuf_put(out, res);
- return res;
+ return out;
}
/*
- * WPA Supplicant / TLS interface functions and an internal TLS implementation
- * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi>
+ * TLS interface functions and an internal TLS implementation
+ * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
}
-u8 * tls_connection_handshake(void *tls_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- size_t *out_len, u8 **appl_data,
- size_t *appl_data_len)
+struct wpabuf * tls_connection_handshake(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data,
+ struct wpabuf **appl_data)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
+ u8 *res, *ad;
+ size_t res_len, ad_len;
+ struct wpabuf *out;
+
if (conn->client == NULL)
return NULL;
- if (appl_data)
- *appl_data = NULL;
+ ad = NULL;
+ res = tlsv1_client_handshake(conn->client,
+ in_data ? wpabuf_head(in_data) : NULL,
+ in_data ? wpabuf_len(in_data) : 0,
+ &res_len, &ad, &ad_len);
+ if (res == NULL)
+ return NULL;
+ out = wpabuf_alloc_ext_data(res, res_len);
+ if (out == NULL) {
+ os_free(res);
+ os_free(ad);
+ return NULL;
+ }
+ if (appl_data) {
+ if (ad) {
+ *appl_data = wpabuf_alloc_ext_data(ad, ad_len);
+ if (*appl_data == NULL)
+ os_free(ad);
+ } else
+ *appl_data = NULL;
+ } else
+ os_free(ad);
- wpa_printf(MSG_DEBUG, "TLS: %s(in_data=%p in_len=%lu)",
- __func__, in_data, (unsigned long) in_len);
- return tlsv1_client_handshake(conn->client, in_data, in_len, out_len,
- appl_data, appl_data_len);
+ return out;
#else /* CONFIG_TLS_INTERNAL_CLIENT */
return NULL;
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
}
-u8 * tls_connection_server_handshake(void *tls_ctx,
- struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- size_t *out_len)
+struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data,
+ struct wpabuf **appl_data)
{
#ifdef CONFIG_TLS_INTERNAL_SERVER
- u8 *out;
+ u8 *res;
+ size_t res_len;
+ struct wpabuf *out;
+
if (conn->server == NULL)
return NULL;
- wpa_printf(MSG_DEBUG, "TLS: %s(in_data=%p in_len=%lu)",
- __func__, in_data, (unsigned long) in_len);
- out = tlsv1_server_handshake(conn->server, in_data, in_len, out_len);
- if (out == NULL && tlsv1_server_established(conn->server)) {
- out = os_malloc(1);
- *out_len = 0;
+ if (appl_data)
+ *appl_data = NULL;
+
+ res = tlsv1_server_handshake(conn->server, wpabuf_head(in_data),
+ wpabuf_len(in_data), &res_len);
+ if (res == NULL && tlsv1_server_established(conn->server))
+ return wpabuf_alloc(0);
+ if (res == NULL)
+ return NULL;
+ out = wpabuf_alloc_ext_data(res, res_len);
+ if (out == NULL) {
+ os_free(res);
+ return NULL;
}
+
return out;
#else /* CONFIG_TLS_INTERNAL_SERVER */
return NULL;
}
-int tls_connection_encrypt(void *tls_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- u8 *out_data, size_t out_len)
+struct wpabuf * tls_connection_encrypt(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
if (conn->client) {
- return tlsv1_client_encrypt(conn->client, in_data, in_len,
- out_data, out_len);
+ struct wpabuf *buf;
+ int res;
+ buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
+ if (buf == NULL)
+ return NULL;
+ res = tlsv1_client_encrypt(conn->client, wpabuf_head(in_data),
+ wpabuf_len(in_data),
+ wpabuf_mhead(buf),
+ wpabuf_size(buf));
+ if (res < 0) {
+ wpabuf_free(buf);
+ return NULL;
+ }
+ wpabuf_put(buf, res);
+ return buf;
}
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
if (conn->server) {
- return tlsv1_server_encrypt(conn->server, in_data, in_len,
- out_data, out_len);
+ struct wpabuf *buf;
+ int res;
+ buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
+ if (buf == NULL)
+ return NULL;
+ res = tlsv1_server_encrypt(conn->server, wpabuf_head(in_data),
+ wpabuf_len(in_data),
+ wpabuf_mhead(buf),
+ wpabuf_size(buf));
+ if (res < 0) {
+ wpabuf_free(buf);
+ return NULL;
+ }
+ wpabuf_put(buf, res);
+ return buf;
}
#endif /* CONFIG_TLS_INTERNAL_SERVER */
- return -1;
+ return NULL;
}
-int tls_connection_decrypt(void *tls_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- u8 *out_data, size_t out_len)
+struct wpabuf * tls_connection_decrypt(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data)
{
#ifdef CONFIG_TLS_INTERNAL_CLIENT
if (conn->client) {
- return tlsv1_client_decrypt(conn->client, in_data, in_len,
- out_data, out_len);
+ struct wpabuf *buf;
+ int res;
+ buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
+ if (buf == NULL)
+ return NULL;
+ res = tlsv1_client_decrypt(conn->client, wpabuf_head(in_data),
+ wpabuf_len(in_data),
+ wpabuf_mhead(buf),
+ wpabuf_size(buf));
+ if (res < 0) {
+ wpabuf_free(buf);
+ return NULL;
+ }
+ wpabuf_put(buf, res);
+ return buf;
}
#endif /* CONFIG_TLS_INTERNAL_CLIENT */
#ifdef CONFIG_TLS_INTERNAL_SERVER
if (conn->server) {
- return tlsv1_server_decrypt(conn->server, in_data, in_len,
- out_data, out_len);
+ struct wpabuf *buf;
+ int res;
+ buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
+ if (buf == NULL)
+ return NULL;
+ res = tlsv1_server_decrypt(conn->server, wpabuf_head(in_data),
+ wpabuf_len(in_data),
+ wpabuf_mhead(buf),
+ wpabuf_size(buf));
+ if (res < 0) {
+ wpabuf_free(buf);
+ return NULL;
+ }
+ wpabuf_put(buf, res);
+ return buf;
}
#endif /* CONFIG_TLS_INTERNAL_SERVER */
- return -1;
+ return NULL;
}
/*
- * WPA Supplicant / SSL/TLS interface functions for no TLS case
- * Copyright (c) 2004, Jouni Malinen <j@w1.fi>
+ * SSL/TLS interface functions for no TLS case
+ * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
return (void *) 1;
}
+
void tls_deinit(void *ssl_ctx)
{
}
-#ifdef EAP_TLS_NONE
-
int tls_get_errors(void *tls_ctx)
{
return 0;
}
-u8 * tls_connection_handshake(void *tls_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- size_t *out_len, u8 **appl_data,
- size_t *appl_data_len)
+struct wpabuf * tls_connection_handshake(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data,
+ struct wpabuf **appl_data)
{
return NULL;
}
-u8 * tls_connection_server_handshake(void *tls_ctx,
- struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- size_t *out_len)
+struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data,
+ struct wpabuf **appl_data)
{
return NULL;
}
-int tls_connection_encrypt(void *tls_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- u8 *out_data, size_t out_len)
+struct wpabuf * tls_connection_encrypt(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data)
{
- return -1;
+ return NULL;
}
-int tls_connection_decrypt(void *tls_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- u8 *out_data, size_t out_len)
+struct wpabuf * tls_connection_decrypt(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data)
{
- return -1;
+ return NULL;
}
{
return -1;
}
-
-#endif /* EAP_TLS_NONE */
}
-u8 * tls_connection_handshake(void *tls_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- size_t *out_len, u8 **appl_data,
- size_t *appl_data_len)
+struct wpabuf * tls_connection_handshake(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data,
+ struct wpabuf **appl_data)
{
- u8 *out_data;
+ struct wpabuf *out_data;
wpa_printf(MSG_DEBUG, "NSS: handshake: in_len=%u",
- (unsigned int) in_len);
+ in_data ? (unsigned int) wpabuf_len(in_data) : 0);
if (appl_data)
*appl_data = NULL;
- if (in_data && in_len) {
+ if (in_data && wpabuf_len(in_data) > 0) {
if (conn->pull_buf) {
wpa_printf(MSG_DEBUG, "%s - %lu bytes remaining in "
"pull_buf", __func__,
(unsigned long) conn->pull_buf_len);
os_free(conn->pull_buf);
}
- conn->pull_buf = os_malloc(in_len);
+ conn->pull_buf = os_malloc(wpabuf_len(in_data));
if (conn->pull_buf == NULL)
return NULL;
- os_memcpy(conn->pull_buf, in_data, in_len);
+ os_memcpy(conn->pull_buf, wpabuf_head(in_data),
+ wpabuf_len(in_data));
conn->pull_buf_offset = conn->pull_buf;
- conn->pull_buf_len = in_len;
+ conn->pull_buf_len = wpabuf_len(in_data);
}
SSL_ForceHandshake(conn->fd);
conn->push_buf = os_malloc(1);
}
- out_data = conn->push_buf;
- *out_len = conn->push_buf_len;
+ if (conn->push_buf == NULL)
+ return NULL;
+ out_data = wpabuf_alloc_ext_data(conn->push_buf, conn->push_buf_len);
+ if (out_data == NULL)
+ os_free(conn->push_buf);
conn->push_buf = NULL;
conn->push_buf_len = 0;
return out_data;
}
-u8 * tls_connection_server_handshake(void *tls_ctx,
- struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- size_t *out_len)
+struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data,
+ struct wpabuf **appl_data)
{
return NULL;
}
-int tls_connection_encrypt(void *tls_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- u8 *out_data, size_t out_len)
+struct wpabuf * tls_connection_encrypt(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data)
{
PRInt32 res;
+ struct wpabuf *buf;
- wpa_printf(MSG_DEBUG, "NSS: encrypt %d bytes", (int) in_len);
- res = PR_Send(conn->fd, in_data, in_len, 0, 0);
+ wpa_printf(MSG_DEBUG, "NSS: encrypt %d bytes",
+ (int) wpabuf_len(in_data));
+ res = PR_Send(conn->fd, wpabuf_head(in_data), wpabuf_len(in_data), 0,
+ 0);
if (res < 0) {
wpa_printf(MSG_ERROR, "NSS: Encryption failed");
- return -1;
+ return NULL;
}
if (conn->push_buf == NULL)
- return -1;
- if (conn->push_buf_len < out_len)
- out_len = conn->push_buf_len;
- else if (conn->push_buf_len > out_len) {
- wpa_printf(MSG_INFO, "NSS: Not enough buffer space for "
- "encrypted message (in_len=%lu push_buf_len=%lu "
- "out_len=%lu",
- (unsigned long) in_len,
- (unsigned long) conn->push_buf_len,
- (unsigned long) out_len);
- }
- os_memcpy(out_data, conn->push_buf, out_len);
- os_free(conn->push_buf);
+ return NULL;
+ buf = wpabuf_alloc_ext_data(conn->push_buf, conn->push_buf_len);
+ if (buf == NULL)
+ os_free(conn->push_buf);
conn->push_buf = NULL;
conn->push_buf_len = 0;
- return out_len;
+ return buf;
}
-int tls_connection_decrypt(void *tls_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- u8 *out_data, size_t out_len)
+struct wpabuf * tls_connection_decrypt(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data)
{
PRInt32 res;
+ struct wpabuf *out;
- wpa_printf(MSG_DEBUG, "NSS: decrypt %d bytes", (int) in_len);
+ wpa_printf(MSG_DEBUG, "NSS: decrypt %d bytes",
+ (int) wpabuf_len(in_data));
if (conn->pull_buf) {
wpa_printf(MSG_DEBUG, "%s - %lu bytes remaining in "
"pull_buf", __func__,
(unsigned long) conn->pull_buf_len);
os_free(conn->pull_buf);
}
- conn->pull_buf = os_malloc(in_len);
+ conn->pull_buf = os_malloc(wpabuf_len(in_data));
if (conn->pull_buf == NULL)
- return -1;
- os_memcpy(conn->pull_buf, in_data, in_len);
+ return NULL;
+ os_memcpy(conn->pull_buf, wpabuf_head(in_data), wpabuf_len(in_data));
conn->pull_buf_offset = conn->pull_buf;
- conn->pull_buf_len = in_len;
+ conn->pull_buf_len = wpabuf_len(in_data);
+
+ /*
+ * Even though we try to disable TLS compression, it is possible that
+ * this cannot be done with all TLS libraries. Add extra buffer space
+ * to handle the possibility of the decrypted data being longer than
+ * input data.
+ */
+ out = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
+ if (out == NULL)
+ return NULL;
- res = PR_Recv(conn->fd, out_data, out_len, 0, 0);
+ res = PR_Recv(conn->fd, wpabuf_mhead(out), wpabuf_size(out), 0, 0);
wpa_printf(MSG_DEBUG, "NSS: PR_Recv: %d", res);
+ if (res < 0) {
+ wpabuf_free(out);
+ return NULL;
+ }
+ wpabuf_put(out, res);
- return res;
+ return out;
}
/*
- * WPA Supplicant / SSL/TLS interface functions for openssl
+ * SSL/TLS interface functions for OpenSSL
* Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
}
-u8 * tls_connection_handshake(void *ssl_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- size_t *out_len, u8 **appl_data,
- size_t *appl_data_len)
+static struct wpabuf *
+openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data,
+ int server)
{
int res;
- u8 *out_data;
-
- if (appl_data)
- *appl_data = NULL;
+ struct wpabuf *out_data;
/*
* Give TLS handshake data from the server (if available) to OpenSSL
* for processing.
*/
if (in_data &&
- BIO_write(conn->ssl_in, in_data, in_len) < 0) {
+ BIO_write(conn->ssl_in, wpabuf_head(in_data), wpabuf_len(in_data))
+ < 0) {
tls_show_errors(MSG_INFO, __func__,
"Handshake failed - BIO_write");
return NULL;
}
/* Initiate TLS handshake or continue the existing handshake */
- res = SSL_connect(conn->ssl);
+ if (server)
+ res = SSL_accept(conn->ssl);
+ else
+ res = SSL_connect(conn->ssl);
if (res != 1) {
int err = SSL_get_error(conn->ssl, res);
if (err == SSL_ERROR_WANT_READ)
/* Get the TLS handshake data to be sent to the server */
res = BIO_ctrl_pending(conn->ssl_out);
wpa_printf(MSG_DEBUG, "SSL: %d bytes pending from ssl_out", res);
- out_data = os_malloc(res == 0 ? 1 : res);
+ out_data = wpabuf_alloc(res);
if (out_data == NULL) {
wpa_printf(MSG_DEBUG, "SSL: Failed to allocate memory for "
"handshake output (%d bytes)", res);
tls_show_errors(MSG_INFO, __func__,
"BIO_reset failed");
}
- *out_len = 0;
return NULL;
}
- res = res == 0 ? 0 : BIO_read(conn->ssl_out, out_data, res);
+ res = res == 0 ? 0 : BIO_read(conn->ssl_out, wpabuf_mhead(out_data),
+ res);
if (res < 0) {
tls_show_errors(MSG_INFO, __func__,
"Handshake failed - BIO_read");
tls_show_errors(MSG_INFO, __func__,
"BIO_reset failed");
}
- *out_len = 0;
+ wpabuf_free(out_data);
return NULL;
}
- *out_len = res;
-
- if (SSL_is_init_finished(conn->ssl) && appl_data) {
- *appl_data = os_malloc(in_len);
- if (*appl_data) {
- res = SSL_read(conn->ssl, *appl_data, in_len);
- if (res < 0) {
- int err = SSL_get_error(conn->ssl, res);
- if (err == SSL_ERROR_WANT_READ ||
- err == SSL_ERROR_WANT_WRITE) {
- wpa_printf(MSG_DEBUG,
- "SSL: No Application Data "
- "included");
- } else {
- tls_show_errors(MSG_INFO, __func__,
- "Failed to read "
- "possible "
- "Application Data");
- }
- os_free(*appl_data);
- *appl_data = NULL;
- } else {
- *appl_data_len = res;
- wpa_hexdump_key(MSG_MSGDUMP, "SSL: Application"
- " Data in Finish message",
- *appl_data, *appl_data_len);
- }
- }
- }
+ wpabuf_put(out_data, res);
return out_data;
}
-u8 * tls_connection_server_handshake(void *ssl_ctx,
- struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- size_t *out_len)
+static struct wpabuf *
+openssl_get_appl_data(struct tls_connection *conn, size_t max_len)
{
+ struct wpabuf *appl_data;
int res;
- u8 *out_data;
- /*
- * Give TLS handshake data from the client (if available) to OpenSSL
- * for processing.
- */
- if (in_data &&
- BIO_write(conn->ssl_in, in_data, in_len) < 0) {
- tls_show_errors(MSG_INFO, __func__,
- "Handshake failed - BIO_write");
+ appl_data = wpabuf_alloc(max_len + 100);
+ if (appl_data == NULL)
return NULL;
- }
- /* Initiate TLS handshake or continue the existing handshake */
- res = SSL_accept(conn->ssl);
- if (res != 1) {
+ res = SSL_read(conn->ssl, wpabuf_mhead(appl_data),
+ wpabuf_size(appl_data));
+ if (res < 0) {
int err = SSL_get_error(conn->ssl, res);
- if (err == SSL_ERROR_WANT_READ)
- wpa_printf(MSG_DEBUG, "SSL: SSL_accept - want "
- "more data");
- else if (err == SSL_ERROR_WANT_WRITE)
- wpa_printf(MSG_DEBUG, "SSL: SSL_accept - want to "
- "write");
- else {
- tls_show_errors(MSG_INFO, __func__, "SSL_accept");
- return NULL;
- }
- }
-
- /* Get the TLS handshake data to be sent to the client */
- res = BIO_ctrl_pending(conn->ssl_out);
- wpa_printf(MSG_DEBUG, "SSL: %d bytes pending from ssl_out", res);
- out_data = os_malloc(res == 0 ? 1 : res);
- if (out_data == NULL) {
- wpa_printf(MSG_DEBUG, "SSL: Failed to allocate memory for "
- "handshake output (%d bytes)", res);
- if (BIO_reset(conn->ssl_out) < 0) {
+ if (err == SSL_ERROR_WANT_READ ||
+ err == SSL_ERROR_WANT_WRITE) {
+ wpa_printf(MSG_DEBUG, "SSL: No Application Data "
+ "included");
+ } else {
tls_show_errors(MSG_INFO, __func__,
- "BIO_reset failed");
+ "Failed to read possible "
+ "Application Data");
}
- *out_len = 0;
+ wpabuf_free(appl_data);
return NULL;
}
- res = res == 0 ? 0 : BIO_read(conn->ssl_out, out_data, res);
- if (res < 0) {
- tls_show_errors(MSG_INFO, __func__,
- "Handshake failed - BIO_read");
- if (BIO_reset(conn->ssl_out) < 0) {
- tls_show_errors(MSG_INFO, __func__,
- "BIO_reset failed");
- }
- *out_len = 0;
+
+ wpabuf_put(appl_data, res);
+ wpa_hexdump_buf_key(MSG_MSGDUMP, "SSL: Application Data in Finished "
+ "message", appl_data);
+
+ return appl_data;
+}
+
+
+static struct wpabuf *
+openssl_connection_handshake(struct tls_connection *conn,
+ const struct wpabuf *in_data,
+ struct wpabuf **appl_data, int server)
+{
+ struct wpabuf *out_data;
+
+ if (appl_data)
+ *appl_data = NULL;
+
+ out_data = openssl_handshake(conn, in_data, server);
+ if (out_data == NULL)
return NULL;
- }
- *out_len = res;
+
+ if (SSL_is_init_finished(conn->ssl) && appl_data && in_data)
+ *appl_data = openssl_get_appl_data(conn, wpabuf_len(in_data));
+
return out_data;
}
-int tls_connection_encrypt(void *ssl_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- u8 *out_data, size_t out_len)
+struct wpabuf *
+tls_connection_handshake(void *ssl_ctx, struct tls_connection *conn,
+ const struct wpabuf *in_data,
+ struct wpabuf **appl_data)
+{
+ return openssl_connection_handshake(conn, in_data, appl_data, 0);
+}
+
+
+struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data,
+ struct wpabuf **appl_data)
+{
+ return openssl_connection_handshake(conn, in_data, appl_data, 1);
+}
+
+
+struct wpabuf * tls_connection_encrypt(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data)
{
int res;
+ struct wpabuf *buf;
if (conn == NULL)
- return -1;
+ return NULL;
/* Give plaintext data for OpenSSL to encrypt into the TLS tunnel. */
if ((res = BIO_reset(conn->ssl_in)) < 0 ||
(res = BIO_reset(conn->ssl_out)) < 0) {
tls_show_errors(MSG_INFO, __func__, "BIO_reset failed");
- return res;
+ return NULL;
}
- res = SSL_write(conn->ssl, in_data, in_len);
+ res = SSL_write(conn->ssl, wpabuf_head(in_data), wpabuf_len(in_data));
if (res < 0) {
tls_show_errors(MSG_INFO, __func__,
"Encryption failed - SSL_write");
- return res;
+ return NULL;
}
/* Read encrypted data to be sent to the server */
- res = BIO_read(conn->ssl_out, out_data, out_len);
+ buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
+ if (buf == NULL)
+ return NULL;
+ res = BIO_read(conn->ssl_out, wpabuf_mhead(buf), wpabuf_size(buf));
if (res < 0) {
tls_show_errors(MSG_INFO, __func__,
"Encryption failed - BIO_read");
- return res;
+ wpabuf_free(buf);
+ return NULL;
}
+ wpabuf_put(buf, res);
- return res;
+ return buf;
}
-int tls_connection_decrypt(void *ssl_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- u8 *out_data, size_t out_len)
+struct wpabuf * tls_connection_decrypt(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data)
{
int res;
+ struct wpabuf *buf;
/* Give encrypted data from TLS tunnel for OpenSSL to decrypt. */
- res = BIO_write(conn->ssl_in, in_data, in_len);
+ res = BIO_write(conn->ssl_in, wpabuf_head(in_data),
+ wpabuf_len(in_data));
if (res < 0) {
tls_show_errors(MSG_INFO, __func__,
"Decryption failed - BIO_write");
- return res;
+ return NULL;
}
if (BIO_reset(conn->ssl_out) < 0) {
tls_show_errors(MSG_INFO, __func__, "BIO_reset failed");
- return res;
+ return NULL;
}
/* Read decrypted data for further processing */
- res = SSL_read(conn->ssl, out_data, out_len);
+ /*
+ * Even though we try to disable TLS compression, it is possible that
+ * this cannot be done with all TLS libraries. Add extra buffer space
+ * to handle the possibility of the decrypted data being longer than
+ * input data.
+ */
+ buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
+ if (buf == NULL)
+ return NULL;
+ res = SSL_read(conn->ssl, wpabuf_mhead(buf), wpabuf_size(buf));
if (res < 0) {
tls_show_errors(MSG_INFO, __func__,
"Decryption failed - SSL_read");
- return res;
+ return NULL;
}
+ wpabuf_put(buf, res);
- return res;
+ return buf;
}
/*
- * WPA Supplicant / SSL/TLS interface functions for Microsoft Schannel
- * Copyright (c) 2005, Jouni Malinen <j@w1.fi>
+ * SSL/TLS interface functions for Microsoft Schannel
+ * Copyright (c) 2005-2009, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
}
-static u8 * tls_conn_hs_clienthello(struct tls_global *global,
- struct tls_connection *conn,
- size_t *out_len)
+static struct wpabuf * tls_conn_hs_clienthello(struct tls_global *global,
+ struct tls_connection *conn)
{
DWORD sspi_flags, sspi_flags_out;
SecBufferDesc outbuf;
}
if (outbufs[0].cbBuffer != 0 && outbufs[0].pvBuffer) {
- u8 *buf;
+ struct wpabuf *buf;
wpa_hexdump(MSG_MSGDUMP, "SChannel - ClientHello",
outbufs[0].pvBuffer, outbufs[0].cbBuffer);
conn->start = 0;
- *out_len = outbufs[0].cbBuffer;
- buf = os_malloc(*out_len);
+ buf = wpabuf_alloc_copy(outbufs[0].pvBuffer,
+ outbufs[0].cbBuffer);
if (buf == NULL)
return NULL;
- os_memcpy(buf, outbufs[0].pvBuffer, *out_len);
global->sspi->FreeContextBuffer(outbufs[0].pvBuffer);
return buf;
}
}
-u8 * tls_connection_handshake(void *ssl_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- size_t *out_len, u8 **appl_data,
- size_t *appl_data_len)
+struct wpabuf * tls_connection_handshake(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data,
+ struct wpabuf **appl_data)
{
- struct tls_global *global = ssl_ctx;
+ struct tls_global *global = tls_ctx;
DWORD sspi_flags, sspi_flags_out;
SecBufferDesc inbuf, outbuf;
SecBuffer inbufs[2], outbufs[1];
SECURITY_STATUS status;
TimeStamp ts_expiry;
- u8 *out_buf = NULL;
+ struct wpabuf *out_buf = NULL;
if (appl_data)
*appl_data = NULL;
- if (conn->start) {
- return tls_conn_hs_clienthello(global, conn, out_len);
- }
+ if (conn->start)
+ return tls_conn_hs_clienthello(global, conn);
wpa_printf(MSG_DEBUG, "SChannel: %d bytes handshake data to process",
- in_len);
+ (int) wpabuf_len(in_data));
sspi_flags = ISC_REQ_REPLAY_DETECT |
ISC_REQ_CONFIDENTIALITY |
ISC_REQ_MANUAL_CRED_VALIDATION;
/* Input buffer for Schannel */
- inbufs[0].pvBuffer = (u8 *) in_data;
- inbufs[0].cbBuffer = in_len;
+ inbufs[0].pvBuffer = (u8 *) wpabuf_head(in_data);
+ inbufs[0].cbBuffer = wpabuf_len(in_data);
inbufs[0].BufferType = SECBUFFER_TOKEN;
/* Place for leftover data from Schannel */
if (outbufs[0].cbBuffer != 0 && outbufs[0].pvBuffer) {
wpa_hexdump(MSG_MSGDUMP, "SChannel - output",
outbufs[0].pvBuffer, outbufs[0].cbBuffer);
- *out_len = outbufs[0].cbBuffer;
- out_buf = os_malloc(*out_len);
- if (out_buf)
- os_memcpy(out_buf, outbufs[0].pvBuffer,
- *out_len);
+ out_buf = wpabuf_alloc_copy(outbufs[0].pvBuffer,
+ outbufs[0].cbBuffer);
global->sspi->FreeContextBuffer(outbufs[0].pvBuffer);
outbufs[0].pvBuffer = NULL;
if (out_buf == NULL)
/* Need to return something to get final TLS ACK. */
if (out_buf == NULL)
- out_buf = os_malloc(1);
+ out_buf = wpabuf_alloc(0);
if (inbufs[1].BufferType == SECBUFFER_EXTRA) {
wpa_hexdump(MSG_MSGDUMP, "SChannel - Encrypted "
"application data",
inbufs[1].pvBuffer, inbufs[1].cbBuffer);
if (appl_data) {
- *appl_data_len = outbufs[1].cbBuffer;
- appl_data = os_malloc(*appl_data_len);
- if (appl_data)
- os_memcpy(appl_data,
- outbufs[1].pvBuffer,
- *appl_data_len);
+ *appl_data = wpabuf_alloc_copy(
+ outbufs[1].pvBuffer,
+ outbufs[1].cbBuffer);
}
global->sspi->FreeContextBuffer(inbufs[1].pvBuffer);
inbufs[1].pvBuffer = NULL;
}
-u8 * tls_connection_server_handshake(void *ssl_ctx,
- struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- size_t *out_len)
+struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data,
+ struct wpabuf **appl_data)
{
return NULL;
}
-int tls_connection_encrypt(void *ssl_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- u8 *out_data, size_t out_len)
+struct wpabuf * tls_connection_encrypt(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data)
{
- struct tls_global *global = ssl_ctx;
+ struct tls_global *global = tls_ctx;
SECURITY_STATUS status;
SecBufferDesc buf;
SecBuffer bufs[4];
SecPkgContext_StreamSizes sizes;
int i;
- size_t total_len;
+ struct wpabuf *out;
status = global->sspi->QueryContextAttributes(&conn->context,
SECPKG_ATTR_STREAM_SIZES,
if (status != SEC_E_OK) {
wpa_printf(MSG_DEBUG, "%s: QueryContextAttributes failed",
__func__);
- return -1;
+ return NULL;
}
wpa_printf(MSG_DEBUG, "%s: Stream sizes: header=%u trailer=%u",
__func__,
(unsigned int) sizes.cbHeader,
(unsigned int) sizes.cbTrailer);
- total_len = sizes.cbHeader + in_len + sizes.cbTrailer;
-
- if (out_len < total_len) {
- wpa_printf(MSG_DEBUG, "%s: too short out_data (out_len=%lu "
- "in_len=%lu total_len=%lu)", __func__,
- (unsigned long) out_len, (unsigned long) in_len,
- (unsigned long) total_len);
- return -1;
- }
+ out = wpabuf_alloc(sizes.cbHeader + wpabuf_len(in_data) +
+ sizes.cbTrailer);
os_memset(&bufs, 0, sizeof(bufs));
- bufs[0].pvBuffer = out_data;
+ bufs[0].pvBuffer = wpabuf_put(out, sizes.cbHeader);
bufs[0].cbBuffer = sizes.cbHeader;
bufs[0].BufferType = SECBUFFER_STREAM_HEADER;
- os_memcpy(out_data + sizes.cbHeader, in_data, in_len);
- bufs[1].pvBuffer = out_data + sizes.cbHeader;
- bufs[1].cbBuffer = in_len;
+ bufs[1].pvBuffer = wpabuf_put(out, 0);
+ wpabuf_put_buf(out, in_data);
+ bufs[1].cbBuffer = wpabuf_len(in_data);
bufs[1].BufferType = SECBUFFER_DATA;
- bufs[2].pvBuffer = out_data + sizes.cbHeader + in_len;
+ bufs[2].pvBuffer = wpabuf_put(out, sizes.cbTrailer);
bufs[2].cbBuffer = sizes.cbTrailer;
bufs[2].BufferType = SECBUFFER_STREAM_TRAILER;
(int) bufs[2].cbBuffer, (int) bufs[2].BufferType);
wpa_printf(MSG_MSGDUMP, "Schannel: EncryptMessage pointers: "
"out_data=%p bufs %p %p %p",
- out_data, bufs[0].pvBuffer, bufs[1].pvBuffer,
+ wpabuf_head(out), bufs[0].pvBuffer, bufs[1].pvBuffer,
bufs[2].pvBuffer);
for (i = 0; i < 3; i++) {
if (status == SEC_E_OK) {
wpa_printf(MSG_DEBUG, "%s: SEC_E_OK", __func__);
- wpa_hexdump_key(MSG_MSGDUMP, "Schannel: Encrypted data from "
- "EncryptMessage", out_data, total_len);
- return total_len;
+ wpa_hexdump_buf_key(MSG_MSGDUMP, "Schannel: Encrypted data "
+ "from EncryptMessage", out);
+ return out;
}
wpa_printf(MSG_DEBUG, "%s: Failed - status=%d",
__func__, (int) status);
- return -1;
+ wpabuf_free(out);
+ return NULL;
}
-int tls_connection_decrypt(void *ssl_ctx, struct tls_connection *conn,
- const u8 *in_data, size_t in_len,
- u8 *out_data, size_t out_len)
+struct wpabuf * tls_connection_decrypt(void *tls_ctx,
+ struct tls_connection *conn,
+ const struct wpabuf *in_data)
{
- struct tls_global *global = ssl_ctx;
+ struct tls_global *global = tls_ctx;
SECURITY_STATUS status;
SecBufferDesc buf;
SecBuffer bufs[4];
int i;
+ struct wpabuf *out, *tmp;
- if (out_len < in_len) {
- wpa_printf(MSG_DEBUG, "%s: out_len=%lu < in_len=%lu", __func__,
- (unsigned long) out_len, (unsigned long) in_len);
- return -1;
- }
-
- wpa_hexdump(MSG_MSGDUMP, "Schannel: Encrypted data to DecryptMessage",
- in_data, in_len);
+ wpa_hexdump_buf(MSG_MSGDUMP,
+ "Schannel: Encrypted data to DecryptMessage", in_data);
os_memset(&bufs, 0, sizeof(bufs));
- os_memcpy(out_data, in_data, in_len);
- bufs[0].pvBuffer = out_data;
- bufs[0].cbBuffer = in_len;
+ tmp = wpabuf_dup(in_data);
+ if (tmp == NULL)
+ return NULL;
+ bufs[0].pvBuffer = wpabuf_mhead(tmp);
+ bufs[0].cbBuffer = wpabuf_len(in_data);
bufs[0].BufferType = SECBUFFER_DATA;
bufs[1].BufferType = SECBUFFER_EMPTY;
(int) bufs[3].cbBuffer, (int) bufs[3].BufferType);
wpa_printf(MSG_MSGDUMP, "Schannel: DecryptMessage pointers: "
"out_data=%p bufs %p %p %p %p",
- out_data, bufs[0].pvBuffer, bufs[1].pvBuffer,
+ wpabuf_head(tmp), bufs[0].pvBuffer, bufs[1].pvBuffer,
bufs[2].pvBuffer, bufs[3].pvBuffer);
switch (status) {
if (i == 4) {
wpa_printf(MSG_DEBUG, "%s: No output data from "
"DecryptMessage", __func__);
- return -1;
+ wpabuf_free(tmp);
+ return NULL;
}
wpa_hexdump_key(MSG_MSGDUMP, "Schannel: Decrypted data from "
"DecryptMessage",
bufs[i].pvBuffer, bufs[i].cbBuffer);
- if (bufs[i].cbBuffer > out_len) {
- wpa_printf(MSG_DEBUG, "%s: Too long output data",
- __func__);
- return -1;
- }
- os_memmove(out_data, bufs[i].pvBuffer, bufs[i].cbBuffer);
- return bufs[i].cbBuffer;
+ out = wpabuf_alloc_copy(bufs[i].pvBuffer, bufs[i].cbBuffer);
+ wpabuf_free(tmp);
+ return out;
}
wpa_printf(MSG_DEBUG, "%s: Failed - status=%d",
__func__, (int) status);
- return -1;
+ wpabuf_free(tmp);
+ return NULL;
}
/*
* EAP peer: EAP-TLS/PEAP/TTLS/FAST common functions
- * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* eap_peer_tls_reassemble_fragment - Reassemble a received fragment
* @data: Data for TLS processing
* @in_data: Next incoming TLS segment
- * @in_len: Length of in_data
* Returns: 0 on success, 1 if more data is needed for the full message, or
* -1 on error
*/
static int eap_peer_tls_reassemble_fragment(struct eap_ssl_data *data,
- const u8 *in_data, size_t in_len)
+ const struct wpabuf *in_data)
{
- u8 *buf;
+ size_t tls_in_len, in_len;
+
+ tls_in_len = data->tls_in ? wpabuf_len(data->tls_in) : 0;
+ in_len = in_data ? wpabuf_len(in_data) : 0;
- if (data->tls_in_len + in_len == 0) {
+ if (tls_in_len + in_len == 0) {
/* No message data received?! */
wpa_printf(MSG_WARNING, "SSL: Invalid reassembly state: "
"tls_in_left=%lu tls_in_len=%lu in_len=%lu",
(unsigned long) data->tls_in_left,
- (unsigned long) data->tls_in_len,
+ (unsigned long) tls_in_len,
(unsigned long) in_len);
eap_peer_tls_reset_input(data);
return -1;
}
- if (data->tls_in_len + in_len > 65536) {
+ if (tls_in_len + in_len > 65536) {
/*
* Limit length to avoid rogue servers from causing large
* memory allocations.
return -1;
}
- buf = os_realloc(data->tls_in, data->tls_in_len + in_len);
- if (buf == NULL) {
+ if (wpabuf_resize(&data->tls_in, in_len) < 0) {
wpa_printf(MSG_INFO, "SSL: Could not allocate memory for TLS "
"data");
eap_peer_tls_reset_input(data);
return -1;
}
- os_memcpy(buf + data->tls_in_len, in_data, in_len);
- data->tls_in = buf;
- data->tls_in_len += in_len;
+ wpabuf_put_buf(data->tls_in, in_data);
data->tls_in_left -= in_len;
if (data->tls_in_left > 0) {
* eap_peer_tls_data_reassemble - Reassemble TLS data
* @data: Data for TLS processing
* @in_data: Next incoming TLS segment
- * @in_len: Length of in_data
- * @out_len: Variable for returning length of the reassembled message
* @need_more_input: Variable for returning whether more input data is needed
* to reassemble this TLS packet
* Returns: Pointer to output data, %NULL on error or when more data is needed
* This function reassembles TLS fragments. Caller must not free the returned
* data buffer since an internal pointer to it is maintained.
*/
-const u8 * eap_peer_tls_data_reassemble(
- struct eap_ssl_data *data, const u8 *in_data, size_t in_len,
- size_t *out_len, int *need_more_input)
+static const struct wpabuf * eap_peer_tls_data_reassemble(
+ struct eap_ssl_data *data, const struct wpabuf *in_data,
+ int *need_more_input)
{
*need_more_input = 0;
- if (data->tls_in_left > in_len || data->tls_in) {
+ if (data->tls_in_left > wpabuf_len(in_data) || data->tls_in) {
/* Message has fragments */
- int res = eap_peer_tls_reassemble_fragment(data, in_data,
- in_len);
+ int res = eap_peer_tls_reassemble_fragment(data, in_data);
if (res) {
if (res == 1)
*need_more_input = 1;
} else {
/* No fragments in this message, so just make a copy of it. */
data->tls_in_left = 0;
- data->tls_in = os_malloc(in_len ? in_len : 1);
+ data->tls_in = wpabuf_dup(in_data);
if (data->tls_in == NULL)
return NULL;
- os_memcpy(data->tls_in, in_data, in_len);
- data->tls_in_len = in_len;
}
- *out_len = data->tls_in_len;
return data->tls_in;
}
const u8 *in_data, size_t in_len,
struct wpabuf **out_data)
{
- const u8 *msg;
- size_t msg_len;
+ const struct wpabuf *msg;
int need_more_input;
- u8 *appl_data;
- size_t appl_data_len;
+ struct wpabuf *appl_data;
+ struct wpabuf buf;
- msg = eap_peer_tls_data_reassemble(data, in_data, in_len,
- &msg_len, &need_more_input);
+ wpabuf_set(&buf, in_data, in_len);
+ msg = eap_peer_tls_data_reassemble(data, &buf, &need_more_input);
if (msg == NULL)
return need_more_input ? 1 : -1;
/* This should not happen.. */
wpa_printf(MSG_INFO, "SSL: eap_tls_process_input - pending "
"tls_out data even though tls_out_len = 0");
- os_free(data->tls_out);
+ wpabuf_free(data->tls_out);
WPA_ASSERT(data->tls_out == NULL);
}
appl_data = NULL;
data->tls_out = tls_connection_handshake(sm->ssl_ctx, data->conn,
- msg, msg_len,
- &data->tls_out_len,
- &appl_data, &appl_data_len);
+ msg, &appl_data);
eap_peer_tls_reset_input(data);
if (appl_data &&
tls_connection_established(sm->ssl_ctx, data->conn) &&
!tls_connection_get_failed(sm->ssl_ctx, data->conn)) {
- wpa_hexdump_key(MSG_MSGDUMP, "SSL: Application data",
- appl_data, appl_data_len);
- *out_data = wpabuf_alloc_ext_data(appl_data, appl_data_len);
- if (*out_data == NULL) {
- os_free(appl_data);
- return -1;
- }
+ wpa_hexdump_buf_key(MSG_MSGDUMP, "SSL: Application data",
+ appl_data);
+ *out_data = appl_data;
return 2;
}
- os_free(appl_data);
+ wpabuf_free(appl_data);
return 0;
}
size_t len;
u8 *flags;
int more_fragments, length_included;
-
- len = data->tls_out_len - data->tls_out_pos;
+
+ if (data->tls_out == NULL)
+ return -1;
+ len = wpabuf_len(data->tls_out) - data->tls_out_pos;
wpa_printf(MSG_DEBUG, "SSL: %lu bytes left to be sent out (of total "
"%lu bytes)",
- (unsigned long) len, (unsigned long) data->tls_out_len);
+ (unsigned long) len,
+ (unsigned long) wpabuf_len(data->tls_out));
/*
* Limit outgoing message to the configured maximum size. Fragment
more_fragments = 0;
length_included = data->tls_out_pos == 0 &&
- (data->tls_out_len > data->tls_out_limit ||
+ (wpabuf_len(data->tls_out) > data->tls_out_limit ||
data->include_tls_length);
if (!length_included &&
eap_type == EAP_TYPE_PEAP && peap_version == 0 &&
*flags |= EAP_TLS_FLAGS_MORE_FRAGMENTS;
if (length_included) {
*flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED;
- wpabuf_put_be32(*out_data, data->tls_out_len);
+ wpabuf_put_be32(*out_data, wpabuf_len(data->tls_out));
}
- wpabuf_put_data(*out_data, &data->tls_out[data->tls_out_pos], len);
+ wpabuf_put_data(*out_data,
+ wpabuf_head_u8(data->tls_out) + data->tls_out_pos,
+ len);
data->tls_out_pos += len;
if (!more_fragments)
*out_data = NULL;
- if (data->tls_out_len > 0 && in_len > 0) {
+ if (data->tls_out && wpabuf_len(data->tls_out) > 0 && in_len > 0) {
wpa_printf(MSG_DEBUG, "SSL: Received non-ACK when output "
"fragments are waiting to be sent out");
return -1;
}
- if (data->tls_out_len == 0) {
+ if (data->tls_out == NULL || wpabuf_len(data->tls_out) == 0) {
/*
* No more data to send out - expect to receive more data from
* the AS.
/* TODO: clean pin if engine used? */
}
- if (data->tls_out_len == 0) {
+ if (data->tls_out == NULL || wpabuf_len(data->tls_out) == 0) {
/*
* TLS negotiation should now be complete since all other cases
* needing more data should have been caught above based on
* the TLS Message Length field.
*/
wpa_printf(MSG_DEBUG, "SSL: No data to be sent out");
- os_free(data->tls_out);
+ wpabuf_free(data->tls_out);
data->tls_out = NULL;
return 1;
}
if (data->tls_in_left == 0) {
data->tls_in_total = tls_msg_len;
data->tls_in_left = tls_msg_len;
- os_free(data->tls_in);
+ wpabuf_free(data->tls_in);
data->tls_in = NULL;
- data->tls_in_len = 0;
}
pos += 4;
left -= 4;
*/
void eap_peer_tls_reset_input(struct eap_ssl_data *data)
{
- data->tls_in_left = data->tls_in_total = data->tls_in_len = 0;
- os_free(data->tls_in);
+ data->tls_in_left = data->tls_in_total = 0;
+ wpabuf_free(data->tls_in);
data->tls_in = NULL;
}
*/
void eap_peer_tls_reset_output(struct eap_ssl_data *data)
{
- data->tls_out_len = 0;
data->tls_out_pos = 0;
- os_free(data->tls_out);
+ wpabuf_free(data->tls_out);
data->tls_out = NULL;
}
const struct wpabuf *in_data,
struct wpabuf **in_decrypted)
{
- int res;
- const u8 *msg;
- size_t msg_len, buf_len;
+ const struct wpabuf *msg;
int need_more_input;
- msg = eap_peer_tls_data_reassemble(data, wpabuf_head(in_data),
- wpabuf_len(in_data), &msg_len,
- &need_more_input);
+ msg = eap_peer_tls_data_reassemble(data, in_data, &need_more_input);
if (msg == NULL)
return need_more_input ? 1 : -1;
- buf_len = wpabuf_len(in_data);
- if (data->tls_in_total > buf_len)
- buf_len = data->tls_in_total;
- /*
- * Even though we try to disable TLS compression, it is possible that
- * this cannot be done with all TLS libraries. Add extra buffer space
- * to handle the possibility of the decrypted data being longer than
- * input data.
- */
- buf_len += 500;
- buf_len *= 3;
- *in_decrypted = wpabuf_alloc(buf_len ? buf_len : 1);
- if (*in_decrypted == NULL) {
- eap_peer_tls_reset_input(data);
- wpa_printf(MSG_WARNING, "SSL: Failed to allocate memory for "
- "decryption");
- return -1;
- }
-
- res = tls_connection_decrypt(sm->ssl_ctx, data->conn, msg, msg_len,
- wpabuf_mhead(*in_decrypted), buf_len);
+ *in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->conn, msg);
eap_peer_tls_reset_input(data);
- if (res < 0) {
+ if (*in_decrypted == NULL) {
wpa_printf(MSG_INFO, "SSL: Failed to decrypt Phase 2 data");
return -1;
}
- wpabuf_put(*in_decrypted, res);
return 0;
}
const struct wpabuf *in_data,
struct wpabuf **out_data)
{
- int res;
- size_t len;
-
if (in_data) {
eap_peer_tls_reset_output(data);
- len = wpabuf_len(in_data) + 300;
- data->tls_out = os_malloc(len);
- if (data->tls_out == NULL)
- return -1;
-
- res = tls_connection_encrypt(sm->ssl_ctx, data->conn,
- wpabuf_head(in_data),
- wpabuf_len(in_data),
- data->tls_out, len);
- if (res < 0) {
+ data->tls_out = tls_connection_encrypt(sm->ssl_ctx, data->conn,
+ in_data);
+ if (data->tls_out == NULL) {
wpa_printf(MSG_INFO, "SSL: Failed to encrypt Phase 2 "
"data (in_len=%lu)",
(unsigned long) wpabuf_len(in_data));
eap_peer_tls_reset_output(data);
return -1;
}
-
- data->tls_out_len = res;
}
return eap_tls_process_output(data, eap_type, peap_version, id, 0,
/*
* EAP peer: EAP-TLS/PEAP/TTLS/FAST common functions
- * Copyright (c) 2004-2006, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
/**
* tls_out - TLS message to be sent out in fragments
*/
- u8 *tls_out;
-
- /**
- * tls_out_len - Total length of the outgoing TLS message
- */
- size_t tls_out_len;
+ struct wpabuf *tls_out;
/**
* tls_out_pos - The current position in the outgoing TLS message
/**
* tls_in - Received TLS message buffer for re-assembly
*/
- u8 *tls_in;
-
- /**
- * tls_in_len - Number of bytes of the received TLS message in tls_in
- */
- size_t tls_in_len;
+ struct wpabuf *tls_in;
/**
* tls_in_left - Number of remaining bytes in the incoming TLS message
void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data);
u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
const char *label, size_t len);
-const u8 * eap_peer_tls_data_reassemble(
- struct eap_ssl_data *data, const u8 *in_data, size_t in_len,
- size_t *out_len, int *need_more_input);
int eap_peer_tls_process_helper(struct eap_sm *sm, struct eap_ssl_data *data,
EapType eap_type, int peap_version,
u8 id, const u8 *in_data, size_t in_len,
wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Encrypting Phase 2 TLVs",
plain);
- encr = eap_server_tls_encrypt(sm, &data->ssl, wpabuf_mhead(plain),
- wpabuf_len(plain));
+ encr = eap_server_tls_encrypt(sm, &data->ssl, plain);
wpabuf_free(plain);
if (data->ssl.out_buf && piggyback) {
}
-static int eap_fast_parse_tlvs(u8 *data, size_t data_len,
+static int eap_fast_parse_tlvs(struct wpabuf *data,
struct eap_fast_tlv_parse *tlv)
{
int mandatory, tlv_type, len, res;
os_memset(tlv, 0, sizeof(*tlv));
- pos = data;
- end = data + data_len;
+ pos = wpabuf_mhead(data);
+ end = pos + wpabuf_len(data);
while (pos + 4 < end) {
mandatory = pos[0] & 0x80;
tlv_type = WPA_GET_BE16(pos) & 0x3fff;
static void eap_fast_process_phase2_tlvs(struct eap_sm *sm,
struct eap_fast_data *data,
- u8 *in_data, size_t in_len)
+ struct wpabuf *in_data)
{
struct eap_fast_tlv_parse tlv;
int check_crypto_binding = data->state == CRYPTO_BINDING;
- if (eap_fast_parse_tlvs(in_data, in_len, &tlv) < 0) {
+ if (eap_fast_parse_tlvs(in_data, &tlv) < 0) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to parse received "
"Phase 2 TLVs");
return;
struct eap_fast_data *data,
struct wpabuf *in_buf)
{
- u8 *in_decrypted;
- int len_decrypted;
- size_t buf_len;
- u8 *in_data;
- size_t in_len;
-
- in_data = wpabuf_mhead(in_buf);
- in_len = wpabuf_len(in_buf);
+ struct wpabuf *in_decrypted;
wpa_printf(MSG_DEBUG, "EAP-FAST: Received %lu bytes encrypted data for"
- " Phase 2", (unsigned long) in_len);
+ " Phase 2", (unsigned long) wpabuf_len(in_buf));
if (data->pending_phase2_resp) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - "
"skip decryption and use old data");
- eap_fast_process_phase2_tlvs(
- sm, data, wpabuf_mhead(data->pending_phase2_resp),
- wpabuf_len(data->pending_phase2_resp));
+ eap_fast_process_phase2_tlvs(sm, data,
+ data->pending_phase2_resp);
wpabuf_free(data->pending_phase2_resp);
data->pending_phase2_resp = NULL;
return;
}
- buf_len = in_len;
- /*
- * Even though we try to disable TLS compression, it is possible that
- * this cannot be done with all TLS libraries. Add extra buffer space
- * to handle the possibility of the decrypted data being longer than
- * input data.
- */
- buf_len += 500;
- buf_len *= 3;
- in_decrypted = os_malloc(buf_len);
+ in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
+ in_buf);
if (in_decrypted == NULL) {
- wpa_printf(MSG_WARNING, "EAP-FAST: Failed to allocate memory "
- "for decryption");
- return;
- }
-
- len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
- in_data, in_len,
- in_decrypted, buf_len);
- if (len_decrypted < 0) {
wpa_printf(MSG_INFO, "EAP-FAST: Failed to decrypt Phase 2 "
"data");
- os_free(in_decrypted);
eap_fast_state(data, FAILURE);
return;
}
- wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Decrypted Phase 2 TLVs",
- in_decrypted, len_decrypted);
+ wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Decrypted Phase 2 TLVs",
+ in_decrypted);
- eap_fast_process_phase2_tlvs(sm, data, in_decrypted, len_decrypted);
+ eap_fast_process_phase2_tlvs(sm, data, in_decrypted);
if (sm->method_pending == METHOD_PENDING_WAIT) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method is in "
"pending wait state - save decrypted response");
wpabuf_free(data->pending_phase2_resp);
- data->pending_phase2_resp = wpabuf_alloc_copy(in_decrypted,
- len_decrypted);
+ data->pending_phase2_resp = in_decrypted;
+ return;
}
- os_free(in_decrypted);
+ wpabuf_free(in_decrypted);
}
struct eap_peap_data *data,
u8 id)
{
- struct wpabuf *buf, *encr_req;
+ struct wpabuf *buf, *encr_req, msgbuf;
const u8 *req;
size_t req_len;
req_len -= sizeof(struct eap_hdr);
}
- encr_req = eap_server_tls_encrypt(sm, &data->ssl, req, req_len);
+ wpabuf_set(&msgbuf, req, req_len);
+ encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
wpabuf_free(buf);
return encr_req;
struct eap_peap_data *data,
u8 id)
{
- struct wpabuf *buf1, *buf, *encr_req;
+ struct wpabuf *buf1, *buf, *encr_req, msgbuf;
const u8 *req;
size_t req_len;
req += sizeof(struct eap_hdr);
req_len -= sizeof(struct eap_hdr);
+ wpabuf_set(&msgbuf, req, req_len);
- encr_req = eap_server_tls_encrypt(sm, &data->ssl, req, req_len);
+ encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
wpabuf_free(buf);
return encr_req;
wpa_hexdump_buf_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 TLV data",
buf);
- encr_req = eap_server_tls_encrypt(sm, &data->ssl, wpabuf_head(buf),
- wpabuf_len(buf));
+ encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf);
wpabuf_free(buf);
return encr_req;
struct eap_peap_data *data,
u8 id, int success)
{
- struct wpabuf *encr_req;
+ struct wpabuf *encr_req, msgbuf;
size_t req_len;
struct eap_hdr *hdr;
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
(u8 *) hdr, req_len);
- encr_req = eap_server_tls_encrypt(sm, &data->ssl, (u8 *) hdr, req_len);
+ wpabuf_set(&msgbuf, hdr, req_len);
+ encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
os_free(hdr);
return encr_req;
struct wpabuf *in_buf)
{
struct wpabuf *in_decrypted;
- int len_decrypted;
const struct eap_hdr *hdr;
- size_t buf_len, len;
- u8 *in_data;
- size_t in_len;
-
- in_data = wpabuf_mhead(in_buf);
- in_len = wpabuf_len(in_buf);
+ size_t len;
wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for"
- " Phase 2", (unsigned long) in_len);
+ " Phase 2", (unsigned long) wpabuf_len(in_buf));
if (data->pending_phase2_resp) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - "
return;
}
- buf_len = in_len;
- /*
- * Even though we try to disable TLS compression, it is possible that
- * this cannot be done with all TLS libraries. Add extra buffer space
- * to handle the possibility of the decrypted data being longer than
- * input data.
- */
- buf_len += 500;
- buf_len *= 3;
- in_decrypted = wpabuf_alloc(buf_len);
+ in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
+ in_buf);
if (in_decrypted == NULL) {
- wpa_printf(MSG_WARNING, "EAP-PEAP: failed to allocate memory "
- "for decryption");
- return;
- }
-
- len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
- in_data, in_len,
- wpabuf_mhead(in_decrypted),
- buf_len);
- if (len_decrypted < 0) {
wpa_printf(MSG_INFO, "EAP-PEAP: Failed to decrypt Phase 2 "
"data");
- wpabuf_free(in_decrypted);
eap_peap_state(data, FAILURE);
return;
}
- wpabuf_put(in_decrypted, len_decrypted);
wpa_hexdump_buf_key(MSG_DEBUG, "EAP-PEAP: Decrypted Phase 2 EAP",
in_decrypted);
break;
}
- os_free(in_decrypted);
+ wpabuf_free(in_decrypted);
}
struct eap_peap_data *data)
{
struct wpabuf *buf, *buf2;
- int res;
wpa_printf(MSG_DEBUG, "EAP-PEAPv2: Phase1 done, include first Phase2 "
"payload in the same message");
wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAPv2: Identity Request", buf2);
- buf = wpabuf_alloc(data->ssl.tls_out_limit);
- if (buf == NULL) {
- wpabuf_free(buf2);
- return -1;
- }
-
- res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
- wpabuf_head(buf2), wpabuf_len(buf2),
- wpabuf_put(buf, 0),
- data->ssl.tls_out_limit);
+ buf = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
+ buf2);
wpabuf_free(buf2);
- if (res < 0) {
+ if (buf == NULL) {
wpa_printf(MSG_INFO, "EAP-PEAPv2: Failed to encrypt Phase 2 "
"data");
- wpabuf_free(buf);
return -1;
}
- wpabuf_put(buf, res);
wpa_hexdump_buf(MSG_DEBUG, "EAP-PEAPv2: Encrypted Identity Request",
buf);
/*
- * hostapd / EAP-TLS/PEAP/TTLS/FAST common functions
- * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
+ * EAP-TLS/PEAP/TTLS/FAST server common functions
+ * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
{
- u8 *next;
- size_t next_len;
-
- next = tls_connection_server_handshake(
- sm->ssl_ctx, data->conn,
- wpabuf_mhead(data->in_buf),
- wpabuf_len(data->in_buf),
- &next_len);
- if (next == NULL) {
- wpa_printf(MSG_INFO, "SSL: TLS processing failed");
- return -1;
- }
if (data->out_buf) {
/* This should not happen.. */
wpa_printf(MSG_INFO, "SSL: pending tls_out data when "
"processing new message");
- os_free(data->out_buf);
+ wpabuf_free(data->out_buf);
WPA_ASSERT(data->out_buf == NULL);
}
- data->out_buf = wpabuf_alloc_ext_data(next, next_len);
+
+ data->out_buf = tls_connection_server_handshake(sm->ssl_ctx,
+ data->conn,
+ data->in_buf, NULL);
if (data->out_buf == NULL) {
- os_free(next);
+ wpa_printf(MSG_INFO, "SSL: TLS processing failed");
return -1;
}
+
return 0;
}
struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm,
struct eap_ssl_data *data,
- const u8 *plain, size_t plain_len)
+ const struct wpabuf *plain)
{
- int res;
struct wpabuf *buf;
- size_t buf_len;
- /* reserve some extra room for encryption overhead */
- buf_len = plain_len + 300;
- buf = wpabuf_alloc(buf_len);
- if (buf == NULL)
- return NULL;
- res = tls_connection_encrypt(sm->ssl_ctx, data->conn,
- plain, plain_len, wpabuf_put(buf, 0),
- buf_len);
- if (res < 0) {
+ buf = tls_connection_encrypt(sm->ssl_ctx, data->conn,
+ plain);
+ if (buf == NULL) {
wpa_printf(MSG_INFO, "SSL: Failed to encrypt Phase 2 data");
- wpabuf_free(buf);
return NULL;
}
- wpabuf_put(buf, res);
-
return buf;
}
/*
- * hostapd / EAP-TLS/PEAP/TTLS/FAST common functions
- * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
+ * EAP-TLS/PEAP/TTLS/FAST server common functions
+ * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data);
struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm,
struct eap_ssl_data *data,
- const u8 *plain, size_t plain_len);
+ const struct wpabuf *plain);
int eap_server_tls_process(struct eap_sm *sm, struct eap_ssl_data *data,
struct wpabuf *respData, void *priv, int eap_type,
int (*proc_version)(struct eap_sm *sm, void *priv,
};
-static int eap_ttls_avp_parse(u8 *buf, size_t len, struct eap_ttls_avp *parse)
+static int eap_ttls_avp_parse(struct wpabuf *buf, struct eap_ttls_avp *parse)
{
struct ttls_avp *avp;
u8 *pos;
int left;
- pos = buf;
- left = len;
+ pos = wpabuf_mhead(buf);
+ left = wpabuf_len(buf);
os_memset(parse, 0, sizeof(*parse));
while (left > 0) {
struct eap_sm *sm, struct eap_ttls_data *data, u8 id)
{
struct wpabuf *buf, *encr_req;
- u8 *req;
- size_t req_len;
buf = data->phase2_method->buildReq(sm, data->phase2_priv, id);
return NULL;
}
- req = wpabuf_mhead(buf);
- req_len = wpabuf_len(buf);
- wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated Phase "
- "2 data", req, req_len);
+ wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/EAP: Encrypt encapsulated "
+ "Phase 2 data", buf);
- encr_req = eap_server_tls_encrypt(sm, &data->ssl, req, req_len);
+ encr_req = eap_server_tls_encrypt(sm, &data->ssl, buf);
wpabuf_free(buf);
return encr_req;
static struct wpabuf * eap_ttls_build_phase2_mschapv2(
struct eap_sm *sm, struct eap_ttls_data *data)
{
- struct wpabuf *encr_req;
+ struct wpabuf *encr_req, msgbuf;
u8 *req, *pos, *end;
int ret;
- size_t req_len;
pos = req = os_malloc(100);
if (req == NULL)
AVP_PAD(req, pos);
}
- req_len = pos - req;
- wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 "
- "data", req, req_len);
+ wpabuf_set(&msgbuf, req, pos - req);
+ wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Encrypting Phase 2 "
+ "data", &msgbuf);
- encr_req = eap_server_tls_encrypt(sm, &data->ssl, req, req_len);
+ encr_req = eap_server_tls_encrypt(sm, &data->ssl, &msgbuf);
os_free(req);
return encr_req;
struct eap_ttls_data *data,
struct wpabuf *in_buf)
{
- u8 *in_decrypted;
- int len_decrypted;
+ struct wpabuf *in_decrypted;
struct eap_ttls_avp parse;
- size_t buf_len;
- u8 *in_data;
- size_t in_len;
-
- in_data = wpabuf_mhead(in_buf);
- in_len = wpabuf_len(in_buf);
wpa_printf(MSG_DEBUG, "EAP-TTLS: received %lu bytes encrypted data for"
- " Phase 2", (unsigned long) in_len);
+ " Phase 2", (unsigned long) wpabuf_len(in_buf));
if (data->pending_phase2_eap_resp) {
wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 EAP response "
return;
}
- buf_len = in_len;
- /*
- * Even though we try to disable TLS compression, it is possible that
- * this cannot be done with all TLS libraries. Add extra buffer space
- * to handle the possibility of the decrypted data being longer than
- * input data.
- */
- buf_len += 500;
- buf_len *= 3;
- in_decrypted = os_malloc(buf_len);
+ in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
+ in_buf);
if (in_decrypted == NULL) {
- wpa_printf(MSG_WARNING, "EAP-TTLS: failed to allocate memory "
- "for decryption");
- return;
- }
-
- len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
- in_data, in_len,
- in_decrypted, buf_len);
- if (len_decrypted < 0) {
wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
"data");
- os_free(in_decrypted);
eap_ttls_state(data, FAILURE);
return;
}
if (data->state == PHASE_FINISHED) {
- if (len_decrypted == 0 &&
+ if (wpabuf_len(in_decrypted) == 0 &&
tls_connection_ia_final_phase_finished(sm->ssl_ctx,
data->ssl.conn)) {
wpa_printf(MSG_DEBUG, "EAP-TTLS: FinalPhaseFinished "
eap_ttls_state(data, FAILURE);
}
- os_free(in_decrypted);
+ wpabuf_free(in_decrypted);
return;
}
- wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP",
- in_decrypted, len_decrypted);
+ wpa_hexdump_buf_key(MSG_DEBUG, "EAP-TTLS: Decrypted Phase 2 EAP",
+ in_decrypted);
- if (eap_ttls_avp_parse(in_decrypted, len_decrypted, &parse) < 0) {
+ if (eap_ttls_avp_parse(in_decrypted, &parse) < 0) {
wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to parse AVPs");
- os_free(in_decrypted);
+ wpabuf_free(in_decrypted);
eap_ttls_state(data, FAILURE);
return;
}
}
done:
- os_free(in_decrypted);
+ wpabuf_free(in_decrypted);
os_free(parse.eap);
}
projects / thirdparty / hostap.git / commitdiff
