/* EAP-FAST Version negotiation (section 3.1) */
wpa_printf(MSG_DEBUG, "EAP-FAST: Start (server ver=%d, own ver=%d)",
- flags & EAP_PEAP_VERSION_MASK, data->fast_version);
- if ((flags & EAP_PEAP_VERSION_MASK) < data->fast_version)
- data->fast_version = flags & EAP_PEAP_VERSION_MASK;
+ flags & EAP_TLS_VERSION_MASK, data->fast_version);
+ if ((flags & EAP_TLS_VERSION_MASK) < data->fast_version)
+ data->fast_version = flags & EAP_TLS_VERSION_MASK;
wpa_printf(MSG_DEBUG, "EAP-FAST: Using FAST version %d",
data->fast_version);
if (flags & EAP_TLS_FLAGS_START) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: Start (server ver=%d, own "
- "ver=%d)", flags & EAP_PEAP_VERSION_MASK,
+ "ver=%d)", flags & EAP_TLS_VERSION_MASK,
data->peap_version);
- if ((flags & EAP_PEAP_VERSION_MASK) < data->peap_version)
- data->peap_version = flags & EAP_PEAP_VERSION_MASK;
+ if ((flags & EAP_TLS_VERSION_MASK) < data->peap_version)
+ data->peap_version = flags & EAP_TLS_VERSION_MASK;
if (data->force_peap_version >= 0 &&
data->force_peap_version != data->peap_version) {
wpa_printf(MSG_WARNING, "EAP-PEAP: Failed to select "
int tls_ia;
/**
- * eap - Pointer to EAP state machine allocated with eap_peer_sm_init()
+ * eap - EAP state machine allocated with eap_peer_sm_init()
*/
struct eap_sm *eap;
};
#define EAP_TLS_FLAGS_LENGTH_INCLUDED 0x80
#define EAP_TLS_FLAGS_MORE_FRAGMENTS 0x40
#define EAP_TLS_FLAGS_START 0x20
-#define EAP_PEAP_VERSION_MASK 0x07
+#define EAP_TLS_VERSION_MASK 0x07
/* could be up to 128 bytes, but only the first 64 bytes are used */
#define EAP_TLS_KEY_LEN 64
struct eap_peer_config *config = eap_get_config(sm);
wpa_printf(MSG_DEBUG, "EAP-TTLS: Start (server ver=%d, own ver=%d)",
- flags & EAP_PEAP_VERSION_MASK, data->ttls_version);
+ flags & EAP_TLS_VERSION_MASK, data->ttls_version);
#if EAP_TTLS_VERSION > 0
- if ((flags & EAP_PEAP_VERSION_MASK) < data->ttls_version)
- data->ttls_version = flags & EAP_PEAP_VERSION_MASK;
+ if ((flags & EAP_TLS_VERSION_MASK) < data->ttls_version)
+ data->ttls_version = flags & EAP_TLS_VERSION_MASK;
if (data->force_ttls_version >= 0 &&
data->force_ttls_version != data->ttls_version) {
wpa_printf(MSG_WARNING, "EAP-TTLS: Failed to select "
encr = eap_server_tls_encrypt(sm, &data->ssl, plain);
wpabuf_free(plain);
- if (data->ssl.out_buf && piggyback) {
+ if (data->ssl.tls_out && piggyback) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Piggyback Phase 2 data "
"(len=%d) with last Phase 1 Message (len=%d "
"used=%d)",
(int) wpabuf_len(encr),
- (int) wpabuf_len(data->ssl.out_buf),
- (int) data->ssl.out_used);
- if (wpabuf_resize(&data->ssl.out_buf, wpabuf_len(encr)) < 0) {
+ (int) wpabuf_len(data->ssl.tls_out),
+ (int) data->ssl.tls_out_pos);
+ if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(encr)) < 0) {
wpa_printf(MSG_WARNING, "EAP-FAST: Failed to resize "
"output buffer");
wpabuf_free(encr);
return -1;
}
- wpabuf_put_buf(data->ssl.out_buf, encr);
+ wpabuf_put_buf(data->ssl.tls_out, encr);
wpabuf_free(encr);
} else {
- wpabuf_free(data->ssl.out_buf);
- data->ssl.out_used = 0;
- data->ssl.out_buf = encr;
+ wpabuf_free(data->ssl.tls_out);
+ data->ssl.tls_out_pos = 0;
+ data->ssl.tls_out = encr;
}
return 0;
}
if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
- wpabuf_len(data->ssl.out_buf) > 0)
+ wpabuf_len(data->ssl.tls_out) > 0)
return 1;
/*
case PHASE2_METHOD:
case CRYPTO_BINDING:
case REQUEST_PAC:
- eap_fast_process_phase2(sm, data, data->ssl.in_buf);
+ eap_fast_process_phase2(sm, data, data->ssl.tls_in);
break;
default:
wpa_printf(MSG_DEBUG, "EAP-FAST: Unexpected state %d in %s",
break;
case PHASE2_ID:
case PHASE2_METHOD:
- wpabuf_free(data->ssl.out_buf);
- data->ssl.out_used = 0;
- data->ssl.out_buf = eap_peap_build_phase2_req(sm, data, id);
+ wpabuf_free(data->ssl.tls_out);
+ data->ssl.tls_out_pos = 0;
+ data->ssl.tls_out = eap_peap_build_phase2_req(sm, data, id);
break;
#ifdef EAP_SERVER_TNC
case PHASE2_SOH:
- wpabuf_free(data->ssl.out_buf);
- data->ssl.out_used = 0;
- data->ssl.out_buf = eap_peap_build_phase2_soh(sm, data, id);
+ wpabuf_free(data->ssl.tls_out);
+ data->ssl.tls_out_pos = 0;
+ data->ssl.tls_out = eap_peap_build_phase2_soh(sm, data, id);
break;
#endif /* EAP_SERVER_TNC */
case PHASE2_TLV:
- wpabuf_free(data->ssl.out_buf);
- data->ssl.out_used = 0;
- data->ssl.out_buf = eap_peap_build_phase2_tlv(sm, data, id);
+ wpabuf_free(data->ssl.tls_out);
+ data->ssl.tls_out_pos = 0;
+ data->ssl.tls_out = eap_peap_build_phase2_tlv(sm, data, id);
break;
case SUCCESS_REQ:
- wpabuf_free(data->ssl.out_buf);
- data->ssl.out_used = 0;
- data->ssl.out_buf = eap_peap_build_phase2_term(sm, data, id,
+ wpabuf_free(data->ssl.tls_out);
+ data->ssl.tls_out_pos = 0;
+ data->ssl.tls_out = eap_peap_build_phase2_term(sm, data, id,
1);
break;
case FAILURE_REQ:
- wpabuf_free(data->ssl.out_buf);
- data->ssl.out_used = 0;
- data->ssl.out_buf = eap_peap_build_phase2_term(sm, data, id,
+ wpabuf_free(data->ssl.tls_out);
+ data->ssl.tls_out_pos = 0;
+ data->ssl.tls_out = eap_peap_build_phase2_term(sm, data, id,
0);
break;
default:
buf);
/* Append TLS data into the pending buffer after the Server Finished */
- if (wpabuf_resize(&data->ssl.out_buf, wpabuf_len(buf)) < 0) {
+ if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(buf)) < 0) {
wpabuf_free(buf);
return -1;
}
- wpabuf_put_buf(data->ssl.out_buf, buf);
+ wpabuf_put_buf(data->ssl.tls_out, buf);
wpabuf_free(buf);
return 0;
case PHASE2_METHOD:
case PHASE2_SOH:
case PHASE2_TLV:
- eap_peap_process_phase2(sm, data, respData, data->ssl.in_buf);
+ eap_peap_process_phase2(sm, data, respData, data->ssl.tls_in);
break;
case SUCCESS_REQ:
eap_peap_state(data, SUCCESS);
const struct wpabuf *respData)
{
struct eap_tls_data *data = priv;
- if (data->state == SUCCESS && wpabuf_len(data->ssl.in_buf) == 0) {
+ if (data->state == SUCCESS && wpabuf_len(data->ssl.tls_in) == 0) {
wpa_printf(MSG_DEBUG, "EAP-TLS: Client acknowledged final TLS "
"handshake message");
return;
void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
{
tls_connection_deinit(sm->ssl_ctx, data->conn);
- os_free(data->in_buf);
- os_free(data->out_buf);
+ os_free(data->tls_in);
+ os_free(data->tls_out);
}
size_t send_len, plen;
wpa_printf(MSG_DEBUG, "SSL: Generating Request");
- if (data->out_buf == NULL) {
- wpa_printf(MSG_ERROR, "SSL: out_buf NULL in %s", __func__);
+ if (data->tls_out == NULL) {
+ wpa_printf(MSG_ERROR, "SSL: tls_out NULL in %s", __func__);
return NULL;
}
flags = version;
- send_len = wpabuf_len(data->out_buf) - data->out_used;
+ send_len = wpabuf_len(data->tls_out) - data->tls_out_pos;
if (1 + send_len > data->tls_out_limit) {
send_len = data->tls_out_limit - 1;
flags |= EAP_TLS_FLAGS_MORE_FRAGMENTS;
- if (data->out_used == 0) {
+ if (data->tls_out_pos == 0) {
flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED;
send_len -= 4;
}
wpabuf_put_u8(req, flags); /* Flags */
if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)
- wpabuf_put_be32(req, wpabuf_len(data->out_buf));
+ wpabuf_put_be32(req, wpabuf_len(data->tls_out));
- wpabuf_put_data(req, wpabuf_head_u8(data->out_buf) + data->out_used,
+ wpabuf_put_data(req, wpabuf_head_u8(data->tls_out) + data->tls_out_pos,
send_len);
- data->out_used += send_len;
+ data->tls_out_pos += send_len;
- if (data->out_used == wpabuf_len(data->out_buf)) {
+ if (data->tls_out_pos == wpabuf_len(data->tls_out)) {
wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
"(message sent completely)",
(unsigned long) send_len);
- wpabuf_free(data->out_buf);
- data->out_buf = NULL;
- data->out_used = 0;
+ wpabuf_free(data->tls_out);
+ data->tls_out = NULL;
+ data->tls_out_pos = 0;
data->state = MSG;
} else {
wpa_printf(MSG_DEBUG, "SSL: Sending out %lu bytes "
"(%lu more to send)", (unsigned long) send_len,
- (unsigned long) wpabuf_len(data->out_buf) -
- data->out_used);
+ (unsigned long) wpabuf_len(data->tls_out) -
+ data->tls_out_pos);
data->state = WAIT_FRAG_ACK;
}
const u8 *buf, size_t len)
{
/* Process continuation of a pending message */
- if (len > wpabuf_tailroom(data->in_buf)) {
+ if (len > wpabuf_tailroom(data->tls_in)) {
wpa_printf(MSG_DEBUG, "SSL: Fragment overflow");
return -1;
}
- wpabuf_put_data(data->in_buf, buf, len);
+ wpabuf_put_data(data->tls_in, buf, len);
wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes, waiting for %lu "
"bytes more", (unsigned long) len,
- (unsigned long) wpabuf_tailroom(data->in_buf));
+ (unsigned long) wpabuf_tailroom(data->tls_in));
return 0;
}
const u8 *buf, size_t len)
{
/* Process a fragment that is not the last one of the message */
- if (data->in_buf == NULL && !(flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)) {
+ if (data->tls_in == NULL && !(flags & EAP_TLS_FLAGS_LENGTH_INCLUDED)) {
wpa_printf(MSG_DEBUG, "SSL: No Message Length field in a "
"fragmented packet");
return -1;
}
- if (data->in_buf == NULL) {
+ if (data->tls_in == NULL) {
/* First fragment of the message */
/* Limit length to avoid rogue peers from causing large
return -1;
}
- data->in_buf = wpabuf_alloc(message_length);
- if (data->in_buf == NULL) {
+ data->tls_in = wpabuf_alloc(message_length);
+ if (data->tls_in == NULL) {
wpa_printf(MSG_DEBUG, "SSL: No memory for message");
return -1;
}
- wpabuf_put_data(data->in_buf, buf, len);
+ wpabuf_put_data(data->tls_in, buf, len);
wpa_printf(MSG_DEBUG, "SSL: Received %lu bytes in first "
"fragment, waiting for %lu bytes more",
(unsigned long) len,
- (unsigned long) wpabuf_tailroom(data->in_buf));
+ (unsigned long) wpabuf_tailroom(data->tls_in));
}
return 0;
int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
{
- if (data->out_buf) {
+ if (data->tls_out) {
/* This should not happen.. */
wpa_printf(MSG_INFO, "SSL: pending tls_out data when "
"processing new message");
- wpabuf_free(data->out_buf);
- WPA_ASSERT(data->out_buf == NULL);
+ wpabuf_free(data->tls_out);
+ WPA_ASSERT(data->tls_out == NULL);
}
- data->out_buf = tls_connection_server_handshake(sm->ssl_ctx,
+ data->tls_out = tls_connection_server_handshake(sm->ssl_ctx,
data->conn,
- data->in_buf, NULL);
- if (data->out_buf == NULL) {
+ data->tls_in, NULL);
+ if (data->tls_out == NULL) {
wpa_printf(MSG_INFO, "SSL: TLS processing failed");
return -1;
}
if (tls_connection_get_failed(sm->ssl_ctx, data->conn)) {
/* TLS processing has failed - return error */
- wpa_printf(MSG_DEBUG, "SSL: Failed - out_buf available to "
+ wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to "
"report error");
return -1;
}
return 1;
}
- if (data->in_buf &&
+ if (data->tls_in &&
eap_server_tls_process_cont(data, *pos, end - *pos) < 0)
return -1;
data->state = MSG;
}
- if (data->in_buf == NULL) {
+ if (data->tls_in == NULL) {
/* Wrap unfragmented messages as wpabuf without extra copy */
wpabuf_set(&data->tmpbuf, *pos, end - *pos);
- data->in_buf = &data->tmpbuf;
+ data->tls_in = &data->tmpbuf;
}
return 0;
static void eap_server_tls_free_in_buf(struct eap_ssl_data *data)
{
- if (data->in_buf != &data->tmpbuf)
- wpabuf_free(data->in_buf);
- data->in_buf = NULL;
+ if (data->tls_in != &data->tmpbuf)
+ wpabuf_free(data->tls_in);
+ data->tls_in = NULL;
}
#ifndef EAP_TLS_COMMON_H
#define EAP_TLS_COMMON_H
+/**
+ * struct eap_ssl_data - TLS data for EAP methods
+ */
struct eap_ssl_data {
+ /**
+ * conn - TLS connection context data from tls_connection_init()
+ */
struct tls_connection *conn;
+ /**
+ * tls_out - TLS message to be sent out in fragments
+ */
+ struct wpabuf *tls_out;
+
+ /**
+ * tls_out_pos - The current position in the outgoing TLS message
+ */
+ size_t tls_out_pos;
+
+ /**
+ * tls_out_limit - Maximum fragment size for outgoing TLS messages
+ */
size_t tls_out_limit;
+ /**
+ * tls_in - Received TLS message buffer for re-assembly
+ */
+ struct wpabuf *tls_in;
+
+ /**
+ * phase2 - Whether this TLS connection is used in EAP phase 2 (tunnel)
+ */
int phase2;
+ /**
+ * eap - EAP state machine allocated with eap_server_sm_init()
+ */
struct eap_sm *eap;
enum { MSG, FRAG_ACK, WAIT_FRAG_ACK } state;
- struct wpabuf *in_buf;
- struct wpabuf *out_buf;
- size_t out_used;
struct wpabuf tmpbuf;
};
}
break;
case PHASE2_METHOD:
- wpabuf_free(data->ssl.out_buf);
- data->ssl.out_used = 0;
- data->ssl.out_buf = eap_ttls_build_phase2_eap_req(sm, data,
+ wpabuf_free(data->ssl.tls_out);
+ data->ssl.tls_out_pos = 0;
+ data->ssl.tls_out = eap_ttls_build_phase2_eap_req(sm, data,
id);
break;
case PHASE2_MSCHAPV2_RESP:
- wpabuf_free(data->ssl.out_buf);
- data->ssl.out_used = 0;
- data->ssl.out_buf = eap_ttls_build_phase2_mschapv2(sm, data);
+ wpabuf_free(data->ssl.tls_out);
+ data->ssl.tls_out_pos = 0;
+ data->ssl.tls_out = eap_ttls_build_phase2_mschapv2(sm, data);
break;
case PHASE_FINISHED:
- wpabuf_free(data->ssl.out_buf);
- data->ssl.out_used = 0;
- data->ssl.out_buf = eap_ttls_build_phase_finished(sm, data, 1);
+ wpabuf_free(data->ssl.tls_out);
+ data->ssl.tls_out_pos = 0;
+ data->ssl.tls_out = eap_ttls_build_phase_finished(sm, data, 1);
break;
default:
wpa_printf(MSG_DEBUG, "EAP-TTLS: %s - unexpected state %d",
case PHASE2_START:
case PHASE2_METHOD:
case PHASE_FINISHED:
- eap_ttls_process_phase2(sm, data, data->ssl.in_buf);
+ eap_ttls_process_phase2(sm, data, data->ssl.tls_in);
eap_ttls_start_tnc(sm, data);
break;
case PHASE2_MSCHAPV2_RESP:
- if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.in_buf) ==
+ if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.tls_in) ==
0) {
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
"acknowledged response");
"frame from peer (payload len %lu, "
"expected empty frame)",
(unsigned long)
- wpabuf_len(data->ssl.in_buf));
+ wpabuf_len(data->ssl.tls_in));
eap_ttls_state(data, FAILURE);
}
eap_ttls_start_tnc(sm, data);
projects / thirdparty / hostap.git / commitdiff
