EAP-SAKE: Pass EAP identifier instead of full request

This simplifies analysis of areas that get access to unverified message
payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-05-03 10:46:17 +03:00
parent 354e3f7959
commit 0dfb7be470

View file

@ -141,7 +141,7 @@ static struct wpabuf * eap_sake_build_msg(struct eap_sake_data *data,
static struct wpabuf * eap_sake_process_identity(struct eap_sm *sm, static struct wpabuf * eap_sake_process_identity(struct eap_sm *sm,
struct eap_sake_data *data, struct eap_sake_data *data,
struct eap_method_ret *ret, struct eap_method_ret *ret,
const struct wpabuf *reqData, u8 id,
const u8 *payload, const u8 *payload,
size_t payload_len) size_t payload_len)
{ {
@ -166,8 +166,7 @@ static struct wpabuf * eap_sake_process_identity(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Identity"); wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Identity");
resp = eap_sake_build_msg(data, eap_get_id(reqData), resp = eap_sake_build_msg(data, id, 2 + data->peerid_len,
2 + data->peerid_len,
EAP_SAKE_SUBTYPE_IDENTITY); EAP_SAKE_SUBTYPE_IDENTITY);
if (resp == NULL) if (resp == NULL)
return NULL; return NULL;
@ -185,7 +184,7 @@ static struct wpabuf * eap_sake_process_identity(struct eap_sm *sm,
static struct wpabuf * eap_sake_process_challenge(struct eap_sm *sm, static struct wpabuf * eap_sake_process_challenge(struct eap_sm *sm,
struct eap_sake_data *data, struct eap_sake_data *data,
struct eap_method_ret *ret, struct eap_method_ret *ret,
const struct wpabuf *reqData, u8 id,
const u8 *payload, const u8 *payload,
size_t payload_len) size_t payload_len)
{ {
@ -247,8 +246,7 @@ static struct wpabuf * eap_sake_process_challenge(struct eap_sm *sm,
rlen = 2 + EAP_SAKE_RAND_LEN + 2 + EAP_SAKE_MIC_LEN; rlen = 2 + EAP_SAKE_RAND_LEN + 2 + EAP_SAKE_MIC_LEN;
if (data->peerid) if (data->peerid)
rlen += 2 + data->peerid_len; rlen += 2 + data->peerid_len;
resp = eap_sake_build_msg(data, eap_get_id(reqData), rlen, resp = eap_sake_build_msg(data, id, rlen, EAP_SAKE_SUBTYPE_CHALLENGE);
EAP_SAKE_SUBTYPE_CHALLENGE);
if (resp == NULL) if (resp == NULL)
return NULL; return NULL;
@ -285,6 +283,7 @@ static struct wpabuf * eap_sake_process_challenge(struct eap_sm *sm,
static struct wpabuf * eap_sake_process_confirm(struct eap_sm *sm, static struct wpabuf * eap_sake_process_confirm(struct eap_sm *sm,
struct eap_sake_data *data, struct eap_sake_data *data,
struct eap_method_ret *ret, struct eap_method_ret *ret,
u8 id,
const struct wpabuf *reqData, const struct wpabuf *reqData,
const u8 *payload, const u8 *payload,
size_t payload_len) size_t payload_len)
@ -323,14 +322,13 @@ static struct wpabuf * eap_sake_process_confirm(struct eap_sm *sm,
ret->allowNotifications = FALSE; ret->allowNotifications = FALSE;
wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending " wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending "
"Response/Auth-Reject"); "Response/Auth-Reject");
return eap_sake_build_msg(data, eap_get_id(reqData), 0, return eap_sake_build_msg(data, id, 0,
EAP_SAKE_SUBTYPE_AUTH_REJECT); EAP_SAKE_SUBTYPE_AUTH_REJECT);
} }
wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Confirm"); wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Confirm");
resp = eap_sake_build_msg(data, eap_get_id(reqData), resp = eap_sake_build_msg(data, id, 2 + EAP_SAKE_MIC_LEN,
2 + EAP_SAKE_MIC_LEN,
EAP_SAKE_SUBTYPE_CONFIRM); EAP_SAKE_SUBTYPE_CONFIRM);
if (resp == NULL) if (resp == NULL)
return NULL; return NULL;
@ -367,7 +365,7 @@ static struct wpabuf * eap_sake_process(struct eap_sm *sm, void *priv,
struct wpabuf *resp; struct wpabuf *resp;
const u8 *pos, *end; const u8 *pos, *end;
size_t len; size_t len;
u8 subtype, session_id; u8 subtype, session_id, id;
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_SAKE, reqData, &len); pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_SAKE, reqData, &len);
if (pos == NULL || len < sizeof(struct eap_sake_hdr)) { if (pos == NULL || len < sizeof(struct eap_sake_hdr)) {
@ -377,6 +375,7 @@ static struct wpabuf * eap_sake_process(struct eap_sm *sm, void *priv,
req = (const struct eap_sake_hdr *) pos; req = (const struct eap_sake_hdr *) pos;
end = pos + len; end = pos + len;
id = eap_get_id(reqData);
subtype = req->subtype; subtype = req->subtype;
session_id = req->session_id; session_id = req->session_id;
pos = (const u8 *) (req + 1); pos = (const u8 *) (req + 1);
@ -402,15 +401,15 @@ static struct wpabuf * eap_sake_process(struct eap_sm *sm, void *priv,
switch (subtype) { switch (subtype) {
case EAP_SAKE_SUBTYPE_IDENTITY: case EAP_SAKE_SUBTYPE_IDENTITY:
resp = eap_sake_process_identity(sm, data, ret, reqData, resp = eap_sake_process_identity(sm, data, ret, id,
pos, end - pos); pos, end - pos);
break; break;
case EAP_SAKE_SUBTYPE_CHALLENGE: case EAP_SAKE_SUBTYPE_CHALLENGE:
resp = eap_sake_process_challenge(sm, data, ret, reqData, resp = eap_sake_process_challenge(sm, data, ret, id,
pos, end - pos); pos, end - pos);
break; break;
case EAP_SAKE_SUBTYPE_CONFIRM: case EAP_SAKE_SUBTYPE_CONFIRM:
resp = eap_sake_process_confirm(sm, data, ret, reqData, resp = eap_sake_process_confirm(sm, data, ret, id, reqData,
pos, end - pos); pos, end - pos);
break; break;
default: default: