DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Share EAP-TLS/PEAP/TTLS/FAST core process() functionality

Browse source 
Move the basic processing of received frames into eap_tls_common.c and use
callback functions to handle EAP type specific processing of the version
field and payload.
This commit is contained in:
Jouni Malinen 2008-05-28 17:15:17 +03:00
parent 3c724cc564
commit cda97d11bb
6 changed files with 131 additions and 141 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

48
src/eap_server/eap_fast.c
View file

@ -1334,16 +1334,17 @@ static void eap_fast_process_phase2(struct eap_sm *sm,
} }
static int eap_fast_process_version(struct eap_fast_data *data, static int eap_fast_process_version(struct eap_sm *sm, void *priv,
int peer_version) int peer_version)
{ {
struct eap_fast_data *data = priv;
data->peer_version = peer_version; data->peer_version = peer_version;
if (data->force_version >= 0 && peer_version != data->force_version) { if (data->force_version >= 0 && peer_version != data->force_version) {
wpa_printf(MSG_INFO, "EAP-FAST: peer did not select the forced" wpa_printf(MSG_INFO, "EAP-FAST: peer did not select the forced"
" version (forced=%d peer=%d) - reject", " version (forced=%d peer=%d) - reject",
data->force_version, peer_version); data->force_version, peer_version);
eap_fast_state(data, FAILURE);
return -1; return -1;
} }
@ -1416,34 +1417,10 @@ static void eap_fast_process_phase2_start(struct eap_sm *sm,
} }
static void eap_fast_process(struct eap_sm *sm, void *priv, static void eap_fast_process_msg(struct eap_sm *sm, void *priv,
struct wpabuf *respData) const struct wpabuf *respData)
{ {
struct eap_fast_data *data = priv; struct eap_fast_data *data = priv;
const u8 *pos;
u8 flags;
size_t left;
int ret;
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_FAST, respData,
&left);
if (pos == NULL || left < 1)
return;
flags = *pos++;
left--;
wpa_printf(MSG_DEBUG, "EAP-FAST: Received packet(len=%lu) - "
"Flags 0x%02x", (unsigned long) wpabuf_len(respData),
flags);
if (eap_fast_process_version(data, flags & EAP_TLS_VERSION_MASK))
return;
ret = eap_server_tls_reassemble(&data->ssl, flags, &pos, &left);
if (ret < 0) {
eap_fast_state(data, FAILURE);
return;
} else if (ret == 1)
return;
switch (data->state) { switch (data->state) {
case PHASE1: case PHASE1:
@ -1465,14 +1442,17 @@ static void eap_fast_process(struct eap_sm *sm, void *priv,
data->state, __func__); data->state, __func__);
break; break;
} }
if (tls_connection_get_write_alerts(sm->ssl_ctx, data->ssl.conn) > 1) {
wpa_printf(MSG_INFO, "EAP-FAST: Locally detected fatal error "
"in TLS processing");
eap_fast_state(data, FAILURE);
} }
eap_server_tls_free_in_buf(&data->ssl);
static void eap_fast_process(struct eap_sm *sm, void *priv,
struct wpabuf *respData)
{
struct eap_fast_data *data = priv;
if (eap_server_tls_process(sm, &data->ssl, respData, data,
EAP_TYPE_FAST, eap_fast_process_version,
eap_fast_process_msg) < 0)
eap_fast_state(data, FAILURE);
} }

61
src/eap_server/eap_peap.c
View file

@ -1110,12 +1110,17 @@ static void eap_peap_process_phase2_response(struct eap_sm *sm,
static void eap_peap_process_phase2(struct eap_sm *sm, static void eap_peap_process_phase2(struct eap_sm *sm,
struct eap_peap_data *data, struct eap_peap_data *data,
const struct wpabuf *respData, const struct wpabuf *respData,
const u8 *in_data, size_t in_len) struct wpabuf *in_buf)
{ {
struct wpabuf *in_decrypted; struct wpabuf *in_decrypted;
int len_decrypted; int len_decrypted;
const struct eap_hdr *hdr; const struct eap_hdr *hdr;
size_t buf_len, len; size_t buf_len, len;
u8 *in_data;
size_t in_len;
in_data = wpabuf_mhead(in_buf);
in_len = wpabuf_len(in_buf);
wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for" wpa_printf(MSG_DEBUG, "EAP-PEAP: received %lu bytes encrypted data for"
" Phase 2", (unsigned long) in_len); " Phase 2", (unsigned long) in_len);
@ -1332,32 +1337,17 @@ static int eap_peapv2_start_phase2(struct eap_sm *sm,
} }
static void eap_peap_process(struct eap_sm *sm, void *priv, static int eap_peap_process_version(struct eap_sm *sm, void *priv,
struct wpabuf *respData) int peer_version)
{ {
struct eap_peap_data *data = priv; struct eap_peap_data *data = priv;
const u8 *pos;
u8 flags;
size_t left;
int peer_version;
int ret;
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PEAP, respData, data->recv_version = peer_version;
&left);
if (pos == NULL || left < 1)
return;
flags = *pos++;
left--;
wpa_printf(MSG_DEBUG, "EAP-PEAP: Received packet(len=%lu) - "
"Flags 0x%02x", (unsigned long) wpabuf_len(respData),
flags);
data->recv_version = peer_version = flags & EAP_TLS_VERSION_MASK;
if (data->force_version >= 0 && peer_version != data->force_version) { if (data->force_version >= 0 && peer_version != data->force_version) {
wpa_printf(MSG_INFO, "EAP-PEAP: peer did not select the forced" wpa_printf(MSG_INFO, "EAP-PEAP: peer did not select the forced"
" version (forced=%d peer=%d) - reject", " version (forced=%d peer=%d) - reject",
data->force_version, peer_version); data->force_version, peer_version);
eap_peap_state(data, FAILURE); return -1;
return;
} }
if (peer_version < data->peap_version) { if (peer_version < data->peap_version) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: peer ver=%d, own ver=%d; " wpa_printf(MSG_DEBUG, "EAP-PEAP: peer ver=%d, own ver=%d; "
@ -1366,12 +1356,14 @@ static void eap_peap_process(struct eap_sm *sm, void *priv,
data->peap_version = peer_version; data->peap_version = peer_version;
} }
ret = eap_server_tls_reassemble(&data->ssl, flags, &pos, &left); return 0;
if (ret < 0) { }
eap_peap_state(data, FAILURE);
return;
} else if (ret == 1) static void eap_peap_process_msg(struct eap_sm *sm, void *priv,
return; const struct wpabuf *respData)
{
struct eap_peap_data *data = priv;
switch (data->state) { switch (data->state) {
case PHASE1: case PHASE1:
@ -1397,7 +1389,7 @@ static void eap_peap_process(struct eap_sm *sm, void *priv,
case PHASE2_METHOD: case PHASE2_METHOD:
case PHASE2_SOH: case PHASE2_SOH:
case PHASE2_TLV: case PHASE2_TLV:
eap_peap_process_phase2(sm, data, respData, pos, left); eap_peap_process_phase2(sm, data, respData, data->ssl.in_buf);
break; break;
case SUCCESS_REQ: case SUCCESS_REQ:
eap_peap_state(data, SUCCESS); eap_peap_state(data, SUCCESS);
@ -1410,14 +1402,17 @@ static void eap_peap_process(struct eap_sm *sm, void *priv,
data->state, __func__); data->state, __func__);
break; break;
} }
if (tls_connection_get_write_alerts(sm->ssl_ctx, data->ssl.conn) > 1) {
wpa_printf(MSG_INFO, "EAP-PEAP: Locally detected fatal error "
"in TLS processing");
eap_peap_state(data, FAILURE);
} }
eap_server_tls_free_in_buf(&data->ssl);
static void eap_peap_process(struct eap_sm *sm, void *priv,
struct wpabuf *respData)
{
struct eap_peap_data *data = priv;
if (eap_server_tls_process(sm, &data->ssl, respData, data,
EAP_TYPE_PEAP, eap_peap_process_version,
eap_peap_process_msg) < 0)
eap_peap_state(data, FAILURE);
} }

42
src/eap_server/eap_tls.c
View file

@ -129,41 +129,23 @@ static Boolean eap_tls_check(struct eap_sm *sm, void *priv,
} }
static void eap_tls_process_msg(struct eap_sm *sm, void *priv,
const struct wpabuf *respData)
{
struct eap_tls_data *data = priv;
if (eap_server_tls_phase1(sm, &data->ssl) < 0)
data->state = FAILURE;
}
static void eap_tls_process(struct eap_sm *sm, void *priv, static void eap_tls_process(struct eap_sm *sm, void *priv,
struct wpabuf *respData) struct wpabuf *respData)
{ {
struct eap_tls_data *data = priv; struct eap_tls_data *data = priv;
const u8 *pos; if (eap_server_tls_process(sm, &data->ssl, respData, data,
u8 flags; EAP_TYPE_TLS, NULL, eap_tls_process_msg) <
size_t left; 0)
int ret;
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TLS, respData, &left);
if (pos == NULL || left < 1)
return; /* Should not happen - frame already validated */
flags = *pos++;
left--;
wpa_printf(MSG_DEBUG, "EAP-TLS: Received packet(len=%lu) - "
"Flags 0x%02x", (unsigned long) wpabuf_len(respData),
flags);
ret = eap_server_tls_reassemble(&data->ssl, flags, &pos, &left);
if (ret < 0) {
data->state = FAILURE; data->state = FAILURE;
return;
} else if (ret == 1)
return;
if (eap_server_tls_phase1(sm, &data->ssl) < 0)
data->state = FAILURE;
if (tls_connection_get_write_alerts(sm->ssl_ctx, data->ssl.conn) > 1) {
wpa_printf(MSG_INFO, "EAP-TLS: Locally detected fatal error "
"in TLS processing");
data->state = FAILURE;
}
eap_server_tls_free_in_buf(&data->ssl);
} }

51
src/eap_server/eap_tls_common.c
View file

@ -263,7 +263,7 @@ int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
} }
int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags, static int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags,
const u8 **pos, size_t *left) const u8 **pos, size_t *left)
{ {
unsigned int tls_msg_len = 0; unsigned int tls_msg_len = 0;
@ -323,7 +323,7 @@ int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags,
} }
void eap_server_tls_free_in_buf(struct eap_ssl_data *data) static void eap_server_tls_free_in_buf(struct eap_ssl_data *data)
{ {
if (data->in_buf != &data->tmpbuf) if (data->in_buf != &data->tmpbuf)
wpabuf_free(data->in_buf); wpabuf_free(data->in_buf);
@ -355,3 +355,50 @@ struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm,
return buf; return buf;
} }
int eap_server_tls_process(struct eap_sm *sm, struct eap_ssl_data *data,
struct wpabuf *respData, void *priv, int eap_type,
int (*proc_version)(struct eap_sm *sm, void *priv,
int peer_version),
void (*proc_msg)(struct eap_sm *sm, void *priv,
const struct wpabuf *respData))
{
const u8 *pos;
u8 flags;
size_t left;
int ret, res = 0;
pos = eap_hdr_validate(EAP_VENDOR_IETF, eap_type, respData, &left);
if (pos == NULL || left < 1)
return 0; /* Should not happen - frame already validated */
flags = *pos++;
left--;
wpa_printf(MSG_DEBUG, "SSL: Received packet(len=%lu) - Flags 0x%02x",
(unsigned long) wpabuf_len(respData), flags);
if (proc_version &&
proc_version(sm, priv, flags & EAP_TLS_VERSION_MASK) < 0)
return -1;
ret = eap_server_tls_reassemble(data, flags, &pos, &left);
if (ret < 0) {
res = -1;
goto done;
} else if (ret == 1)
return 0;
if (proc_msg)
proc_msg(sm, priv, respData);
if (tls_connection_get_write_alerts(sm->ssl_ctx, data->conn) > 1) {
wpa_printf(MSG_INFO, "SSL: Locally detected fatal error in "
"TLS processing");
res = -1;
}
done:
eap_server_tls_free_in_buf(data);
return res;
}

9
src/eap_server/eap_tls_common.h
View file

@ -51,11 +51,14 @@ struct wpabuf * eap_server_tls_build_msg(struct eap_ssl_data *data,
int eap_type, int version, u8 id); int eap_type, int version, u8 id);
struct wpabuf * eap_server_tls_build_ack(u8 id, int eap_type, int version); struct wpabuf * eap_server_tls_build_ack(u8 id, int eap_type, int version);
int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data); int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data);
int eap_server_tls_reassemble(struct eap_ssl_data *data, u8 flags,
const u8 **pos, size_t *left);
void eap_server_tls_free_in_buf(struct eap_ssl_data *data);
struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm, struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm,
struct eap_ssl_data *data, struct eap_ssl_data *data,
const u8 *plain, size_t plain_len); const u8 *plain, size_t plain_len);
int eap_server_tls_process(struct eap_sm *sm, struct eap_ssl_data *data,
struct wpabuf *respData, void *priv, int eap_type,
int (*proc_version)(struct eap_sm *sm, void *priv,
int peer_version),
void (*proc_msg)(struct eap_sm *sm, void *priv,
const struct wpabuf *respData));
#endif /* EAP_TLS_COMMON_H */ #endif /* EAP_TLS_COMMON_H */

57
src/eap_server/eap_ttls.c
View file

@ -1272,10 +1272,10 @@ static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data)
} }
static void eap_ttls_process_version(struct eap_sm *sm, static int eap_ttls_process_version(struct eap_sm *sm, void *priv,
struct eap_ttls_data *data,
int peer_version) int peer_version)
{ {
struct eap_ttls_data *data = priv;
if (peer_version < data->ttls_version) { if (peer_version < data->ttls_version) {
wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; " wpa_printf(MSG_DEBUG, "EAP-TTLS: peer ver=%d, own ver=%d; "
"use version %d", "use version %d",
@ -1287,41 +1287,19 @@ static void eap_ttls_process_version(struct eap_sm *sm,
if (tls_connection_set_ia(sm->ssl_ctx, data->ssl.conn, 1)) { if (tls_connection_set_ia(sm->ssl_ctx, data->ssl.conn, 1)) {
wpa_printf(MSG_INFO, "EAP-TTLS: Failed to enable " wpa_printf(MSG_INFO, "EAP-TTLS: Failed to enable "
"TLS/IA"); "TLS/IA");
eap_ttls_state(data, FAILURE); return -1;
return;
} }
data->tls_ia_configured = 1; data->tls_ia_configured = 1;
} }
return 0;
} }
static void eap_ttls_process(struct eap_sm *sm, void *priv, static void eap_ttls_process_msg(struct eap_sm *sm, void *priv,
struct wpabuf *respData) const struct wpabuf *respData)
{ {
struct eap_ttls_data *data = priv; struct eap_ttls_data *data = priv;
const u8 *pos;
u8 flags;
size_t left;
int ret;
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData,
&left);
if (pos == NULL || left < 1)
return;
flags = *pos++;
left--;
wpa_printf(MSG_DEBUG, "EAP-TTLS: Received packet(len=%lu) - "
"Flags 0x%02x", (unsigned long) wpabuf_len(respData),
flags);
eap_ttls_process_version(sm, data, flags & EAP_TLS_VERSION_MASK);
ret = eap_server_tls_reassemble(&data->ssl, flags, &pos, &left);
if (ret < 0) {
eap_ttls_state(data, FAILURE);
return;
} else if (ret == 1)
return;
switch (data->state) { switch (data->state) {
case PHASE1: case PHASE1:
@ -1335,7 +1313,8 @@ static void eap_ttls_process(struct eap_sm *sm, void *priv,
eap_ttls_start_tnc(sm, data); eap_ttls_start_tnc(sm, data);
break; break;
case PHASE2_MSCHAPV2_RESP: case PHASE2_MSCHAPV2_RESP:
if (data->mschapv2_resp_ok && left == 0) { if (data->mschapv2_resp_ok && wpabuf_len(data->ssl.in_buf) ==
0) {
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer " wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Peer "
"acknowledged response"); "acknowledged response");
eap_ttls_state(data, data->ttls_version > 0 ? eap_ttls_state(data, data->ttls_version > 0 ?
@ -1348,7 +1327,8 @@ static void eap_ttls_process(struct eap_sm *sm, void *priv,
wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected " wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAPV2: Unexpected "
"frame from peer (payload len %lu, " "frame from peer (payload len %lu, "
"expected empty frame)", "expected empty frame)",
(unsigned long) left); (unsigned long)
wpabuf_len(data->ssl.in_buf));
eap_ttls_state(data, FAILURE); eap_ttls_state(data, FAILURE);
} }
eap_ttls_start_tnc(sm, data); eap_ttls_start_tnc(sm, data);
@ -1358,14 +1338,17 @@ static void eap_ttls_process(struct eap_sm *sm, void *priv,
data->state, __func__); data->state, __func__);
break; break;
} }
if (tls_connection_get_write_alerts(sm->ssl_ctx, data->ssl.conn) > 1) {
wpa_printf(MSG_INFO, "EAP-TTLS: Locally detected fatal error "
"in TLS processing");
eap_ttls_state(data, FAILURE);
} }
eap_server_tls_free_in_buf(&data->ssl);
static void eap_ttls_process(struct eap_sm *sm, void *priv,
struct wpabuf *respData)
{
struct eap_ttls_data *data = priv;
if (eap_server_tls_process(sm, &data->ssl, respData, data,
EAP_TYPE_TTLS, eap_ttls_process_version,
eap_ttls_process_msg) < 0)
eap_ttls_state(data, FAILURE);
} }