static u8 * eap_tls_process(struct eap_sm *sm, void *priv,
struct eap_method_ret *ret,
const u8 *reqData, size_t reqDataLen,
size_t *respDataLen)
{
const struct eap_hdr *req;
size_t left;
int res;
u8 flags, *resp, id;
const u8 *pos;
struct eap_tls_data *data = priv;
pos = eap_tls_process_init(sm, &data->ssl, EAP_TYPE_TLS, ret,
reqData, reqDataLen, &left, &flags);
if (pos == NULL)
return NULL;
req = (const struct eap_hdr *) reqData;
id = req->identifier;
if (flags & EAP_TLS_FLAGS_START) {
wpa_printf(MSG_DEBUG, "EAP-TLS: Start");
left = 0; /* make sure that this frame is empty, even though it
* should always be, anyway */
}
resp = NULL;
res = eap_tls_process_helper(sm, &data->ssl, EAP_TYPE_TLS, 0, id, pos,
left, &resp, respDataLen);
if (res < 0) {
return eap_tls_failure(sm, data, ret, res, resp, id,
respDataLen);
}
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn))
eap_tls_success(sm, data, ret);
if (res == 1) {
return eap_tls_build_ack(&data->ssl, respDataLen, id,
EAP_TYPE_TLS, 0);
}
return resp;
}
static void eap_tls_process(struct eap_sm *sm, void *priv,
u8 *respData, size_t respDataLen)
{
struct eap_tls_data *data = priv;
struct eap_hdr *resp;
u8 *pos, flags;
int left;
unsigned int tls_msg_len;
resp = (struct eap_hdr *) respData;
pos = (u8 *) (resp + 1);
pos++;
flags = *pos++;
left = htons(resp->length) - sizeof(struct eap_hdr) - 2;
wpa_printf(MSG_DEBUG, "EAP-TLS: Received packet(len=%lu) - "
"Flags 0x%02x", (unsigned long) respDataLen, flags);
if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
if (left < 4) {
wpa_printf(MSG_INFO, "EAP-TLS: Short frame with TLS "
"length");
data->state = FAILURE;
return;
}
tls_msg_len = (pos[0] << 24) | (pos[1] << 16) | (pos[2] << 8) |
pos[3];
wpa_printf(MSG_DEBUG, "EAP-TLS: TLS Message Length: %d",
tls_msg_len);
if (data->ssl.tls_in_left == 0) {
data->ssl.tls_in_total = tls_msg_len;
data->ssl.tls_in_left = tls_msg_len;
free(data->ssl.tls_in);
data->ssl.tls_in = NULL;
data->ssl.tls_in_len = 0;
}
pos += 4;
left -= 4;
}
if (eap_tls_process_helper(sm, &data->ssl, pos, left) < 0) {
wpa_printf(MSG_INFO, "EAP-TLS: TLS processing failed");
data->state = FAILURE;
return;
}
}
static u8 * eap_tls_process(struct eap_sm *sm, void *priv,
struct eap_method_ret *ret,
const u8 *reqData, size_t reqDataLen,
size_t *respDataLen)
{
struct wpa_ssid *config = eap_get_config(sm);
const struct eap_hdr *req;
size_t left;
int res;
u8 flags, *resp, id;
const u8 *pos;
struct eap_tls_data *data = priv;
pos = eap_tls_process_init(sm, &data->ssl, EAP_TYPE_TLS, ret,
reqData, reqDataLen, &left, &flags);
if (pos == NULL)
return NULL;
req = (const struct eap_hdr *) reqData;
id = req->identifier;
if (flags & EAP_TLS_FLAGS_START) {
wpa_printf(MSG_DEBUG, "EAP-TLS: Start");
left = 0; /* make sure that this frame is empty, even though it
* should always be, anyway */
}
resp = NULL;
res = eap_tls_process_helper(sm, &data->ssl, EAP_TYPE_TLS, 0, id, pos,
left, &resp, respDataLen);
if (res < 0) {
wpa_printf(MSG_DEBUG, "EAP-TLS: TLS processing failed");
ret->methodState = METHOD_MAY_CONT;
ret->decision = DECISION_FAIL;
if (res == -1) {
/*
* The TLS handshake failed. So better forget the old
* PIN. It may be wrong, we can't be sure but trying
* the wrong one again might block it on the card - so
* better ask the user again.
*/
free(config->pin);
config->pin = NULL;
}
if (resp) {
/* This is likely an alert message, so send it instead
* of just ACKing the error. */
return resp;
}
return eap_tls_build_ack(&data->ssl, respDataLen, id,
EAP_TYPE_TLS, 0);
}
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
ret->methodState = METHOD_DONE;
ret->decision = DECISION_UNCOND_SUCC;
free(data->key_data);
data->key_data = eap_tls_derive_key(sm, &data->ssl,
"client EAP encryption",
EAP_TLS_KEY_LEN);
if (data->key_data) {
wpa_hexdump_key(MSG_DEBUG, "EAP-TLS: Derived key",
data->key_data, EAP_TLS_KEY_LEN);
} else {
wpa_printf(MSG_DEBUG, "EAP-TLS: Failed to derive key");
}
}
if (res == 1) {
return eap_tls_build_ack(&data->ssl, respDataLen, id,
EAP_TYPE_TLS, 0);
}
return resp;
}
static void eap_peap_process(struct eap_sm *sm, void *priv,
u8 *respData, size_t respDataLen)
{
struct eap_peap_data *data = priv;
struct eap_hdr *resp;
u8 *pos, flags;
int left;
unsigned int tls_msg_len;
int peer_version;
resp = (struct eap_hdr *) respData;
pos = (u8 *) (resp + 1);
pos++;
flags = *pos++;
left = htons(resp->length) - sizeof(struct eap_hdr) - 2;
wpa_printf(MSG_DEBUG, "EAP-PEAP: Received packet(len=%lu) - "
"Flags 0x%02x", (unsigned long) respDataLen, flags);
peer_version = flags & EAP_PEAP_VERSION_MASK;
if (data->force_version >= 0 && peer_version != data->force_version) {
wpa_printf(MSG_INFO, "EAP-PEAP: peer did not select the forced"
" version (forced=%d peer=%d) - reject",
data->force_version, peer_version);
eap_peap_state(data, FAILURE);
return;
}
if (peer_version < data->peap_version) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: peer ver=%d, own ver=%d; "
"use version %d",
peer_version, data->peap_version, peer_version);
data->peap_version = peer_version;
}
if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
if (left < 4) {
wpa_printf(MSG_INFO, "EAP-PEAP: Short frame with TLS "
"length");
eap_peap_state(data, FAILURE);
return;
}
tls_msg_len = (pos[0] << 24) | (pos[1] << 16) | (pos[2] << 8) |
pos[3];
wpa_printf(MSG_DEBUG, "EAP-PEAP: TLS Message Length: %d",
tls_msg_len);
if (data->ssl.tls_in_left == 0) {
data->ssl.tls_in_total = tls_msg_len;
data->ssl.tls_in_left = tls_msg_len;
free(data->ssl.tls_in);
data->ssl.tls_in = NULL;
data->ssl.tls_in_len = 0;
}
pos += 4;
left -= 4;
}
switch (data->state) {
case PHASE1:
if (eap_tls_process_helper(sm, &data->ssl, pos, left) < 0) {
wpa_printf(MSG_INFO, "EAP-PEAP: TLS processing "
"failed");
eap_peap_state(data, FAILURE);
}
break;
case PHASE2_START:
eap_peap_state(data, PHASE2_ID);
eap_peap_phase2_init(sm, data, EAP_TYPE_IDENTITY);
break;
case PHASE2_ID:
case PHASE2_METHOD:
case PHASE2_TLV:
eap_peap_process_phase2(sm, data, resp, pos, left);
break;
case SUCCESS_REQ:
eap_peap_state(data, SUCCESS);
break;
case FAILURE_REQ:
eap_peap_state(data, FAILURE);
break;
default:
wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected state %d in %s",
data->state, __func__);
break;
}
if (tls_connection_get_write_alerts(sm->ssl_ctx, data->ssl.conn) > 1) {
wpa_printf(MSG_INFO, "EAP-PEAP: Locally detected fatal error "
"in TLS processing");
eap_peap_state(data, FAILURE);
}
}
