struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
struct tls_connection *conn,
const struct wpabuf *in_data,
struct wpabuf **appl_data)
{
return tls_connection_handshake(tls_ctx, conn, in_data, appl_data);
}
u8 * tls_connection_server_handshake(void *ssl_ctx,
struct tls_connection *conn,
const u8 *in_data, size_t in_len,
size_t *out_len)
{
return tls_connection_handshake(ssl_ctx, conn, in_data, in_len,
out_len);
}
static int eap_tls_process_input(struct eap_sm *sm, struct eap_ssl_data *data,
const u8 *in_data, size_t in_len,
u8 **out_data, size_t *out_len)
{
const u8 *msg;
size_t msg_len;
int need_more_input;
u8 *appl_data;
size_t appl_data_len;
msg = eap_tls_data_reassemble(sm, data, in_data, in_len,
&msg_len, &need_more_input);
if (msg == NULL)
return need_more_input ? 1 : -1;
/* Full TLS message reassembled - continue handshake processing */
if (data->tls_out) {
/* This should not happen.. */
wpa_printf(MSG_INFO, "SSL: eap_tls_process_helper - pending "
"tls_out data even though tls_out_len = 0");
os_free(data->tls_out);
WPA_ASSERT(data->tls_out == NULL);
}
appl_data = NULL;
data->tls_out = tls_connection_handshake(sm->ssl_ctx, data->conn,
msg, msg_len,
&data->tls_out_len,
&appl_data, &appl_data_len);
/* Clear reassembled input data (if the buffer was needed). */
data->tls_in_left = data->tls_in_total = data->tls_in_len = 0;
os_free(data->tls_in);
data->tls_in = NULL;
if (appl_data &&
tls_connection_established(sm->ssl_ctx, data->conn) &&
!tls_connection_get_failed(sm->ssl_ctx, data->conn)) {
wpa_hexdump_key(MSG_MSGDUMP, "SSL: Application data",
appl_data, appl_data_len);
*out_data = appl_data;
*out_len = appl_data_len;
return 2;
}
os_free(appl_data);
return 0;
}
/**
* eap_tls_process_input - Process incoming TLS message
* @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
* @data: Data for TLS processing
* @in_data: Message received from the server
* @in_len: Length of in_data
* @out_data: Buffer for returning a pointer to application data (if available)
* Returns: 0 on success, 1 if more input data is needed, 2 if application data
* is available, -1 on failure
*/
static int eap_tls_process_input(struct eap_sm *sm, struct eap_ssl_data *data,
const u8 *in_data, size_t in_len,
struct wpabuf **out_data)
{
const u8 *msg;
size_t msg_len;
int need_more_input;
u8 *appl_data;
size_t appl_data_len;
msg = eap_peer_tls_data_reassemble(data, in_data, in_len,
&msg_len, &need_more_input);
if (msg == NULL)
return need_more_input ? 1 : -1;
/* Full TLS message reassembled - continue handshake processing */
if (data->tls_out) {
/* This should not happen.. */
wpa_printf(MSG_INFO, "SSL: eap_tls_process_input - pending "
"tls_out data even though tls_out_len = 0");
os_free(data->tls_out);
WPA_ASSERT(data->tls_out == NULL);
}
appl_data = NULL;
data->tls_out = tls_connection_handshake(sm->ssl_ctx, data->conn,
msg, msg_len,
&data->tls_out_len,
&appl_data, &appl_data_len);
eap_peer_tls_reset_input(data);
if (appl_data &&
tls_connection_established(sm->ssl_ctx, data->conn) &&
!tls_connection_get_failed(sm->ssl_ctx, data->conn)) {
wpa_hexdump_key(MSG_MSGDUMP, "SSL: Application data",
appl_data, appl_data_len);
*out_data = wpabuf_alloc_ext_data(appl_data, appl_data_len);
if (*out_data == NULL) {
os_free(appl_data);
return -1;
}
return 2;
}
os_free(appl_data);
return 0;
}
int eap_tls_process_helper(struct eap_sm *sm, struct eap_ssl_data *data,
int eap_type, int peap_version,
u8 id, const u8 *in_data, size_t in_len,
u8 **out_data, size_t *out_len)
{
size_t len;
u8 *pos, *flags;
struct eap_hdr *resp;
int ret = 0;
WPA_ASSERT(data->tls_out_len == 0 || in_len == 0);
*out_len = 0;
if (data->tls_out_len == 0) {
/* No more data to send out - expect to receive more data from
* the AS. */
const u8 *msg;
size_t msg_len;
int need_more_input;
msg = eap_tls_data_reassemble(sm, data, in_data, in_len,
&msg_len, &need_more_input);
if (msg == NULL)
return need_more_input ? 1 : -1;
/* Full TLS message reassembled - continue handshake processing
*/
if (data->tls_out) {
/* This should not happen.. */
wpa_printf(MSG_INFO, "SSL: eap_tls_process_helper - "
"pending tls_out data even though "
"tls_out_len = 0");
free(data->tls_out);
WPA_ASSERT(data->tls_out == NULL);
}
data->tls_out = tls_connection_handshake(sm->ssl_ctx,
data->conn,
msg, msg_len,
&data->tls_out_len);
/* Clear reassembled input data (if the buffer was needed). */
data->tls_in_left = data->tls_in_total = data->tls_in_len = 0;
free(data->tls_in);
data->tls_in = NULL;
}
if (data->tls_out == NULL) {
data->tls_out_len = 0;
return -1;
}
if (tls_connection_get_failed(sm->ssl_ctx, data->conn)) {
wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to "
"report error");
ret = -1;
/* TODO: clean pin if engine used? */
}
if (data->tls_out_len == 0) {
/* TLS negotiation should now be complete since all other cases
* needing more that should have been catched above based on
* the TLS Message Length field. */
wpa_printf(MSG_DEBUG, "SSL: No data to be sent out");
free(data->tls_out);
data->tls_out = NULL;
return 1;
}
wpa_printf(MSG_DEBUG, "SSL: %lu bytes left to be sent out (of total "
"%lu bytes)",
(unsigned long) data->tls_out_len - data->tls_out_pos,
(unsigned long) data->tls_out_len);
resp = malloc(sizeof(struct eap_hdr) + 2 + 4 + data->tls_out_limit);
if (resp == NULL) {
*out_data = NULL;
return -1;
}
resp->code = EAP_CODE_RESPONSE;
resp->identifier = id;
pos = (u8 *) (resp + 1);
*pos++ = eap_type;
flags = pos++;
*flags = peap_version;
if (data->tls_out_pos == 0 &&
(data->tls_out_len > data->tls_out_limit ||
data->include_tls_length)) {
*flags |= EAP_TLS_FLAGS_LENGTH_INCLUDED;
*pos++ = (data->tls_out_len >> 24) & 0xff;
*pos++ = (data->tls_out_len >> 16) & 0xff;
*pos++ = (data->tls_out_len >> 8) & 0xff;
*pos++ = data->tls_out_len & 0xff;
}
