static void eap_fast_process_phase2(struct eap_sm *sm,
struct eap_fast_data *data,
struct wpabuf *in_buf)
{
struct wpabuf *in_decrypted;
wpa_printf(MSG_DEBUG, "EAP-FAST: Received %lu bytes encrypted data for"
" Phase 2", (unsigned long) wpabuf_len(in_buf));
if (data->pending_phase2_resp) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - "
"skip decryption and use old data");
eap_fast_process_phase2_tlvs(sm, data,
data->pending_phase2_resp);
wpabuf_free(data->pending_phase2_resp);
data->pending_phase2_resp = NULL;
return;
}
in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
in_buf);
if (in_decrypted == NULL) {
wpa_printf(MSG_INFO, "EAP-FAST: Failed to decrypt Phase 2 "
"data");
eap_fast_state(data, FAILURE);
return;
}
wpa_hexdump_buf_key(MSG_DEBUG, "EAP-FAST: Decrypted Phase 2 TLVs",
in_decrypted);
eap_fast_process_phase2_tlvs(sm, data, in_decrypted);
if (sm->method_pending == METHOD_PENDING_WAIT) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method is in "
"pending wait state - save decrypted response");
wpabuf_free(data->pending_phase2_resp);
data->pending_phase2_resp = in_decrypted;
return;
}
wpabuf_free(in_decrypted);
}
static void eap_fast_process_phase2(struct eap_sm *sm,
struct eap_fast_data *data,
struct wpabuf *in_buf)
{
u8 *in_decrypted;
int len_decrypted;
size_t buf_len;
u8 *in_data;
size_t in_len;
in_data = wpabuf_mhead(in_buf);
in_len = wpabuf_len(in_buf);
wpa_printf(MSG_DEBUG, "EAP-FAST: Received %lu bytes encrypted data for"
" Phase 2", (unsigned long) in_len);
if (data->pending_phase2_resp) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 response - "
"skip decryption and use old data");
eap_fast_process_phase2_tlvs(
sm, data, wpabuf_mhead(data->pending_phase2_resp),
wpabuf_len(data->pending_phase2_resp));
wpabuf_free(data->pending_phase2_resp);
data->pending_phase2_resp = NULL;
return;
}
buf_len = in_len;
/*
* Even though we try to disable TLS compression, it is possible that
* this cannot be done with all TLS libraries. Add extra buffer space
* to handle the possibility of the decrypted data being longer than
* input data.
*/
buf_len += 500;
buf_len *= 3;
in_decrypted = os_malloc(buf_len);
if (in_decrypted == NULL) {
wpa_printf(MSG_WARNING, "EAP-FAST: Failed to allocate memory "
"for decryption");
return;
}
len_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
in_data, in_len,
in_decrypted, buf_len);
if (len_decrypted < 0) {
wpa_printf(MSG_INFO, "EAP-FAST: Failed to decrypt Phase 2 "
"data");
os_free(in_decrypted);
eap_fast_state(data, FAILURE);
return;
}
wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Decrypted Phase 2 TLVs",
in_decrypted, len_decrypted);
eap_fast_process_phase2_tlvs(sm, data, in_decrypted, len_decrypted);
if (sm->method_pending == METHOD_PENDING_WAIT) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Phase2 method is in "
"pending wait state - save decrypted response");
wpabuf_free(data->pending_phase2_resp);
data->pending_phase2_resp = wpabuf_alloc_copy(in_decrypted,
len_decrypted);
}
os_free(in_decrypted);
}
