static u8 * eap_tls_failure(struct eap_sm *sm, struct eap_tls_data *data,
struct eap_method_ret *ret, int res, u8 *resp,
u8 id, size_t *respDataLen)
{
wpa_printf(MSG_DEBUG, "EAP-TLS: TLS processing failed");
ret->methodState = METHOD_DONE;
ret->decision = DECISION_FAIL;
if (res == -1) {
struct wpa_ssid *config = eap_get_config(sm);
if (config) {
/*
* The TLS handshake failed. So better forget the old
* PIN. It may be wrong, we cannot be sure but trying
* the wrong one again might block it on the card--so
* better ask the user again.
*/
os_free(config->pin);
config->pin = NULL;
}
}
if (resp) {
/*
* This is likely an alert message, so send it instead of just
* ACKing the error.
*/
return resp;
}
return eap_tls_build_ack(&data->ssl, respDataLen, id, EAP_TYPE_TLS, 0);
}
static u8 * eap_tls_build_req(struct eap_sm *sm, struct eap_tls_data *data,
int id, size_t *reqDataLen)
{
int res;
u8 *req;
res = eap_tls_buildReq_helper(sm, &data->ssl, EAP_TYPE_TLS, 0, id,
&req, reqDataLen);
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
data->state = SUCCESS;
}
if (res == 1)
return eap_tls_build_ack(reqDataLen, id, EAP_TYPE_TLS, 0);
return req;
}
static u8 * eap_tls_process(struct eap_sm *sm, void *priv,
struct eap_method_ret *ret,
const u8 *reqData, size_t reqDataLen,
size_t *respDataLen)
{
const struct eap_hdr *req;
size_t left;
int res;
u8 flags, *resp, id;
const u8 *pos;
struct eap_tls_data *data = priv;
pos = eap_tls_process_init(sm, &data->ssl, EAP_TYPE_TLS, ret,
reqData, reqDataLen, &left, &flags);
if (pos == NULL)
return NULL;
req = (const struct eap_hdr *) reqData;
id = req->identifier;
if (flags & EAP_TLS_FLAGS_START) {
wpa_printf(MSG_DEBUG, "EAP-TLS: Start");
left = 0; /* make sure that this frame is empty, even though it
* should always be, anyway */
}
resp = NULL;
res = eap_tls_process_helper(sm, &data->ssl, EAP_TYPE_TLS, 0, id, pos,
left, &resp, respDataLen);
if (res < 0) {
return eap_tls_failure(sm, data, ret, res, resp, id,
respDataLen);
}
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn))
eap_tls_success(sm, data, ret);
if (res == 1) {
return eap_tls_build_ack(&data->ssl, respDataLen, id,
EAP_TYPE_TLS, 0);
}
return resp;
}
static u8 * eap_peap_build_req(struct eap_sm *sm, struct eap_peap_data *data,
int id, size_t *reqDataLen)
{
int res;
u8 *req;
res = eap_tls_buildReq_helper(sm, &data->ssl, EAP_TYPE_PEAP,
data->peap_version, id, &req,
reqDataLen);
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, starting "
"Phase2");
eap_peap_state(data, PHASE2_START);
}
if (res == 1)
return eap_tls_build_ack(reqDataLen, id, EAP_TYPE_PEAP,
data->peap_version);
return req;
}
static u8 * eap_tls_process(struct eap_sm *sm, void *priv,
struct eap_method_ret *ret,
const u8 *reqData, size_t reqDataLen,
size_t *respDataLen)
{
struct wpa_ssid *config = eap_get_config(sm);
const struct eap_hdr *req;
size_t left;
int res;
u8 flags, *resp, id;
const u8 *pos;
struct eap_tls_data *data = priv;
pos = eap_tls_process_init(sm, &data->ssl, EAP_TYPE_TLS, ret,
reqData, reqDataLen, &left, &flags);
if (pos == NULL)
return NULL;
req = (const struct eap_hdr *) reqData;
id = req->identifier;
if (flags & EAP_TLS_FLAGS_START) {
wpa_printf(MSG_DEBUG, "EAP-TLS: Start");
left = 0; /* make sure that this frame is empty, even though it
* should always be, anyway */
}
resp = NULL;
res = eap_tls_process_helper(sm, &data->ssl, EAP_TYPE_TLS, 0, id, pos,
left, &resp, respDataLen);
if (res < 0) {
wpa_printf(MSG_DEBUG, "EAP-TLS: TLS processing failed");
ret->methodState = METHOD_MAY_CONT;
ret->decision = DECISION_FAIL;
if (res == -1) {
/*
* The TLS handshake failed. So better forget the old
* PIN. It may be wrong, we can't be sure but trying
* the wrong one again might block it on the card - so
* better ask the user again.
*/
free(config->pin);
config->pin = NULL;
}
if (resp) {
/* This is likely an alert message, so send it instead
* of just ACKing the error. */
return resp;
}
return eap_tls_build_ack(&data->ssl, respDataLen, id,
EAP_TYPE_TLS, 0);
}
if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
ret->methodState = METHOD_DONE;
ret->decision = DECISION_UNCOND_SUCC;
free(data->key_data);
data->key_data = eap_tls_derive_key(sm, &data->ssl,
"client EAP encryption",
EAP_TLS_KEY_LEN);
if (data->key_data) {
wpa_hexdump_key(MSG_DEBUG, "EAP-TLS: Derived key",
data->key_data, EAP_TLS_KEY_LEN);
} else {
wpa_printf(MSG_DEBUG, "EAP-TLS: Failed to derive key");
}
}
if (res == 1) {
return eap_tls_build_ack(&data->ssl, respDataLen, id,
EAP_TYPE_TLS, 0);
}
return resp;
}
