/**
* eap_tls_process_input - Process incoming TLS message
* @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
* @data: Data for TLS processing
* @in_data: Message received from the server
* @in_len: Length of in_data
* @out_data: Buffer for returning a pointer to application data (if available)
* Returns: 0 on success, 1 if more input data is needed, 2 if application data
* is available, -1 on failure
*/
static int eap_tls_process_input(struct eap_sm *sm, struct eap_ssl_data *data,
const u8 *in_data, size_t in_len,
struct wpabuf **out_data)
{
const u8 *msg;
size_t msg_len;
int need_more_input;
u8 *appl_data;
size_t appl_data_len;
msg = eap_peer_tls_data_reassemble(data, in_data, in_len,
&msg_len, &need_more_input);
if (msg == NULL)
return need_more_input ? 1 : -1;
/* Full TLS message reassembled - continue handshake processing */
if (data->tls_out) {
/* This should not happen.. */
wpa_printf(MSG_INFO, "SSL: eap_tls_process_input - pending "
"tls_out data even though tls_out_len = 0");
os_free(data->tls_out);
WPA_ASSERT(data->tls_out == NULL);
}
appl_data = NULL;
data->tls_out = tls_connection_handshake(sm->ssl_ctx, data->conn,
msg, msg_len,
&data->tls_out_len,
&appl_data, &appl_data_len);
eap_peer_tls_reset_input(data);
if (appl_data &&
tls_connection_established(sm->ssl_ctx, data->conn) &&
!tls_connection_get_failed(sm->ssl_ctx, data->conn)) {
wpa_hexdump_key(MSG_MSGDUMP, "SSL: Application data",
appl_data, appl_data_len);
*out_data = wpabuf_alloc_ext_data(appl_data, appl_data_len);
if (*out_data == NULL) {
os_free(appl_data);
return -1;
}
return 2;
}
os_free(appl_data);
return 0;
}
/**
* eap_peer_tls_decrypt - Decrypt received phase 2 TLS message
* @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
* @data: Data for TLS processing
* @in_data: Message received from the server
* @in_decrypted: Buffer for returning a pointer to the decrypted message
* Returns: 0 on success, 1 if more input data is needed, or -1 on failure
*/
int eap_peer_tls_decrypt(struct eap_sm *sm, struct eap_ssl_data *data,
const struct wpabuf *in_data,
struct wpabuf **in_decrypted)
{
int res;
const u8 *msg;
size_t msg_len, buf_len;
int need_more_input;
msg = eap_peer_tls_data_reassemble(data, wpabuf_head(in_data),
wpabuf_len(in_data), &msg_len,
&need_more_input);
if (msg == NULL)
return need_more_input ? 1 : -1;
buf_len = wpabuf_len(in_data);
if (data->tls_in_total > buf_len)
buf_len = data->tls_in_total;
/*
* Even though we try to disable TLS compression, it is possible that
* this cannot be done with all TLS libraries. Add extra buffer space
* to handle the possibility of the decrypted data being longer than
* input data.
*/
buf_len += 500;
buf_len *= 3;
*in_decrypted = wpabuf_alloc(buf_len ? buf_len : 1);
if (*in_decrypted == NULL) {
eap_peer_tls_reset_input(data);
wpa_printf(MSG_WARNING, "SSL: Failed to allocate memory for "
"decryption");
return -1;
}
res = tls_connection_decrypt(sm->ssl_ctx, data->conn, msg, msg_len,
wpabuf_mhead(*in_decrypted), buf_len);
eap_peer_tls_reset_input(data);
if (res < 0) {
wpa_printf(MSG_INFO, "SSL: Failed to decrypt Phase 2 data");
return -1;
}
wpabuf_put(*in_decrypted, res);
return 0;
}
/**
* eap_peer_tls_decrypt - Decrypt received phase 2 TLS message
* @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
* @data: Data for TLS processing
* @in_data: Message received from the server
* @in_decrypted: Buffer for returning a pointer to the decrypted message
* Returns: 0 on success, 1 if more input data is needed, or -1 on failure
*/
int eap_peer_tls_decrypt(struct eap_sm *sm, struct eap_ssl_data *data,
const struct wpabuf *in_data,
struct wpabuf **in_decrypted)
{
const struct wpabuf *msg;
int need_more_input;
msg = eap_peer_tls_data_reassemble(data, in_data, &need_more_input);
if (msg == NULL)
return need_more_input ? 1 : -1;
*in_decrypted = tls_connection_decrypt(data->ssl_ctx, data->conn, msg);
eap_peer_tls_reset_input(data);
if (*in_decrypted == NULL) {
wpa_printf(MSG_INFO, "SSL: Failed to decrypt Phase 2 data");
return -1;
}
return 0;
}
