int eap_server_tls_process(struct eap_sm *sm, struct eap_ssl_data *data,
struct wpabuf *respData, void *priv, int eap_type,
int (*proc_version)(struct eap_sm *sm, void *priv,
int peer_version),
void (*proc_msg)(struct eap_sm *sm, void *priv,
const struct wpabuf *respData))
{
const u8 *pos;
u8 flags;
size_t left;
int ret, res = 0;
if (eap_type == EAP_UNAUTH_TLS_TYPE)
pos = eap_hdr_validate(EAP_VENDOR_UNAUTH_TLS,
EAP_VENDOR_TYPE_UNAUTH_TLS, respData,
&left);
else if (eap_type == EAP_WFA_UNAUTH_TLS_TYPE)
pos = eap_hdr_validate(EAP_VENDOR_WFA_NEW,
EAP_VENDOR_WFA_UNAUTH_TLS, respData,
&left);
else
pos = eap_hdr_validate(EAP_VENDOR_IETF, eap_type, respData,
&left);
if (pos == NULL || left < 1)
return 0; /* Should not happen - frame already validated */
flags = *pos++;
left--;
wpa_printf(MSG_DEBUG, "SSL: Received packet(len=%lu) - Flags 0x%02x",
(unsigned long) wpabuf_len(respData), flags);
if (proc_version &&
proc_version(sm, priv, flags & EAP_TLS_VERSION_MASK) < 0)
return -1;
ret = eap_server_tls_reassemble(data, flags, &pos, &left);
if (ret < 0) {
res = -1;
goto done;
} else if (ret == 1)
return 0;
if (proc_msg)
proc_msg(sm, priv, respData);
if (tls_connection_get_write_alerts(sm->ssl_ctx, data->conn) > 1) {
wpa_printf(MSG_INFO, "SSL: Locally detected fatal error in "
"TLS processing");
res = -1;
}
done:
eap_server_tls_free_in_buf(data);
return res;
}
static void eap_peap_process(struct eap_sm *sm, void *priv,
u8 *respData, size_t respDataLen)
{
struct eap_peap_data *data = priv;
struct eap_hdr *resp;
u8 *pos, flags;
int left;
unsigned int tls_msg_len;
int peer_version;
resp = (struct eap_hdr *) respData;
pos = (u8 *) (resp + 1);
pos++;
flags = *pos++;
left = htons(resp->length) - sizeof(struct eap_hdr) - 2;
wpa_printf(MSG_DEBUG, "EAP-PEAP: Received packet(len=%lu) - "
"Flags 0x%02x", (unsigned long) respDataLen, flags);
peer_version = flags & EAP_PEAP_VERSION_MASK;
if (data->force_version >= 0 && peer_version != data->force_version) {
wpa_printf(MSG_INFO, "EAP-PEAP: peer did not select the forced"
" version (forced=%d peer=%d) - reject",
data->force_version, peer_version);
eap_peap_state(data, FAILURE);
return;
}
if (peer_version < data->peap_version) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: peer ver=%d, own ver=%d; "
"use version %d",
peer_version, data->peap_version, peer_version);
data->peap_version = peer_version;
}
if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
if (left < 4) {
wpa_printf(MSG_INFO, "EAP-PEAP: Short frame with TLS "
"length");
eap_peap_state(data, FAILURE);
return;
}
tls_msg_len = (pos[0] << 24) | (pos[1] << 16) | (pos[2] << 8) |
pos[3];
wpa_printf(MSG_DEBUG, "EAP-PEAP: TLS Message Length: %d",
tls_msg_len);
if (data->ssl.tls_in_left == 0) {
data->ssl.tls_in_total = tls_msg_len;
data->ssl.tls_in_left = tls_msg_len;
free(data->ssl.tls_in);
data->ssl.tls_in = NULL;
data->ssl.tls_in_len = 0;
}
pos += 4;
left -= 4;
}
switch (data->state) {
case PHASE1:
if (eap_tls_process_helper(sm, &data->ssl, pos, left) < 0) {
wpa_printf(MSG_INFO, "EAP-PEAP: TLS processing "
"failed");
eap_peap_state(data, FAILURE);
}
break;
case PHASE2_START:
eap_peap_state(data, PHASE2_ID);
eap_peap_phase2_init(sm, data, EAP_TYPE_IDENTITY);
break;
case PHASE2_ID:
case PHASE2_METHOD:
case PHASE2_TLV:
eap_peap_process_phase2(sm, data, resp, pos, left);
break;
case SUCCESS_REQ:
eap_peap_state(data, SUCCESS);
break;
case FAILURE_REQ:
eap_peap_state(data, FAILURE);
break;
default:
wpa_printf(MSG_DEBUG, "EAP-PEAP: Unexpected state %d in %s",
data->state, __func__);
break;
}
if (tls_connection_get_write_alerts(sm->ssl_ctx, data->ssl.conn) > 1) {
wpa_printf(MSG_INFO, "EAP-PEAP: Locally detected fatal error "
"in TLS processing");
eap_peap_state(data, FAILURE);
}
}
