}
-static struct wpabuf * eap_peap_build_req(struct eap_sm *sm,
- struct eap_peap_data *data, u8 id)
-{
- int res;
- struct wpabuf *req;
-
- res = eap_server_tls_buildReq_helper(sm, &data->ssl, EAP_TYPE_PEAP,
- data->peap_version, id, &req);
-
- if (data->peap_version < 2 &&
- tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
- wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, starting "
- "Phase2");
- eap_peap_state(data, PHASE2_START);
- }
-
- if (res == 1)
- return eap_server_tls_build_ack(id, EAP_TYPE_PEAP,
- data->peap_version);
- return req;
-}
-
-
-static struct wpabuf * eap_peap_encrypt(struct eap_sm *sm,
- struct eap_peap_data *data,
- u8 id, const u8 *plain,
- size_t plain_len)
-{
- int res;
- struct wpabuf *buf;
-
- /* TODO: add support for fragmentation, if needed. This will need to
- * add TLS Message Length field, if the frame is fragmented. */
- buf = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PEAP,
- 1 + data->ssl.tls_out_limit,
- EAP_CODE_REQUEST, id);
- if (buf == NULL)
- return NULL;
-
- wpabuf_put_u8(buf, data->peap_version);
-
- res = tls_connection_encrypt(sm->ssl_ctx, data->ssl.conn,
- plain, plain_len, wpabuf_put(buf, 0),
- data->ssl.tls_out_limit);
- if (res < 0) {
- wpa_printf(MSG_INFO, "EAP-PEAP: Failed to encrypt Phase 2 "
- "data");
- wpabuf_free(buf);
- return NULL;
- }
-
- wpabuf_put(buf, res);
- eap_update_len(buf);
-
- return buf;
-}
-
-
static struct wpabuf * eap_peap_build_phase2_req(struct eap_sm *sm,
struct eap_peap_data *data,
u8 id)
req_len -= sizeof(struct eap_hdr);
}
- encr_req = eap_peap_encrypt(sm, data, id, req, req_len);
+ encr_req = eap_server_tls_encrypt(sm, &data->ssl, req, req_len);
wpabuf_free(buf);
return encr_req;
req += sizeof(struct eap_hdr);
req_len -= sizeof(struct eap_hdr);
- encr_req = eap_peap_encrypt(sm, data, id, req, req_len);
+ encr_req = eap_server_tls_encrypt(sm, &data->ssl, req, req_len);
wpabuf_free(buf);
return encr_req;
wpa_hexdump_buf_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 TLV data",
buf);
- encr_req = eap_peap_encrypt(sm, data, id, wpabuf_head(buf),
- wpabuf_len(buf));
+ encr_req = eap_server_tls_encrypt(sm, &data->ssl, wpabuf_head(buf),
+ wpabuf_len(buf));
wpabuf_free(buf);
return encr_req;
wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: Encrypting Phase 2 data",
(u8 *) hdr, req_len);
- encr_req = eap_peap_encrypt(sm, data, id, (u8 *) hdr, req_len);
+ encr_req = eap_server_tls_encrypt(sm, &data->ssl, (u8 *) hdr, req_len);
os_free(hdr);
return encr_req;
{
struct eap_peap_data *data = priv;
+ if (data->ssl.state == FRAG_ACK) {
+ return eap_server_tls_build_ack(id, EAP_TYPE_PEAP,
+ data->peap_version);
+ }
+
+ if (data->ssl.state == WAIT_FRAG_ACK) {
+ return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_PEAP,
+ data->peap_version, id);
+ }
+
switch (data->state) {
case START:
return eap_peap_build_start(sm, data, id);
case PHASE1:
case PHASE1_ID2:
- return eap_peap_build_req(sm, data, id);
+ if (data->peap_version < 2 &&
+ tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, "
+ "starting Phase2");
+ eap_peap_state(data, PHASE2_START);
+ }
+ break;
case PHASE2_ID:
case PHASE2_METHOD:
- return eap_peap_build_phase2_req(sm, data, id);
+ wpabuf_free(data->ssl.out_buf);
+ data->ssl.out_used = 0;
+ data->ssl.out_buf = eap_peap_build_phase2_req(sm, data, id);
+ break;
#ifdef EAP_TNC
case PHASE2_SOH:
- return eap_peap_build_phase2_soh(sm, data, id);
+ wpabuf_free(data->ssl.out_buf);
+ data->ssl.out_used = 0;
+ data->ssl.out_buf = eap_peap_build_phase2_soh(sm, data, id);
+ break;
#endif /* EAP_TNC */
case PHASE2_TLV:
- return eap_peap_build_phase2_tlv(sm, data, id);
+ wpabuf_free(data->ssl.out_buf);
+ data->ssl.out_used = 0;
+ data->ssl.out_buf = eap_peap_build_phase2_tlv(sm, data, id);
+ break;
case SUCCESS_REQ:
- return eap_peap_build_phase2_term(sm, data, id, 1);
+ wpabuf_free(data->ssl.out_buf);
+ data->ssl.out_used = 0;
+ data->ssl.out_buf = eap_peap_build_phase2_term(sm, data, id,
+ 1);
+ break;
case FAILURE_REQ:
- return eap_peap_build_phase2_term(sm, data, id, 0);
+ wpabuf_free(data->ssl.out_buf);
+ data->ssl.out_used = 0;
+ data->ssl.out_buf = eap_peap_build_phase2_term(sm, data, id,
+ 0);
+ break;
default:
wpa_printf(MSG_DEBUG, "EAP-PEAP: %s - unexpected state %d",
__func__, data->state);
return NULL;
}
+
+ return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_PEAP,
+ data->peap_version, id);
}
const u8 *in_data, size_t in_len)
{
struct wpabuf *in_decrypted;
- int len_decrypted, res;
+ int len_decrypted;
const struct eap_hdr *hdr;
size_t buf_len, len;
return;
}
- /* FIX: get rid of const -> non-const typecast */
- res = eap_server_tls_data_reassemble(sm, &data->ssl, (u8 **) &in_data,
- &in_len);
- if (res < 0 || res == 1)
- return;
-
buf_len = in_len;
- if (data->ssl.tls_in_total > buf_len)
- buf_len = data->ssl.tls_in_total;
/*
* Even though we try to disable TLS compression, it is possible that
* this cannot be done with all TLS libraries. Add extra buffer space
buf_len *= 3;
in_decrypted = wpabuf_alloc(buf_len);
if (in_decrypted == NULL) {
- os_free(data->ssl.tls_in);
- data->ssl.tls_in = NULL;
- data->ssl.tls_in_len = 0;
wpa_printf(MSG_WARNING, "EAP-PEAP: failed to allocate memory "
"for decryption");
return;
in_data, in_len,
wpabuf_mhead(in_decrypted),
buf_len);
- os_free(data->ssl.tls_in);
- data->ssl.tls_in = NULL;
- data->ssl.tls_in_len = 0;
if (len_decrypted < 0) {
wpa_printf(MSG_INFO, "EAP-PEAP: Failed to decrypt Phase 2 "
"data");
{
struct wpabuf *buf, *buf2;
int res;
- u8 *tls_out;
wpa_printf(MSG_DEBUG, "EAP-PEAPv2: Phase1 done, include first Phase2 "
"payload in the same message");
buf);
/* Append TLS data into the pending buffer after the Server Finished */
- tls_out = os_realloc(data->ssl.tls_out,
- data->ssl.tls_out_len + wpabuf_len(buf));
- if (tls_out == NULL) {
+ if (wpabuf_resize(&data->ssl.out_buf, wpabuf_len(buf)) < 0) {
wpabuf_free(buf);
return -1;
}
-
- os_memcpy(tls_out + data->ssl.tls_out_len, wpabuf_head(buf),
- wpabuf_len(buf));
- data->ssl.tls_out = tls_out;
- data->ssl.tls_out_len += wpabuf_len(buf);
-
+ wpabuf_put_buf(data->ssl.out_buf, buf);
wpabuf_free(buf);
return 0;
const u8 *pos;
u8 flags;
size_t left;
- unsigned int tls_msg_len;
int peer_version;
+ int ret;
pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PEAP, respData,
&left);
peer_version, data->peap_version, peer_version);
data->peap_version = peer_version;
}
- if (flags & EAP_TLS_FLAGS_LENGTH_INCLUDED) {
- if (left < 4) {
- wpa_printf(MSG_INFO, "EAP-PEAP: Short frame with TLS "
- "length");
- eap_peap_state(data, FAILURE);
- return;
- }
- tls_msg_len = WPA_GET_BE32(pos);
- wpa_printf(MSG_DEBUG, "EAP-PEAP: TLS Message Length: %d",
- tls_msg_len);
- if (data->ssl.tls_in_left == 0) {
- data->ssl.tls_in_total = tls_msg_len;
- data->ssl.tls_in_left = tls_msg_len;
- os_free(data->ssl.tls_in);
- data->ssl.tls_in = NULL;
- data->ssl.tls_in_len = 0;
- }
- pos += 4;
- left -= 4;
- }
+
+ ret = eap_server_tls_reassemble(&data->ssl, flags, &pos, &left);
+ if (ret < 0) {
+ eap_peap_state(data, FAILURE);
+ return;
+ } else if (ret == 1)
+ return;
switch (data->state) {
case PHASE1:
- if (eap_server_tls_process_helper(sm, &data->ssl, pos, left) <
- 0) {
- wpa_printf(MSG_INFO, "EAP-PEAP: TLS processing "
- "failed");
+ if (eap_server_tls_phase1(sm, &data->ssl) < 0) {
eap_peap_state(data, FAILURE);
break;
}
"in TLS processing");
eap_peap_state(data, FAILURE);
}
+
+ eap_server_tls_free_in_buf(&data->ssl);
}
projects / libeap.git / blobdiff