Diffstat (limited to 'contrib/wpa/src/eap_server/eap_server_ttls.c')
-rw-r--r-- | contrib/wpa/src/eap_server/eap_server_ttls.c | 96 |
1 files changed, 64 insertions, 32 deletions
diff --git a/contrib/wpa/src/eap_server/eap_server_ttls.c b/contrib/wpa/src/eap_server/eap_server_ttls.c
index 52bff8afe42d..b89352244148 100644
--- a/contrib/wpa/src/eap_server/eap_server_ttls.c
+++ b/contrib/wpa/src/eap_server/eap_server_ttls.c
@@ -81,7 +81,7 @@ static void eap_ttls_valid_session(struct eap_sm *sm,
 {
 struct wpabuf *buf;
- if (!sm->tls_session_lifetime)
+ if (!sm->cfg->tls_session_lifetime)
 return;
 buf = wpabuf_alloc(1 + 1 + sm->identity_len);
@@ -480,7 +480,8 @@ static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
 case START:
 return eap_ttls_build_start(sm, data, id);
 case PHASE1:
- if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
+ if (tls_connection_established(sm->cfg->ssl_ctx,
+ data->ssl.conn)) {
 wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, "
 "starting Phase2");
 eap_ttls_state(data, PHASE2_START);
@@ -508,8 +509,8 @@ static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
 }
-static Boolean eap_ttls_check(struct eap_sm *sm, void *priv,
- struct wpabuf *respData)
+static bool eap_ttls_check(struct eap_sm *sm, void *priv,
+ struct wpabuf *respData)
 {
 const u8 *pos;
 size_t len;
@@ -517,10 +518,10 @@ static Boolean eap_ttls_check(struct eap_sm *sm, void *priv,
 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_TTLS, respData, &len);
 if (pos == NULL || len < 1) {
 wpa_printf(MSG_INFO, "EAP-TTLS: Invalid frame");
- return TRUE;
+ return true;
 }
- return FALSE;
+ return false;
 }
@@ -827,15 +828,14 @@ static void eap_ttls_process_phase2_mschapv2(struct eap_sm *sm,
 static int eap_ttls_phase2_eap_init(struct eap_sm *sm,
 struct eap_ttls_data *data,
- EapType eap_type)
+ int vendor, enum eap_type eap_type)
 {
 if (data->phase2_priv && data->phase2_method) {
 data->phase2_method->reset(sm, data->phase2_priv);
 data->phase2_method = NULL;
 data->phase2_priv = NULL;
 }
- data->phase2_method = eap_server_get_eap_method(EAP_VENDOR_IETF,
- eap_type);
+ data->phase2_method = eap_server_get_eap_method(vendor, eap_type);
 if (!data->phase2_method)
 return -1;
@@ -850,7 +850,8 @@ static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
 struct eap_ttls_data *data,
 u8 *in_data, size_t in_len)
 {
- u8 next_type = EAP_TYPE_NONE;
+ int next_vendor = EAP_VENDOR_IETF;
+ enum eap_type next_type = EAP_TYPE_NONE;
 struct eap_hdr *hdr;
 u8 *pos;
 size_t left;
@@ -875,14 +876,17 @@ static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
 if (sm->user && sm->user_eap_method_index < EAP_MAX_METHODS &&
 sm->user->methods[sm->user_eap_method_index].method !=
 EAP_TYPE_NONE) {
+ next_vendor = sm->user->methods[
+ sm->user_eap_method_index].vendor;
 next_type = sm->user->methods[
 sm->user_eap_method_index++].method;
- wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d",
- next_type);
- if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
- wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to "
- "initialize EAP type %d",
- next_type);
+ wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %u:%u",
+ next_vendor, next_type);
+ if (eap_ttls_phase2_eap_init(sm, data, next_vendor,
+ next_type)) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-TTLS: Failed to initialize EAP type %u:%u",
+ next_vendor, next_type);
 eap_ttls_state(data, FAILURE);
 return;
 }
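Review bot: In the -875 hunk the new `"EAP-TTLS: try EAP type %u:%u"` and `"Failed to initialize EAP type %u:%u"` messages pass `next_vendor`, declared `int` in the -850 hunk, and `next_type`, an `enum eap_type` whose underlying type is implementation-defined, to `%u`; the same pairing recurs twice in the -930 hunk on the next line. For the non-negative values these variables hold the mismatch is harmless in practice, but `%u` expects `unsigned int` and `-Wformat-signedness` will flag all four calls. Casting at the call site keeps both the message format and the `int vendor` parameter of eap_ttls_phase2_eap_init unchanged: `wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %u:%u", (unsigned int) next_vendor, (unsigned int) next_type);`. The enclosing eap_ttls_process_phase2_eap_response begins and ends outside this hunk.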
@@ -930,12 +934,16 @@ static void eap_ttls_process_phase2_eap_response(struct eap_sm *sm,
 }
 eap_ttls_state(data, PHASE2_METHOD);
+ next_vendor = sm->user->methods[0].vendor;
 next_type = sm->user->methods[0].method;
 sm->user_eap_method_index = 1;
- wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %d", next_type);
- if (eap_ttls_phase2_eap_init(sm, data, next_type)) {
- wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize "
- "EAP type %d", next_type);
+ wpa_printf(MSG_DEBUG, "EAP-TTLS: try EAP type %u:%u",
+ next_vendor, next_type);
+ if (eap_ttls_phase2_eap_init(sm, data, next_vendor,
+ next_type)) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-TTLS: Failed to initialize EAP type %u:%u",
+ next_vendor, next_type);
 eap_ttls_state(data, FAILURE);
 }
 break;
@@ -962,8 +970,8 @@ static void eap_ttls_process_phase2_eap(struct eap_sm *sm,
 if (data->state == PHASE2_START) {
 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: initializing Phase 2");
- if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_IDENTITY) < 0)
- {
+ if (eap_ttls_phase2_eap_init(sm, data, EAP_VENDOR_IETF,
+ EAP_TYPE_IDENTITY) < 0) {
 wpa_printf(MSG_DEBUG, "EAP-TTLS/EAP: failed to "
 "initialize EAP-Identity");
 return;
@@ -1022,7 +1030,7 @@ static void eap_ttls_process_phase2(struct eap_sm *sm,
 return;
 }
- in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
+ in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn,
 in_buf);
 if (in_decrypted == NULL) {
 wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
@@ -1112,11 +1120,11 @@ done:
 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data)
 {
 #ifdef EAP_SERVER_TNC
- if (!sm->tnc || data->state != SUCCESS || data->tnc_started)
+ if (!sm->cfg->tnc || data->state != SUCCESS || data->tnc_started)
 return;
 wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC");
- if (eap_ttls_phase2_eap_init(sm, data, EAP_TYPE_TNC)) {
+ if (eap_ttls_phase2_eap_init(sm, data, EAP_VENDOR_IETF, EAP_TYPE_TNC)) {
 wpa_printf(MSG_DEBUG, "EAP-TTLS: Failed to initialize TNC");
 eap_ttls_state(data, FAILURE);
 return;
@@ -1202,8 +1210,8 @@ static void eap_ttls_process(struct eap_sm *sm, void *priv,
 return;
 }
- if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
- !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
+ if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
+ !tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn))
 return;
 buf = tls_connection_get_success_data(data->ssl.conn);
@@ -1252,7 +1260,7 @@ static void eap_ttls_process(struct eap_sm *sm, void *priv,
 }
-static Boolean eap_ttls_isDone(struct eap_sm *sm, void *priv)
+static bool eap_ttls_isDone(struct eap_sm *sm, void *priv)
 {
 struct eap_ttls_data *data = priv;
 return data->state == SUCCESS || data->state == FAILURE;
@@ -1263,13 +1271,25 @@ static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
 {
 struct eap_ttls_data *data = priv;
 u8 *eapKeyData;
+ const char *label;
+ const u8 eap_tls13_context[1] = { EAP_TYPE_TTLS };
+ const u8 *context = NULL;
+ size_t context_len = 0;
 if (data->state != SUCCESS)
 return NULL;
+ if (data->ssl.tls_v13) {
+ label = "EXPORTER_EAP_TLS_Key_Material";
+ context = eap_tls13_context;
+ context_len = sizeof(eap_tls13_context);
+ } else {
+ label = "ttls keying material";
+ }
+
 eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
- "ttls keying material", NULL, 0,
- EAP_TLS_KEY_LEN);
+ label, context, context_len,
+ EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
 if (eapKeyData) {
 *len = EAP_TLS_KEY_LEN;
 wpa_hexdump_key(MSG_DEBUG, "EAP-TTLS: Derived key",
@@ -1282,7 +1302,7 @@ static u8 * eap_ttls_getKey(struct eap_sm *sm, void *priv, size_t *len)
 }
-static Boolean eap_ttls_isSuccess(struct eap_sm *sm, void *priv)
+static bool eap_ttls_isSuccess(struct eap_sm *sm, void *priv)
 {
 struct eap_ttls_data *data = priv;
 return data->state == SUCCESS;
@@ -1305,12 +1325,24 @@ static u8 * eap_ttls_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
 {
 struct eap_ttls_data *data = priv;
 u8 *eapKeyData, *emsk;
+ const char *label;
+ const u8 eap_tls13_context[1] = { EAP_TYPE_TTLS };
+ const u8 *context = NULL;
+ size_t context_len = 0;
 if (data->state != SUCCESS)
 return NULL;
+ if (data->ssl.tls_v13) {
+ label = "EXPORTER_EAP_TLS_Key_Material";
+ context = eap_tls13_context;
+ context_len = sizeof(eap_tls13_context);
+ } else {
+ label = "ttls keying material";
+ }
+
 eapKeyData = eap_server_tls_derive_key(sm, &data->ssl,
- "ttls keying material", NULL, 0,
+ label, context, context_len,
 EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
 if (eapKeyData) {
 emsk = os_malloc(EAP_EMSK_LEN); |
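Review bot: In the -1263 hunk eap_ttls_getKey now asks eap_server_tls_derive_key for `EAP_TLS_KEY_LEN + EAP_EMSK_LEN` bytes while `*len` stays `EAP_TLS_KEY_LEN`, and nothing in the code records why the request grew; a comment above the call such as `/* Derive MSK and EMSK together: with TLS 1.3 the requested length is an input to the exporter, so the MSK must be the first EAP_TLS_KEY_LEN bytes of the same block eap_ttls_get_emsk derives. */` would keep the two functions from being "optimized" back out of sync. The label/context selection on `data->ssl.tls_v13` is repeated verbatim in the -1305 hunk (eap_ttls_get_emsk); a small static helper that fills label, context and context_len would remove the duplication. The returned buffer is also EAP_EMSK_LEN bytes longer than `*len` reports and now carries EMSK material; the code that later releases it is outside this hunk, so it is worth confirming it clears the whole allocation rather than only the first `*len` bytes.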