Line data Source code
1 : /*
2 : * EAP common peer/server definitions
3 : * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi>
4 : *
5 : * This software may be distributed under the terms of the BSD license.
6 : * See README for more details.
7 : */
8 :
9 : #include "includes.h"
10 :
11 : #include "common.h"
12 : #include "eap_defs.h"
13 : #include "eap_common.h"
14 :
15 : /**
16 : * eap_hdr_len_valid - Validate EAP header length field
17 : * @msg: EAP frame (starting with EAP header)
18 : * @min_payload: Minimum payload length needed
19 : * Returns: 1 for valid header, 0 for invalid
20 : *
21 : * This is a helper function that does minimal validation of EAP messages. The
22 : * length field is verified to be large enough to include the header and not
23 : * too large to go beyond the end of the buffer.
24 : */
25 42665 : int eap_hdr_len_valid(const struct wpabuf *msg, size_t min_payload)
26 : {
27 : const struct eap_hdr *hdr;
28 : size_t len;
29 :
30 42665 : if (msg == NULL)
31 0 : return 0;
32 :
33 42665 : hdr = wpabuf_head(msg);
34 :
35 42665 : if (wpabuf_len(msg) < sizeof(*hdr)) {
36 0 : wpa_printf(MSG_INFO, "EAP: Too short EAP frame");
37 0 : return 0;
38 : }
39 :
40 42665 : len = be_to_host16(hdr->length);
41 42665 : if (len < sizeof(*hdr) + min_payload || len > wpabuf_len(msg)) {
42 0 : wpa_printf(MSG_INFO, "EAP: Invalid EAP length");
43 0 : return 0;
44 : }
45 :
46 42665 : return 1;
47 : }
48 :
49 :
50 : /**
51 : * eap_hdr_validate - Validate EAP header
52 : * @vendor: Expected EAP Vendor-Id (0 = IETF)
53 : * @eap_type: Expected EAP type number
54 : * @msg: EAP frame (starting with EAP header)
55 : * @plen: Pointer to variable to contain the returned payload length
56 : * Returns: Pointer to EAP payload (after type field), or %NULL on failure
57 : *
58 : * This is a helper function for EAP method implementations. This is usually
59 : * called in the beginning of struct eap_method::process() function to verify
60 : * that the received EAP request packet has a valid header. This function is
61 : * able to process both legacy and expanded EAP headers and in most cases, the
62 : * caller can just use the returned payload pointer (into *plen) for processing
63 : * the payload regardless of whether the packet used the expanded EAP header or
64 : * not.
65 : */
66 22224 : const u8 * eap_hdr_validate(int vendor, EapType eap_type,
67 : const struct wpabuf *msg, size_t *plen)
68 : {
69 : const struct eap_hdr *hdr;
70 : const u8 *pos;
71 : size_t len;
72 :
73 22224 : if (!eap_hdr_len_valid(msg, 1))
74 0 : return NULL;
75 :
76 22224 : hdr = wpabuf_head(msg);
77 22224 : len = be_to_host16(hdr->length);
78 22224 : pos = (const u8 *) (hdr + 1);
79 :
80 22224 : if (*pos == EAP_TYPE_EXPANDED) {
81 : int exp_vendor;
82 : u32 exp_type;
83 5458 : if (len < sizeof(*hdr) + 8) {
84 0 : wpa_printf(MSG_INFO, "EAP: Invalid expanded EAP "
85 : "length");
86 0 : return NULL;
87 : }
88 5458 : pos++;
89 5458 : exp_vendor = WPA_GET_BE24(pos);
90 5458 : pos += 3;
91 5458 : exp_type = WPA_GET_BE32(pos);
92 5458 : pos += 4;
93 5458 : if (exp_vendor != vendor || exp_type != (u32) eap_type) {
94 0 : wpa_printf(MSG_INFO, "EAP: Invalid expanded frame "
95 : "type");
96 0 : return NULL;
97 : }
98 :
99 5458 : *plen = len - sizeof(*hdr) - 8;
100 5458 : return pos;
101 : } else {
102 16766 : if (vendor != EAP_VENDOR_IETF || *pos != eap_type) {
103 0 : wpa_printf(MSG_INFO, "EAP: Invalid frame type");
104 0 : return NULL;
105 : }
106 16766 : *plen = len - sizeof(*hdr) - 1;
107 16766 : return pos + 1;
108 : }
109 : }
110 :
111 :
112 : /**
113 : * eap_msg_alloc - Allocate a buffer for an EAP message
114 : * @vendor: Vendor-Id (0 = IETF)
115 : * @type: EAP type
116 : * @payload_len: Payload length in bytes (data after Type)
117 : * @code: Message Code (EAP_CODE_*)
118 : * @identifier: Identifier
119 : * Returns: Pointer to the allocated message buffer or %NULL on error
120 : *
121 : * This function can be used to allocate a buffer for an EAP message and fill
122 : * in the EAP header. This function is automatically using expanded EAP header
123 : * if the selected Vendor-Id is not IETF. In other words, most EAP methods do
124 : * not need to separately select which header type to use when using this
125 : * function to allocate the message buffers. The returned buffer has room for
126 : * payload_len bytes and has the EAP header and Type field already filled in.
127 : */
128 13383 : struct wpabuf * eap_msg_alloc(int vendor, EapType type, size_t payload_len,
129 : u8 code, u8 identifier)
130 : {
131 : struct wpabuf *buf;
132 : struct eap_hdr *hdr;
133 : size_t len;
134 :
135 13383 : len = sizeof(struct eap_hdr) + (vendor == EAP_VENDOR_IETF ? 1 : 8) +
136 : payload_len;
137 13383 : buf = wpabuf_alloc(len);
138 13383 : if (buf == NULL)
139 15 : return NULL;
140 :
141 13368 : hdr = wpabuf_put(buf, sizeof(*hdr));
142 13368 : hdr->code = code;
143 13368 : hdr->identifier = identifier;
144 13368 : hdr->length = host_to_be16(len);
145 :
146 13368 : if (vendor == EAP_VENDOR_IETF) {
147 9688 : wpabuf_put_u8(buf, type);
148 : } else {
149 3680 : wpabuf_put_u8(buf, EAP_TYPE_EXPANDED);
150 3680 : wpabuf_put_be24(buf, vendor);
151 3680 : wpabuf_put_be32(buf, type);
152 : }
153 :
154 13368 : return buf;
155 : }
156 :
157 :
158 : /**
159 : * eap_update_len - Update EAP header length
160 : * @msg: EAP message from eap_msg_alloc
161 : *
162 : * This function updates the length field in the EAP header to match with the
163 : * current length for the buffer. This allows eap_msg_alloc() to be used to
164 : * allocate a larger buffer than the exact message length (e.g., if exact
165 : * message length is not yet known).
166 : */
167 166 : void eap_update_len(struct wpabuf *msg)
168 : {
169 : struct eap_hdr *hdr;
170 166 : hdr = wpabuf_mhead(msg);
171 166 : if (wpabuf_len(msg) < sizeof(*hdr))
172 166 : return;
173 166 : hdr->length = host_to_be16(wpabuf_len(msg));
174 : }
175 :
176 :
177 : /**
178 : * eap_get_id - Get EAP Identifier from wpabuf
179 : * @msg: Buffer starting with an EAP header
180 : * Returns: The Identifier field from the EAP header
181 : */
182 12860 : u8 eap_get_id(const struct wpabuf *msg)
183 : {
184 : const struct eap_hdr *eap;
185 :
186 12860 : if (wpabuf_len(msg) < sizeof(*eap))
187 0 : return 0;
188 :
189 12860 : eap = wpabuf_head(msg);
190 12860 : return eap->identifier;
191 : }
192 :
193 :
194 : /**
195 : * eap_get_type - Get EAP Type from wpabuf
196 : * @msg: Buffer starting with an EAP header
197 : * Returns: The EAP Type after the EAP header
198 : */
199 8676 : EapType eap_get_type(const struct wpabuf *msg)
200 : {
201 8676 : if (wpabuf_len(msg) < sizeof(struct eap_hdr) + 1)
202 1385 : return EAP_TYPE_NONE;
203 :
204 7291 : return ((const u8 *) wpabuf_head(msg))[sizeof(struct eap_hdr)];
205 : }
206 :
207 :
208 : #ifdef CONFIG_ERP
209 140 : int erp_parse_tlvs(const u8 *pos, const u8 *end, struct erp_tlvs *tlvs,
210 : int stop_at_keyname)
211 : {
212 140 : os_memset(tlvs, 0, sizeof(*tlvs));
213 :
214 362 : while (pos < end) {
215 : u8 tlv_type, tlv_len;
216 :
217 140 : tlv_type = *pos++;
218 140 : switch (tlv_type) {
219 : case EAP_ERP_TV_RRK_LIFETIME:
220 : case EAP_ERP_TV_RMSK_LIFETIME:
221 : /* 4-octet TV */
222 0 : if (pos + 4 > end) {
223 0 : wpa_printf(MSG_DEBUG, "EAP: Too short TV");
224 0 : return -1;
225 : }
226 0 : pos += 4;
227 0 : break;
228 : case EAP_ERP_TLV_DOMAIN_NAME:
229 : case EAP_ERP_TLV_KEYNAME_NAI:
230 : case EAP_ERP_TLV_CRYPTOSUITES:
231 : case EAP_ERP_TLV_AUTHORIZATION_INDICATION:
232 : case EAP_ERP_TLV_CALLED_STATION_ID:
233 : case EAP_ERP_TLV_CALLING_STATION_ID:
234 : case EAP_ERP_TLV_NAS_IDENTIFIER:
235 : case EAP_ERP_TLV_NAS_IP_ADDRESS:
236 : case EAP_ERP_TLV_NAS_IPV6_ADDRESS:
237 140 : if (pos >= end) {
238 0 : wpa_printf(MSG_DEBUG, "EAP: Too short TLV");
239 0 : return -1;
240 : }
241 140 : tlv_len = *pos++;
242 140 : if (tlv_len > (unsigned) (end - pos)) {
243 0 : wpa_printf(MSG_DEBUG, "EAP: Truncated TLV");
244 0 : return -1;
245 : }
246 140 : if (tlv_type == EAP_ERP_TLV_KEYNAME_NAI) {
247 99 : if (tlvs->keyname) {
248 0 : wpa_printf(MSG_DEBUG,
249 : "EAP: More than one keyName-NAI");
250 0 : return -1;
251 : }
252 99 : tlvs->keyname = pos;
253 99 : tlvs->keyname_len = tlv_len;
254 99 : if (stop_at_keyname)
255 58 : return 0;
256 41 : } else if (tlv_type == EAP_ERP_TLV_DOMAIN_NAME) {
257 41 : tlvs->domain = pos;
258 41 : tlvs->domain_len = tlv_len;
259 : }
260 82 : pos += tlv_len;
261 82 : break;
262 : default:
263 0 : if (tlv_type >= 128 && tlv_type <= 191) {
264 : /* Undefined TLV */
265 0 : if (pos >= end) {
266 0 : wpa_printf(MSG_DEBUG,
267 : "EAP: Too short TLV");
268 0 : return -1;
269 : }
270 0 : tlv_len = *pos++;
271 0 : if (tlv_len > (unsigned) (end - pos)) {
272 0 : wpa_printf(MSG_DEBUG,
273 : "EAP: Truncated TLV");
274 0 : return -1;
275 : }
276 0 : pos += tlv_len;
277 0 : break;
278 : }
279 0 : wpa_printf(MSG_DEBUG, "EAP: Unknown TV/TLV type %u",
280 : tlv_type);
281 0 : pos = end;
282 0 : break;
283 : }
284 : }
285 :
286 82 : return 0;
287 : }
288 : #endif /* CONFIG_ERP */
|
