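/*
 * EAP common peer/server definitions
 * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "includes.h"

#include "common.h"
#include "eap_defs.h"
#include "eap_common.h"

/**
 * eap_hdr_len_valid - Validate EAP header length field
 * @msg: EAP frame (starting with EAP header)
 * @min_payload: Minimum payload length needed
 * Returns: 1 for valid header, 0 for invalid
 *
 * This is a helper function that does minimal validation of EAP messages. The
 * length field is verified to be large enough to include the header and not
 * too large to go beyond the end of the buffer.
 *
 * A %NULL @msg is treated as invalid. The length field is allowed to be
 * smaller than the buffer; only a length field larger than the buffer is
 * rejected. Code that parses the frame afterwards should therefore bound
 * itself by the header length field, as eap_hdr_validate() does.
 */
int eap_hdr_len_valid(const struct wpabuf *msg, size_t min_payload)
{
	const struct eap_hdr *hdr;
	size_t len;

	if (msg == NULL)
		return 0;

	hdr = wpabuf_head(msg);

	/* The header fields must not be read before the buffer is known to
	 * hold a full header. */
	if (wpabuf_len(msg) < sizeof(*hdr)) {
		wpa_printf(MSG_INFO, "EAP: Too short EAP frame");
		return 0;
	}

	len = be_to_host16(hdr->length);
	if (len < sizeof(*hdr) + min_payload || len > wpabuf_len(msg)) {
		wpa_printf(MSG_INFO, "EAP: Invalid EAP length");
		return 0;
	}

	return 1;
}


/**
 * eap_hdr_validate - Validate EAP header
 * @vendor: Expected EAP Vendor-Id (0 = IETF)
 * @eap_type: Expected EAP type number
 * @msg: EAP frame (starting with EAP header)
 * @plen: Pointer to variable to contain the returned payload length
 * Returns: Pointer to EAP payload (after type field), or %NULL on failure
 *
 * This is a helper function for EAP method implementations. This is usually
 * called in the beginning of struct eap_method::process() function to verify
 * that the received EAP request packet has a valid header. This function is
 * able to process both legacy and expanded EAP headers and in most cases, the
 * caller can just use the returned payload pointer together with the length
 * stored in *plen for processing the payload regardless of whether the packet
 * used the expanded EAP header or not.
 *
 * The returned pointer refers to the data inside @msg; nothing is copied.
 * *plen is derived from the EAP header length field and can be zero. It is
 * written only on success, so it must not be used when %NULL is returned.
 */
const u8 * eap_hdr_validate(int vendor, EapType eap_type,
			    const struct wpabuf *msg, size_t *plen)
{
	const struct eap_hdr *hdr;
	const u8 *pos;
	size_t len;

	/* Requires at least one payload octet so that the Type field below
	 * can be read. */
	if (!eap_hdr_len_valid(msg, 1))
		return NULL;

	hdr = wpabuf_head(msg);
	len = be_to_host16(hdr->length);
	pos = (const u8 *) (hdr + 1);

	if (*pos == EAP_TYPE_EXPANDED) {
		int exp_vendor;
		u32 exp_type;

		/* Expanded header: Type (1) + Vendor-Id (3) + Vendor-Type (4)
		 * octets have to fit within the validated length before they
		 * are read. */
		if (len < sizeof(*hdr) + 8) {
			wpa_printf(MSG_INFO, "EAP: Invalid expanded EAP "
				   "length");
			return NULL;
		}
		pos++;
		exp_vendor = WPA_GET_BE24(pos);
		pos += 3;
		exp_type = WPA_GET_BE32(pos);
		pos += 4;
		if (exp_vendor != vendor || exp_type != (u32) eap_type) {
			wpa_printf(MSG_INFO, "EAP: Invalid expanded frame "
				   "type");
			return NULL;
		}

		*plen = len - sizeof(*hdr) - 8;
		return pos;
	} else {
		/* A legacy header can only carry an IETF type. */
		if (vendor != EAP_VENDOR_IETF || *pos != eap_type) {
			wpa_printf(MSG_INFO, "EAP: Invalid frame type");
			return NULL;
		}
		*plen = len - sizeof(*hdr) - 1;
		return pos + 1;
	}
}


/**
 * eap_msg_alloc - Allocate a buffer for an EAP message
 * @vendor: Vendor-Id (0 = IETF)
 * @type: EAP type
 * @payload_len: Payload length in bytes (data after Type)
 * @code: Message Code (EAP_CODE_*)
 * @identifier: Identifier
 * Returns: Pointer to the allocated message buffer or %NULL on error
 *
 * This function can be used to allocate a buffer for an EAP message and fill
 * in the EAP header. This function is automatically using expanded EAP header
 * if the selected Vendor-Id is not IETF. In other words, most EAP methods do
 * not need to separately select which header type to use when using this
 * function to allocate the message buffers. The returned buffer has room for
 * payload_len bytes and has the EAP header and Type field already filled in.
 *
 * NOTE(review): the total length is computed in size_t without a range check
 * and is then stored with host_to_be16(). A @payload_len that pushes the
 * total above 65535 would presumably leave a truncated length field in the
 * header - confirm that every caller bounds @payload_len.
 */
struct wpabuf * eap_msg_alloc(int vendor, EapType type, size_t payload_len,
			      u8 code, u8 identifier)
{
	struct wpabuf *buf;
	struct eap_hdr *hdr;
	size_t len;

	/* Legacy header uses a 1-octet Type; expanded header uses 8 octets
	 * (Type + Vendor-Id + Vendor-Type). */
	len = sizeof(struct eap_hdr) + (vendor == EAP_VENDOR_IETF ? 1 : 8) +
		payload_len;
	buf = wpabuf_alloc(len);
	if (buf == NULL)
		return NULL;

	hdr = wpabuf_put(buf, sizeof(*hdr));
	hdr->code = code;
	hdr->identifier = identifier;
	hdr->length = host_to_be16(len);

	if (vendor == EAP_VENDOR_IETF) {
		wpabuf_put_u8(buf, type);
	} else {
		wpabuf_put_u8(buf, EAP_TYPE_EXPANDED);
		wpabuf_put_be24(buf, vendor);
		wpabuf_put_be32(buf, type);
	}

	return buf;
}


/**
 * eap_update_len - Update EAP header length
 * @msg: EAP message from eap_msg_alloc
 *
 * This function updates the length field in the EAP header to match with the
 * current length for the buffer. This allows eap_msg_alloc() to be used to
 * allocate a larger buffer than the exact message length (e.g., if exact
 * message length is not yet known).
 *
 * A buffer that is shorter than an EAP header is left unmodified. @msg is
 * used without a %NULL check.
 */
void eap_update_len(struct wpabuf *msg)
{
	struct eap_hdr *hdr;

	hdr = wpabuf_mhead(msg);
	if (wpabuf_len(msg) < sizeof(*hdr))
		return;
	hdr->length = host_to_be16(wpabuf_len(msg));
}


/**
 * eap_get_id - Get EAP Identifier from wpabuf
 * @msg: Buffer starting with an EAP header
 * Returns: The Identifier field from the EAP header
 *
 * Returns 0 if the buffer is too short to contain an EAP header. Since 0 can
 * also be a real Identifier value, callers that need to tell the two cases
 * apart have to validate the frame first (e.g., with eap_hdr_len_valid()).
 * @msg is used without a %NULL check.
 */
u8 eap_get_id(const struct wpabuf *msg)
{
	const struct eap_hdr *eap;

	if (wpabuf_len(msg) < sizeof(*eap))
		return 0;

	eap = wpabuf_head(msg);
	return eap->identifier;
}


/**
 * eap_get_type - Get EAP Type from wpabuf
 * @msg: Buffer starting with an EAP header
 * Returns: The EAP Type after the EAP header
 *
 * Returns EAP_TYPE_NONE if the buffer does not hold an EAP header followed by
 * at least one octet. Only the single Type octet is read; the Vendor-Id and
 * Vendor-Type of an expanded header are not looked at. @msg is used without a
 * %NULL check.
 */
EapType eap_get_type(const struct wpabuf *msg)
{
	if (wpabuf_len(msg) < sizeof(struct eap_hdr) + 1)
		return EAP_TYPE_NONE;

	return ((const u8 *) wpabuf_head(msg))[sizeof(struct eap_hdr)];
}


#ifdef CONFIG_ERP
/**
 * erp_parse_tlvs - Parse ERP TV/TLV fields
 * @pos: Start of the TV/TLV data
 * @end: End of the TV/TLV data (first octet after the data)
 * @tlvs: Structure for the parse results; cleared before parsing
 * @stop_at_keyname: Non-zero to return as soon as keyName-NAI has been found
 * Returns: 0 on success, -1 on a too short or truncated TV/TLV or on a
 * duplicated keyName-NAI
 *
 * The keyname and domain pointers stored in @tlvs point into the parsed
 * buffer; nothing is copied, so they are valid only as long as that buffer
 * is. A repeated keyName-NAI is rejected while a repeated Domain-Name
 * replaces the earlier value.
 *
 * Parsing stops with a success return at the first type that is neither
 * listed below nor in the range 128..191, and, when @stop_at_keyname is set,
 * at the first keyName-NAI. Anything following that point in the buffer has
 * not been validated.
 */
int erp_parse_tlvs(const u8 *pos, const u8 *end, struct erp_tlvs *tlvs,
		   int stop_at_keyname)
{
	os_memset(tlvs, 0, sizeof(*tlvs));

	while (pos < end) {
		u8 tlv_type, tlv_len;

		tlv_type = *pos++;
		switch (tlv_type) {
		case EAP_ERP_TV_RRK_LIFETIME:
		case EAP_ERP_TV_RMSK_LIFETIME:
			/* 4-octet TV */
			/* Compare the remaining length instead of forming
			 * pos + 4, which could point further than one past
			 * the end of the buffer. */
			if (end - pos < 4) {
				wpa_printf(MSG_DEBUG, "EAP: Too short TV");
				return -1;
			}
			pos += 4;
			break;
		case EAP_ERP_TLV_DOMAIN_NAME:
		case EAP_ERP_TLV_KEYNAME_NAI:
		case EAP_ERP_TLV_CRYPTOSUITES:
		case EAP_ERP_TLV_AUTHORIZATION_INDICATION:
		case EAP_ERP_TLV_CALLED_STATION_ID:
		case EAP_ERP_TLV_CALLING_STATION_ID:
		case EAP_ERP_TLV_NAS_IDENTIFIER:
		case EAP_ERP_TLV_NAS_IP_ADDRESS:
		case EAP_ERP_TLV_NAS_IPV6_ADDRESS:
			/* The length octet itself has to be inside the
			 * buffer. */
			if (pos >= end) {
				wpa_printf(MSG_DEBUG, "EAP: Too short TLV");
				return -1;
			}
			tlv_len = *pos++;
			/* The value has to fit in what is left after the
			 * length octet. */
			if (tlv_len > (unsigned) (end - pos)) {
				wpa_printf(MSG_DEBUG, "EAP: Truncated TLV");
				return -1;
			}
			if (tlv_type == EAP_ERP_TLV_KEYNAME_NAI) {
				if (tlvs->keyname) {
					wpa_printf(MSG_DEBUG,
						   "EAP: More than one keyName-NAI");
					return -1;
				}
				tlvs->keyname = pos;
				tlvs->keyname_len = tlv_len;
				if (stop_at_keyname)
					return 0;
			} else if (tlv_type == EAP_ERP_TLV_DOMAIN_NAME) {
				tlvs->domain = pos;
				tlvs->domain_len = tlv_len;
			}
			pos += tlv_len;
			break;
		default:
			if (tlv_type >= 128 && tlv_type <= 191) {
				/* Undefined TLV */
				if (pos >= end) {
					wpa_printf(MSG_DEBUG,
						   "EAP: Too short TLV");
					return -1;
				}
				tlv_len = *pos++;
				if (tlv_len > (unsigned) (end - pos)) {
					wpa_printf(MSG_DEBUG,
						   "EAP: Truncated TLV");
					return -1;
				}
				pos += tlv_len;
				break;
			}
			/* The encoding of this type is not known, so the rest
			 * of the buffer cannot be walked; stop parsing. */
			wpa_printf(MSG_DEBUG, "EAP: Unknown TV/TLV type %u",
				   tlv_type);
			pos = end;
			break;
		}
	}

	return 0;
}
#endif /* CONFIG_ERP */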