/*
 * EAP common peer/server definitions
 * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */
8189251Ssam
9189251Ssam#include "includes.h"
10189251Ssam
11189251Ssam#include "common.h"
12189251Ssam#include "eap_defs.h"
13189251Ssam#include "eap_common.h"
14189251Ssam
/**
 * eap_hdr_len_valid - Sanity check the EAP header Length field
 * @msg: EAP frame (starting with EAP header); %NULL is rejected
 * @min_payload: Minimum number of octets required after the EAP header
 * Returns: 1 if the header length is acceptable, 0 otherwise
 *
 * Minimal validation for a received EAP message: the buffer has to hold a
 * complete EAP header, and the Length field from that header has to cover the
 * header plus @min_payload octets without claiming more data than the buffer
 * actually contains. Only the Length field is checked here; the Code,
 * Identifier and Type fields are not examined.
 */
int eap_hdr_len_valid(const struct wpabuf *msg, size_t min_payload)
{
	const struct eap_hdr *eap;
	size_t buf_len, claimed;

	if (!msg)
		return 0;

	eap = wpabuf_head(msg);
	buf_len = wpabuf_len(msg);

	/* The header must be fully present before its Length field is read. */
	if (buf_len < sizeof(*eap)) {
		wpa_printf(MSG_INFO, "EAP: Too short EAP frame");
		return 0;
	}

	/*
	 * The Length field comes from the frame itself, so it is bounded from
	 * both sides: not beyond the received data and not below what the
	 * caller needs to parse.
	 */
	claimed = be_to_host16(eap->length);
	if (claimed > buf_len || claimed < sizeof(*eap) + min_payload) {
		wpa_printf(MSG_INFO, "EAP: Invalid EAP length");
		return 0;
	}

	return 1;
}
48252726Srpaulo
49252726Srpaulo
/**
 * eap_hdr_validate - Validate EAP header
 * @vendor: Expected EAP Vendor-Id (0 = IETF)
 * @eap_type: Expected EAP type number
 * @msg: EAP frame (starting with EAP header)
 * @plen: Pointer to variable that receives the payload length on success
 * Returns: Pointer to EAP payload (after type field), or %NULL on failure
 *
 * Helper for EAP method implementations, typically called at the start of
 * struct eap_method::process() to confirm that a received packet carries a
 * well-formed header of the expected type. Both the legacy (one-octet Type)
 * and the expanded (Type + Vendor-Id + Vendor-Type) header layouts are
 * handled, so the caller can work with the returned payload pointer and
 * *plen without caring which layout was used.
 *
 * The payload length is derived from the EAP Length field, which
 * eap_hdr_len_valid() has already confirmed does not exceed the buffer.
 * *plen is left untouched when %NULL is returned.
 */
const u8 * eap_hdr_validate(int vendor, EapType eap_type,
			    const struct wpabuf *msg, size_t *plen)
{
	const struct eap_hdr *eap;
	const u8 *type_pos, *vendor_pos, *vtype_pos;
	size_t total;
	int rx_vendor;
	u32 rx_type;

	/* Require the header plus at least the one-octet Type field. */
	if (!eap_hdr_len_valid(msg, 1))
		return NULL;

	eap = wpabuf_head(msg);
	total = be_to_host16(eap->length);
	type_pos = (const u8 *) (eap + 1);

	if (*type_pos != EAP_TYPE_EXPANDED) {
		/* Legacy header: a single Type octet precedes the payload. */
		if (vendor != EAP_VENDOR_IETF || *type_pos != eap_type) {
			wpa_printf(MSG_INFO, "EAP: Invalid frame type");
			return NULL;
		}
		*plen = total - sizeof(*eap) - 1;
		return type_pos + 1;
	}

	/*
	 * Expanded header: Type (1) + Vendor-Id (3) + Vendor-Type (4) = 8
	 * octets. All of them must fit within the advertised length before
	 * any of them is read.
	 */
	if (total < sizeof(*eap) + 8) {
		wpa_printf(MSG_INFO, "EAP: Invalid expanded EAP length");
		return NULL;
	}

	vendor_pos = type_pos + 1;
	vtype_pos = vendor_pos + 3;
	rx_vendor = WPA_GET_BE24(vendor_pos);
	rx_type = WPA_GET_BE32(vtype_pos);
	if (rx_vendor != vendor || rx_type != (u32) eap_type) {
		wpa_printf(MSG_INFO, "EAP: Invalid expanded frame type");
		return NULL;
	}

	*plen = total - sizeof(*eap) - 8;
	return vtype_pos + 4;
}
110189251Ssam
111189251Ssam
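/**
 * eap_msg_alloc - Allocate a buffer for an EAP message
 * @vendor: Vendor-Id (0 = IETF)
 * @type: EAP type
 * @payload_len: Payload length in bytes (data after Type)
 * @code: Message Code (EAP_CODE_*)
 * @identifier: Identifier
 * Returns: Pointer to the allocated message buffer or %NULL on error
 * (allocation failure, or @payload_len so large that the total length does
 * not fit in size_t)
 *
 * This function can be used to allocate a buffer for an EAP message and fill
 * in the EAP header. The expanded EAP header is used automatically when the
 * selected Vendor-Id is not IETF, so most EAP methods do not need to select
 * the header type themselves. The returned buffer has room for payload_len
 * bytes and has the EAP header and Type field already filled in.
 */
struct wpabuf * eap_msg_alloc(int vendor, EapType type, size_t payload_len,
			      u8 code, u8 identifier)
{
	struct wpabuf *buf;
	struct eap_hdr *hdr;
	size_t len;

	len = sizeof(struct eap_hdr) + (vendor == EAP_VENDOR_IETF ? 1 : 8) +
		payload_len;
	/*
	 * size_t arithmetic wraps silently. A wrapped sum is smaller than
	 * payload_len and would request a buffer that cannot hold what the
	 * caller asked for, so treat it like an allocation failure.
	 */
	if (len < payload_len)
		return NULL;

	buf = wpabuf_alloc(len);
	if (buf == NULL)
		return NULL;

	hdr = wpabuf_put(buf, sizeof(*hdr));
	hdr->code = code;
	hdr->identifier = identifier;
	/*
	 * NOTE(review): the Length field is 16 bits wide, so a total above
	 * 65535 is truncated here. eap_update_len() lets callers over-allocate
	 * and fix the field up later; whether every caller keeps the final
	 * message within 65535 octets cannot be confirmed from this file.
	 */
	hdr->length = host_to_be16(len);

	if (vendor == EAP_VENDOR_IETF) {
		/* Legacy header: one-octet Type. */
		wpabuf_put_u8(buf, type);
	} else {
		/* Expanded header: marker, 24-bit Vendor-Id, 32-bit Type. */
		wpabuf_put_u8(buf, EAP_TYPE_EXPANDED);
		wpabuf_put_be24(buf, vendor);
		wpabuf_put_be32(buf, type);
	}

	return buf;
}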
156189251Ssam
157189251Ssam
/**
 * eap_update_len - Update EAP header length
 * @msg: EAP message from eap_msg_alloc
 *
 * Rewrites the Length field in the EAP header so that it matches the number
 * of octets currently stored in the buffer. This allows eap_msg_alloc() to be
 * used to allocate a larger buffer than the exact message length (e.g., if
 * the exact message length is not yet known). A buffer that is too short to
 * hold an EAP header is left unmodified.
 */
void eap_update_len(struct wpabuf *msg)
{
	struct eap_hdr *eap = wpabuf_mhead(msg);
	size_t used = wpabuf_len(msg);

	/* Only touch the Length field when a complete header is present. */
	if (used >= sizeof(*eap))
		eap->length = host_to_be16(used);
}
175189251Ssam
176189251Ssam
/**
 * eap_get_id - Get EAP Identifier from wpabuf
 * @msg: Buffer starting with an EAP header
 * Returns: The Identifier field from the EAP header, or 0 if the buffer is
 * shorter than an EAP header
 *
 * The return type cannot carry an error, so the 0 returned for a short buffer
 * is indistinguishable from a frame whose Identifier is 0.
 */
u8 eap_get_id(const struct wpabuf *msg)
{
	if (wpabuf_len(msg) >= sizeof(struct eap_hdr))
		return ((const struct eap_hdr *) wpabuf_head(msg))->identifier;

	/* Too short to contain an Identifier field. */
	return 0;
}
192189251Ssam
193189251Ssam
/**
 * eap_get_type - Get EAP Type from wpabuf
 * @msg: Buffer starting with an EAP header
 * Returns: The EAP Type octet that follows the EAP header, or EAP_TYPE_NONE
 * if the buffer is too short to contain one
 *
 * Only the single octet directly after the header is read and the Length
 * field is not consulted. No expanded-header decoding is done here.
 */
EapType eap_get_type(const struct wpabuf *msg)
{
	const u8 *frame;

	/* Need the full header plus the Type octet behind it. */
	if (wpabuf_len(msg) < sizeof(struct eap_hdr) + 1)
		return EAP_TYPE_NONE;

	frame = wpabuf_head(msg);
	return frame[sizeof(struct eap_hdr)];
}
206281806Srpaulo
207281806Srpaulo
208281806Srpaulo#ifdef CONFIG_ERP
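/**
 * erp_parse_tlvs - Parse ERP TV/TLV attributes
 * @pos: Start of the TV/TLV data
 * @end: One past the last octet of the TV/TLV data
 * @tlvs: Structure that receives pointers to the located attributes
 * @stop_at_keyname: Non-zero to return as soon as keyName-NAI has been stored
 * Returns: 0 on success, -1 if an attribute is truncated or keyName-NAI
 * appears more than once
 *
 * @tlvs is cleared first. The keyname and domain pointers stored in it point
 * into the caller's buffer; nothing is copied, so they are only usable while
 * that buffer is.
 *
 * A repeated keyName-NAI is rejected, while a repeated Domain-Name silently
 * replaces the earlier value. Types 128..191 that are not otherwise
 * recognized are skipped using their length octet. Any other unrecognized
 * type ends parsing with a success return, since its length cannot be
 * determined; attributes after it are not examined.
 */
int erp_parse_tlvs(const u8 *pos, const u8 *end, struct erp_tlvs *tlvs,
		   int stop_at_keyname)
{
	os_memset(tlvs, 0, sizeof(*tlvs));

	while (pos < end) {
		u8 tlv_type, tlv_len;

		tlv_type = *pos++;
		switch (tlv_type) {
		case EAP_ERP_TV_RRK_LIFETIME:
		case EAP_ERP_TV_RMSK_LIFETIME:
			/* 4-octet TV */
			/*
			 * Compare against the remaining length instead of
			 * forming pos + 4: computing a pointer beyond one past
			 * the end of the buffer is undefined behaviour.
			 */
			if (end - pos < 4) {
				wpa_printf(MSG_DEBUG, "EAP: Too short TV");
				return -1;
			}
			pos += 4;
			break;
		case EAP_ERP_TLV_DOMAIN_NAME:
		case EAP_ERP_TLV_KEYNAME_NAI:
		case EAP_ERP_TLV_CRYPTOSUITES:
		case EAP_ERP_TLV_AUTHORIZATION_INDICATION:
		case EAP_ERP_TLV_CALLED_STATION_ID:
		case EAP_ERP_TLV_CALLING_STATION_ID:
		case EAP_ERP_TLV_NAS_IDENTIFIER:
		case EAP_ERP_TLV_NAS_IP_ADDRESS:
		case EAP_ERP_TLV_NAS_IPV6_ADDRESS:
			/* The length octet itself must be inside the buffer. */
			if (pos >= end) {
				wpa_printf(MSG_DEBUG, "EAP: Too short TLV");
				return -1;
			}
			tlv_len = *pos++;
			/* The value must not run past the end of the data. */
			if (tlv_len > (unsigned) (end - pos)) {
				wpa_printf(MSG_DEBUG, "EAP: Truncated TLV");
				return -1;
			}
			if (tlv_type == EAP_ERP_TLV_KEYNAME_NAI) {
				if (tlvs->keyname) {
					wpa_printf(MSG_DEBUG,
						   "EAP: More than one keyName-NAI");
					return -1;
				}
				tlvs->keyname = pos;
				tlvs->keyname_len = tlv_len;
				if (stop_at_keyname)
					return 0;
			} else if (tlv_type == EAP_ERP_TLV_DOMAIN_NAME) {
				tlvs->domain = pos;
				tlvs->domain_len = tlv_len;
			}
			pos += tlv_len;
			break;
		default:
			if (tlv_type >= 128 && tlv_type <= 191) {
				/* Undefined TLV */
				if (pos >= end) {
					wpa_printf(MSG_DEBUG,
						   "EAP: Too short TLV");
					return -1;
				}
				tlv_len = *pos++;
				if (tlv_len > (unsigned) (end - pos)) {
					wpa_printf(MSG_DEBUG,
						   "EAP: Truncated TLV");
					return -1;
				}
				pos += tlv_len;
				break;
			}
			/*
			 * The length of an unknown attribute is not known, so
			 * the remaining data cannot be walked; stop here.
			 */
			wpa_printf(MSG_DEBUG, "EAP: Unknown TV/TLV type %u",
				   tlv_type);
			pos = end;
			break;
		}
	}

	return 0;
}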
288281806Srpaulo#endif /* CONFIG_ERP */