xref: /netbsd-src/external/bsd/wpa/dist/src/eap_common/eap_common.c (revision bb6183629cf165db498d8e1f4e2de129f7efb21c)

/*
 * EAP common peer/server definitions
 * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "includes.h"

#include "common.h"
#include "eap_defs.h"
#include "eap_common.h"

/**
 * eap_hdr_len_valid - Validate EAP header length field
 * @msg: EAP frame (starting with EAP header)
 * @min_payload: Minimum payload length needed
 * Returns: 1 for valid header, 0 for invalid
 *
 * This is a helper function that does minimal validation of EAP messages. The
 * length field is verified to be large enough to include the header and not
 * too large to go beyond the end of the buffer.
 */
int eap_hdr_len_valid(const struct wpabuf *msg, size_t min_payload)
{
	const struct eap_hdr *hdr;
	size_t len;

	if (msg == NULL)
		return 0;

	hdr = wpabuf_head(msg);

	if (wpabuf_len(msg) < sizeof(*hdr)) {
		wpa_printf(MSG_INFO, "EAP: Too short EAP frame");
		return 0;
	}

	len = be_to_host16(hdr->length);
	if (len < sizeof(*hdr) + min_payload || len > wpabuf_len(msg)) {
		wpa_printf(MSG_INFO, "EAP: Invalid EAP length");
		return 0;
	}

	return 1;
}


/**
 * eap_hdr_validate - Validate EAP header
 * @vendor: Expected EAP Vendor-Id (0 = IETF)
 * @eap_type: Expected EAP type number
 * @msg: EAP frame (starting with EAP header)
 * @plen: Pointer to variable to contain the returned payload length
 * Returns: Pointer to EAP payload (after type field), or %NULL on failure
 *
 * This is a helper function for EAP method implementations. This is usually
 * called in the beginning of struct eap_method::process() function to verify
 * that the received EAP request packet has a valid header. This function is
 * able to process both legacy and expanded EAP headers and in most cases, the
 * caller can just use the returned payload pointer (into *plen) for processing
 * the payload regardless of whether the packet used the expanded EAP header or
 * not.
 */
const u8 * eap_hdr_validate(int vendor, enum eap_type eap_type,
			    const struct wpabuf *msg, size_t *plen)
{
	const struct eap_hdr *hdr;
	const u8 *pos;
	size_t len;

	if (!eap_hdr_len_valid(msg, 1))
		return NULL;

	hdr = wpabuf_head(msg);
	len = be_to_host16(hdr->length);
	pos = (const u8 *) (hdr + 1);

	if (*pos == EAP_TYPE_EXPANDED) {
		int exp_vendor;
		u32 exp_type;
		if (len < sizeof(*hdr) + 8) {
			wpa_printf(MSG_INFO, "EAP: Invalid expanded EAP "
				   "length");
			return NULL;
		}
		pos++;
		exp_vendor = WPA_GET_BE24(pos);
		pos += 3;
		exp_type = WPA_GET_BE32(pos);
		pos += 4;
		if (exp_vendor != vendor || exp_type != (u32) eap_type) {
			wpa_printf(MSG_INFO, "EAP: Invalid expanded frame "
				   "type");
			return NULL;
		}

		*plen = len - sizeof(*hdr) - 8;
		return pos;
	} else {
		if (vendor != EAP_VENDOR_IETF || *pos != eap_type) {
			wpa_printf(MSG_INFO, "EAP: Invalid frame type");
			return NULL;
		}
		*plen = len - sizeof(*hdr) - 1;
		return pos + 1;
	}
}


/**
 * eap_msg_alloc - Allocate a buffer for an EAP message
 * @vendor: Vendor-Id (0 = IETF)
 * @type: EAP type
 * @payload_len: Payload length in bytes (data after Type)
 * @code: Message Code (EAP_CODE_*)
 * @identifier: Identifier
 * Returns: Pointer to the allocated message buffer or %NULL on error
 *
 * This function can be used to allocate a buffer for an EAP message and fill
 * in the EAP header. This function is automatically using expanded EAP header
 * if the selected Vendor-Id is not IETF. In other words, most EAP methods do
 * not need to separately select which header type to use when using this
 * function to allocate the message buffers. The returned buffer has room for
 * payload_len bytes and has the EAP header and Type field already filled in.
 */
struct wpabuf * eap_msg_alloc(int vendor, enum eap_type type,
			      size_t payload_len, u8 code, u8 identifier)
{
	struct wpabuf *buf;
	struct eap_hdr *hdr;
	size_t len;

	len = sizeof(struct eap_hdr) + (vendor == EAP_VENDOR_IETF ? 1 : 8) +
		payload_len;
	buf = wpabuf_alloc(len);
	if (buf == NULL)
		return NULL;

	hdr = wpabuf_put(buf, sizeof(*hdr));
	hdr->code = code;
	hdr->identifier = identifier;
	hdr->length = host_to_be16(len);

	if (vendor == EAP_VENDOR_IETF) {
		wpabuf_put_u8(buf, type);
	} else {
		wpabuf_put_u8(buf, EAP_TYPE_EXPANDED);
		wpabuf_put_be24(buf, vendor);
		wpabuf_put_be32(buf, type);
	}

	return buf;
}


/**
 * eap_update_len - Update EAP header length
 * @msg: EAP message from eap_msg_alloc
 *
 * This function updates the length field in the EAP header to match with the
 * current length for the buffer. This allows eap_msg_alloc() to be used to
 * allocate a larger buffer than the exact message length (e.g., if exact
 * message length is not yet known).
 */
void eap_update_len(struct wpabuf *msg)
{
	struct eap_hdr *hdr;
	hdr = wpabuf_mhead(msg);
	if (wpabuf_len(msg) < sizeof(*hdr))
		return;
	hdr->length = host_to_be16(wpabuf_len(msg));
}


/**
 * eap_get_id - Get EAP Identifier from wpabuf
 * @msg: Buffer starting with an EAP header
 * Returns: The Identifier field from the EAP header
 */
u8 eap_get_id(const struct wpabuf *msg)
{
	const struct eap_hdr *eap;

	if (wpabuf_len(msg) < sizeof(*eap))
		return 0;

	eap = wpabuf_head(msg);
	return eap->identifier;
}


/**
 * eap_get_type - Get EAP Type from wpabuf
 * @msg: Buffer starting with an EAP header
 * Returns: The EAP Type after the EAP header
 */
enum eap_type eap_get_type(const struct wpabuf *msg)
{
	if (wpabuf_len(msg) < sizeof(struct eap_hdr) + 1)
		return EAP_TYPE_NONE;

	return ((const u8 *) wpabuf_head(msg))[sizeof(struct eap_hdr)];
}


#ifdef CONFIG_ERP
int erp_parse_tlvs(const u8 *pos, const u8 *end, struct erp_tlvs *tlvs,
		   int stop_at_keyname)
{
	os_memset(tlvs, 0, sizeof(*tlvs));

	while (pos < end) {
		u8 tlv_type, tlv_len;

		tlv_type = *pos++;
		switch (tlv_type) {
		case EAP_ERP_TV_RRK_LIFETIME:
		case EAP_ERP_TV_RMSK_LIFETIME:
			/* 4-octet TV */
			if (pos + 4 > end) {
				wpa_printf(MSG_DEBUG, "EAP: Too short TV");
				return -1;
			}
			pos += 4;
			break;
		case EAP_ERP_TLV_DOMAIN_NAME:
		case EAP_ERP_TLV_KEYNAME_NAI:
		case EAP_ERP_TLV_CRYPTOSUITES:
		case EAP_ERP_TLV_AUTHORIZATION_INDICATION:
		case EAP_ERP_TLV_CALLED_STATION_ID:
		case EAP_ERP_TLV_CALLING_STATION_ID:
		case EAP_ERP_TLV_NAS_IDENTIFIER:
		case EAP_ERP_TLV_NAS_IP_ADDRESS:
		case EAP_ERP_TLV_NAS_IPV6_ADDRESS:
			if (pos >= end) {
				wpa_printf(MSG_DEBUG, "EAP: Too short TLV");
				return -1;
			}
			tlv_len = *pos++;
			if (tlv_len > (unsigned) (end - pos)) {
				wpa_printf(MSG_DEBUG, "EAP: Truncated TLV");
				return -1;
			}
			if (tlv_type == EAP_ERP_TLV_KEYNAME_NAI) {
				if (tlvs->keyname) {
					wpa_printf(MSG_DEBUG,
						   "EAP: More than one keyName-NAI");
					return -1;
				}
				tlvs->keyname = pos;
				tlvs->keyname_len = tlv_len;
				if (stop_at_keyname)
					return 0;
			} else if (tlv_type == EAP_ERP_TLV_DOMAIN_NAME) {
				tlvs->domain = pos;
				tlvs->domain_len = tlv_len;
			}
			pos += tlv_len;
			break;
		default:
			if (tlv_type >= 128 && tlv_type <= 191) {
				/* Undefined TLV */
				if (pos >= end) {
					wpa_printf(MSG_DEBUG,
						   "EAP: Too short TLV");
					return -1;
				}
				tlv_len = *pos++;
				if (tlv_len > (unsigned) (end - pos)) {
					wpa_printf(MSG_DEBUG,
						   "EAP: Truncated TLV");
					return -1;
				}
				pos += tlv_len;
				break;
			}
			wpa_printf(MSG_DEBUG, "EAP: Unknown TV/TLV type %u",
				   tlv_type);
			pos = end;
			break;
		}
	}

	return 0;
}
#endif /* CONFIG_ERP */