/**************************************************************************/
/* WIRE1x Version 1.0: A client-side 802.1x implementation */
/* based on xsupplicant of Open1x for Windows XP, 2000, 98, and Me */
/* */
/* This code is released under both the GPL version 2 and BSD licenses. */
/* Either license may be used. The respective licenses are found below. */
/* */
/* Copyright (C) 2004, WIRE Lab, National Tsing Hua Univ., Hsinchu, Taiwan*/
/* All Rights Reserved */
/**************************************************************************/
/** * A client-side 802.1x implementation supporting EAP/TLS * * This code is released under both the GPL version 2 and BSD licenses. * Either license may be used. The respective licenses are found below. * * Copyright (C) 2002 Bryan D. Payne & Nick L. Petroni Jr. * All Rights Reserved * * --- GPL Version 2 License --- * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * * --- BSD License --- * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * - Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * - Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * - All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * Maryland at College Park and its contributors. * - Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. 
* * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. *//*** *** Specifics for EAPTLS can be found in *** IETF RFC 2716 ***/#include <stdafx.h>#ifndef SSL_DEBUG#define SSL_DEBUG 0 /* turn debug info on deprecated- Use --with-tls-debug*/#endif#include <stdio.h>#include <stdlib.h>#include <unistd.h>#include <string.h>#include <sys/types.h>#include <sys/stat.h>#include <fcntl.h>
#ifdef WIN32
#include <winsock.h>
#else
#include <netinet/in.h>#endif
#include <openssl/err.h>#include "eaptls.h"#include "eapcrypt.h"#include "userconf.h"#include "auth_tools.h"
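/** GLOBAL VARS **/
char *eaptls_netid;
char *eaptls_config;
int root_cert_loaded = 0;
int user_cert_loaded = 0;

// Total length of the TLS message currently being reassembled, as announced
// by the peer in the "Length Included" header (RFC 2716, section 4.2).
// The historical name reflects that the server certificate is the payload
// that usually needs fragmenting; it is only used as a consistency warning.
uint32_t cert_size = 0;

// Not referenced in this file; kept because other translation units may
// reference it (NOTE(review): confirm before removing).
char pw[100];

/** FUNCTION DEFINITIONS **/

/**
 * Initialization function for EAPTLS. This initializes the data needed for
 * the protocol and initializes variables needed to start the eaptls
 * handshake. Only does those things which happen *once* at TLS startup;
 * eapcrypt_tls_reset() prepares TLS for each new handshake.
 *
 * (IN) file name to the config file, network id
 * (OUT) whatever eapcrypt_tls_init() returns (success = 0, failure = -1)
 */
int init_eaptls (char *config, char *netid)
{
    eaptls_netid = netid;
    eaptls_config = config;

    printf("EAPTLS changed state to 0\n");
    return eapcrypt_tls_init();
}

// Shutdown and cleanup anything we need to.
// (OUT) whatever eapcrypt_tls_shutdown() returns.
int eaptls_shutdown(void)
{
    // Don't free one_x_globals here. That will be handled by shutdown_eap.
    printf("EAPTLS Cleaning up.\n");
    return eapcrypt_tls_shutdown();
}

/**
 * Decodes a packet and creates the data needed for a new packet.
 * This function is called by the eap layer with new packets as they are
 * received. The input buffer points to the beginning of the EAPTLS portion
 * of the packet (the flags). The reply packet should be placed in the
 * output buffer.
 *
 * The memory for the output buffer is created here, but will be freed by
 * the eap layer when it is done using it.
 *
 * NOTE(review): the length arithmetic below ("-1" when a length field is
 * present, "+3" when it is not) only adds up if the caller's in_size is four
 * bytes less than the number of bytes actually available at `in`. That
 * convention is inherited from the original code and not visible here --
 * confirm against the EAP layer before changing any of it.
 *
 * (IN) input and output packet buffers, with lengths
 * (OUT) success = 0, failure = -1
 */
int eaptls_decode_packet (u_char *in, int in_size, u_char *out, int *out_size)
{
    int rtnVal = 0;
    u_char *p = NULL;
    uint32_t len_long = 0;
    int data_len = 0;
    int tcnt = 0;
    unsigned long err;

    if (in == NULL || out == NULL || out_size == NULL) {
        return -1;
    }
    *out_size = 0;

    // Drain one queued OpenSSL error so it is reported against this packet
    // rather than silently attributed to a later one. A NULL buffer makes
    // ERR_error_string() format into its own static buffer.
    err = ERR_get_error();
    if (err != 0) {
        printf("SSL Error -- %s\n", ERR_error_string(err, NULL));
    }

    // Since we are acting as the supplicant, we can safely assume that the
    // request bit is set on all packets that we receive; dispatch on flags.
    switch (in[0]) {
    case EAPTLS_START:
        /* prepare to start a new handshake */
        eapcrypt_tls_reset(); // This will reset the TLS.
        printf("Changed state to INIT\n");
        rtnVal = eapcrypt_tls_parse_data(NULL, 0);
        if (rtnVal < 0) {
            printf("(EAPTLS) Parse data failed!\n");
            return rtnVal;
        }
        rtnVal = eapcrypt_tls_return_data(out, out_size);
        break;

    //-----------------------------------------------------------------------
    case EAPTLS_LENGTH_MORE:
    case EAPTLS_MORE_FRAGS:
    case EAPTLS_LENGTH_INCL:
        /* This is a fragment of data we care about, so stash it away. If it
           is the final fragment, start returning data instead of ACKs. */
        if ((in[0] == EAPTLS_LENGTH_MORE) || (in[0] == EAPTLS_LENGTH_INCL)) {
            // A four-byte TLS Message Length follows the flags byte. The
            // packet comes off the wire, so make sure those bytes actually
            // exist before reading them (under the in_size convention above,
            // in_size >= 1 means at least 5 bytes are present).
            if (in_size < 1) {
                printf("(EAPTLS) Packet too short to hold a length field!\n");
                return -1;
            }
            memcpy(&len_long, &in[1], sizeof len_long);
            cert_size = ntohl(len_long);
            p = &in[5];          // Skip the flags and the length bytes.
            data_len = in_size - 1;
        } else {
            p = &in[1];          // Only the flags byte precedes the data.
            data_len = in_size + 3;
        }

        /* sanity check on the computed payload length; a negative value
           would otherwise be handed to save_data_fragment() */
        if (data_len <= 0) {
            printf("(EAPTLS) Packet has 0 length! (We should *NEVER* get here!\n");
            rtnVal = eapcrypt_tls_return_data(out, out_size);
            return rtnVal;
        }

        if (save_data_fragment((char *)p, data_len) != 0) {
            printf("(EAPTLS) Couldn't store packet fragment!\n");
            return -1;
        }
        printf("(EAPTLS) Saved packet fragment.\n");

        if (in[0] != EAPTLS_LENGTH_INCL) {
            // More fragments follow: acknowledge this one and wait.
            rtnVal = eaptls_build_ack(out, out_size);
        } else {
            // Length included without "more fragments": the message is
            // complete, so hand the reassembled buffer to TLS.
            rtnVal = eapcrypt_tls_parse_data((u_char *)get_data_fragment(),
                                             get_data_frag_size());
            destroy_data_frags();
            if (rtnVal < 0) {
                // Same handling as the START case; previously this result
                // was silently overwritten by the return_data call.
                printf("(EAPTLS) Parse data failed!\n");
                return rtnVal;
            }
            rtnVal = eapcrypt_tls_return_data(out, out_size);
        }
        break;

    //-----------------------------------------------------------------------
    case 0x00:
        // A bare 0x00 flags byte is an ACK. If there is data behind it, it
        // is the final (unflagged) fragment of the peer's message.
        if (in_size > 1) {
            p = in + 1;
            if (save_data_fragment((char *)p, in_size + 3) != 0) {
                printf("(TLS) Couldn't save final data fragment!\n");
                return -1;
            }
            printf("(TLS) Saved final data fragment!\n");

            // Compare what we collected with the announced total. This is a
            // warning only, as in the original code; cert_size may be stale
            // or never set if the peer sent no length field.
            tcnt = get_data_frag_size();
            if (tcnt != (int)cert_size) {
                printf("(TLS) Not enough data to form the certificate!!!!\n");
            }
            rtnVal = eapcrypt_tls_parse_data((uint8_t *)get_data_fragment(),
                                             get_data_frag_size());
            destroy_data_frags();
            if (rtnVal < 0) {
                printf("(EAPTLS) Parse data failed!\n");
                return rtnVal;
            }
        }
        // We got an ACK (or finished parsing), so return some of our data.
        rtnVal = eapcrypt_tls_return_data(out, out_size);
        break;

    //-----------------------------------------------------------------------
    default:
        // We should never get here: return an error and do absolutely
        // nothing, this packet has unknown flags.
        printf("(EAPTLS) Recieved packet with incorrect flags!\n");
        rtnVal = -1;
        break;
    }

    return rtnVal;
}

/**
 * Builds a simple "ACK" packet. These packets are just sent to indicate the
 * receipt of a fragmented packet and such. The packet has only one byte
 * whose value is 0x00.
 *
 * (IN) output buffer and length
 * (OUT) success = 0, failure = -1
 */
int eaptls_build_ack (u_char *out, int *out_size)
{
    if (out == NULL || out_size == NULL) {
        return -1;
    }
    *out_size = 1;
    // Write the byte into the buffer. The original `out = 0x00;` only
    // reassigned the local pointer and left the buffer contents untouched.
    out[0] = 0x00;
    printf("(EAPTLS) Sending an ack\n");
    return 0;
}

/**
 * Loads the trusted root certificates and the user's certificate/private
 * key on first use. Both steps are guarded by *_loaded flags so repeated
 * calls are cheap.
 *
 * All strings returned by the get_*() helpers are freed here on every exit
 * path (the original leaked them on several). temp_password is handed to
 * set_password() and intentionally not freed; NOTE(review): this assumes
 * set_password() takes ownership (or get_password() returns non-heap
 * memory) -- confirm against userconf.
 *
 * (OUT) success = 0, failure = -1
 */
int eaptls_auth_challenge(void)
{
    int rc = -1;
    char *client_cert = NULL;
    char *client_key = NULL;
    char *temp_password = NULL;
    char *temp_username = NULL;
    char *root_cert = NULL;
    char *root_dir = NULL;
    char *crl_dir = NULL;

    temp_username = get_username();

    if (root_cert_loaded == 0) {
        // load CA cert.
        root_cert = get_root_cert();   // Filename/path for the root cert.
        root_dir = get_root_dir();     // Directory of trusted roots (for
                                       // servers and to build our own chain).
        crl_dir = get_crl_dir();       // Where we might want to keep CRLs.
        if (eapcrypt_tls_load_root_certs(root_cert, root_dir, crl_dir) < 0) {
            goto out;
        }
        root_cert_loaded = 1;          // We now have the root cert loaded.
    }

    if (user_cert_loaded == 0) {
        // First, get the password for the private key from the config.
        temp_password = get_password();
        if (temp_password == NULL) {
            // Only a prompt is printed; nothing is read back here (kept as
            // in the original), so the load below cannot proceed.
            printf("(TLS Authentication) %s's Password : ",
                   temp_username != NULL ? temp_username : "(unknown)");
            goto out;
        }

        client_cert = get_client_cert();
        client_key = get_key_file();
        if (eapcrypt_tls_load_user_cert(client_cert, client_key, temp_password) < 0) {
            printf("Couldn't load certificate! (May be an incorrect password!)\n");
            goto out;
        }
        set_password(temp_password);
        user_cert_loaded = 1;
    }
    rc = 0;

out:
    // free(NULL) is a no-op, so every path can share this cleanup. The
    // client cert/key paths are freed after a successful load as well,
    // mirroring how the root paths are released above.
    free(root_cert);
    free(root_dir);
    free(crl_dir);
    free(client_cert);
    free(client_key);
    free(temp_username);
    return rc;
}

// Overwrites n bytes through a volatile pointer so the compiler cannot drop
// the store as dead (a plain memset before free() may be optimised away).
static void eaptls_scrub(volatile u_char *buf, size_t n)
{
    while (n-- > 0) {
        *buf++ = 0;
    }
}

/**
 * Derives the session key block from the finished TLS handshake and hands
 * it to eapcrypt. The temporary copy is scrubbed before being freed so key
 * material does not linger in the heap.
 *
 * (OUT) success = 0, failure = -1 (key block could not be generated)
 */
int tls_gen_keyblock(void)
{
    u_char *keyblock = eapcrypt_gen_keyblock((u_char *)EAPCRYPT_SESSION_KEY_CONST,
                                             EAPCRYPT_SESSION_KEY_CONST_SIZE);
    if (keyblock == NULL) {
        return -1;
    }
    eapcrypt_set_keyblock(keyblock, EAPCRYPT_SESSION_KEY_SIZE);
    // eapcrypt_set_keyblock() reads EAPCRYPT_SESSION_KEY_SIZE bytes from
    // the buffer, so that many bytes are known to be valid for scrubbing.
    eaptls_scrub(keyblock, EAPCRYPT_SESSION_KEY_SIZE);
    free(keyblock);
    return 0;
}

/*** EOF ***/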