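eapcrypt_build_session_keyblock(); HMAC(EVP_md5(), eapcrypt_session_keyblock +32, 32 , inbuf, len, outbuf, & outlen); return 0;}

/* This function graciously corrected by Denis Belanger <denis.belanger@colubris.com>
 * along with the necessary set_key operations in eapol-wirelessext.c */

/*
 * eapcrypt_decrypt_key
 *
 * RC4-decrypt 'keylen' bytes of 'enckey' into 'deckey'.  The RC4 key is the
 * IV followed by the first 32 bytes of the session keyblock, exactly as the
 * original layout had it.
 *
 * Returns 0 on success, -1 on a NULL buffer, a negative length or an
 * allocation failure (callers that only test for 0 keep working).
 */
int eapcrypt_decrypt_key(u_char *enckey, u_char *deckey, int keylen,
                         u_char *iv, int ivlen)
{
    RC4_KEY key;
    u_char *wholekey;
    size_t wholelen;

    if (enckey == NULL || deckey == NULL || iv == NULL ||
        keylen < 0 || ivlen < 0) {
        return -1;
    }

    eapcrypt_build_session_keyblock();

    /* RC4 key = IV || keyblock[0..31]. */
    wholelen = (size_t)ivlen + 32;
    wholekey = malloc(wholelen);
    if (wholekey == NULL) {
        return -1;
    }
    memcpy(wholekey, iv, (size_t)ivlen);
    memcpy(wholekey + ivlen, eapcrypt_session_keyblock, 32);

    RC4_set_key(&key, ivlen + 32, wholekey);
    RC4(&key, keylen, enckey, deckey);

    /* Both the concatenated key and the expanded key schedule are keying
     * material; scrub them before the memory is released or goes out of
     * scope (plain memset before free may be optimised away). */
    OPENSSL_cleanse(wholekey, wholelen);
    OPENSSL_cleanse(&key, sizeof key);
    free(wholekey);

    return 0;
}

/*
 * eapcrypt_get_peer_key
 *
 * Copy the first 'len' bytes of the session keyblock into 'enckey'.
 * Returns 0, or -1 for a NULL destination or a negative length.
 *
 * NOTE(review): the declared size of eapcrypt_session_keyblock is not
 * visible in this part of the file; the HMAC above reads bytes 32..63 so it
 * is at least 64 bytes, but the caller must keep 'len' within it.
 */
int eapcrypt_get_peer_key(u_char *enckey, int len)
{
    if (enckey == NULL || len < 0) {
        return -1;
    }
    eapcrypt_build_session_keyblock();
    memcpy(enckey, eapcrypt_session_keyblock, (size_t)len);
    return 0;
}

/*
 * eapcrypt_tls_init
 *
 * Initialise the OpenSSL library and create the file-global TLS context
 * 'ctx'.  Returns 0 on success, -1 if the context could not be created.
 *
 * NOTE(review): TLSv1_method() pins the handshake to TLS 1.0; newer OpenSSL
 * releases deprecate it in favour of a version-flexible method plus a
 * minimum-version setting on the context.
 */
int eapcrypt_tls_init(void)
{
    SSL_library_init();
    SSL_load_error_strings();

    ctx = SSL_CTX_new(TLSv1_method());
    if (ctx == NULL) {
        xlogf(DEBUG_NORMAL, "(TLS) Couldn't initalize OpenSSL TLS library!\n");
        return -1;
    }
#if TLS_DEBUG
    xlogf(DEBUG_AUTHTYPES, "(TLS) Initalized TLS Successfully!\n");
#endif
    return 0;
}

/*
 * eapcrypt_tls_shutdown
 *
 * Release the TLS session, the context and any fragment buffer still
 * queued for transmission.  Always returns 0.
 */
int eapcrypt_tls_shutdown(void)
{
#if TLS_DEBUG
    xlogf(DEBUG_AUTHTYPES, "(TLS) Cleaning up.\n");
#endif
    /* SSL_CTX_free() only drops a reference; it does not free SSL objects
     * created from the context.  Free the session first (this also frees
     * the memory BIOs attached with SSL_set_bio()), then the context. */
    if (ssl) {
        SSL_free(ssl);
        ssl = NULL;
    }
    ssl_in = NULL;
    ssl_out = NULL;

    if (ctx) {
        SSL_CTX_free(ctx);
        ctx = NULL;
    }

    /* The outbound fragment buffer is owned by this module as well. */
    free(pkt_out.packet);
    pkt_out.packet = NULL;
    pkt_out.pkt_size = 0;
    pkt_out.pkt_ptr = 0;

    return 0;
}

/*
 * eapcrypt_tls_reset
 *
 * Throw away any in-progress session and start a fresh SSL object on 'ctx'
 * with new memory BIOs for input (ssl_in) and output (ssl_out).  The peer's
 * certificate chain is required and verified against the loaded roots.
 *
 * Returns 0 on success, -1 if the SSL object or the BIOs could not be
 * created (in which case 'ssl' is left NULL).
 *
 * NOTE(review): SSL_VERIFY_PEER checks the chain only; nothing in this file
 * binds the server certificate to an expected identity (subject/hostname).
 * Confirm the caller does that, or the check is open to any cert the root
 * has signed.
 */
int eapcrypt_tls_reset(void)
{
    BIO *in_bio;
    BIO *out_bio;

    /* SSL_free() also releases the BIOs handed over by the previous
     * SSL_set_bio(), so the globals must not be reused afterwards. */
    if (ssl) {
        SSL_free(ssl);
    }
    ssl_in = NULL;
    ssl_out = NULL;

    ssl = SSL_new(ctx);
    if (ssl == NULL) {
        xlogf(DEBUG_NORMAL, "Couldn't create SSL object!\n");
        return -1;
    }

    in_bio = BIO_new(BIO_s_mem());
    out_bio = BIO_new(BIO_s_mem());
    if (in_bio == NULL || out_bio == NULL) {
        /* BIO_free(NULL) is a no-op, so whichever one succeeded is freed. */
        BIO_free(in_bio);
        BIO_free(out_bio);
        SSL_free(ssl);
        ssl = NULL;
        xlogf(DEBUG_NORMAL, "Couldn't create memory BIOs for the SSL object!\n");
        return -1;
    }
    ssl_in = in_bio;
    ssl_out = out_bio;

    /* Ownership of both BIOs passes to 'ssl' here. */
    SSL_set_bio(ssl, ssl_in, ssl_out);
    SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);

    free(pkt_out.packet);
    pkt_out.packet = NULL;
    pkt_out.pkt_size = 0;
    pkt_out.pkt_ptr = 0;

    return 0;
}

/**
 * eapcrypt_tls_return_data
 *
 * (IN) Pointer to return TLS data, pointer to return size
 * (OUT) Pointer to TLS data, pointer to return size.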
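 */
int eapcrypt_tls_return_data(u_char *out_data, int *out_size)
{
    /*
     * Emit the next EAP-TLS message built from pkt_out:
     *   - nothing queued (or all sent): a single 0x00 byte, i.e. an ACK;
     *   - whole packet fits in one chunk: L flag, 4-byte length, data;
     *   - first fragment: L (+M) flags, 4-byte length, data;
     *   - later fragments: (M) flag, data.
     * Returns 0, or -1 for NULL output pointers.
     *
     * NOTE(review): out_data's capacity is not passed in; it must hold
     * get_chunk_size() + 5 bytes (get_chunk_size() is defined elsewhere).
     */
    uint32_t length;
    uint32_t chunk_size;
    uint32_t remaining;
    uint32_t next_chunk;
    uint8_t flags = 0x00;

    if (out_data == NULL || out_size == NULL) {
        return -1;
    }

    if (pkt_out.pkt_size == 0 || pkt_out.pkt_ptr == pkt_out.pkt_size) {
        out_data[0] = 0x00;     /* ACK */
        *out_size = 1;
        return 0;
    }

    chunk_size = get_chunk_size();

    /* Small enough to send in one message. */
    if (pkt_out.pkt_size <= chunk_size) {
        length = htonl(pkt_out.pkt_size);
        out_data[0] = 0x80;     /* TLS length-included flag */
        memcpy(&out_data[1], &length, 4);
        memcpy(&out_data[5], pkt_out.packet, pkt_out.pkt_size);
        *out_size = (int)pkt_out.pkt_size + 5;

        /* Everything went out; drop the buffer. */
        free(pkt_out.packet);
        pkt_out.packet = NULL;
        pkt_out.pkt_size = 0;
        pkt_out.pkt_ptr = 0;
        return 0;
    }

    remaining = pkt_out.pkt_size - pkt_out.pkt_ptr;
    next_chunk = (remaining > chunk_size) ? chunk_size : remaining;

    /* Flags are bit-OR'ed (the original used '||' on the non-first path,
     * which set the byte to 1 instead of the M flag). */
    if (next_chunk < remaining) {
        flags |= EAPTLS_MORE_FRAGS;
    }

    if (pkt_out.pkt_ptr == 0) {
        /* First fragment of a group carries the total TLS length. */
        flags |= EAPTLS_LENGTH_INCL;
        length = htonl(pkt_out.pkt_size);
        memcpy(&out_data[1], &length, 4);
        memcpy(&out_data[5], &pkt_out.packet[pkt_out.pkt_ptr], next_chunk);
        *out_size = (int)next_chunk + 5;
    } else {
        memcpy(&out_data[1], &pkt_out.packet[pkt_out.pkt_ptr], next_chunk);
        *out_size = (int)next_chunk + 1;
    }
    out_data[0] = flags;

    pkt_out.pkt_ptr += next_chunk;
    if (pkt_out.pkt_ptr >= pkt_out.pkt_size) {
        /* Last fragment sent; release the buffer. */
        free(pkt_out.packet);
        pkt_out.packet = NULL;
        pkt_out.pkt_size = 0;
        pkt_out.pkt_ptr = 0;
    }

    return 0;
}

/*
 * eapcrypt_tls_parse_data
 *
 * Feed 'in_size' bytes of TLS record data from the peer into the session
 * (in_data == NULL just drives the handshake, e.g. to produce the
 * ClientHello), run SSL_connect(), and queue whatever OpenSSL produced in
 * pkt_out for eapcrypt_tls_return_data().
 *
 * Returns 0 on success (including "handshake needs more data"), -1 when
 * there is no session, the input is an alert, the handshake failed, or
 * memory ran out.
 */
int eapcrypt_tls_parse_data(u_char *in_data, int in_size)
{
    int rc;
    int ssl_err;
    BUF_MEM *p = NULL;

    if (ssl == NULL || ssl_in == NULL || ssl_out == NULL) {
        xlogf(DEBUG_NORMAL, "(TLS) No TLS session; eapcrypt_tls_reset() must succeed first!\n");
        return -1;
    }

    if (in_data != NULL) {
        if (in_size < 1) {
            return -1;
        }
        /* in_data is written straight into the record layer, so byte 0 is
         * the TLS content type; SSL3_RT_ALERT (0x15) is an alert record. */
        if (in_data[0] == SSL3_RT_ALERT) {
            xlogf(DEBUG_NORMAL, "(TLS) ALERT! There is a problem with the connection!\n");
            return -1;
        }
        BIO_reset(ssl_in);
        if (BIO_write(ssl_in, in_data, in_size) != in_size) {
            xlogf(DEBUG_NORMAL, "(TLS) Couldn't buffer incoming TLS data!\n");
            return -1;
        }
    }

    BIO_reset(ssl_out);
    rc = SSL_connect(ssl);
    if (rc <= 0) {
        /* With memory BIOs, WANT_READ/WANT_WRITE just means "more data
         * needed".  Anything else (including a failed peer verification)
         * is a dead handshake and must not be reported as success. */
        ssl_err = SSL_get_error(ssl, rc);
        if (ssl_err != SSL_ERROR_WANT_READ && ssl_err != SSL_ERROR_WANT_WRITE) {
            xlogf(DEBUG_NORMAL, "(TLS) Handshake failed : %s\n",
                  ERR_error_string(ERR_get_error(), NULL));
            return -1;
        }
    }

    BIO_get_mem_ptr(ssl_out, &p);

    /* Replace, never overwrite, any previously queued buffer. */
    free(pkt_out.packet);
    pkt_out.packet = NULL;
    pkt_out.pkt_size = 0;
    pkt_out.pkt_ptr = 0;

    if (p != NULL && p->length > 0) {
        pkt_out.packet = malloc(p->length);
        if (pkt_out.packet == NULL) {
            xlogf(DEBUG_NORMAL, "(TLS) Out of memory buffering outgoing TLS data!\n");
            return -1;
        }
        memcpy(pkt_out.packet, p->data, p->length);
        pkt_out.pkt_size = p->length;
    }

    return 0;
}

/*
 * OpenSSL info callback: trace handshake state changes and any alert.
 * The parameter is named 's' so it does not shadow the file-global 'ssl'.
 */
static void ssl_info_callback(const SSL *s, int where, int ret)
{
    xlogf(DEBUG_AUTHTYPES, " --- SSL : %s\n", SSL_state_string_long(s));
    if (where & SSL_CB_ALERT) {
        xlogf(DEBUG_AUTHTYPES, " --- ALERT : %s\n", SSL_alert_desc_string_long(ret));
    }
}

/*
 * OpenSSL passphrase callback: copy the password registered with
 * SSL_CTX_set_default_passwd_cb_userdata() into 'buf', truncating to
 * size-1 bytes and always NUL-terminating.
 *
 * Returns the number of bytes written, or 0 (meaning "no password") when
 * buf is NULL, size is not positive, or no password was registered.
 */
static int return_password(char *buf, int size, int rwflag, void *userdata)
{
    const char *pw = userdata;
    size_t n;

    (void)rwflag;

    if (buf == NULL || size <= 0 || pw == NULL) {
        return 0;
    }

    n = strlen(pw);
    if (n >= (size_t)size) {
        n = (size_t)size - 1;   /* same truncation the old strncpy gave */
    }
    memcpy(buf, pw, n);
    buf[n] = '\0';

    return (int)n;
}

/*
 * eapcrypt_tls_load_root_cert
 *
 * Install the CA certificate at 'path_to_cert' (plus the default system
 * paths) as the trust store for 'ctx' and hook up the info callback.
 *
 * Returns 0 on success, -1 on a NULL path, a missing context, or an
 * OpenSSL failure (the context is freed and 'ctx' set to NULL, as before).
 */
int eapcrypt_tls_load_root_cert(char *path_to_cert)
{
    if (path_to_cert == NULL) {
        xlogf(DEBUG_NORMAL, "Error loading cert! Path to cert is NULL!\n");
        return -1;
    }
    if (ctx == NULL) {
        xlogf(DEBUG_NORMAL, "(TLS) No TLS context; eapcrypt_tls_init() must succeed first!\n");
        return -1;
    }

    xlogf(DEBUG_NORMAL, "Loading certificate %s . . . \n", path_to_cert);

    SSL_CTX_set_info_callback(ctx, ssl_info_callback);

    if (SSL_CTX_load_verify_locations(ctx, path_to_cert, NULL) == 0) {
        xlogf(DEBUG_NORMAL, "(TLS) Failed to initalize path to root certificate!\n");
        xlogf(DEBUG_NORMAL, "Error : %s\n", ERR_error_string(ERR_get_error(), NULL));
        SSL_CTX_free(ctx);
        ctx = NULL;
        return -1;
    }

    if (SSL_CTX_set_default_verify_paths(ctx) == 0) {
        xlogf(DEBUG_NORMAL, "(TLS) Failed to initalize root certificate!\n");
        xlogf(DEBUG_NORMAL, "Error : %s\n", ERR_error_string(ERR_get_error(), NULL));
        SSL_CTX_free(ctx);
        ctx = NULL;
        return -1;
    }

    return 0;
}

/*
 * eapcrypt_tls_load_user_cert
 *
 * Load the client certificate (DER or PEM) and private key (PEM or DER),
 * verify they match, disable SSLv2/SSLv3, require a verified peer
 * certificate and seed the RNG from get_random_file().
 *
 * 'password' is not copied: the context keeps the pointer and hands it to
 * return_password() whenever the key is decrypted, so the caller must keep
 * the string alive for the lifetime of 'ctx'.
 *
 * Returns 0 on success, -2 if the key does not match the certificate, -1
 * for every other failure (the context is freed and 'ctx' set to NULL in
 * those cases, as before).
 */
int eapcrypt_tls_load_user_cert(char *path_to_user_cert, char *path_to_private_key, char *password)
{
    if (ctx == NULL) {
        xlogf(DEBUG_NORMAL, "(TLS) No TLS context; eapcrypt_tls_init() must succeed first!\n");
        return -1;
    }
    if (path_to_user_cert == NULL || path_to_private_key == NULL) {
        xlogf(DEBUG_NORMAL, "(TLS) Client certificate or private key path is NULL!\n");
        return -1;
    }

    SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)password);
    SSL_CTX_set_default_passwd_cb(ctx, return_password);

    /* Try DER first, then PEM. */
    if (SSL_CTX_use_certificate_file(ctx, path_to_user_cert, SSL_FILETYPE_ASN1) != 1 &&
        SSL_CTX_use_certificate_file(ctx, path_to_user_cert, SSL_FILETYPE_PEM) != 1) {
        xlogf(DEBUG_AUTHTYPES, "(TLS) Couldn't load client certificate data!\n");
        SSL_CTX_free(ctx);
        ctx = NULL;
        return -1;
    }

    /* Try PEM first, then DER. */
    if (SSL_CTX_use_PrivateKey_file(ctx, path_to_private_key, SSL_FILETYPE_PEM) != 1 &&
        SSL_CTX_use_PrivateKey_file(ctx, path_to_private_key, SSL_FILETYPE_ASN1) != 1) {
        SSL_CTX_free(ctx);
        ctx = NULL;
        xlogf(DEBUG_AUTHTYPES, "(TLS) Couldn't load client private key!\n");
        return -1;
    }

    if (!SSL_CTX_check_private_key(ctx)) {
        xlogf(DEBUG_NORMAL, "(TLS) Private key isn't valid!\n");
        return -2;
    }

    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE);
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);

    if (!RAND_load_file(get_random_file(), 1024)) {
        SSL_CTX_free(ctx);
        ctx = NULL;
        xlogf(DEBUG_NORMAL, "(TLS) Couldn't load random data from %s\n", get_random_file());
        return -1;
    }

    return 0;
}

/*** EOF ***/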