
📄 tls_funcs.c

📁 Linux dot1x认证的实现
💻 C
  if (mytls_vars->tlsoutsize==0)     {      if (indata != NULL)	{	  if (BIO_write(mytls_vars->ssl_in, indata, insize) < 2)	    {	      printf("Error : %s:%d\n", __FUNCTION__, __LINE__);	      tls_funcs_process_error();	    }	}       if (BIO_reset(mytls_vars->ssl_out) < 0)	{	  printf("Error : %s:%d\n", __FUNCTION__, __LINE__);	  tls_funcs_process_error();	}      if (mytls_vars->ssl == NULL) 	{	  debug_printf(DEBUG_NORMAL, "SSL context is NULL!!!!\n");	  return XETLSNOCTX;	}      rc = SSL_connect(mytls_vars->ssl);      if (rc < 0)	{	  tls_funcs_process_error();	}      BIO_get_mem_ptr(mytls_vars->ssl_out, &retData);            mytls_vars->tlsoutdata = retData->data;      mytls_vars->tlsoutsize = retData->length;    }  if (mytls_vars->tlsoutsize == 0)     {      debug_printf(DEBUG_AUTHTYPES, "No data returned!\n");      return XTLSNEEDDATA;    }  if ((mytls_vars->tlsoutsize - mytls_vars->tlsoutptr)>chunksize)    {      // Return a maximum sized chunk.            if (mytls_vars->tlsoutptr == 0)  // This is our first chunk, include	{                              // the length.	  outdata[0] = EAPTLS_LENGTH_MORE;  // We will have a length value, and more.	  length = htonl(mytls_vars->tlsoutsize);	  memcpy(&outdata[1], &length, 4);	  retVal = &outdata[5];	  *outsize = chunksize+5; // To account for length.	} else {	  outdata[0] = EAPTLS_MORE_FRAGS;	  retVal = &outdata[1];	  *outsize = chunksize+1;	}      memcpy(retVal, &mytls_vars->tlsoutdata[mytls_vars->tlsoutptr], 	     chunksize);      mytls_vars->tlsoutptr += chunksize;    } else {      // Return what is left.      if (mytls_vars->tlsoutptr == 0)  // This is our first chunk, include	{                              // the length.	  outdata[0] = EAPTLS_LENGTH_INCL;  // We will have a length value.	  
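length = htonl(mytls_vars->tlsoutsize);
          memcpy(&outdata[1], &length, 4);
          retVal = &outdata[5];
          *outsize = (mytls_vars->tlsoutsize - mytls_vars->tlsoutptr) + 5;
        }
      else
        {
          outdata[0] = EAPTLS_FINAL;
          retVal = &outdata[1];
          *outsize = (mytls_vars->tlsoutsize - mytls_vars->tlsoutptr) + 1;
        }

      /* Copy only the TLS payload that is still pending.  *outsize also
       * counts the flags byte (plus the 4-octet length on a first chunk),
       * so using it as the copy length read past the end of tlsoutdata and
       * wrote more bytes into outdata than were reported to the caller. */
      memcpy(retVal, &mytls_vars->tlsoutdata[mytls_vars->tlsoutptr],
             mytls_vars->tlsoutsize - mytls_vars->tlsoutptr);

      /* That was the last chunk: reset the outbound buffer state. */
      mytls_vars->tlsoutptr = 0;
      mytls_vars->tlsoutsize = 0;
    }

  return XENONE;
}

/*
 * Compare the peer certificate's common name with the configured value.
 *
 * @param mytls_vars  TLS state.  mytls_vars->cncheck is the expected CN
 *                    (NULL disables the check); mytls_vars->cnexact == 1
 *                    requests an exact match, anything else a substring match.
 * @return XENONE when no check is configured or the CN matches,
 *         XEBADCN when it does not match or no CN could be read,
 *         XEMALLOC when mytls_vars is NULL.
 */
int tls_funcs_cn_check(struct tls_vars *mytls_vars)
{
  char *cnname = NULL;
  int rc = XENONE;

  if (!xsup_assert((mytls_vars != NULL), "mytls_vars != NULL", FALSE))
    return XEMALLOC;

  /* No CN configured: nothing to verify. */
  if (mytls_vars->cncheck == NULL)
    return XENONE;

  debug_printf(DEBUG_AUTHTYPES, "Doing a CN Check!\n");

  cnname = get_cert_common_name(mytls_vars->ssl);
  if (cnname == NULL)
    {
      /* A check was requested but the certificate yielded no CN.  Fail
       * closed: returning XENONE here let a certificate without a usable
       * CN through an explicitly configured check. */
      debug_printf(DEBUG_NORMAL, "Certificate CN check requested, but no "
                   "CN could be read from the certificate!\n");
      return XEBADCN;
    }

  debug_printf(DEBUG_AUTHTYPES, "Certificate CN : %s\n", cnname);

  if (mytls_vars->cnexact == 1)
    {
      debug_printf(DEBUG_AUTHTYPES, "Looking for an exact match!\n");
      if (strcmp(mytls_vars->cncheck, cnname) != 0)
        rc = XEBADCN;
    }
  else
    {
      /* NOTE(review): strstr() accepts any CN that merely contains the
       * configured value anywhere in the string; confirm that a plain
       * substring match (rather than a suffix/domain match) is intended. */
      debug_printf(DEBUG_AUTHTYPES, "Looking for a relative match!\n");
      if (strstr(cnname, mytls_vars->cncheck) == NULL)
        rc = XEBADCN;
    }

  if (rc == XEBADCN)
    debug_printf(DEBUG_AUTHTYPES, "Certificate CN didn't match!\n");
  else
    debug_printf(DEBUG_AUTHTYPES, "Certificate CN matched!\n");

  /* get_cert_common_name() hands us an allocated string; release it on
   * every path. */
  free(cnname);
  return rc;
}

/*
 * Decode one inbound EAP-TLS packet and build the reply.
 *
 * @param thisint    EAP state; thisint->eap_data must point at a
 *                   struct tls_vars.
 * @param inframe    EAP-TLS payload: flags byte, an optional 4-octet total
 *                   length (when the L flag is set), then TLS data.
 * @param insize     Bytes in inframe; must be in 1..1520.
 * @param outframe   Buffer that receives the reply.
 * @param outsize    Set to the number of bytes written to outframe.
 * @param dophase2   Optional handler for the inner (phase 2) method, called
 *                   once the TLS handshake has finished.
 * @param chunksize  Largest TLS fragment to emit in one packet.
 * @return XENONE on success, XTLSNEEDDATA/XINNERSUCCESS as passed up from
 *         the parser or phase-2 handler, or one of XEMALLOC,
 *         XEBADPACKETSIZE, XETLSNOCTX, XEBADCN, XEPHASE2FAILURE,
 *         XETLSBADFLAGS on error.
 */
int tls_funcs_decode_packet(struct generic_eap_data *thisint, char *inframe,
                            int insize, char *outframe, int *outsize,
                            phase2_call dophase2, int chunksize)
{
  unsigned long err;
  int rtnVal = XENONE;
  int tlsindex;
  char *tlsptr;
  struct tls_vars *mytls_vars;

  if (!xsup_assert((thisint != NULL), "thisint != NULL", FALSE))
    return XEMALLOC;
  if (!xsup_assert((inframe != NULL), "inframe != NULL", FALSE))
    return XEMALLOC;
  if (!xsup_assert((outframe != NULL), "outframe != NULL", FALSE))
    return XEMALLOC;
  if (!xsup_assert((outsize != NULL), "outsize != NULL", FALSE))
    return XEMALLOC;

  /* The flags byte must be present before inframe[0] is read below. */
  if (insize < 1)
    {
      debug_printf(DEBUG_NORMAL, "Packet too small in tls_funcs_decode_packet()!  Ignoring!\n");
      return XEBADPACKETSIZE;
    }

  if (insize > 1520)
    {
      debug_printf(DEBUG_NORMAL, "Packet size too big in tls_funcs_decode_packet()!  Ignoring!\n");
      return XEBADPACKETSIZE;
    }

  debug_printf(DEBUG_AUTHTYPES, "Packet in (%d) :\n", insize);
  debug_hex_dump(DEBUG_AUTHTYPES, (uint8_t *) inframe, insize);

  /* Report (and pop one entry of) any OpenSSL error left from earlier. */
  err = ERR_get_error();
  if (err != 0)
    {
      debug_printf(DEBUG_NORMAL, "OpenSSL Error -- %s\n",
                   ERR_error_string(err, NULL));
    }

  mytls_vars = (struct tls_vars *)thisint->eap_data;
  if (mytls_vars == NULL)
    {
      debug_printf(DEBUG_NORMAL, "EAP data is invalid in tls_funcs_decode_packet()!\n");
      return XEMALLOC;
    }

  *outsize = 0;

  /* TLS data begins right after the flags byte. */
  tlsindex = 1;
  tlsptr = &inframe[tlsindex];

  switch ((uint8_t)inframe[0])
    {
    case EAPTLS_START:
      if (tls_funcs_start(mytls_vars) != XENONE)
        {
          debug_printf(DEBUG_NORMAL, "There was an error starting the TLS "
                       "handshake!\n");
        }

      if (mytls_vars->ssl == NULL)
        {
          debug_printf(DEBUG_NORMAL, "The SSL handle is invalid in tls_funcs_decode_packet()!\n");
          return XETLSNOCTX;
        }

      /* No inbound TLS data on a Start; just produce our ClientHello. */
      rtnVal = tls_funcs_parse(thisint, NULL, 0, outframe, outsize, chunksize);
      if (rtnVal < 0)
        debug_printf(DEBUG_NORMAL, "Failed to generate TLS data!\n");
      break;

    case EAPTLS_LENGTH_MORE:
    case EAPTLS_LENGTH_INCL:
      /* The L flag means a 4-octet total length follows the flags byte.
       * Make sure it is actually present before stepping over it; otherwise
       * the (insize - tlsindex) handed on below would go negative. */
      if (insize < tlsindex + 4)
        {
          debug_printf(DEBUG_NORMAL, "TLS length field is truncated in tls_funcs_decode_packet()!  Ignoring!\n");
          return XEBADPACKETSIZE;
        }

      /* OpenSSL reassembles the record itself, so the value is not needed. */
      tlsptr += 4;
      tlsindex += 4;
      /* fallthrough */

    case EAPTLS_MORE_FRAGS:
    case EAPTLS_ACK:
      /* Without an SSL handle there is nothing to feed the data into; the
       * old code only printed a message and then dereferenced it anyway. */
      if (mytls_vars->ssl == NULL)
        {
          debug_printf(DEBUG_NORMAL, "The SSL handle is invalid in tls_funcs_decode_packet()!\n");
          return XETLSNOCTX;
        }

      if ((SSL_is_init_finished(mytls_vars->ssl) != 0) && (dophase2 != NULL))
        {
          /* The handshake is done, so the rest of the packet is phase-2
           * data.  Verify the peer's CN before handing anything to it. */
          if (tls_funcs_cn_check(mytls_vars) != XENONE)
            {
              debug_printf(DEBUG_NORMAL, "Failed certificate common name "
                           "check!\n");
              *outsize = 0;
              return XEBADCN;
            }

          mytls_vars->phase = 2;

          if ((mytls_vars->resuming != 1) || (mytls_vars->quickResponse != TRUE))
            {
              rtnVal = (*dophase2)(thisint, (uint8_t *) tlsptr,
                                   (insize - tlsindex), outframe, outsize);
              /* Both XINNERSUCCESS and XENONE are acceptable outcomes. */
              if ((rtnVal != XINNERSUCCESS) && (rtnVal != XENONE))
                {
                  debug_printf(DEBUG_NORMAL, "Phase 2 failure!\n");
                  return XEPHASE2FAILURE;
                }
            }
          else if (*outsize == 0)
            {
              debug_printf(DEBUG_AUTHTYPES, "Resumed session, ACKing ACK!\n");
              tls_funcs_build_ack(outframe, outsize);
              rtnVal = XENONE;
            }
        }
      else
        {
          rtnVal = tls_funcs_parse(thisint, (uint8_t *) tlsptr,
                                   (insize - tlsindex), outframe, outsize,
                                   chunksize);
          if (rtnVal < 0)
            debug_printf(DEBUG_NORMAL, "Couldn't parse TLS data.\n");

          if ((SSL_is_init_finished(mytls_vars->ssl) != 0) &&
              (dophase2 != NULL) &&
              (mytls_vars->quickResponse == TRUE))
            {
              /* This packet completed the handshake and quickResponse is
               * on: run the CN check and phase 2 in the same round trip. */
              if (tls_funcs_cn_check(mytls_vars) != XENONE)
                {
                  debug_printf(DEBUG_NORMAL, "Failed certificate common "
                               "name check!\n");
                  *outsize = 0;
                  return XEBADCN;
                }

              mytls_vars->phase = 2;

              if ((mytls_vars->resuming != 1) || (mytls_vars->quickResponse != TRUE))
                {
                  /* NOTE(review): unlike the branch above, this path treats
                   * XINNERSUCCESS from the phase-2 handler as a failure and
                   * keeps rtnVal from tls_funcs_parse().  Preserved as-is;
                   * confirm the asymmetry is intended. */
                  if ((*dophase2)(thisint, (uint8_t *) tlsptr,
                                  (insize - tlsindex), outframe, outsize) != XENONE)
                    {
                      debug_printf(DEBUG_NORMAL, "Phase 2 Failure.\n");
                      return XEPHASE2FAILURE;
                    }
                }
              else if (*outsize == 0)
                {
                  debug_printf(DEBUG_AUTHTYPES, "Resumed session, ACKing ACK!\n");
                  tls_funcs_build_ack(outframe, outsize);
                  rtnVal = XENONE;
                }
            }
          else if (rtnVal == XTLSNEEDDATA)
            {
              /* Nothing to send yet; ACK so the peer sends the next fragment. */
              tls_funcs_build_ack(outframe, outsize);
              rtnVal = XENONE;
            }
        }
      break;

    default:
      debug_printf(DEBUG_NORMAL, "Invalid TLS flags! (%02X)\n", (uint8_t)inframe[0]);
      rtnVal = XETLSBADFLAGS;
      break;
    }

  return rtnVal;
}

/*
 * Derive the EAP-TLS key block for this session.
 *
 * @param thisint  EAP state; thisint->eap_data must point at a struct tls_vars.
 * @return Whatever tls_crypt_gen_keyblock() returns (see it for ownership),
 *         or NULL when the EAP state is missing.
 */
char *tls_funcs_gen_keyblock(struct generic_eap_data *thisint)
{
  struct tls_vars *mydata;

  if (!xsup_assert((thisint != NULL), "thisint != NULL", FALSE))
    return NULL;

  mydata = (struct tls_vars *)thisint->eap_data;
  if (!xsup_assert((mydata != NULL), "mydata != NULL", FALSE))
    return NULL;

  return tls_crypt_gen_keyblock(thisint, mydata->sessionkeyconst,
                                mydata->sessionkeylen);
}

/*
 * Write a bare EAP-TLS ACK (a single zero flags byte) into outframe.
 *
 * @param outframe  Destination buffer (at least one byte).
 * @param outsize   Set to 1 on success.
 * @return XENONE, or XEMALLOC when either pointer is NULL.
 */
int tls_funcs_build_ack(char *outframe, int *outsize)
{
  debug_printf(DEBUG_EVERYTHING, "Sending TLS ACK!\n");

  if (!xsup_assert((outframe != NULL), "outframe != NULL", FALSE))
    return XEMALLOC;
  if (!xsup_assert((outsize != NULL), "outsize != NULL", FALSE))
    return XEMALLOC;

  outframe[0] = 0x00;
  *outsize = 1;

  return XENONE;
}

/*
 * OpenSSL info callback: log handshake state changes and any alerts.
 *
 * @param ssl  Connection being reported on.
 * @param w    Callback "where" bit mask; SSL_CB_ALERT marks an alert.
 * @param r    For alerts, the alert code passed to SSL_alert_desc_string_long().
 */
static void ssl_info_callback(SSL *ssl, int w, int r)
{
  if (!xsup_assert((ssl != NULL), "ssl != NULL", FALSE))
    return;

  debug_printf(DEBUG_AUTHTYPES, "     --- SSL : %s\n", SSL_state_string_long(ssl));

  if (w & SSL_CB_ALERT)
    debug_printf(DEBUG_AUTHTYPES, "     --- ALERT : %s\n", SSL_alert_desc_string_long(r));
}

/*
 * OpenSSL PEM password callback: copy the passphrase in userdata into buf.
 *
 * @param buf       Destination buffer.
 * @param size      Capacity of buf; the copy is always NUL-terminated.
 * @param rwflag    Unused.
 * @param userdata  NUL-terminated passphrase (char *).
 * @return Length of the (possibly truncated) passphrase placed in buf,
 *         0 when buf has no room, or XEMALLOC on a NULL argument.
 */
static int return_password(char *buf, int size, int rwflag, void *userdata)
{
  (void)rwflag;

  if (!xsup_assert((buf != NULL), "buf != NULL", FALSE))
    return XEMALLOC;
  if (!xsup_assert((userdata != NULL), "userdata != NULL", FALSE))
    return XEMALLOC;

  /* With no room for a terminator, buf[size - 1] below would be out of
   * bounds; report "no password" instead. */
  if (size <= 0)
    return 0;

  strncpy(buf, (char *)userdata, size);
  buf[size - 1] = '\0';

  return (int)strlen(buf);
}

/*
 * Load the trusted root certificate(s) and optional CRL directory into
 * mytls_vars->ctx.  (Definition continues past this excerpt.)
 *
 * @param thisint    EAP state; thisint->eap_data must point at a struct tls_vars.
 * @param root_cert  Path to a root certificate file, or NULL.
 * @param root_dir   Path to a directory of root certificates, or NULL.
 * @param crl_dir    Optional directory of CRLs.
 */
int tls_funcs_load_root_certs(struct generic_eap_data *thisint,
                              char *root_cert, char *root_dir, char *crl_dir)
{
  struct tls_vars *mytls_vars;

  if (!xsup_assert((thisint != NULL), "thisint != NULL", FALSE))
    return XEMALLOC;

  mytls_vars = (struct tls_vars *)thisint->eap_data;
  if (!mytls_vars)
    {
      debug_printf(DEBUG_NORMAL, "Invalid EAP data was passed in to tls_funcs_load_root_certs()!\n");
      return XEMALLOC;
    }

  if ((!root_cert) && (!root_dir))
    {
      debug_printf(DEBUG_NORMAL, "Error loading cert!  Path to cert is NULL!\n");
      return XETLSCERTLOAD;
    }

  if (mytls_vars->ctx == NULL)
    {
      debug_printf(DEBUG_NORMAL, "Invalid context in tls_funcs_load_root_certs()!\n");
      return XEMALLOC;
    }

  debug_printf(DEBUG_CONFIG, "Trying to load root certificate %s or "
               "certificate directory %s\n", root_cert, root_dir);

  SSL_CTX_set_info_callback(mytls_vars->ctx, (void (*) ()) ssl_info_callback);

  if (SSL_CTX_load_verify_locations(mytls_vars->ctx, root_cert, root_dir) == 0)
    {
      debug_printf(DEBUG_NORMAL, "Failed to initialize path to root certificate!\n");
      tls_funcs_process_error();
      if (mytls_vars->ctx)
        {
          SSL_CTX_free(mytls_vars->ctx);
          mytls_vars->ctx = NULL;
        }
      return XETLSCERTLOAD;
    }

  debug_printf(DEBUG_CONFIG, "Loaded root certificate %s and directory %s\n",
               root_cert, root_dir);

  if (crl_dir)
    {
      /* NOTE(review): adding crl_dir as a verify location only makes the
       * CRLs loadable; revocation is not actually checked unless
       * X509_V_FLAG_CRL_CHECK is set on the context's store elsewhere --
       * confirm. */
      if (SSL_CTX_load_verify_locations(mytls_vars->ctx, NULL, crl_dir) == 0)
        {
          debug_printf(DEBUG_NORMAL, "Failed to initalize path to CRLs!\n");
          tls_funcs_process_error();
          if (mytls_vars->ctx)
            {
              SSL_CTX_free(mytls_vars->ctx);
              mytls_vars->ctx = NULL;
            }
          return XETLSCERTLOAD;
        }
    }

  /* Do we really want to pick up the default paths?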
*/  if (SSL_CTX_set_default_verify_paths(mytls_vars->ctx) == 0)    {      debug_printf(DEBUG_NORMAL, "Failed to initalize default paths for root certificates!\n");      tls_funcs_process_error();
