+#endif /* PPP_WITH_SRP */
+
+#ifdef PPP_WITH_CHAPMS
+ case EAPT_MSCHAPV2:
+ if (len < 4) {
+ error("EAP: received invalid MSCHAPv2 packet, too short");
+ return;
+ }
+ unsigned char opcode;
+ GETCHAR(opcode, inp);
+ unsigned char chapid; /* Chapv2-ID */
+ GETCHAR(chapid, inp);
+ short mssize;
+ GETSHORT(mssize, inp);
+
+ /* Validate the mssize field */
+ if (len != mssize) {
+ error("EAP: received invalid MSCHAPv2 packet, invalid length");
+ return;
+ }
+ len -= 4;
+
+ /* If MSCHAPv2 digest was not found, NAK the packet */
+ if (!esp->es_client.digest) {
+ error("EAP MSCHAPv2 not supported");
+ eap_send_nak(esp, id, EAPT_SRP);
+ return;
+ }
+
+ switch (opcode) {
+ case CHAP_CHALLENGE: {
+
+ /* make_response() expects: VLEN + VALUE */
+ u_char *challenge = inp;
+
+ unsigned char vsize;
+ GETCHAR(vsize, inp);
+ len -= 1;
+
+ /* Validate the VALUE field */
+ if (vsize != MS_CHAP2_PEER_CHAL_LEN || len < MS_CHAP2_PEER_CHAL_LEN) {
+ error("EAP: received invalid MSCHAPv2 packet, invalid value-length: %d", vsize);
+ return;
+ }
+
+ /* Increment past the VALUE field */
+ INCPTR(MS_CHAP2_PEER_CHAL_LEN, inp);
+ len -= MS_CHAP2_PEER_CHAL_LEN;
+
+ /* Extract the hostname */
+ rhostname[0] = '\0';
+ if (len > 0) {
+ if (len >= sizeof (rhostname)) {
+ dbglog("EAP: trimming really long peer name down");
+ len = sizeof(rhostname) - 1;
+ }
+ BCOPY(inp, rhostname, len);
+ rhostname[len] = '\0';
+ }
+
+ /* In case the remote doesn't give us his name. */
+ if (explicit_remote || (remote_name[0] != '\0' && len == 0))
+ strlcpy(rhostname, remote_name, sizeof(rhostname));
+
+ /* Get the secret for authenticating ourselves with the specified host. */
+ if (!get_secret(esp->es_unit, esp->es_client.ea_name,
+ rhostname, secret, &secret_len, 0)) {
+ dbglog("EAP: no CHAP secret for auth to %q", rhostname);
+ eap_send_nak(esp, id, EAPT_SRP);
+ break;
+ }
+ esp->es_client.ea_namelen = strlen(esp->es_client.ea_name);
+
+ /* Create the MSCHAPv2 response (and add to cache) */
+ unsigned char response[MS_CHAP2_RESPONSE_LEN+1]; // VLEN + VALUE
+ esp->es_client.digest->make_response(response, chapid, esp->es_client.ea_name,
+ challenge, secret, secret_len, NULL);
+
+ eap_chapv2_response(esp, id, chapid, response, esp->es_client.ea_name, esp->es_client.ea_namelen);
+ break;
+ }
+ case CHAP_SUCCESS: {
+
+ /* Check response for mutual authentication */
+ u_char status = CHAP_FAILURE;
+ if (esp->es_client.digest->check_success(chapid, inp, len) == 1) {
+ info("Chap authentication succeeded! %.*v", len, inp);
+ status = CHAP_SUCCESS;
+ }
+ eap_send_response(esp, id, EAPT_MSCHAPV2, &status, sizeof(status));
+ break;
+ }
+ case CHAP_FAILURE: {
+
+ /* Process the failure string, and log appropriate information */
+ esp->es_client.digest->handle_failure(inp, len);
+
+ u_char status = CHAP_FAILURE;
+ eap_send_response(esp, id, EAPT_MSCHAPV2, &status, sizeof(status));
+ goto client_failure; /* force termination */
+ }
+ default:
+
+ error("EAP: received invalid MSCHAPv2 packet, invalid or unsupported opcode: %d", opcode);
+ eap_send_nak(esp, id, EAPT_SRP);
+ }
+
+ break;
+#endif /* PPP_WITH_CHAPMS */
+#ifdef PPP_WITH_PEAP
+ case EAPT_PEAP:
+
+ /* Initialize the PEAP context (if not already initialized) */
+ if (!esp->ea_peap) {
+ rhostname[0] = '\0';
+ if (explicit_remote || (remote_name[0] != '\0')) {
+ strlcpy(rhostname, remote_name, sizeof (rhostname));
+ }
+ if (peap_init(&esp->ea_peap, rhostname)) {
+ eap_send_nak(esp, id, EAPT_TLS);
+ break;
+ }
+ }
+
+ /* Process the PEAP packet */
+ if (peap_process(esp, id, inp, len)) {
+ eap_send_nak(esp, id, EAPT_TLS);
+ }
+
+ break;
+#endif // PPP_WITH_PEAP