AC_ARG_ENABLE([eaptls],
AS_HELP_STRING([--disable-eaptls], [Disable EAP-TLS authentication support]))
AS_IF([test "x$enable_eaptls" != "xno"],
- AC_DEFINE([USE_EAPTLS], 1, ["Have EAP-TLS authentication support"]))
-AM_CONDITIONAL(WITH_EAPTLS, test "x${enable_eaptls}" != "xno")
+ AC_DEFINE([PPP_WITH_EAPTLS], 1, [Have EAP-TLS authentication support]))
+AM_CONDITIONAL(PPP_WITH_EAPTLS, test "x${enable_eaptls}" != "xno")
#
# Disable PEAP support
pppd_LIBS += -lpam -ldl
endif
-if WITH_EAPTLS
+if PPP_WITH_EAPTLS
pppd_SOURCES += eap-tls.c tls.c
else
if WITH_PEAP
#include "upap.h"
#include "chap-new.h"
#include "eap.h"
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
#include "eap-tls.h"
#endif
#ifdef PPP_WITH_CBCP
/* Hook for a plugin to get the CHAP password for authenticating us */
int (*chap_passwd_hook)(char *user, char *passwd) = NULL;
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
/* Hook for a plugin to get the EAP-TLS password for authenticating us */
int (*eaptls_passwd_hook)(char *user, char *passwd) = NULL;
#endif
bool explicit_passwd = 0; /* Set if "password" option supplied */
char remote_name[MAXNAMELEN]; /* Peer's name for authentication */
-#if defined(USE_EAPTLS) || defined(USE_PEAP)
+#if defined(PPP_WITH_EAPTLS) || defined(USE_PEAP)
char *cacert_file = NULL; /* CA certificate file (pem format) */
char *ca_path = NULL; /* Directory with CA certificates */
char *crl_dir = NULL; /* Directory containing CRL files */
bool tls_verify_key_usage = 0; /* Verify peer certificate key usage */
#endif
-#if defined(USE_EAPTLS)
+#if defined(PPP_WITH_EAPTLS)
char *cert_file = NULL; /* Client certificate file (pem format) */
char *privkey_file = NULL; /* Client private key file (pem format) */
char *pkcs12_file = NULL; /* Client private key envelope file (pkcs12 format) */
static int have_srp_secret(char *client, char *server, int need_ip,
int *lacks_ipp);
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
static int have_eaptls_secret_server
(char *client, char *server, int need_ip, int *lacks_ipp);
static int have_eaptls_secret_client (char *client, char *server);
"Set telephone number(s) which are allowed to connect",
OPT_PRIV | OPT_A2LIST },
-#if defined(USE_EAPTLS) || defined(USE_PEAP)
+#if defined(PPP_WITH_EAPTLS) || defined(USE_PEAP)
{ "ca", o_string, &cacert_file, "CA certificate in PEM format" },
{ "capath", o_string, &ca_path, "TLS CA certificate directory" },
{ "crl-dir", o_string, &crl_dir, "Use CRLs in directory" },
"Verify peer by method (none|subject|name|suffix)" },
#endif
-#if defined(USE_EAPTLS)
+#if defined(PPP_WITH_EAPTLS)
{ "cert", o_string, &cert_file, "client certificate in PEM format" },
{ "key", o_string, &privkey_file, "client private key in PEM format" },
{ "pkcs12", o_string, &pkcs12_file, "EAP-TLS client credentials in PKCS12 format" },
{ "need-peer-eap", o_bool, &need_peer_eap,
"Require the peer to authenticate us", 1 },
-#endif
+#endif /* PPP_WITH_EAPTLS */
{ NULL }
};
lcp_options *wo = &lcp_wantoptions[unit];
lcp_options *go = &lcp_gotoptions[unit];
lcp_options *ho = &lcp_hisoptions[unit];
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
lcp_options *ao = &lcp_allowoptions[unit];
#endif
int i;
}
}
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
if (need_peer_eap && !ao->neg_eap) {
warn("eap required to authenticate us but no suitable secrets");
lcp_close(unit, "couldn't negotiate eap");
our_name, 1, &lacks_ip);
}
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
if (!can_auth && wo->neg_eap) {
can_auth =
have_eaptls_secret_server((explicit_remote ? remote_name :
(hadchap == 1 || (hadchap == -1 && have_chap_secret(user,
(explicit_remote? remote_name: NULL), 0, NULL))) ||
have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
|| have_eaptls_secret_client(user, (explicit_remote? remote_name: NULL))
#endif
);
1, NULL))) &&
!have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1,
NULL)
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
&& !have_eaptls_secret_server((explicit_remote? remote_name: NULL),
our_name, 1, NULL)
#endif
}
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
static int
have_eaptls_secret_server(char *client, char *server,
int need_ip, int *lacks_ipp)
if (go->mppe) {
ccp_options *ao = &ccp_allowoptions[f->unit];
int auth_mschap_bits = auth_done[f->unit];
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
int auth_eap_bits = auth_done[f->unit];
#endif
int numbits;
return;
}
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
/*
* MPPE is also possible in combination with EAP-TLS.
* It is not possible to detect if we're doing EAP or EAP-TLS
#define SHA_DIGESTSIZE 20
#endif
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
#include "eap-tls.h"
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
#ifdef PPP_WITH_CHAPMS
#include "chap_ms.h"
esp->es_server.ea_id = (u_char)(drand48() * 0x100);
esp->es_client.ea_timeout = EAP_DEFREQTIME;
esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ;
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
esp->es_client.ea_using_eaptls = 0;
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
#ifdef PPP_WITH_CHAPMS
esp->es_client.digest = chap_find_digest(CHAP_MICROSOFT_V2);
esp->es_server.digest = chap_find_digest(CHAP_MICROSOFT_V2);
u_char vals[2];
struct b64state bs;
#endif /* USE_SRP */
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
struct eaptls_session *ets;
int secret_len;
char secret[MAXWORDLEN];
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
esp->es_server.ea_timeout = esp->es_savedtime;
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
esp->es_server.ea_prev_state = esp->es_server.ea_state;
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
switch (esp->es_server.ea_state) {
case eapBadAuth:
return;
break;
}
#endif /* USE_SRP */
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
if (!get_secret(esp->es_unit, esp->es_server.ea_peer,
esp->es_server.ea_name, secret, &secret_len, 1)) {
esp->es_server.ea_state = eapTlsStart;
break;
}
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
esp->es_server.ea_state = eapMD5Chall;
break;
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
case eapTlsStart:
/* Initialize ssl session */
if(!eaptls_init_ssl_server(esp)) {
case eapTlsSendAlert:
esp->es_server.ea_state = eapTlsRecvAlertAck;
break;
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
case eapSRP1:
#ifdef USE_SRP
if (esp->es_server.ea_state == eapBadAuth)
eap_send_failure(esp);
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
dbglog("EAP id=0x%2x '%s' -> '%s'", esp->es_server.ea_id, eap_state_name(esp->es_server.ea_prev_state), eap_state_name(esp->es_server.ea_state));
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
}
#if PPP_WITH_CHAPMS
break;
#endif /* PPP_WITH_CHAPMS */
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
case eapTlsStart:
PUTCHAR(EAPT_TLS, outp);
PUTCHAR(EAP_TLS_FLAGS_START, outp);
eaptls_send(esp->es_server.ea_session, &outp);
eap_figure_next_state(esp, 0);
break;
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
#ifdef USE_SRP
case eapSRP1:
static void
eap_server_timeout(void *arg)
{
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
u_char *outp;
u_char *lenloc;
int outlen;
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
eap_state *esp = (eap_state *) arg;
if (!eap_server_active(esp))
return;
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
switch(esp->es_server.ea_prev_state) {
/*
default:
break;
}
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
/* EAP ID number must not change on timeout. */
eap_send_request(esp);
}
#endif /* USE_SRP */
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
/*
* Send an EAP-TLS response message with tls data
*/
output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen);
}
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
static void
eap_send_nak(eap_state *esp, u_char id, u_char type)
char rhostname[256];
MD5_CTX mdContext;
u_char hash[MD5_SIGNATURE_SIZE];
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
u_char flags;
struct eaptls_session *ets = esp->es_client.ea_session;
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
#ifdef USE_SRP
struct t_client *tc;
esp->es_client.ea_namelen);
break;
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
case EAPT_TLS:
switch(esp->es_client.ea_state) {
}
break;
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
#ifdef USE_SRP
case EAPT_SRP:
u_char dig[SHA_DIGESTSIZE];
#endif /* USE_SRP */
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
struct eaptls_session *ets;
u_char flags;
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
#ifdef PPP_WITH_CHAPMS
u_char opcode;
int (*chap_verifier)(char *, char *, int, struct chap_digest_type *,
eap_figure_next_state(esp, 0);
break;
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
case EAPT_TLS:
switch(esp->es_server.ea_state) {
break;
}
break;
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
case EAPT_NOTIFICATION:
dbglog("EAP unexpected Notification; response discarded");
esp->es_server.ea_state = eapMD5Chall;
break;
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
/* Send EAP-TLS start packet */
case EAPT_TLS:
esp->es_server.ea_state = eapTlsStart;
break;
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
#ifdef PPP_WITH_CHAPMS
case EAPT_MSCHAPV2:
eap_success(eap_state *esp, u_char *inp, int id, int len)
{
if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
&& esp->es_client.ea_state != eapTlsRecvSuccess
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
) {
dbglog("EAP unexpected success message in state %s (%d)",
eap_state_name(esp->es_client.ea_state),
return;
}
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state !=
eapTlsRecvSuccess) {
dbglog("EAP-TLS unexpected success message in state %s (%d)",
esp->es_client.ea_state);
return;
}
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
if (esp->es_client.ea_timeout > 0) {
UNTIMEOUT(eap_client_timeout, (void *)esp);
int code, id, len, rtype, vallen;
u_char *pstart;
u_int32_t uval;
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
u_char flags;
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
#ifdef PPP_WITH_CHAPMS
u_char opcode;
#endif /* PPP_WITH_CHAPMS */
break;
#endif /* PPP_WITH_CHAPMS */
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
case EAPT_TLS:
if (len < 1)
break;
printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-");
printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- ");
break;
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
#ifdef USE_SRP
case EAPT_SRP:
}
break;
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
case EAPT_TLS:
if (len < 1)
break;
printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- ");
break;
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
case EAPT_NAK:
if (len <= 0) {
"TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \
"SRP1", "SRP2", "SRP3", "MD5Chall", "MSCHAPv2Chall", "Open", "SRP4", "BadAuth"
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\
(esp)->es_client.ea_state != eapPending &&\
(esp)->es_client.ea_state != eapClosed)
#else
#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
#define eap_server_active(esp) \
((esp)->es_server.ea_state >= eapIdentify && \
u_short ea_namelen; /* Length of our name */
u_short ea_peerlen; /* Length of peer's name */
enum eap_state_code ea_state;
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
enum eap_state_code ea_prev_state;
#endif
#ifdef PPP_WITH_CHAPMS
u_char ea_responses; /* Number of Responses */
u_char ea_type; /* One of EAPT_* */
u_int32_t ea_keyflags; /* SRP shared key usage flags */
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
bool ea_using_eaptls;
#endif
};
* Timeouts.
*/
#define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
#define EAP_DEFTRANSMITS 30 /* max # times to transmit */
/* certificates can be long ... */
#else
#define EAP_DEFTRANSMITS 10 /* max # times to transmit */
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
#define EAP_DEFREQTIME 20 /* Time to wait for peer request */
#define EAP_DEFALLOWREQ 20 /* max # times to accept requests */
#define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets"
#define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets"
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
#define _PATH_EAPTLSCLIFILE _ROOT_PATH "/etc/ppp/eaptls-client"
#define _PATH_EAPTLSSERVFILE _ROOT_PATH "/etc/ppp/eaptls-server"
#define _PATH_OPENSSLCONFFILE _ROOT_PATH "/etc/ppp/openssl.cnf"
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
#define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options"
#define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up"
{
add_options(options);
pap_passwd_hook = promptpass;
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
eaptls_passwd_hook = promptpass;
#endif
}
chap_check_hook = pwfd_check;
chap_passwd_hook = pwfd_passwd;
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
eaptls_passwd_hook = pwfd_passwd;
#endif
}
extern char path_ipv6down[]; /* pathname of ipv6-down script */
#endif
-#if defined(USE_EAPTLS) || defined(USE_PEAP)
-
+#if defined(PPP_WITH_EAPTLS) || defined(USE_PEAP)
#define TLS_VERIFY_NONE "none"
#define TLS_VERIFY_NAME "name"
#define TLS_VERIFY_SUBJECT "subject"
extern char *max_tls_version;
extern bool tls_verify_key_usage;
extern char *tls_verify_method;
-#endif /* USE_EAPTLS || USE_PEAP */
+#endif /* PPP_WITH_EAPTLS || USE_PEAP */
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
extern char *pkcs12_file;
-#endif /* USE_EAPTLS */
+#endif /* PPP_WITH_EAPTLS */
#ifdef MAXOCTETS
extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */
extern int (*chap_passwd_hook)(char *user, char *passwd);
extern void (*multilink_join_hook)(void);
-#ifdef USE_EAPTLS
+#ifdef PPP_WITH_EAPTLS
extern int (*eaptls_passwd_hook)(char *user, char *passwd);
#endif
/* "Have EAP-SRP authentication support" */
#undef USE_SRP
-/* "Have EAP-TLS authentication support" */
-#undef USE_EAPTLS
+/* Have EAP-TLS authentication support */
+#undef PPP_WITH_EAPTLS
/* "Have PEAP authentication support" */
#undef USE_PEAP
projects / ppp.git / commitdiff