X-Git-Url: https://git.ozlabs.org/?a=blobdiff_plain;f=pppd%2Feap.c;h=92d29ec8bd6c034995f3ebd6a7c737669d80a607;hb=d83b03f5ced8aa26ad937fb87d606e7c10cdc859;hp=082e95343120954abe1de82991387373344e1ba7;hpb=b1fcf16fa66159f380ee4abd7c9a76b59809dc7b;p=ppp.git diff --git a/pppd/eap.c b/pppd/eap.c index 082e953..92d29ec 100644 --- a/pppd/eap.c +++ b/pppd/eap.c @@ -43,7 +43,10 @@ * Based on draft-ietf-pppext-eap-srp-03.txt. */ -#define RCSID "$Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp $" +/* + * Modification by Beniamino Galvani, Mar 2005 + * Implemented EAP-TLS authentication + */ /* * TODO: @@ -76,6 +79,9 @@ #define SHA_DIGESTSIZE 20 #endif +#ifdef USE_EAPTLS +#include "eap-tls.h" +#endif /* USE_EAPTLS */ eap_state eap_states[NUM_PPP]; /* EAP state; one for each unit */ #ifdef USE_SRP @@ -110,13 +116,13 @@ static option_t eap_option_list[] = { /* * Protocol entry points. */ -static void eap_init __P((int unit)); -static void eap_input __P((int unit, u_char *inp, int inlen)); -static void eap_protrej __P((int unit)); -static void eap_lowerup __P((int unit)); -static void eap_lowerdown __P((int unit)); -static int eap_printpkt __P((u_char *inp, int inlen, - void (*)(void *arg, char *fmt, ...), void *arg)); +static void eap_init (int unit); +static void eap_input (int unit, u_char *inp, int inlen); +static void eap_protrej (int unit); +static void eap_lowerup (int unit); +static void eap_lowerdown (int unit); +static int eap_printpkt (u_char *inp, int inlen, + void (*)(void *arg, char *fmt, ...), void *arg); struct protent eap_protent = { PPP_EAP, /* protocol number */ @@ -138,6 +144,7 @@ struct protent eap_protent = { NULL /* say whether to bring up link for this pkt */ }; +#ifdef USE_SRP /* * A well-known 2048 bit modulus. */ @@ -175,16 +182,16 @@ static const u_char wkmodulus[] = { 0x9B, 0x65, 0xE3, 0x72, 0xFC, 0xD6, 0x8E, 0xF2, 0x0F, 0xA7, 0x11, 0x1F, 0x9E, 0x4A, 0xFF, 0x73 }; +#endif /* USE_SRP */ /* Local forward declarations. */ -static void eap_server_timeout __P((void *arg)); +static void eap_server_timeout (void *arg); /* * Convert EAP state code to printable string for debug. */ static const char * -eap_state_name(esc) -enum eap_state_code esc; +eap_state_name(enum eap_state_code esc) { static const char *state_names[] = { EAP_STATES }; @@ -196,8 +203,7 @@ enum eap_state_code esc; * called once by main() during start-up. */ static void -eap_init(unit) -int unit; +eap_init(int unit) { eap_state *esp = &eap_states[unit]; @@ -208,6 +214,9 @@ int unit; esp->es_server.ea_id = (u_char)(drand48() * 0x100); esp->es_client.ea_timeout = EAP_DEFREQTIME; esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ; +#ifdef USE_EAPTLS + esp->es_client.ea_using_eaptls = 0; +#endif /* USE_EAPTLS */ } /* @@ -215,8 +224,7 @@ int unit; * Request messages. */ static void -eap_client_timeout(arg) -void *arg; +eap_client_timeout(void *arg) { eap_state *esp = (eap_state *) arg; @@ -235,9 +243,7 @@ void *arg; * after eap_lowerup. */ void -eap_authwithpeer(unit, localname) -int unit; -char *localname; +eap_authwithpeer(int unit, char *localname) { eap_state *esp = &eap_states[unit]; @@ -261,8 +267,7 @@ char *localname; * (Server operation) */ static void -eap_send_failure(esp) -eap_state *esp; +eap_send_failure(eap_state *esp) { u_char *outp; @@ -286,8 +291,7 @@ eap_state *esp; * (Server operation) */ static void -eap_send_success(esp) -eap_state *esp; +eap_send_success(eap_state *esp) { u_char *outp; @@ -341,11 +345,7 @@ struct b64state { }; static int -b64enc(bs, inp, inlen, outp) -struct b64state *bs; -u_char *inp; -int inlen; -u_char *outp; +b64enc(struct b64state *bs, u_char *inp, int inlen, u_char *outp) { int outlen = 0; @@ -367,9 +367,7 @@ u_char *outp; } static int -b64flush(bs, outp) -struct b64state *bs; -u_char *outp; +b64flush(struct b64state *bs, u_char *outp) { int outlen = 0; @@ -389,11 +387,7 @@ u_char *outp; } static int -b64dec(bs, inp, inlen, outp) -struct b64state *bs; -u_char *inp; -int inlen; -u_char *outp; +b64dec(struct b64state *bs, u_char *inp, int inlen, u_char *outp) { int outlen = 0; char *cp; @@ -421,9 +415,7 @@ u_char *outp; * 0 for success and non-zero for failure. */ static void -eap_figure_next_state(esp, status) -eap_state *esp; -int status; +eap_figure_next_state(eap_state *esp, int status) { #ifdef USE_SRP unsigned char secbuf[MAXWORDLEN], clear[8], *sp, *dp; @@ -435,8 +427,16 @@ int status; u_char vals[2]; struct b64state bs; #endif /* USE_SRP */ +#ifdef USE_EAPTLS + struct eaptls_session *ets; + int secret_len; + char secret[MAXWORDLEN]; +#endif /* USE_EAPTLS */ esp->es_server.ea_timeout = esp->es_savedtime; +#ifdef USE_EAPTLS + esp->es_server.ea_prev_state = esp->es_server.ea_state; +#endif /* USE_EAPTLS */ switch (esp->es_server.ea_state) { case eapBadAuth: return; @@ -561,9 +561,81 @@ int status; break; } #endif /* USE_SRP */ +#ifdef USE_EAPTLS + if (!get_secret(esp->es_unit, esp->es_server.ea_peer, + esp->es_server.ea_name, secret, &secret_len, 1)) { + + esp->es_server.ea_state = eapTlsStart; + break; + } +#endif /* USE_EAPTLS */ + esp->es_server.ea_state = eapMD5Chall; break; +#ifdef USE_EAPTLS + case eapTlsStart: + /* Initialize ssl session */ + if(!eaptls_init_ssl_server(esp)) { + esp->es_server.ea_state = eapBadAuth; + break; + } + + esp->es_server.ea_state = eapTlsRecv; + break; + + case eapTlsRecv: + ets = (struct eaptls_session *) esp->es_server.ea_session; + + if(ets->alert_sent) { + esp->es_server.ea_state = eapTlsSendAlert; + break; + } + + if (status) { + esp->es_server.ea_state = eapBadAuth; + break; + } + ets = (struct eaptls_session *) esp->es_server.ea_session; + + if(ets->frag) + esp->es_server.ea_state = eapTlsSendAck; + else + esp->es_server.ea_state = eapTlsSend; + break; + + case eapTlsSend: + ets = (struct eaptls_session *) esp->es_server.ea_session; + + if(ets->frag) + esp->es_server.ea_state = eapTlsRecvAck; + else + if(SSL_is_init_finished(ets->ssl)) + esp->es_server.ea_state = eapTlsRecvClient; + else + /* JJK Add "TLS empty record" message here ??? */ + esp->es_server.ea_state = eapTlsRecv; + break; + + case eapTlsSendAck: + esp->es_server.ea_state = eapTlsRecv; + break; + + case eapTlsRecvAck: + if (status) + { + esp->es_server.ea_state = eapBadAuth; + break; + } + + esp->es_server.ea_state = eapTlsSend; + break; + + case eapTlsSendAlert: + esp->es_server.ea_state = eapTlsRecvAlertAck; + break; +#endif /* USE_EAPTLS */ + case eapSRP1: #ifdef USE_SRP ts = (struct t_server *)esp->es_server.ea_session; @@ -629,6 +701,10 @@ int status; } if (esp->es_server.ea_state == eapBadAuth) eap_send_failure(esp); + +#ifdef USE_EAPTLS + dbglog("EAP id=0x%2x '%s' -> '%s'", esp->es_server.ea_id, eap_state_name(esp->es_server.ea_prev_state), eap_state_name(esp->es_server.ea_state)); +#endif /* USE_EAPTLS */ } /* @@ -636,8 +712,7 @@ int status; * type depends on current state. (Server operation) */ static void -eap_send_request(esp) -eap_state *esp; +eap_send_request(eap_state *esp) { u_char *outp; u_char *lenloc; @@ -717,6 +792,30 @@ eap_state *esp; INCPTR(esp->es_server.ea_namelen, outp); break; +#ifdef USE_EAPTLS + case eapTlsStart: + PUTCHAR(EAPT_TLS, outp); + PUTCHAR(EAP_TLS_FLAGS_START, outp); + eap_figure_next_state(esp, 0); + break; + + case eapTlsSend: + eaptls_send(esp->es_server.ea_session, &outp); + eap_figure_next_state(esp, 0); + break; + + case eapTlsSendAck: + PUTCHAR(EAPT_TLS, outp); + PUTCHAR(0, outp); + eap_figure_next_state(esp, 0); + break; + + case eapTlsSendAlert: + eaptls_send(esp->es_server.ea_session, &outp); + eap_figure_next_state(esp, 0); + break; +#endif /* USE_EAPTLS */ + #ifdef USE_SRP case eapSRP1: PUTCHAR(EAPT_SRP, outp); @@ -870,9 +969,7 @@ eap_state *esp; * after eap_lowerup. */ void -eap_authpeer(unit, localname) -int unit; -char *localname; +eap_authpeer(int unit, char *localname) { eap_state *esp = &eap_states[unit]; @@ -900,14 +997,59 @@ char *localname; * expired. */ static void -eap_server_timeout(arg) -void *arg; +eap_server_timeout(void *arg) { +#ifdef USE_EAPTLS + u_char *outp; + u_char *lenloc; + int outlen; +#endif /* USE_EAPTLS */ + eap_state *esp = (eap_state *) arg; if (!eap_server_active(esp)) return; +#ifdef USE_EAPTLS + switch(esp->es_server.ea_prev_state) { + + /* + * In eap-tls the state changes after a request, so we return to + * previous state ... + */ + case(eapTlsStart): + case(eapTlsSendAck): + esp->es_server.ea_state = esp->es_server.ea_prev_state; + break; + + /* + * ... or resend the stored data + */ + case(eapTlsSend): + case(eapTlsSendAlert): + outp = outpacket_buf; + MAKEHEADER(outp, PPP_EAP); + PUTCHAR(EAP_REQUEST, outp); + PUTCHAR(esp->es_server.ea_id, outp); + lenloc = outp; + INCPTR(2, outp); + + eaptls_retransmit(esp->es_server.ea_session, &outp); + + outlen = (outp - outpacket_buf) - PPP_HDRLEN; + PUTSHORT(outlen, lenloc); + output(esp->es_unit, outpacket_buf, outlen + PPP_HDRLEN); + esp->es_server.ea_requests++; + + if (esp->es_server.ea_timeout > 0) + TIMEOUT(eap_server_timeout, esp, esp->es_server.ea_timeout); + + return; + default: + break; + } +#endif /* USE_EAPTLS */ + /* EAP ID number must not change on timeout. */ eap_send_request(esp); } @@ -918,8 +1060,7 @@ void *arg; * will restart the timer. If it fails, then the link is dropped. */ static void -eap_rechallenge(arg) -void *arg; +eap_rechallenge(void *arg) { eap_state *esp = (eap_state *)arg; @@ -935,8 +1076,7 @@ void *arg; } static void -srp_lwrechallenge(arg) -void *arg; +srp_lwrechallenge(void *arg) { eap_state *esp = (eap_state *)arg; @@ -959,8 +1099,7 @@ void *arg; * thing. */ static void -eap_lowerup(unit) -int unit; +eap_lowerup(int unit) { eap_state *esp = &eap_states[unit]; @@ -983,8 +1122,7 @@ int unit; * Cancel all timeouts and return to initial state. */ static void -eap_lowerdown(unit) -int unit; +eap_lowerdown(int unit) { eap_state *esp = &eap_states[unit]; @@ -1018,8 +1156,7 @@ int unit; * failure. */ static void -eap_protrej(unit) -int unit; +eap_protrej(int unit) { eap_state *esp = &eap_states[unit]; @@ -1038,12 +1175,8 @@ int unit; * Format and send a regular EAP Response message. */ static void -eap_send_response(esp, id, typenum, str, lenstr) -eap_state *esp; -u_char id; -u_char typenum; -u_char *str; -int lenstr; +eap_send_response(eap_state *esp, u_char id, u_char typenum, + u_char *str, int lenstr) { u_char *outp; int msglen; @@ -1069,12 +1202,8 @@ int lenstr; * Format and send an MD5-Challenge EAP Response message. */ static void -eap_chap_response(esp, id, hash, name, namelen) -eap_state *esp; -u_char id; -u_char *hash; -char *name; -int namelen; +eap_chap_response(eap_state *esp, u_char id, u_char *hash, + char *name, int namelen) { u_char *outp; int msglen; @@ -1105,12 +1234,8 @@ int namelen; * Format and send a SRP EAP Response message. */ static void -eap_srp_response(esp, id, subtypenum, str, lenstr) -eap_state *esp; -u_char id; -u_char subtypenum; -u_char *str; -int lenstr; +eap_srp_response(eap_state *esp, u_char id, u_char subtypenum, + u_char *str, int lenstr) { u_char *outp; int msglen; @@ -1137,11 +1262,7 @@ int lenstr; * Format and send a SRP EAP Client Validator Response message. */ static void -eap_srpval_response(esp, id, flags, str) -eap_state *esp; -u_char id; -u_int32_t flags; -u_char *str; +eap_srpval_response(eap_state *esp, u_char id, u_int32_t flags, u_char *str) { u_char *outp; int msglen; @@ -1165,11 +1286,77 @@ u_char *str; } #endif /* USE_SRP */ +#ifdef USE_EAPTLS +/* + * Send an EAP-TLS response message with tls data + */ static void -eap_send_nak(esp, id, type) -eap_state *esp; -u_char id; -u_char type; +eap_tls_response(eap_state *esp, u_char id) +{ + u_char *outp; + int outlen; + u_char *lenloc; + + outp = outpacket_buf; + + MAKEHEADER(outp, PPP_EAP); + + PUTCHAR(EAP_RESPONSE, outp); + PUTCHAR(id, outp); + + lenloc = outp; + INCPTR(2, outp); + + /* + If the id in the request is unchanged, we must retransmit + the old data + */ + if(id == esp->es_client.ea_id) + eaptls_retransmit(esp->es_client.ea_session, &outp); + else + eaptls_send(esp->es_client.ea_session, &outp); + + outlen = (outp - outpacket_buf) - PPP_HDRLEN; + PUTSHORT(outlen, lenloc); + + output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); + + esp->es_client.ea_id = id; +} + +/* + * Send an EAP-TLS ack + */ +static void +eap_tls_sendack(eap_state *esp, u_char id) +{ + u_char *outp; + int outlen; + u_char *lenloc; + + outp = outpacket_buf; + + MAKEHEADER(outp, PPP_EAP); + + PUTCHAR(EAP_RESPONSE, outp); + PUTCHAR(id, outp); + esp->es_client.ea_id = id; + + lenloc = outp; + INCPTR(2, outp); + + PUTCHAR(EAPT_TLS, outp); + PUTCHAR(0, outp); + + outlen = (outp - outpacket_buf) - PPP_HDRLEN; + PUTSHORT(outlen, lenloc); + + output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); +} +#endif /* USE_EAPTLS */ + +static void +eap_send_nak(eap_state *esp, u_char id, u_char type) { u_char *outp; int msglen; @@ -1191,7 +1378,7 @@ u_char type; #ifdef USE_SRP static char * -name_of_pn_file() +name_of_pn_file(void) { char *user, *path, *file; struct passwd *pw; @@ -1217,8 +1404,7 @@ name_of_pn_file() } static int -open_pn_file(modebits) -mode_t modebits; +open_pn_file(mode_t modebits) { char *path; int fd, err; @@ -1233,7 +1419,7 @@ mode_t modebits; } static void -remove_pn_file() +remove_pn_file(void) { char *path; @@ -1244,10 +1430,7 @@ remove_pn_file() } static void -write_pseudonym(esp, inp, len, id) -eap_state *esp; -u_char *inp; -int len, id; +write_pseudonym(eap_state *esp, u_char *inp, int len, int id) { u_char val; u_char *datp, *digp; @@ -1306,11 +1489,7 @@ int len, id; * eap_request - Receive EAP Request message (client mode). */ static void -eap_request(esp, inp, id, len) -eap_state *esp; -u_char *inp; -int id; -int len; +eap_request(eap_state *esp, u_char *inp, int id, int len) { u_char typenum; u_char vallen; @@ -1319,6 +1498,11 @@ int len; char rhostname[256]; MD5_CTX mdContext; u_char hash[MD5_SIGNATURE_SIZE]; +#ifdef USE_EAPTLS + u_char flags; + struct eaptls_session *ets = esp->es_client.ea_session; +#endif /* USE_EAPTLS */ + #ifdef USE_SRP struct t_client *tc; struct t_num sval, gval, Nval, *Ap, Bval; @@ -1390,7 +1574,7 @@ int len; esp->es_usedpseudo = 2; } #endif /* USE_SRP */ - eap_send_response(esp, id, typenum, esp->es_client.ea_name, + eap_send_response(esp, id, typenum, (u_char *)esp->es_client.ea_name, esp->es_client.ea_namelen); break; @@ -1461,6 +1645,96 @@ int len; esp->es_client.ea_namelen); break; +#ifdef USE_EAPTLS + case EAPT_TLS: + + switch(esp->es_client.ea_state) { + + case eapListen: + + if (len < 1) { + error("EAP: received EAP-TLS Listen packet with no data"); + /* Bogus request; wait for something real. */ + return; + } + GETCHAR(flags, inp); + if(flags & EAP_TLS_FLAGS_START){ + + esp->es_client.ea_using_eaptls = 1; + + if (explicit_remote){ + esp->es_client.ea_peer = strdup(remote_name); + esp->es_client.ea_peerlen = strlen(remote_name); + } else + esp->es_client.ea_peer = NULL; + + /* Init ssl session */ + if(!eaptls_init_ssl_client(esp)) { + dbglog("cannot init ssl"); + eap_send_nak(esp, id, EAPT_TLS); + esp->es_client.ea_using_eaptls = 0; + break; + } + + ets = esp->es_client.ea_session; + eap_tls_response(esp, id); + esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv); + break; + } + + /* The server has sent a bad start packet. */ + eap_send_nak(esp, id, EAPT_TLS); + break; + + case eapTlsRecvAck: + eap_tls_response(esp, id); + esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv); + break; + + case eapTlsRecv: + if (len < 1) { + error("EAP: discarding EAP-TLS Receive packet with no data"); + /* Bogus request; wait for something real. */ + return; + } + eaptls_receive(ets, inp, len); + + if(ets->frag) { + eap_tls_sendack(esp, id); + esp->es_client.ea_state = eapTlsRecv; + break; + } + + if(ets->alert_recv) { + eap_tls_sendack(esp, id); + esp->es_client.ea_state = eapTlsRecvFailure; + break; + } + + /* Check if TLS handshake is finished */ + if(eaptls_is_init_finished(ets)) { +#ifdef MPPE + eaptls_gen_mppe_keys(ets, 1); +#endif + eaptls_free_session(ets); + eap_tls_sendack(esp, id); + esp->es_client.ea_state = eapTlsRecvSuccess; + break; + } + + eap_tls_response(esp,id); + esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv); + break; + + default: + eap_send_nak(esp, id, EAPT_TLS); + esp->es_client.ea_using_eaptls = 0; + break; + } + + break; +#endif /* USE_EAPTLS */ + #ifdef USE_SRP case EAPT_SRP: if (len < 1) { @@ -1722,11 +1996,7 @@ client_failure: * eap_response - Receive EAP Response message (server mode). */ static void -eap_response(esp, inp, id, len) -eap_state *esp; -u_char *inp; -int id; -int len; +eap_response(eap_state *esp, u_char *inp, int id, int len) { u_char typenum; u_char vallen; @@ -1740,8 +2010,15 @@ int len; struct t_num A; SHA1_CTX ctxt; u_char dig[SHA_DIGESTSIZE]; + SHA1_CTX ctxt; + u_char dig[SHA_DIGESTSIZE]; #endif /* USE_SRP */ +#ifdef USE_EAPTLS + struct eaptls_session *ets; + u_char flags; +#endif /* USE_EAPTLS */ + /* * Ignore responses if we're not open */ @@ -1787,6 +2064,64 @@ int len; eap_figure_next_state(esp, 0); break; +#ifdef USE_EAPTLS + case EAPT_TLS: + switch(esp->es_server.ea_state) { + + case eapTlsRecv: + + ets = (struct eaptls_session *) esp->es_server.ea_session; + + eap_figure_next_state(esp, + eaptls_receive(esp->es_server.ea_session, inp, len)); + + if(ets->alert_recv) { + eap_send_failure(esp); + break; + } + break; + + case eapTlsRecvAck: + if(len > 1) { + dbglog("EAP-TLS ACK with extra data"); + } + eap_figure_next_state(esp, 0); + break; + + case eapTlsRecvClient: + /* Receive authentication response from client */ + if (len > 0) { + GETCHAR(flags, inp); + + if(len == 1 && !flags) { /* Ack = ok */ +#ifdef MPPE + eaptls_gen_mppe_keys( esp->es_server.ea_session, 0 ); +#endif + eap_send_success(esp); + } + else { /* failure */ + warn("Server authentication failed"); + eap_send_failure(esp); + } + } + else + warn("Bogus EAP-TLS packet received from client"); + + eaptls_free_session(esp->es_server.ea_session); + + break; + + case eapTlsRecvAlertAck: + eap_send_failure(esp); + break; + + default: + eap_figure_next_state(esp, 1); + break; + } + break; +#endif /* USE_EAPTLS */ + case EAPT_NOTIFICATION: dbglog("EAP unexpected Notification; response discarded"); break; @@ -1818,6 +2153,13 @@ int len; esp->es_server.ea_state = eapMD5Chall; break; +#ifdef USE_EAPTLS + /* Send EAP-TLS start packet */ + case EAPT_TLS: + esp->es_server.ea_state = eapTlsStart; + break; +#endif /* USE_EAPTLS */ + default: dbglog("EAP: peer requesting unknown Type %d", vallen); switch (esp->es_server.ea_state) { @@ -2023,19 +2365,29 @@ int len; * eap_success - Receive EAP Success message (client mode). */ static void -eap_success(esp, inp, id, len) -eap_state *esp; -u_char *inp; -int id; -int len; +eap_success(eap_state *esp, u_char *inp, int id, int len) { - if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)) { + if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp) +#ifdef USE_EAPTLS + && esp->es_client.ea_state != eapTlsRecvSuccess +#endif /* USE_EAPTLS */ + ) { dbglog("EAP unexpected success message in state %s (%d)", eap_state_name(esp->es_client.ea_state), esp->es_client.ea_state); return; } +#ifdef USE_EAPTLS + if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state != + eapTlsRecvSuccess) { + dbglog("EAP-TLS unexpected success message in state %s (%d)", + eap_state_name(esp->es_client.ea_state), + esp->es_client.ea_state); + return; + } +#endif /* USE_EAPTLS */ + if (esp->es_client.ea_timeout > 0) { UNTIMEOUT(eap_client_timeout, (void *)esp); } @@ -2053,11 +2405,7 @@ int len; * eap_failure - Receive EAP Failure message (client mode). */ static void -eap_failure(esp, inp, id, len) -eap_state *esp; -u_char *inp; -int id; -int len; +eap_failure(eap_state *esp, u_char *inp, int id, int len) { /* * Ignore failure messages if we're not open @@ -2090,10 +2438,7 @@ int len; * eap_input - Handle received EAP message. */ static void -eap_input(unit, inp, inlen) -int unit; -u_char *inp; -int inlen; +eap_input(int unit, u_char *inp, int inlen) { eap_state *esp = &eap_states[unit]; u_char code, id; @@ -2158,15 +2503,15 @@ static char *eap_typenames[] = { }; static int -eap_printpkt(inp, inlen, printer, arg) -u_char *inp; -int inlen; -void (*printer) __P((void *, char *, ...)); -void *arg; +eap_printpkt(u_char *inp, int inlen, + void (*printer) (void *, char *, ...), void *arg) { int code, id, len, rtype, vallen; u_char *pstart; u_int32_t uval; +#ifdef USE_EAPTLS + u_char flags; +#endif /* USE_EAPTLS */ if (inlen < EAP_HEADERLEN) return (0); @@ -2231,6 +2576,24 @@ void *arg; } break; +#ifdef USE_EAPTLS + case EAPT_TLS: + if (len < 1) + break; + GETCHAR(flags, inp); + len--; + + if(flags == 0 && len == 0){ + printer(arg, " Ack"); + break; + } + + printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); + printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); + printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); + break; +#endif /* USE_EAPTLS */ + case EAPT_SRP: if (len < 3) goto truncated; @@ -2342,6 +2705,25 @@ void *arg; } break; +#ifdef USE_EAPTLS + case EAPT_TLS: + if (len < 1) + break; + GETCHAR(flags, inp); + len--; + + if(flags == 0 && len == 0){ + printer(arg, " Ack"); + break; + } + + printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); + printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); + printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); + + break; +#endif /* USE_EAPTLS */ + case EAPT_NAK: if (len <= 0) { printer(arg, " ");