X-Git-Url: https://git.ozlabs.org/?a=blobdiff_plain;f=pppd%2Feap.c;h=c9b3f676bfc9e642b5558bde4a1c065155fbbd83;hb=c95c6162dd3b5774ee680f9c7df60db217cae161;hp=342d91f0897d341c4ddf6132c507cac2f67b1d97;hpb=5191399f5266bb595f03f5c4fee13153092e2baf;p=ppp.git diff --git a/pppd/eap.c b/pppd/eap.c index 342d91f..c9b3f67 100644 --- a/pppd/eap.c +++ b/pppd/eap.c @@ -48,6 +48,10 @@ * Implemented EAP-TLS authentication */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + #include #include #include @@ -63,8 +67,14 @@ #include "pathnames.h" #include "md5.h" #include "eap.h" +#ifdef USE_PEAP +#include "peap.h" +#endif /* USE_PEAP */ #ifdef USE_SRP +#ifdef HAVE_TIME_H +#include +#endif #include #include #include @@ -75,16 +85,16 @@ #define SHA_DIGESTSIZE 20 #endif -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS #include "eap-tls.h" -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS #include "chap_ms.h" #include "chap-new.h" extern int chapms_strip_domain; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ eap_state eap_states[NUM_PPP]; /* EAP state; one for each unit */ #ifdef USE_SRP @@ -217,10 +227,10 @@ eap_init(int unit) esp->es_server.ea_id = (u_char)(drand48() * 0x100); esp->es_client.ea_timeout = EAP_DEFREQTIME; esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS esp->es_client.ea_using_eaptls = 0; -#endif /* USE_EAPTLS */ -#ifdef CHAPMS +#endif /* PPP_WITH_EAPTLS */ +#ifdef PPP_WITH_CHAPMS esp->es_client.digest = chap_find_digest(CHAP_MICROSOFT_V2); esp->es_server.digest = chap_find_digest(CHAP_MICROSOFT_V2); #endif @@ -434,16 +444,16 @@ eap_figure_next_state(eap_state *esp, int status) u_char vals[2]; struct b64state bs; #endif /* USE_SRP */ -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS struct eaptls_session *ets; int secret_len; char secret[MAXWORDLEN]; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ esp->es_server.ea_timeout = esp->es_savedtime; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS esp->es_server.ea_prev_state = esp->es_server.ea_state; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ switch (esp->es_server.ea_state) { case eapBadAuth: return; @@ -552,7 +562,7 @@ eap_figure_next_state(eap_state *esp, int status) tpw.pebuf.name = esp->es_server.ea_peer; tpw.pebuf.password.len = t_fromb64((char *)tpw.pwbuf, cp); - tpw.pebuf.password.data = tpw.pwbuf; + tpw.pebuf.password.data = (char*) tpw.pwbuf; tpw.pebuf.salt.len = t_fromb64((char *)tpw.saltbuf, cp2); tpw.pebuf.salt.data = tpw.saltbuf; @@ -568,19 +578,19 @@ eap_figure_next_state(eap_state *esp, int status) break; } #endif /* USE_SRP */ -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS if (!get_secret(esp->es_unit, esp->es_server.ea_peer, esp->es_server.ea_name, secret, &secret_len, 1)) { esp->es_server.ea_state = eapTlsStart; break; } -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ esp->es_server.ea_state = eapMD5Chall; break; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS case eapTlsStart: /* Initialize ssl session */ if(!eaptls_init_ssl_server(esp)) { @@ -641,7 +651,7 @@ eap_figure_next_state(eap_state *esp, int status) case eapTlsSendAlert: esp->es_server.ea_state = eapTlsRecvAlertAck; break; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ case eapSRP1: #ifdef USE_SRP @@ -694,7 +704,7 @@ eap_figure_next_state(eap_state *esp, int status) } break; -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS case eapMSCHAPv2Chall: #endif case eapMD5Chall: @@ -712,12 +722,12 @@ eap_figure_next_state(eap_state *esp, int status) if (esp->es_server.ea_state == eapBadAuth) eap_send_failure(esp); -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS dbglog("EAP id=0x%2x '%s' -> '%s'", esp->es_server.ea_id, eap_state_name(esp->es_server.ea_prev_state), eap_state_name(esp->es_server.ea_state)); -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ } -#if CHAPMS +#if PPP_WITH_CHAPMS /* * eap_chap_verify_response - check whether the peer's response matches * what we think it should be. Returns 1 if it does (authentication @@ -785,7 +795,7 @@ eap_chapms2_send_request(eap_state *esp, u_char id, auth_peer_fail(esp->es_unit, PPP_EAP); } } -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ /* * Format an EAP Request message and send it to the peer. Message @@ -872,7 +882,7 @@ eap_send_request(eap_state *esp) INCPTR(esp->es_server.ea_namelen, outp); break; -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS case eapMSCHAPv2Chall: esp->es_server.digest->generate_challenge(esp->es_challenge); challen = esp->es_challenge[0]; @@ -893,9 +903,9 @@ eap_send_request(eap_state *esp) esp->es_server.ea_namelen); INCPTR(esp->es_server.ea_namelen, outp); break; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS case eapTlsStart: PUTCHAR(EAPT_TLS, outp); PUTCHAR(EAP_TLS_FLAGS_START, outp); @@ -917,7 +927,7 @@ eap_send_request(eap_state *esp) eaptls_send(esp->es_server.ea_session, &outp); eap_figure_next_state(esp, 0); break; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ #ifdef USE_SRP case eapSRP1: @@ -1102,18 +1112,18 @@ eap_authpeer(int unit, char *localname) static void eap_server_timeout(void *arg) { -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS u_char *outp; u_char *lenloc; int outlen; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ eap_state *esp = (eap_state *) arg; if (!eap_server_active(esp)) return; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS switch(esp->es_server.ea_prev_state) { /* @@ -1151,7 +1161,7 @@ eap_server_timeout(void *arg) default: break; } -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ /* EAP ID number must not change on timeout. */ eap_send_request(esp); @@ -1389,7 +1399,7 @@ eap_srpval_response(eap_state *esp, u_char id, u_int32_t flags, u_char *str) } #endif /* USE_SRP */ -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS /* * Send an EAP-TLS response message with tls data */ @@ -1456,7 +1466,7 @@ eap_tls_sendack(eap_state *esp, u_char id) output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); } -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ static void eap_send_nak(eap_state *esp, u_char id, u_char type) @@ -1588,7 +1598,7 @@ write_pseudonym(eap_state *esp, u_char *inp, int len, int id) } #endif /* USE_SRP */ -#if CHAPMS +#if PPP_WITH_CHAPMS /* * Format and send an CHAPV2-Challenge EAP Response message. */ @@ -1634,10 +1644,10 @@ eap_request(eap_state *esp, u_char *inp, int id, int len) char rhostname[256]; MD5_CTX mdContext; u_char hash[MD5_SIGNATURE_SIZE]; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS u_char flags; struct eaptls_session *ets = esp->es_client.ea_session; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ #ifdef USE_SRP struct t_client *tc; @@ -1781,7 +1791,7 @@ eap_request(eap_state *esp, u_char *inp, int id, int len) esp->es_client.ea_namelen); break; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS case EAPT_TLS: switch(esp->es_client.ea_state) { @@ -1849,7 +1859,7 @@ eap_request(eap_state *esp, u_char *inp, int id, int len) /* Check if TLS handshake is finished */ if(eaptls_is_init_finished(ets)) { -#ifdef MPPE +#ifdef PPP_WITH_MPPE eaptls_gen_mppe_keys(ets, 1); #endif eaptls_free_session(ets); @@ -1869,7 +1879,7 @@ eap_request(eap_state *esp, u_char *inp, int id, int len) } break; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ #ifdef USE_SRP case EAPT_SRP: @@ -2103,7 +2113,7 @@ eap_request(eap_state *esp, u_char *inp, int id, int len) break; #endif /* USE_SRP */ -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS case EAPT_MSCHAPV2: if (len < 4) { error("EAP: received invalid MSCHAPv2 packet, too short"); @@ -2172,6 +2182,7 @@ eap_request(eap_state *esp, u_char *inp, int id, int len) eap_send_nak(esp, id, EAPT_SRP); break; } + esp->es_client.ea_namelen = strlen(esp->es_client.ea_name); /* Create the MSCHAPv2 response (and add to cache) */ unsigned char response[MS_CHAP2_RESPONSE_LEN+1]; // VLEN + VALUE @@ -2208,7 +2219,29 @@ eap_request(eap_state *esp, u_char *inp, int id, int len) } break; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ +#ifdef USE_PEAP + case EAPT_PEAP: + + /* Initialize the PEAP context (if not already initialized) */ + if (!esp->ea_peap) { + rhostname[0] = '\0'; + if (explicit_remote || (remote_name[0] != '\0')) { + strlcpy(rhostname, remote_name, sizeof (rhostname)); + } + if (peap_init(&esp->ea_peap, rhostname)) { + eap_send_nak(esp, id, EAPT_TLS); + break; + } + } + + /* Process the PEAP packet */ + if (peap_process(esp, id, inp, len)) { + eap_send_nak(esp, id, EAPT_TLS); + } + + break; +#endif // USE_PEAP default: info("EAP: unknown authentication type %d; Naking", typenum); @@ -2253,20 +2286,18 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) struct t_num A; SHA1_CTX ctxt; u_char dig[SHA_DIGESTSIZE]; - SHA1_CTX ctxt; - u_char dig[SHA_DIGESTSIZE]; #endif /* USE_SRP */ -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS struct eaptls_session *ets; u_char flags; -#endif /* USE_EAPTLS */ -#ifdef CHAPMS +#endif /* PPP_WITH_EAPTLS */ +#ifdef PPP_WITH_CHAPMS u_char opcode; int (*chap_verifier)(char *, char *, int, struct chap_digest_type *, unsigned char *, unsigned char *, char *, int); char response_message[256]; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ /* * Ignore responses if we're not open @@ -2313,7 +2344,7 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) eap_figure_next_state(esp, 0); break; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS case EAPT_TLS: switch(esp->es_server.ea_state) { @@ -2343,7 +2374,7 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) GETCHAR(flags, inp); if(len == 1 && !flags) { /* Ack = ok */ -#ifdef MPPE +#ifdef PPP_WITH_MPPE eaptls_gen_mppe_keys( esp->es_server.ea_session, 0 ); #endif eap_send_success(esp); @@ -2369,7 +2400,7 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) break; } break; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ case EAPT_NOTIFICATION: dbglog("EAP unexpected Notification; response discarded"); @@ -2402,14 +2433,14 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) esp->es_server.ea_state = eapMD5Chall; break; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS /* Send EAP-TLS start packet */ case EAPT_TLS: esp->es_server.ea_state = eapTlsStart; break; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS case EAPT_MSCHAPV2: info("EAP: peer proposes MSCHAPv2"); /* If MSCHAPv2 digest was not found, NAK the packet */ @@ -2420,7 +2451,7 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) } esp->es_server.ea_state = eapMSCHAPv2Chall; break; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ default: dbglog("EAP: peer requesting unknown Type %d", vallen); @@ -2503,7 +2534,7 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) TIMEOUT(eap_rechallenge, esp, esp->es_rechallenge); break; -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS case EAPT_MSCHAPV2: if (len < 1) { error("EAP: received MSCHAPv2 with no data"); @@ -2606,7 +2637,7 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) } break; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ #ifdef USE_SRP case EAPT_SRP: @@ -2735,9 +2766,9 @@ static void eap_success(eap_state *esp, u_char *inp, int id, int len) { if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp) -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS && esp->es_client.ea_state != eapTlsRecvSuccess -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ ) { dbglog("EAP unexpected success message in state %s (%d)", eap_state_name(esp->es_client.ea_state), @@ -2745,7 +2776,7 @@ eap_success(eap_state *esp, u_char *inp, int id, int len) return; } -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state != eapTlsRecvSuccess) { dbglog("EAP-TLS unexpected success message in state %s (%d)", @@ -2753,7 +2784,7 @@ eap_success(eap_state *esp, u_char *inp, int id, int len) esp->es_client.ea_state); return; } -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ if (esp->es_client.ea_timeout > 0) { UNTIMEOUT(eap_client_timeout, (void *)esp); @@ -2764,6 +2795,10 @@ eap_success(eap_state *esp, u_char *inp, int id, int len) PRINTMSG(inp, len); } +#ifdef USE_PEAP + peap_finish(&esp->ea_peap); +#endif + esp->es_client.ea_state = eapOpen; auth_withpeer_success(esp->es_unit, PPP_EAP, 0); } @@ -2798,6 +2833,11 @@ eap_failure(eap_state *esp, u_char *inp, int id, int len) esp->es_client.ea_state = eapBadAuth; error("EAP: peer reports authentication failure"); + +#ifdef USE_PEAP + peap_finish(&esp->ea_peap); +#endif + auth_withpeer_fail(esp->es_unit, PPP_EAP); } @@ -2878,12 +2918,12 @@ eap_printpkt(u_char *inp, int inlen, int code, id, len, rtype, vallen; u_char *pstart; u_int32_t uval; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS u_char flags; -#endif /* USE_EAPTLS */ -#ifdef CHAPMS +#endif /* PPP_WITH_EAPTLS */ +#ifdef PPP_WITH_CHAPMS u_char opcode; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ if (inlen < EAP_HEADERLEN) return (0); @@ -2948,7 +2988,7 @@ eap_printpkt(u_char *inp, int inlen, } break; -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS case EAPT_MSCHAPV2: if (len <= 0) break; @@ -3001,9 +3041,9 @@ eap_printpkt(u_char *inp, int inlen, break; } break; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS case EAPT_TLS: if (len < 1) break; @@ -3019,8 +3059,9 @@ eap_printpkt(u_char *inp, int inlen, printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); break; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ +#ifdef USE_SRP case EAPT_SRP: if (len < 3) goto truncated; @@ -3108,6 +3149,7 @@ eap_printpkt(u_char *inp, int inlen, break; } break; +#endif /* USE_SRP */ } break; @@ -3132,7 +3174,7 @@ eap_printpkt(u_char *inp, int inlen, } break; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS case EAPT_TLS: if (len < 1) break; @@ -3149,7 +3191,7 @@ eap_printpkt(u_char *inp, int inlen, printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); break; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ case EAPT_NAK: if (len <= 0) { @@ -3188,7 +3230,7 @@ eap_printpkt(u_char *inp, int inlen, } break; -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS case EAPT_MSCHAPV2: if (len <= 0) break; @@ -3231,8 +3273,9 @@ eap_printpkt(u_char *inp, int inlen, break; } break; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ +#ifdef USE_SRP case EAPT_SRP: if (len < 1) goto truncated; @@ -3277,6 +3320,7 @@ eap_printpkt(u_char *inp, int inlen, break; } break; +#endif /* USE_SRP */ } break;