X-Git-Url: https://git.ozlabs.org/?a=blobdiff_plain;f=pppd%2Feap.c;h=c9b3f676bfc9e642b5558bde4a1c065155fbbd83;hb=c95c6162dd3b5774ee680f9c7df60db217cae161;hp=b758711117948eb29c6b0a0ce6221f5c2e641e41;hpb=4e2c49755175d05f7f4a3c1c70a42d2eef9d7839;p=ppp.git diff --git a/pppd/eap.c b/pppd/eap.c index b758711..c9b3f67 100644 --- a/pppd/eap.c +++ b/pppd/eap.c @@ -85,16 +85,16 @@ #define SHA_DIGESTSIZE 20 #endif -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS #include "eap-tls.h" -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS #include "chap_ms.h" #include "chap-new.h" extern int chapms_strip_domain; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ eap_state eap_states[NUM_PPP]; /* EAP state; one for each unit */ #ifdef USE_SRP @@ -227,10 +227,10 @@ eap_init(int unit) esp->es_server.ea_id = (u_char)(drand48() * 0x100); esp->es_client.ea_timeout = EAP_DEFREQTIME; esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS esp->es_client.ea_using_eaptls = 0; -#endif /* USE_EAPTLS */ -#ifdef CHAPMS +#endif /* PPP_WITH_EAPTLS */ +#ifdef PPP_WITH_CHAPMS esp->es_client.digest = chap_find_digest(CHAP_MICROSOFT_V2); esp->es_server.digest = chap_find_digest(CHAP_MICROSOFT_V2); #endif @@ -444,16 +444,16 @@ eap_figure_next_state(eap_state *esp, int status) u_char vals[2]; struct b64state bs; #endif /* USE_SRP */ -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS struct eaptls_session *ets; int secret_len; char secret[MAXWORDLEN]; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ esp->es_server.ea_timeout = esp->es_savedtime; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS esp->es_server.ea_prev_state = esp->es_server.ea_state; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ switch (esp->es_server.ea_state) { case eapBadAuth: return; @@ -578,19 +578,19 @@ eap_figure_next_state(eap_state *esp, int status) break; } #endif /* USE_SRP */ -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS if (!get_secret(esp->es_unit, esp->es_server.ea_peer, esp->es_server.ea_name, secret, &secret_len, 1)) { esp->es_server.ea_state = eapTlsStart; break; } -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ esp->es_server.ea_state = eapMD5Chall; break; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS case eapTlsStart: /* Initialize ssl session */ if(!eaptls_init_ssl_server(esp)) { @@ -651,7 +651,7 @@ eap_figure_next_state(eap_state *esp, int status) case eapTlsSendAlert: esp->es_server.ea_state = eapTlsRecvAlertAck; break; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ case eapSRP1: #ifdef USE_SRP @@ -704,7 +704,7 @@ eap_figure_next_state(eap_state *esp, int status) } break; -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS case eapMSCHAPv2Chall: #endif case eapMD5Chall: @@ -722,12 +722,12 @@ eap_figure_next_state(eap_state *esp, int status) if (esp->es_server.ea_state == eapBadAuth) eap_send_failure(esp); -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS dbglog("EAP id=0x%2x '%s' -> '%s'", esp->es_server.ea_id, eap_state_name(esp->es_server.ea_prev_state), eap_state_name(esp->es_server.ea_state)); -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ } -#if CHAPMS +#if PPP_WITH_CHAPMS /* * eap_chap_verify_response - check whether the peer's response matches * what we think it should be. Returns 1 if it does (authentication @@ -795,7 +795,7 @@ eap_chapms2_send_request(eap_state *esp, u_char id, auth_peer_fail(esp->es_unit, PPP_EAP); } } -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ /* * Format an EAP Request message and send it to the peer. Message @@ -882,7 +882,7 @@ eap_send_request(eap_state *esp) INCPTR(esp->es_server.ea_namelen, outp); break; -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS case eapMSCHAPv2Chall: esp->es_server.digest->generate_challenge(esp->es_challenge); challen = esp->es_challenge[0]; @@ -903,9 +903,9 @@ eap_send_request(eap_state *esp) esp->es_server.ea_namelen); INCPTR(esp->es_server.ea_namelen, outp); break; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS case eapTlsStart: PUTCHAR(EAPT_TLS, outp); PUTCHAR(EAP_TLS_FLAGS_START, outp); @@ -927,7 +927,7 @@ eap_send_request(eap_state *esp) eaptls_send(esp->es_server.ea_session, &outp); eap_figure_next_state(esp, 0); break; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ #ifdef USE_SRP case eapSRP1: @@ -1112,18 +1112,18 @@ eap_authpeer(int unit, char *localname) static void eap_server_timeout(void *arg) { -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS u_char *outp; u_char *lenloc; int outlen; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ eap_state *esp = (eap_state *) arg; if (!eap_server_active(esp)) return; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS switch(esp->es_server.ea_prev_state) { /* @@ -1161,7 +1161,7 @@ eap_server_timeout(void *arg) default: break; } -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ /* EAP ID number must not change on timeout. */ eap_send_request(esp); @@ -1399,7 +1399,7 @@ eap_srpval_response(eap_state *esp, u_char id, u_int32_t flags, u_char *str) } #endif /* USE_SRP */ -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS /* * Send an EAP-TLS response message with tls data */ @@ -1466,7 +1466,7 @@ eap_tls_sendack(eap_state *esp, u_char id) output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); } -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ static void eap_send_nak(eap_state *esp, u_char id, u_char type) @@ -1598,7 +1598,7 @@ write_pseudonym(eap_state *esp, u_char *inp, int len, int id) } #endif /* USE_SRP */ -#if CHAPMS +#if PPP_WITH_CHAPMS /* * Format and send an CHAPV2-Challenge EAP Response message. */ @@ -1644,10 +1644,10 @@ eap_request(eap_state *esp, u_char *inp, int id, int len) char rhostname[256]; MD5_CTX mdContext; u_char hash[MD5_SIGNATURE_SIZE]; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS u_char flags; struct eaptls_session *ets = esp->es_client.ea_session; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ #ifdef USE_SRP struct t_client *tc; @@ -1791,7 +1791,7 @@ eap_request(eap_state *esp, u_char *inp, int id, int len) esp->es_client.ea_namelen); break; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS case EAPT_TLS: switch(esp->es_client.ea_state) { @@ -1859,7 +1859,7 @@ eap_request(eap_state *esp, u_char *inp, int id, int len) /* Check if TLS handshake is finished */ if(eaptls_is_init_finished(ets)) { -#ifdef MPPE +#ifdef PPP_WITH_MPPE eaptls_gen_mppe_keys(ets, 1); #endif eaptls_free_session(ets); @@ -1879,7 +1879,7 @@ eap_request(eap_state *esp, u_char *inp, int id, int len) } break; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ #ifdef USE_SRP case EAPT_SRP: @@ -2113,7 +2113,7 @@ eap_request(eap_state *esp, u_char *inp, int id, int len) break; #endif /* USE_SRP */ -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS case EAPT_MSCHAPV2: if (len < 4) { error("EAP: received invalid MSCHAPv2 packet, too short"); @@ -2182,6 +2182,7 @@ eap_request(eap_state *esp, u_char *inp, int id, int len) eap_send_nak(esp, id, EAPT_SRP); break; } + esp->es_client.ea_namelen = strlen(esp->es_client.ea_name); /* Create the MSCHAPv2 response (and add to cache) */ unsigned char response[MS_CHAP2_RESPONSE_LEN+1]; // VLEN + VALUE @@ -2218,12 +2219,29 @@ eap_request(eap_state *esp, u_char *inp, int id, int len) } break; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ #ifdef USE_PEAP case EAPT_PEAP: - peap_process(esp, id, inp, len, rhostname); + + /* Initialize the PEAP context (if not already initialized) */ + if (!esp->ea_peap) { + rhostname[0] = '\0'; + if (explicit_remote || (remote_name[0] != '\0')) { + strlcpy(rhostname, remote_name, sizeof (rhostname)); + } + if (peap_init(&esp->ea_peap, rhostname)) { + eap_send_nak(esp, id, EAPT_TLS); + break; + } + } + + /* Process the PEAP packet */ + if (peap_process(esp, id, inp, len)) { + eap_send_nak(esp, id, EAPT_TLS); + } + break; -#endif /* USE_PEAP */ +#endif // USE_PEAP default: info("EAP: unknown authentication type %d; Naking", typenum); @@ -2270,16 +2288,16 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) u_char dig[SHA_DIGESTSIZE]; #endif /* USE_SRP */ -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS struct eaptls_session *ets; u_char flags; -#endif /* USE_EAPTLS */ -#ifdef CHAPMS +#endif /* PPP_WITH_EAPTLS */ +#ifdef PPP_WITH_CHAPMS u_char opcode; int (*chap_verifier)(char *, char *, int, struct chap_digest_type *, unsigned char *, unsigned char *, char *, int); char response_message[256]; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ /* * Ignore responses if we're not open @@ -2326,7 +2344,7 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) eap_figure_next_state(esp, 0); break; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS case EAPT_TLS: switch(esp->es_server.ea_state) { @@ -2356,7 +2374,7 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) GETCHAR(flags, inp); if(len == 1 && !flags) { /* Ack = ok */ -#ifdef MPPE +#ifdef PPP_WITH_MPPE eaptls_gen_mppe_keys( esp->es_server.ea_session, 0 ); #endif eap_send_success(esp); @@ -2382,7 +2400,7 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) break; } break; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ case EAPT_NOTIFICATION: dbglog("EAP unexpected Notification; response discarded"); @@ -2415,14 +2433,14 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) esp->es_server.ea_state = eapMD5Chall; break; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS /* Send EAP-TLS start packet */ case EAPT_TLS: esp->es_server.ea_state = eapTlsStart; break; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS case EAPT_MSCHAPV2: info("EAP: peer proposes MSCHAPv2"); /* If MSCHAPv2 digest was not found, NAK the packet */ @@ -2433,7 +2451,7 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) } esp->es_server.ea_state = eapMSCHAPv2Chall; break; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ default: dbglog("EAP: peer requesting unknown Type %d", vallen); @@ -2516,7 +2534,7 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) TIMEOUT(eap_rechallenge, esp, esp->es_rechallenge); break; -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS case EAPT_MSCHAPV2: if (len < 1) { error("EAP: received MSCHAPv2 with no data"); @@ -2619,7 +2637,7 @@ eap_response(eap_state *esp, u_char *inp, int id, int len) } break; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ #ifdef USE_SRP case EAPT_SRP: @@ -2748,9 +2766,9 @@ static void eap_success(eap_state *esp, u_char *inp, int id, int len) { if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp) -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS && esp->es_client.ea_state != eapTlsRecvSuccess -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ ) { dbglog("EAP unexpected success message in state %s (%d)", eap_state_name(esp->es_client.ea_state), @@ -2758,7 +2776,7 @@ eap_success(eap_state *esp, u_char *inp, int id, int len) return; } -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state != eapTlsRecvSuccess) { dbglog("EAP-TLS unexpected success message in state %s (%d)", @@ -2766,7 +2784,7 @@ eap_success(eap_state *esp, u_char *inp, int id, int len) esp->es_client.ea_state); return; } -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ if (esp->es_client.ea_timeout > 0) { UNTIMEOUT(eap_client_timeout, (void *)esp); @@ -2777,6 +2795,10 @@ eap_success(eap_state *esp, u_char *inp, int id, int len) PRINTMSG(inp, len); } +#ifdef USE_PEAP + peap_finish(&esp->ea_peap); +#endif + esp->es_client.ea_state = eapOpen; auth_withpeer_success(esp->es_unit, PPP_EAP, 0); } @@ -2811,6 +2833,11 @@ eap_failure(eap_state *esp, u_char *inp, int id, int len) esp->es_client.ea_state = eapBadAuth; error("EAP: peer reports authentication failure"); + +#ifdef USE_PEAP + peap_finish(&esp->ea_peap); +#endif + auth_withpeer_fail(esp->es_unit, PPP_EAP); } @@ -2891,12 +2918,12 @@ eap_printpkt(u_char *inp, int inlen, int code, id, len, rtype, vallen; u_char *pstart; u_int32_t uval; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS u_char flags; -#endif /* USE_EAPTLS */ -#ifdef CHAPMS +#endif /* PPP_WITH_EAPTLS */ +#ifdef PPP_WITH_CHAPMS u_char opcode; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ if (inlen < EAP_HEADERLEN) return (0); @@ -2961,7 +2988,7 @@ eap_printpkt(u_char *inp, int inlen, } break; -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS case EAPT_MSCHAPV2: if (len <= 0) break; @@ -3014,9 +3041,9 @@ eap_printpkt(u_char *inp, int inlen, break; } break; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS case EAPT_TLS: if (len < 1) break; @@ -3032,7 +3059,7 @@ eap_printpkt(u_char *inp, int inlen, printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); break; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ #ifdef USE_SRP case EAPT_SRP: @@ -3147,7 +3174,7 @@ eap_printpkt(u_char *inp, int inlen, } break; -#ifdef USE_EAPTLS +#ifdef PPP_WITH_EAPTLS case EAPT_TLS: if (len < 1) break; @@ -3164,7 +3191,7 @@ eap_printpkt(u_char *inp, int inlen, printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); break; -#endif /* USE_EAPTLS */ +#endif /* PPP_WITH_EAPTLS */ case EAPT_NAK: if (len <= 0) { @@ -3203,7 +3230,7 @@ eap_printpkt(u_char *inp, int inlen, } break; -#ifdef CHAPMS +#ifdef PPP_WITH_CHAPMS case EAPT_MSCHAPV2: if (len <= 0) break; @@ -3246,7 +3273,7 @@ eap_printpkt(u_char *inp, int inlen, break; } break; -#endif /* CHAPMS */ +#endif /* PPP_WITH_CHAPMS */ #ifdef USE_SRP case EAPT_SRP: