1 /*
2 * eap.c - Extensible Authentication Protocol for PPP (RFC 2284)
3 *
4 * Copyright (c) 2001 by Sun Microsystems, Inc.
5 * All rights reserved.
6 *
7 * Non-exclusive rights to redistribute, modify, translate, and use
8 * this software in source and binary forms, in whole or in part, is
9 * hereby granted, provided that the above copyright notice is
10 * duplicated in any source form, and that neither the name of the
11 * copyright holder nor the author is used to endorse or promote
12 * products derived from this software.
13 *
14 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
16 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
17 *
18 * Original version by James Carlson
19 *
20 * This implementation of EAP supports MD5-Challenge and SRP-SHA1
21 * authentication styles. Note that support of MD5-Challenge is a
22 * requirement of RFC 2284, and that it's essentially just a
23 * reimplementation of regular RFC 1994 CHAP using EAP messages.
24 *
25 * As an authenticator ("server"), there are multiple phases for each
26 * style. In the first phase of each style, the unauthenticated peer
27 * name is queried using the EAP Identity request type. If the
28 * "remotename" option is used, then this phase is skipped, because
29 * the peer's name is presumed to be known.
30 *
31 * For MD5-Challenge, there are two phases, and the second phase
32 * consists of sending the challenge itself and handling the
33 * associated response.
34 *
35 * For SRP-SHA1, there are four phases. The second sends 's', 'N',
36 * and 'g'. The reply contains 'A'. The third sends 'B', and the
37 * reply contains 'M1'. The forth sends the 'M2' value.
38 *
39 * As an authenticatee ("client"), there's just a single phase --
40 * responding to the queries generated by the peer. EAP is an
41 * authenticator-driven protocol.
42 *
43 * Based on draft-ietf-pppext-eap-srp-03.txt.
44 */
45
46 #define RCSID "$Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp $"
47
48 /*
49 * TODO:
50 */
51
52 #include <stdio.h>
53 #include <stdlib.h>
54 #include <string.h>
55 #include <unistd.h>
56 #include <pwd.h>
57 #include <sys/types.h>
58 #include <sys/stat.h>
59 #include <fcntl.h>
60 #include <assert.h>
61 #include <errno.h>
62
63 #include "pppd.h"
64 #include "pathnames.h"
65 #include "md5.h"
66 #include "eap.h"
67
68 #ifdef USE_SRP
69 #include <t_pwd.h>
70 #include <t_server.h>
71 #include <t_client.h>
72 #include "pppcrypt.h"
73 #endif /* USE_SRP */
74
75 #ifndef SHA_DIGESTSIZE
76 #define SHA_DIGESTSIZE 20
77 #endif
78
79 static const char rcsid[] = RCSID;
80
81 eap_state eap_states[NUM_PPP]; /* EAP state; one for each unit */
82 #ifdef USE_SRP
83 static char *pn_secret = NULL; /* Pseudonym generating secret */
84 #endif
85
86 /*
87 * Command-line options.
88 */
89 static option_t eap_option_list[] = {
90 { "eap-restart", o_int, &eap_states[0].es_server.ea_timeout,
91 "Set retransmit timeout for EAP Requests (server)" },
92 { "eap-max-sreq", o_int, &eap_states[0].es_server.ea_maxrequests,
93 "Set max number of EAP Requests sent (server)" },
94 { "eap-timeout", o_int, &eap_states[0].es_client.ea_timeout,
95 "Set time limit for peer EAP authentication" },
96 { "eap-max-rreq", o_int, &eap_states[0].es_client.ea_maxrequests,
97 "Set max number of EAP Requests allows (client)" },
98 { "eap-interval", o_int, &eap_states[0].es_rechallenge,
99 "Set interval for EAP rechallenge" },
100 #ifdef USE_SRP
101 { "srp-interval", o_int, &eap_states[0].es_lwrechallenge,
102 "Set interval for SRP lightweight rechallenge" },
103 { "srp-pn-secret", o_string, &pn_secret,
104 "Long term pseudonym generation secret" },
105 { "srp-use-pseudonym", o_bool, &eap_states[0].es_usepseudo,
106 "Use pseudonym if offered one by server", 1 },
107 #endif
108 { NULL }
109 };
110
111 /*
112 * Protocol entry points.
113 */
114 static void eap_init __P((int unit));
115 static void eap_input __P((int unit, u_char *inp, int inlen));
116 static void eap_protrej __P((int unit));
117 static void eap_lowerup __P((int unit));
118 static void eap_lowerdown __P((int unit));
119 static int eap_printpkt __P((u_char *inp, int inlen,
120 void (*)(void *arg, char *fmt, ...), void *arg));
121
122 struct protent eap_protent = {
123 PPP_EAP, /* protocol number */
124 eap_init, /* initialization procedure */
125 eap_input, /* process a received packet */
126 eap_protrej, /* process a received protocol-reject */
127 eap_lowerup, /* lower layer has gone up */
128 eap_lowerdown, /* lower layer has gone down */
129 NULL, /* open the protocol */
130 NULL, /* close the protocol */
131 eap_printpkt, /* print a packet in readable form */
132 NULL, /* process a received data packet */
133 1, /* protocol enabled */
134 "EAP", /* text name of protocol */
135 NULL, /* text name of corresponding data protocol */
136 eap_option_list, /* list of command-line options */
137 NULL, /* check requested options; assign defaults */
138 NULL, /* configure interface for demand-dial */
139 NULL /* say whether to bring up link for this pkt */
140 };
141
142 /*
143 * A well-known 2048 bit modulus.
144 */
145 static const u_char wkmodulus[] = {
146 0xAC, 0x6B, 0xDB, 0x41, 0x32, 0x4A, 0x9A, 0x9B,
147 0xF1, 0x66, 0xDE, 0x5E, 0x13, 0x89, 0x58, 0x2F,
148 0xAF, 0x72, 0xB6, 0x65, 0x19, 0x87, 0xEE, 0x07,
149 0xFC, 0x31, 0x92, 0x94, 0x3D, 0xB5, 0x60, 0x50,
150 0xA3, 0x73, 0x29, 0xCB, 0xB4, 0xA0, 0x99, 0xED,
151 0x81, 0x93, 0xE0, 0x75, 0x77, 0x67, 0xA1, 0x3D,
152 0xD5, 0x23, 0x12, 0xAB, 0x4B, 0x03, 0x31, 0x0D,
153 0xCD, 0x7F, 0x48, 0xA9, 0xDA, 0x04, 0xFD, 0x50,
154 0xE8, 0x08, 0x39, 0x69, 0xED, 0xB7, 0x67, 0xB0,
155 0xCF, 0x60, 0x95, 0x17, 0x9A, 0x16, 0x3A, 0xB3,
156 0x66, 0x1A, 0x05, 0xFB, 0xD5, 0xFA, 0xAA, 0xE8,
157 0x29, 0x18, 0xA9, 0x96, 0x2F, 0x0B, 0x93, 0xB8,
158 0x55, 0xF9, 0x79, 0x93, 0xEC, 0x97, 0x5E, 0xEA,
159 0xA8, 0x0D, 0x74, 0x0A, 0xDB, 0xF4, 0xFF, 0x74,
160 0x73, 0x59, 0xD0, 0x41, 0xD5, 0xC3, 0x3E, 0xA7,
161 0x1D, 0x28, 0x1E, 0x44, 0x6B, 0x14, 0x77, 0x3B,
162 0xCA, 0x97, 0xB4, 0x3A, 0x23, 0xFB, 0x80, 0x16,
163 0x76, 0xBD, 0x20, 0x7A, 0x43, 0x6C, 0x64, 0x81,
164 0xF1, 0xD2, 0xB9, 0x07, 0x87, 0x17, 0x46, 0x1A,
165 0x5B, 0x9D, 0x32, 0xE6, 0x88, 0xF8, 0x77, 0x48,
166 0x54, 0x45, 0x23, 0xB5, 0x24, 0xB0, 0xD5, 0x7D,
167 0x5E, 0xA7, 0x7A, 0x27, 0x75, 0xD2, 0xEC, 0xFA,
168 0x03, 0x2C, 0xFB, 0xDB, 0xF5, 0x2F, 0xB3, 0x78,
169 0x61, 0x60, 0x27, 0x90, 0x04, 0xE5, 0x7A, 0xE6,
170 0xAF, 0x87, 0x4E, 0x73, 0x03, 0xCE, 0x53, 0x29,
171 0x9C, 0xCC, 0x04, 0x1C, 0x7B, 0xC3, 0x08, 0xD8,
172 0x2A, 0x56, 0x98, 0xF3, 0xA8, 0xD0, 0xC3, 0x82,
173 0x71, 0xAE, 0x35, 0xF8, 0xE9, 0xDB, 0xFB, 0xB6,
174 0x94, 0xB5, 0xC8, 0x03, 0xD8, 0x9F, 0x7A, 0xE4,
175 0x35, 0xDE, 0x23, 0x6D, 0x52, 0x5F, 0x54, 0x75,
176 0x9B, 0x65, 0xE3, 0x72, 0xFC, 0xD6, 0x8E, 0xF2,
177 0x0F, 0xA7, 0x11, 0x1F, 0x9E, 0x4A, 0xFF, 0x73
178 };
179
180 /* Local forward declarations. */
181 static void eap_server_timeout __P((void *arg));
182
183 /*
184 * Convert EAP state code to printable string for debug.
185 */
186 static const char *
eap_state_name(esc)187 eap_state_name(esc)
188 enum eap_state_code esc;
189 {
190 static const char *state_names[] = { EAP_STATES };
191
192 return (state_names[(int)esc]);
193 }
194
195 /*
196 * eap_init - Initialize state for an EAP user. This is currently
197 * called once by main() during start-up.
198 */
199 static void
eap_init(unit)200 eap_init(unit)
201 int unit;
202 {
203 eap_state *esp = &eap_states[unit];
204
205 BZERO(esp, sizeof (*esp));
206 esp->es_unit = unit;
207 esp->es_server.ea_timeout = EAP_DEFTIMEOUT;
208 esp->es_server.ea_maxrequests = EAP_DEFTRANSMITS;
209 esp->es_server.ea_id = (u_char)(drand48() * 0x100);
210 esp->es_client.ea_timeout = EAP_DEFREQTIME;
211 esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ;
212 }
213
214 /*
215 * eap_client_timeout - Give up waiting for the peer to send any
216 * Request messages.
217 */
218 static void
eap_client_timeout(arg)219 eap_client_timeout(arg)
220 void *arg;
221 {
222 eap_state *esp = (eap_state *) arg;
223
224 if (!eap_client_active(esp))
225 return;
226
227 error("EAP: timeout waiting for Request from peer");
228 auth_withpeer_fail(esp->es_unit, PPP_EAP);
229 esp->es_client.ea_state = eapBadAuth;
230 }
231
232 /*
233 * eap_authwithpeer - Authenticate to our peer (behave as client).
234 *
235 * Start client state and wait for requests. This is called only
236 * after eap_lowerup.
237 */
238 void
eap_authwithpeer(unit,localname)239 eap_authwithpeer(unit, localname)
240 int unit;
241 char *localname;
242 {
243 eap_state *esp = &eap_states[unit];
244
245 /* Save the peer name we're given */
246 esp->es_client.ea_name = localname;
247 esp->es_client.ea_namelen = strlen(localname);
248
249 esp->es_client.ea_state = eapListen;
250
251 /*
252 * Start a timer so that if the other end just goes
253 * silent, we don't sit here waiting forever.
254 */
255 if (esp->es_client.ea_timeout > 0)
256 TIMEOUT(eap_client_timeout, (void *)esp,
257 esp->es_client.ea_timeout);
258 }
259
260 /*
261 * Format a standard EAP Failure message and send it to the peer.
262 * (Server operation)
263 */
264 static void
eap_send_failure(esp)265 eap_send_failure(esp)
266 eap_state *esp;
267 {
268 u_char *outp;
269
270 outp = outpacket_buf;
271
272 MAKEHEADER(outp, PPP_EAP);
273
274 PUTCHAR(EAP_FAILURE, outp);
275 esp->es_server.ea_id++;
276 PUTCHAR(esp->es_server.ea_id, outp);
277 PUTSHORT(EAP_HEADERLEN, outp);
278
279 output(esp->es_unit, outpacket_buf, EAP_HEADERLEN + PPP_HDRLEN);
280
281 esp->es_server.ea_state = eapBadAuth;
282 auth_peer_fail(esp->es_unit, PPP_EAP);
283 }
284
285 /*
286 * Format a standard EAP Success message and send it to the peer.
287 * (Server operation)
288 */
289 static void
eap_send_success(esp)290 eap_send_success(esp)
291 eap_state *esp;
292 {
293 u_char *outp;
294
295 outp = outpacket_buf;
296
297 MAKEHEADER(outp, PPP_EAP);
298
299 PUTCHAR(EAP_SUCCESS, outp);
300 esp->es_server.ea_id++;
301 PUTCHAR(esp->es_server.ea_id, outp);
302 PUTSHORT(EAP_HEADERLEN, outp);
303
304 output(esp->es_unit, outpacket_buf, PPP_HDRLEN + EAP_HEADERLEN);
305
306 auth_peer_success(esp->es_unit, PPP_EAP, 0,
307 esp->es_server.ea_peer, esp->es_server.ea_peerlen);
308 }
309
310 #ifdef USE_SRP
311 /*
312 * Set DES key according to pseudonym-generating secret and current
313 * date.
314 */
315 static bool
pncrypt_setkey(int timeoffs)316 pncrypt_setkey(int timeoffs)
317 {
318 struct tm *tp;
319 char tbuf[9];
320 SHA1_CTX ctxt;
321 u_char dig[SHA_DIGESTSIZE];
322 time_t reftime;
323
324 if (pn_secret == NULL)
325 return (0);
326 reftime = time(NULL) + timeoffs;
327 tp = localtime(&reftime);
328 SHA1Init(&ctxt);
329 SHA1Update(&ctxt, pn_secret, strlen(pn_secret));
330 strftime(tbuf, sizeof (tbuf), "%Y%m%d", tp);
331 SHA1Update(&ctxt, tbuf, strlen(tbuf));
332 SHA1Final(dig, &ctxt);
333 return (DesSetkey(dig));
334 }
335
336 static char base64[] =
337 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
338
339 struct b64state {
340 u_int32_t bs_bits;
341 int bs_offs;
342 };
343
344 static int
b64enc(bs,inp,inlen,outp)345 b64enc(bs, inp, inlen, outp)
346 struct b64state *bs;
347 u_char *inp;
348 int inlen;
349 u_char *outp;
350 {
351 int outlen = 0;
352
353 while (inlen > 0) {
354 bs->bs_bits = (bs->bs_bits << 8) | *inp++;
355 inlen--;
356 bs->bs_offs += 8;
357 if (bs->bs_offs >= 24) {
358 *outp++ = base64[(bs->bs_bits >> 18) & 0x3F];
359 *outp++ = base64[(bs->bs_bits >> 12) & 0x3F];
360 *outp++ = base64[(bs->bs_bits >> 6) & 0x3F];
361 *outp++ = base64[bs->bs_bits & 0x3F];
362 outlen += 4;
363 bs->bs_offs = 0;
364 bs->bs_bits = 0;
365 }
366 }
367 return (outlen);
368 }
369
370 static int
b64flush(bs,outp)371 b64flush(bs, outp)
372 struct b64state *bs;
373 u_char *outp;
374 {
375 int outlen = 0;
376
377 if (bs->bs_offs == 8) {
378 *outp++ = base64[(bs->bs_bits >> 2) & 0x3F];
379 *outp++ = base64[(bs->bs_bits << 4) & 0x3F];
380 outlen = 2;
381 } else if (bs->bs_offs == 16) {
382 *outp++ = base64[(bs->bs_bits >> 10) & 0x3F];
383 *outp++ = base64[(bs->bs_bits >> 4) & 0x3F];
384 *outp++ = base64[(bs->bs_bits << 2) & 0x3F];
385 outlen = 3;
386 }
387 bs->bs_offs = 0;
388 bs->bs_bits = 0;
389 return (outlen);
390 }
391
392 static int
b64dec(bs,inp,inlen,outp)393 b64dec(bs, inp, inlen, outp)
394 struct b64state *bs;
395 u_char *inp;
396 int inlen;
397 u_char *outp;
398 {
399 int outlen = 0;
400 char *cp;
401
402 while (inlen > 0) {
403 if ((cp = strchr(base64, *inp++)) == NULL)
404 break;
405 bs->bs_bits = (bs->bs_bits << 6) | (cp - base64);
406 inlen--;
407 bs->bs_offs += 6;
408 if (bs->bs_offs >= 8) {
409 *outp++ = bs->bs_bits >> (bs->bs_offs - 8);
410 outlen++;
411 bs->bs_offs -= 8;
412 }
413 }
414 return (outlen);
415 }
416 #endif /* USE_SRP */
417
418 /*
419 * Assume that current waiting server state is complete and figure
420 * next state to use based on available authentication data. 'status'
421 * indicates if there was an error in handling the last query. It is
422 * 0 for success and non-zero for failure.
423 */
424 static void
eap_figure_next_state(esp,status)425 eap_figure_next_state(esp, status)
426 eap_state *esp;
427 int status;
428 {
429 #ifdef USE_SRP
430 unsigned char secbuf[MAXWORDLEN], clear[8], *sp, *dp;
431 struct t_pw tpw;
432 struct t_confent *tce, mytce;
433 char *cp, *cp2;
434 struct t_server *ts;
435 int id, i, plen, toffs;
436 u_char vals[2];
437 struct b64state bs;
438 #endif /* USE_SRP */
439
440 esp->es_server.ea_timeout = esp->es_savedtime;
441 switch (esp->es_server.ea_state) {
442 case eapBadAuth:
443 return;
444
445 case eapIdentify:
446 #ifdef USE_SRP
447 /* Discard any previous session. */
448 ts = (struct t_server *)esp->es_server.ea_session;
449 if (ts != NULL) {
450 t_serverclose(ts);
451 esp->es_server.ea_session = NULL;
452 esp->es_server.ea_skey = NULL;
453 }
454 #endif /* USE_SRP */
455 if (status != 0) {
456 esp->es_server.ea_state = eapBadAuth;
457 break;
458 }
459 #ifdef USE_SRP
460 /* If we've got a pseudonym, try to decode to real name. */
461 if (esp->es_server.ea_peerlen > SRP_PSEUDO_LEN &&
462 strncmp(esp->es_server.ea_peer, SRP_PSEUDO_ID,
463 SRP_PSEUDO_LEN) == 0 &&
464 (esp->es_server.ea_peerlen - SRP_PSEUDO_LEN) * 3 / 4 <
465 sizeof (secbuf)) {
466 BZERO(&bs, sizeof (bs));
467 plen = b64dec(&bs,
468 esp->es_server.ea_peer + SRP_PSEUDO_LEN,
469 esp->es_server.ea_peerlen - SRP_PSEUDO_LEN,
470 secbuf);
471 toffs = 0;
472 for (i = 0; i < 5; i++) {
473 pncrypt_setkey(toffs);
474 toffs -= 86400;
475 if (!DesDecrypt(secbuf, clear)) {
476 dbglog("no DES here; cannot decode "
477 "pseudonym");
478 return;
479 }
480 id = *(unsigned char *)clear;
481 if (id + 1 <= plen && id + 9 > plen)
482 break;
483 }
484 if (plen % 8 == 0 && i < 5) {
485 /*
486 * Note that this is always shorter than the
487 * original stored string, so there's no need
488 * to realloc.
489 */
490 if ((i = plen = *(unsigned char *)clear) > 7)
491 i = 7;
492 esp->es_server.ea_peerlen = plen;
493 dp = (unsigned char *)esp->es_server.ea_peer;
494 BCOPY(clear + 1, dp, i);
495 plen -= i;
496 dp += i;
497 sp = secbuf + 8;
498 while (plen > 0) {
499 (void) DesDecrypt(sp, dp);
500 sp += 8;
501 dp += 8;
502 plen -= 8;
503 }
504 esp->es_server.ea_peer[
505 esp->es_server.ea_peerlen] = '\0';
506 dbglog("decoded pseudonym to \"%.*q\"",
507 esp->es_server.ea_peerlen,
508 esp->es_server.ea_peer);
509 } else {
510 dbglog("failed to decode real name");
511 /* Stay in eapIdentfy state; requery */
512 break;
513 }
514 }
515 /* Look up user in secrets database. */
516 if (get_srp_secret(esp->es_unit, esp->es_server.ea_peer,
517 esp->es_server.ea_name, (char *)secbuf, 1) != 0) {
518 /* Set up default in case SRP entry is bad */
519 esp->es_server.ea_state = eapMD5Chall;
520 /* Get t_confent based on index in srp-secrets */
521 id = strtol((char *)secbuf, &cp, 10);
522 if (*cp++ != ':' || id < 0)
523 break;
524 if (id == 0) {
525 mytce.index = 0;
526 mytce.modulus.data = (u_char *)wkmodulus;
527 mytce.modulus.len = sizeof (wkmodulus);
528 mytce.generator.data = (u_char *)"\002";
529 mytce.generator.len = 1;
530 tce = &mytce;
531 } else if ((tce = gettcid(id)) != NULL) {
532 /*
533 * Client will have to verify this modulus/
534 * generator combination, and that will take
535 * a while. Lengthen the timeout here.
536 */
537 if (esp->es_server.ea_timeout > 0 &&
538 esp->es_server.ea_timeout < 30)
539 esp->es_server.ea_timeout = 30;
540 } else {
541 break;
542 }
543 if ((cp2 = strchr(cp, ':')) == NULL)
544 break;
545 *cp2++ = '\0';
546 tpw.pebuf.name = esp->es_server.ea_peer;
547 tpw.pebuf.password.len = t_fromb64((char *)tpw.pwbuf,
548 cp);
549 tpw.pebuf.password.data = tpw.pwbuf;
550 tpw.pebuf.salt.len = t_fromb64((char *)tpw.saltbuf,
551 cp2);
552 tpw.pebuf.salt.data = tpw.saltbuf;
553 if ((ts = t_serveropenraw(&tpw.pebuf, tce)) == NULL)
554 break;
555 esp->es_server.ea_session = (void *)ts;
556 esp->es_server.ea_state = eapSRP1;
557 vals[0] = esp->es_server.ea_id + 1;
558 vals[1] = EAPT_SRP;
559 t_serveraddexdata(ts, vals, 2);
560 /* Generate B; must call before t_servergetkey() */
561 t_servergenexp(ts);
562 break;
563 }
564 #endif /* USE_SRP */
565 esp->es_server.ea_state = eapMD5Chall;
566 break;
567
568 case eapSRP1:
569 #ifdef USE_SRP
570 ts = (struct t_server *)esp->es_server.ea_session;
571 if (ts != NULL && status != 0) {
572 t_serverclose(ts);
573 esp->es_server.ea_session = NULL;
574 esp->es_server.ea_skey = NULL;
575 }
576 #endif /* USE_SRP */
577 if (status == 1) {
578 esp->es_server.ea_state = eapMD5Chall;
579 } else if (status != 0 || esp->es_server.ea_session == NULL) {
580 esp->es_server.ea_state = eapBadAuth;
581 } else {
582 esp->es_server.ea_state = eapSRP2;
583 }
584 break;
585
586 case eapSRP2:
587 #ifdef USE_SRP
588 ts = (struct t_server *)esp->es_server.ea_session;
589 if (ts != NULL && status != 0) {
590 t_serverclose(ts);
591 esp->es_server.ea_session = NULL;
592 esp->es_server.ea_skey = NULL;
593 }
594 #endif /* USE_SRP */
595 if (status != 0 || esp->es_server.ea_session == NULL) {
596 esp->es_server.ea_state = eapBadAuth;
597 } else {
598 esp->es_server.ea_state = eapSRP3;
599 }
600 break;
601
602 case eapSRP3:
603 case eapSRP4:
604 #ifdef USE_SRP
605 ts = (struct t_server *)esp->es_server.ea_session;
606 if (ts != NULL && status != 0) {
607 t_serverclose(ts);
608 esp->es_server.ea_session = NULL;
609 esp->es_server.ea_skey = NULL;
610 }
611 #endif /* USE_SRP */
612 if (status != 0 || esp->es_server.ea_session == NULL) {
613 esp->es_server.ea_state = eapBadAuth;
614 } else {
615 esp->es_server.ea_state = eapOpen;
616 }
617 break;
618
619 case eapMD5Chall:
620 if (status != 0) {
621 esp->es_server.ea_state = eapBadAuth;
622 } else {
623 esp->es_server.ea_state = eapOpen;
624 }
625 break;
626
627 default:
628 esp->es_server.ea_state = eapBadAuth;
629 break;
630 }
631 if (esp->es_server.ea_state == eapBadAuth)
632 eap_send_failure(esp);
633 }
634
635 /*
636 * Format an EAP Request message and send it to the peer. Message
637 * type depends on current state. (Server operation)
638 */
639 static void
eap_send_request(esp)640 eap_send_request(esp)
641 eap_state *esp;
642 {
643 u_char *outp;
644 u_char *lenloc;
645 u_char *ptr;
646 int outlen;
647 int challen;
648 char *str;
649 #ifdef USE_SRP
650 struct t_server *ts;
651 u_char clear[8], cipher[8], dig[SHA_DIGESTSIZE], *optr, *cp;
652 int i, j;
653 struct b64state b64;
654 SHA1_CTX ctxt;
655 #endif /* USE_SRP */
656
657 /* Handle both initial auth and restart */
658 if (esp->es_server.ea_state < eapIdentify &&
659 esp->es_server.ea_state != eapInitial) {
660 esp->es_server.ea_state = eapIdentify;
661 if (explicit_remote) {
662 /*
663 * If we already know the peer's
664 * unauthenticated name, then there's no
665 * reason to ask. Go to next state instead.
666 */
667 esp->es_server.ea_peer = remote_name;
668 esp->es_server.ea_peerlen = strlen(remote_name);
669 eap_figure_next_state(esp, 0);
670 }
671 }
672
673 if (esp->es_server.ea_maxrequests > 0 &&
674 esp->es_server.ea_requests >= esp->es_server.ea_maxrequests) {
675 if (esp->es_server.ea_responses > 0)
676 error("EAP: too many Requests sent");
677 else
678 error("EAP: no response to Requests");
679 eap_send_failure(esp);
680 return;
681 }
682
683 outp = outpacket_buf;
684
685 MAKEHEADER(outp, PPP_EAP);
686
687 PUTCHAR(EAP_REQUEST, outp);
688 PUTCHAR(esp->es_server.ea_id, outp);
689 lenloc = outp;
690 INCPTR(2, outp);
691
692 switch (esp->es_server.ea_state) {
693 case eapIdentify:
694 PUTCHAR(EAPT_IDENTITY, outp);
695 str = "Name";
696 challen = strlen(str);
697 BCOPY(str, outp, challen);
698 INCPTR(challen, outp);
699 break;
700
701 case eapMD5Chall:
702 PUTCHAR(EAPT_MD5CHAP, outp);
703 /*
704 * pick a random challenge length between
705 * MIN_CHALLENGE_LENGTH and MAX_CHALLENGE_LENGTH
706 */
707 challen = (drand48() *
708 (MAX_CHALLENGE_LENGTH - MIN_CHALLENGE_LENGTH)) +
709 MIN_CHALLENGE_LENGTH;
710 PUTCHAR(challen, outp);
711 esp->es_challen = challen;
712 ptr = esp->es_challenge;
713 while (--challen >= 0)
714 *ptr++ = (u_char) (drand48() * 0x100);
715 BCOPY(esp->es_challenge, outp, esp->es_challen);
716 INCPTR(esp->es_challen, outp);
717 BCOPY(esp->es_server.ea_name, outp, esp->es_server.ea_namelen);
718 INCPTR(esp->es_server.ea_namelen, outp);
719 break;
720
721 #ifdef USE_SRP
722 case eapSRP1:
723 PUTCHAR(EAPT_SRP, outp);
724 PUTCHAR(EAPSRP_CHALLENGE, outp);
725
726 PUTCHAR(esp->es_server.ea_namelen, outp);
727 BCOPY(esp->es_server.ea_name, outp, esp->es_server.ea_namelen);
728 INCPTR(esp->es_server.ea_namelen, outp);
729
730 ts = (struct t_server *)esp->es_server.ea_session;
731 assert(ts != NULL);
732 PUTCHAR(ts->s.len, outp);
733 BCOPY(ts->s.data, outp, ts->s.len);
734 INCPTR(ts->s.len, outp);
735
736 if (ts->g.len == 1 && ts->g.data[0] == 2) {
737 PUTCHAR(0, outp);
738 } else {
739 PUTCHAR(ts->g.len, outp);
740 BCOPY(ts->g.data, outp, ts->g.len);
741 INCPTR(ts->g.len, outp);
742 }
743
744 if (ts->n.len != sizeof (wkmodulus) ||
745 BCMP(ts->n.data, wkmodulus, sizeof (wkmodulus)) != 0) {
746 BCOPY(ts->n.data, outp, ts->n.len);
747 INCPTR(ts->n.len, outp);
748 }
749 break;
750
751 case eapSRP2:
752 PUTCHAR(EAPT_SRP, outp);
753 PUTCHAR(EAPSRP_SKEY, outp);
754
755 ts = (struct t_server *)esp->es_server.ea_session;
756 assert(ts != NULL);
757 BCOPY(ts->B.data, outp, ts->B.len);
758 INCPTR(ts->B.len, outp);
759 break;
760
761 case eapSRP3:
762 PUTCHAR(EAPT_SRP, outp);
763 PUTCHAR(EAPSRP_SVALIDATOR, outp);
764 PUTLONG(SRPVAL_EBIT, outp);
765 ts = (struct t_server *)esp->es_server.ea_session;
766 assert(ts != NULL);
767 BCOPY(t_serverresponse(ts), outp, SHA_DIGESTSIZE);
768 INCPTR(SHA_DIGESTSIZE, outp);
769
770 if (pncrypt_setkey(0)) {
771 /* Generate pseudonym */
772 optr = outp;
773 cp = (unsigned char *)esp->es_server.ea_peer;
774 if ((j = i = esp->es_server.ea_peerlen) > 7)
775 j = 7;
776 clear[0] = i;
777 BCOPY(cp, clear + 1, j);
778 i -= j;
779 cp += j;
780 if (!DesEncrypt(clear, cipher)) {
781 dbglog("no DES here; not generating pseudonym");
782 break;
783 }
784 BZERO(&b64, sizeof (b64));
785 outp++; /* space for pseudonym length */
786 outp += b64enc(&b64, cipher, 8, outp);
787 while (i >= 8) {
788 (void) DesEncrypt(cp, cipher);
789 outp += b64enc(&b64, cipher, 8, outp);
790 cp += 8;
791 i -= 8;
792 }
793 if (i > 0) {
794 BCOPY(cp, clear, i);
795 cp += i;
796 while (i < 8) {
797 *cp++ = drand48() * 0x100;
798 i++;
799 }
800 (void) DesEncrypt(clear, cipher);
801 outp += b64enc(&b64, cipher, 8, outp);
802 }
803 outp += b64flush(&b64, outp);
804
805 /* Set length and pad out to next 20 octet boundary */
806 i = outp - optr - 1;
807 *optr = i;
808 i %= SHA_DIGESTSIZE;
809 if (i != 0) {
810 while (i < SHA_DIGESTSIZE) {
811 *outp++ = drand48() * 0x100;
812 i++;
813 }
814 }
815
816 /* Obscure the pseudonym with SHA1 hash */
817 SHA1Init(&ctxt);
818 SHA1Update(&ctxt, &esp->es_server.ea_id, 1);
819 SHA1Update(&ctxt, esp->es_server.ea_skey,
820 SESSION_KEY_LEN);
821 SHA1Update(&ctxt, esp->es_server.ea_peer,
822 esp->es_server.ea_peerlen);
823 while (optr < outp) {
824 SHA1Final(dig, &ctxt);
825 cp = dig;
826 while (cp < dig + SHA_DIGESTSIZE)
827 *optr++ ^= *cp++;
828 SHA1Init(&ctxt);
829 SHA1Update(&ctxt, &esp->es_server.ea_id, 1);
830 SHA1Update(&ctxt, esp->es_server.ea_skey,
831 SESSION_KEY_LEN);
832 SHA1Update(&ctxt, optr - SHA_DIGESTSIZE,
833 SHA_DIGESTSIZE);
834 }
835 }
836 break;
837
838 case eapSRP4:
839 PUTCHAR(EAPT_SRP, outp);
840 PUTCHAR(EAPSRP_LWRECHALLENGE, outp);
841 challen = MIN_CHALLENGE_LENGTH +
842 ((MAX_CHALLENGE_LENGTH - MIN_CHALLENGE_LENGTH) * drand48());
843 esp->es_challen = challen;
844 ptr = esp->es_challenge;
845 while (--challen >= 0)
846 *ptr++ = drand48() * 0x100;
847 BCOPY(esp->es_challenge, outp, esp->es_challen);
848 INCPTR(esp->es_challen, outp);
849 break;
850 #endif /* USE_SRP */
851
852 default:
853 return;
854 }
855
856 outlen = (outp - outpacket_buf) - PPP_HDRLEN;
857 PUTSHORT(outlen, lenloc);
858
859 output(esp->es_unit, outpacket_buf, outlen + PPP_HDRLEN);
860
861 esp->es_server.ea_requests++;
862
863 if (esp->es_server.ea_timeout > 0)
864 TIMEOUT(eap_server_timeout, esp, esp->es_server.ea_timeout);
865 }
866
867 /*
868 * eap_authpeer - Authenticate our peer (behave as server).
869 *
870 * Start server state and send first request. This is called only
871 * after eap_lowerup.
872 */
873 void
eap_authpeer(unit,localname)874 eap_authpeer(unit, localname)
875 int unit;
876 char *localname;
877 {
878 eap_state *esp = &eap_states[unit];
879
880 /* Save the name we're given. */
881 esp->es_server.ea_name = localname;
882 esp->es_server.ea_namelen = strlen(localname);
883
884 esp->es_savedtime = esp->es_server.ea_timeout;
885
886 /* Lower layer up yet? */
887 if (esp->es_server.ea_state == eapInitial ||
888 esp->es_server.ea_state == eapPending) {
889 esp->es_server.ea_state = eapPending;
890 return;
891 }
892
893 esp->es_server.ea_state = eapPending;
894
895 /* ID number not updated here intentionally; hashed into M1 */
896 eap_send_request(esp);
897 }
898
899 /*
900 * eap_server_timeout - Retransmission timer for sending Requests
901 * expired.
902 */
903 static void
eap_server_timeout(arg)904 eap_server_timeout(arg)
905 void *arg;
906 {
907 eap_state *esp = (eap_state *) arg;
908
909 if (!eap_server_active(esp))
910 return;
911
912 /* EAP ID number must not change on timeout. */
913 eap_send_request(esp);
914 }
915
916 /*
917 * When it's time to send rechallenge the peer, this timeout is
918 * called. Once the rechallenge is successful, the response handler
919 * will restart the timer. If it fails, then the link is dropped.
920 */
921 static void
eap_rechallenge(arg)922 eap_rechallenge(arg)
923 void *arg;
924 {
925 eap_state *esp = (eap_state *)arg;
926
927 if (esp->es_server.ea_state != eapOpen &&
928 esp->es_server.ea_state != eapSRP4)
929 return;
930
931 esp->es_server.ea_requests = 0;
932 esp->es_server.ea_state = eapIdentify;
933 eap_figure_next_state(esp, 0);
934 esp->es_server.ea_id++;
935 eap_send_request(esp);
936 }
937
938 static void
srp_lwrechallenge(arg)939 srp_lwrechallenge(arg)
940 void *arg;
941 {
942 eap_state *esp = (eap_state *)arg;
943
944 if (esp->es_server.ea_state != eapOpen ||
945 esp->es_server.ea_type != EAPT_SRP)
946 return;
947
948 esp->es_server.ea_requests = 0;
949 esp->es_server.ea_state = eapSRP4;
950 esp->es_server.ea_id++;
951 eap_send_request(esp);
952 }
953
954 /*
955 * eap_lowerup - The lower layer is now up.
956 *
957 * This is called before either eap_authpeer or eap_authwithpeer. See
958 * link_established() in auth.c. All that's necessary here is to
959 * return to closed state so that those two routines will do the right
960 * thing.
961 */
962 static void
eap_lowerup(unit)963 eap_lowerup(unit)
964 int unit;
965 {
966 eap_state *esp = &eap_states[unit];
967
968 /* Discard any (possibly authenticated) peer name. */
969 if (esp->es_server.ea_peer != NULL &&
970 esp->es_server.ea_peer != remote_name)
971 free(esp->es_server.ea_peer);
972 esp->es_server.ea_peer = NULL;
973 if (esp->es_client.ea_peer != NULL)
974 free(esp->es_client.ea_peer);
975 esp->es_client.ea_peer = NULL;
976
977 esp->es_client.ea_state = eapClosed;
978 esp->es_server.ea_state = eapClosed;
979 }
980
981 /*
982 * eap_lowerdown - The lower layer is now down.
983 *
984 * Cancel all timeouts and return to initial state.
985 */
986 static void
eap_lowerdown(unit)987 eap_lowerdown(unit)
988 int unit;
989 {
990 eap_state *esp = &eap_states[unit];
991
992 if (eap_client_active(esp) && esp->es_client.ea_timeout > 0) {
993 UNTIMEOUT(eap_client_timeout, (void *)esp);
994 }
995 if (eap_server_active(esp)) {
996 if (esp->es_server.ea_timeout > 0) {
997 UNTIMEOUT(eap_server_timeout, (void *)esp);
998 }
999 } else {
1000 if ((esp->es_server.ea_state == eapOpen ||
1001 esp->es_server.ea_state == eapSRP4) &&
1002 esp->es_rechallenge > 0) {
1003 UNTIMEOUT(eap_rechallenge, (void *)esp);
1004 }
1005 if (esp->es_server.ea_state == eapOpen &&
1006 esp->es_lwrechallenge > 0) {
1007 UNTIMEOUT(srp_lwrechallenge, (void *)esp);
1008 }
1009 }
1010
1011 esp->es_client.ea_state = esp->es_server.ea_state = eapInitial;
1012 esp->es_client.ea_requests = esp->es_server.ea_requests = 0;
1013 }
1014
1015 /*
1016 * eap_protrej - Peer doesn't speak this protocol.
1017 *
1018 * This shouldn't happen. If it does, it represents authentication
1019 * failure.
1020 */
1021 static void
eap_protrej(unit)1022 eap_protrej(unit)
1023 int unit;
1024 {
1025 eap_state *esp = &eap_states[unit];
1026
1027 if (eap_client_active(esp)) {
1028 error("EAP authentication failed due to Protocol-Reject");
1029 auth_withpeer_fail(unit, PPP_EAP);
1030 }
1031 if (eap_server_active(esp)) {
1032 error("EAP authentication of peer failed on Protocol-Reject");
1033 auth_peer_fail(unit, PPP_EAP);
1034 }
1035 eap_lowerdown(unit);
1036 }
1037
1038 /*
1039 * Format and send a regular EAP Response message.
1040 */
1041 static void
eap_send_response(esp,id,typenum,str,lenstr)1042 eap_send_response(esp, id, typenum, str, lenstr)
1043 eap_state *esp;
1044 u_char id;
1045 u_char typenum;
1046 u_char *str;
1047 int lenstr;
1048 {
1049 u_char *outp;
1050 int msglen;
1051
1052 outp = outpacket_buf;
1053
1054 MAKEHEADER(outp, PPP_EAP);
1055
1056 PUTCHAR(EAP_RESPONSE, outp);
1057 PUTCHAR(id, outp);
1058 esp->es_client.ea_id = id;
1059 msglen = EAP_HEADERLEN + sizeof (u_char) + lenstr;
1060 PUTSHORT(msglen, outp);
1061 PUTCHAR(typenum, outp);
1062 if (lenstr > 0) {
1063 BCOPY(str, outp, lenstr);
1064 }
1065
1066 output(esp->es_unit, outpacket_buf, PPP_HDRLEN + msglen);
1067 }
1068
1069 /*
1070 * Format and send an MD5-Challenge EAP Response message.
1071 */
1072 static void
eap_chap_response(esp,id,hash,name,namelen)1073 eap_chap_response(esp, id, hash, name, namelen)
1074 eap_state *esp;
1075 u_char id;
1076 u_char *hash;
1077 char *name;
1078 int namelen;
1079 {
1080 u_char *outp;
1081 int msglen;
1082
1083 outp = outpacket_buf;
1084
1085 MAKEHEADER(outp, PPP_EAP);
1086
1087 PUTCHAR(EAP_RESPONSE, outp);
1088 PUTCHAR(id, outp);
1089 esp->es_client.ea_id = id;
1090 msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + MD5_SIGNATURE_SIZE +
1091 namelen;
1092 PUTSHORT(msglen, outp);
1093 PUTCHAR(EAPT_MD5CHAP, outp);
1094 PUTCHAR(MD5_SIGNATURE_SIZE, outp);
1095 BCOPY(hash, outp, MD5_SIGNATURE_SIZE);
1096 INCPTR(MD5_SIGNATURE_SIZE, outp);
1097 if (namelen > 0) {
1098 BCOPY(name, outp, namelen);
1099 }
1100
1101 output(esp->es_unit, outpacket_buf, PPP_HDRLEN + msglen);
1102 }
1103
1104 #ifdef USE_SRP
1105 /*
1106 * Format and send a SRP EAP Response message.
1107 */
1108 static void
eap_srp_response(esp,id,subtypenum,str,lenstr)1109 eap_srp_response(esp, id, subtypenum, str, lenstr)
1110 eap_state *esp;
1111 u_char id;
1112 u_char subtypenum;
1113 u_char *str;
1114 int lenstr;
1115 {
1116 u_char *outp;
1117 int msglen;
1118
1119 outp = outpacket_buf;
1120
1121 MAKEHEADER(outp, PPP_EAP);
1122
1123 PUTCHAR(EAP_RESPONSE, outp);
1124 PUTCHAR(id, outp);
1125 esp->es_client.ea_id = id;
1126 msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + lenstr;
1127 PUTSHORT(msglen, outp);
1128 PUTCHAR(EAPT_SRP, outp);
1129 PUTCHAR(subtypenum, outp);
1130 if (lenstr > 0) {
1131 BCOPY(str, outp, lenstr);
1132 }
1133
1134 output(esp->es_unit, outpacket_buf, PPP_HDRLEN + msglen);
1135 }
1136
1137 /*
1138 * Format and send a SRP EAP Client Validator Response message.
1139 */
1140 static void
eap_srpval_response(esp,id,flags,str)1141 eap_srpval_response(esp, id, flags, str)
1142 eap_state *esp;
1143 u_char id;
1144 u_int32_t flags;
1145 u_char *str;
1146 {
1147 u_char *outp;
1148 int msglen;
1149
1150 outp = outpacket_buf;
1151
1152 MAKEHEADER(outp, PPP_EAP);
1153
1154 PUTCHAR(EAP_RESPONSE, outp);
1155 PUTCHAR(id, outp);
1156 esp->es_client.ea_id = id;
1157 msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + sizeof (u_int32_t) +
1158 SHA_DIGESTSIZE;
1159 PUTSHORT(msglen, outp);
1160 PUTCHAR(EAPT_SRP, outp);
1161 PUTCHAR(EAPSRP_CVALIDATOR, outp);
1162 PUTLONG(flags, outp);
1163 BCOPY(str, outp, SHA_DIGESTSIZE);
1164
1165 output(esp->es_unit, outpacket_buf, PPP_HDRLEN + msglen);
1166 }
1167 #endif /* USE_SRP */
1168
1169 static void
eap_send_nak(esp,id,type)1170 eap_send_nak(esp, id, type)
1171 eap_state *esp;
1172 u_char id;
1173 u_char type;
1174 {
1175 u_char *outp;
1176 int msglen;
1177
1178 outp = outpacket_buf;
1179
1180 MAKEHEADER(outp, PPP_EAP);
1181
1182 PUTCHAR(EAP_RESPONSE, outp);
1183 PUTCHAR(id, outp);
1184 esp->es_client.ea_id = id;
1185 msglen = EAP_HEADERLEN + 2 * sizeof (u_char);
1186 PUTSHORT(msglen, outp);
1187 PUTCHAR(EAPT_NAK, outp);
1188 PUTCHAR(type, outp);
1189
1190 output(esp->es_unit, outpacket_buf, PPP_HDRLEN + msglen);
1191 }
1192
1193 #ifdef USE_SRP
1194 static char *
name_of_pn_file()1195 name_of_pn_file()
1196 {
1197 char *user, *path, *file;
1198 struct passwd *pw;
1199 size_t pl;
1200 static bool pnlogged = 0;
1201
1202 pw = getpwuid(getuid());
1203 if (pw == NULL || (user = pw->pw_dir) == NULL || user[0] == 0) {
1204 errno = EINVAL;
1205 return (NULL);
1206 }
1207 file = _PATH_PSEUDONYM;
1208 pl = strlen(user) + strlen(file) + 2;
1209 path = malloc(pl);
1210 if (path == NULL)
1211 return (NULL);
1212 (void) slprintf(path, pl, "%s/%s", user, file);
1213 if (!pnlogged) {
1214 dbglog("pseudonym file: %s", path);
1215 pnlogged = 1;
1216 }
1217 return (path);
1218 }
1219
1220 static int
open_pn_file(modebits)1221 open_pn_file(modebits)
1222 mode_t modebits;
1223 {
1224 char *path;
1225 int fd, err;
1226
1227 if ((path = name_of_pn_file()) == NULL)
1228 return (-1);
1229 fd = open(path, modebits, S_IRUSR | S_IWUSR);
1230 err = errno;
1231 free(path);
1232 errno = err;
1233 return (fd);
1234 }
1235
1236 static void
remove_pn_file()1237 remove_pn_file()
1238 {
1239 char *path;
1240
1241 if ((path = name_of_pn_file()) != NULL) {
1242 (void) unlink(path);
1243 (void) free(path);
1244 }
1245 }
1246
1247 static void
write_pseudonym(esp,inp,len,id)1248 write_pseudonym(esp, inp, len, id)
1249 eap_state *esp;
1250 u_char *inp;
1251 int len, id;
1252 {
1253 u_char val;
1254 u_char *datp, *digp;
1255 SHA1_CTX ctxt;
1256 u_char dig[SHA_DIGESTSIZE];
1257 int dsize, fd, olen = len;
1258
1259 /*
1260 * Do the decoding by working backwards. This eliminates the need
1261 * to save the decoded output in a separate buffer.
1262 */
1263 val = id;
1264 while (len > 0) {
1265 if ((dsize = len % SHA_DIGESTSIZE) == 0)
1266 dsize = SHA_DIGESTSIZE;
1267 len -= dsize;
1268 datp = inp + len;
1269 SHA1Init(&ctxt);
1270 SHA1Update(&ctxt, &val, 1);
1271 SHA1Update(&ctxt, esp->es_client.ea_skey, SESSION_KEY_LEN);
1272 if (len > 0) {
1273 SHA1Update(&ctxt, datp, SHA_DIGESTSIZE);
1274 } else {
1275 SHA1Update(&ctxt, esp->es_client.ea_name,
1276 esp->es_client.ea_namelen);
1277 }
1278 SHA1Final(dig, &ctxt);
1279 for (digp = dig; digp < dig + SHA_DIGESTSIZE; digp++)
1280 *datp++ ^= *digp;
1281 }
1282
1283 /* Now check that the result is sane */
1284 if (olen <= 0 || *inp + 1 > olen) {
1285 dbglog("EAP: decoded pseudonym is unusable <%.*B>", olen, inp);
1286 return;
1287 }
1288
1289 /* Save it away */
1290 fd = open_pn_file(O_WRONLY | O_CREAT | O_TRUNC);
1291 if (fd < 0) {
1292 dbglog("EAP: error saving pseudonym: %m");
1293 return;
1294 }
1295 len = write(fd, inp + 1, *inp);
1296 if (close(fd) != -1 && len == *inp) {
1297 dbglog("EAP: saved pseudonym");
1298 esp->es_usedpseudo = 0;
1299 } else {
1300 dbglog("EAP: failed to save pseudonym");
1301 remove_pn_file();
1302 }
1303 }
1304 #endif /* USE_SRP */
1305
1306 /*
1307 * eap_request - Receive EAP Request message (client mode).
1308 */
1309 static void
eap_request(esp,inp,id,len)1310 eap_request(esp, inp, id, len)
1311 eap_state *esp;
1312 u_char *inp;
1313 int id;
1314 int len;
1315 {
1316 u_char typenum;
1317 u_char vallen;
1318 int secret_len;
1319 char secret[MAXWORDLEN];
1320 char rhostname[256];
1321 MD5_CTX mdContext;
1322 u_char hash[MD5_SIGNATURE_SIZE];
1323 #ifdef USE_SRP
1324 struct t_client *tc;
1325 struct t_num sval, gval, Nval, *Ap, Bval;
1326 u_char vals[2];
1327 SHA1_CTX ctxt;
1328 u_char dig[SHA_DIGESTSIZE];
1329 int fd;
1330 #endif /* USE_SRP */
1331
1332 /*
1333 * Note: we update es_client.ea_id *only if* a Response
1334 * message is being generated. Otherwise, we leave it the
1335 * same for duplicate detection purposes.
1336 */
1337
1338 esp->es_client.ea_requests++;
1339 if (esp->es_client.ea_maxrequests != 0 &&
1340 esp->es_client.ea_requests > esp->es_client.ea_maxrequests) {
1341 info("EAP: received too many Request messages");
1342 if (esp->es_client.ea_timeout > 0) {
1343 UNTIMEOUT(eap_client_timeout, (void *)esp);
1344 }
1345 auth_withpeer_fail(esp->es_unit, PPP_EAP);
1346 return;
1347 }
1348
1349 if (len <= 0) {
1350 error("EAP: empty Request message discarded");
1351 return;
1352 }
1353
1354 GETCHAR(typenum, inp);
1355 len--;
1356
1357 switch (typenum) {
1358 case EAPT_IDENTITY:
1359 if (len > 0)
1360 info("EAP: Identity prompt \"%.*q\"", len, inp);
1361 #ifdef USE_SRP
1362 if (esp->es_usepseudo &&
1363 (esp->es_usedpseudo == 0 ||
1364 (esp->es_usedpseudo == 1 &&
1365 id == esp->es_client.ea_id))) {
1366 esp->es_usedpseudo = 1;
1367 /* Try to get a pseudonym */
1368 if ((fd = open_pn_file(O_RDONLY)) >= 0) {
1369 strcpy(rhostname, SRP_PSEUDO_ID);
1370 len = read(fd, rhostname + SRP_PSEUDO_LEN,
1371 sizeof (rhostname) - SRP_PSEUDO_LEN);
1372 /* XXX NAI unsupported */
1373 if (len > 0) {
1374 eap_send_response(esp, id, typenum,
1375 rhostname, len + SRP_PSEUDO_LEN);
1376 }
1377 (void) close(fd);
1378 if (len > 0)
1379 break;
1380 }
1381 }
1382 /* Stop using pseudonym now. */
1383 if (esp->es_usepseudo && esp->es_usedpseudo != 2) {
1384 remove_pn_file();
1385 esp->es_usedpseudo = 2;
1386 }
1387 #endif /* USE_SRP */
1388 eap_send_response(esp, id, typenum, esp->es_client.ea_name,
1389 esp->es_client.ea_namelen);
1390 break;
1391
1392 case EAPT_NOTIFICATION:
1393 if (len > 0)
1394 info("EAP: Notification \"%.*q\"", len, inp);
1395 eap_send_response(esp, id, typenum, NULL, 0);
1396 break;
1397
1398 case EAPT_NAK:
1399 /*
1400 * Avoid the temptation to send Response Nak in reply
1401 * to Request Nak here. It can only lead to trouble.
1402 */
1403 warn("EAP: unexpected Nak in Request; ignored");
1404 /* Return because we're waiting for something real. */
1405 return;
1406
1407 case EAPT_MD5CHAP:
1408 if (len < 1) {
1409 error("EAP: received MD5-Challenge with no data");
1410 /* Bogus request; wait for something real. */
1411 return;
1412 }
1413 GETCHAR(vallen, inp);
1414 len--;
1415 if (vallen < 8 || vallen > len) {
1416 error("EAP: MD5-Challenge with bad length %d (8..%d)",
1417 vallen, len);
1418 /* Try something better. */
1419 eap_send_nak(esp, id, EAPT_SRP);
1420 break;
1421 }
1422
1423 /* Not so likely to happen. */
1424 if (vallen >= len + sizeof (rhostname)) {
1425 dbglog("EAP: trimming really long peer name down");
1426 BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
1427 rhostname[sizeof (rhostname) - 1] = '\0';
1428 } else {
1429 BCOPY(inp + vallen, rhostname, len - vallen);
1430 rhostname[len - vallen] = '\0';
1431 }
1432
1433 /* In case the remote doesn't give us his name. */
1434 if (explicit_remote ||
1435 (remote_name[0] != '\0' && vallen == len))
1436 strlcpy(rhostname, remote_name, sizeof (rhostname));
1437
1438 /*
1439 * Get the secret for authenticating ourselves with
1440 * the specified host.
1441 */
1442 if (!get_secret(esp->es_unit, esp->es_client.ea_name,
1443 rhostname, secret, &secret_len, 0)) {
1444 dbglog("EAP: no MD5 secret for auth to %q", rhostname);
1445 eap_send_nak(esp, id, EAPT_SRP);
1446 break;
1447 }
1448 MD5_Init(&mdContext);
1449 typenum = id;
1450 MD5_Update(&mdContext, &typenum, 1);
1451 MD5_Update(&mdContext, (u_char *)secret, secret_len);
1452 BZERO(secret, sizeof (secret));
1453 MD5_Update(&mdContext, inp, vallen);
1454 MD5_Final(hash, &mdContext);
1455 eap_chap_response(esp, id, hash, esp->es_client.ea_name,
1456 esp->es_client.ea_namelen);
1457 break;
1458
1459 #ifdef USE_SRP
1460 case EAPT_SRP:
1461 if (len < 1) {
1462 error("EAP: received empty SRP Request");
1463 /* Bogus request; wait for something real. */
1464 return;
1465 }
1466
1467 /* Get subtype */
1468 GETCHAR(vallen, inp);
1469 len--;
1470 switch (vallen) {
1471 case EAPSRP_CHALLENGE:
1472 tc = NULL;
1473 if (esp->es_client.ea_session != NULL) {
1474 tc = (struct t_client *)esp->es_client.
1475 ea_session;
1476 /*
1477 * If this is a new challenge, then start
1478 * over with a new client session context.
1479 * Otherwise, just resend last response.
1480 */
1481 if (id != esp->es_client.ea_id) {
1482 t_clientclose(tc);
1483 esp->es_client.ea_session = NULL;
1484 tc = NULL;
1485 }
1486 }
1487 /* No session key just yet */
1488 esp->es_client.ea_skey = NULL;
1489 if (tc == NULL) {
1490 GETCHAR(vallen, inp);
1491 len--;
1492 if (vallen >= len) {
1493 error("EAP: badly-formed SRP Challenge"
1494 " (name)");
1495 /* Ignore badly-formed messages */
1496 return;
1497 }
1498 BCOPY(inp, rhostname, vallen);
1499 rhostname[vallen] = '\0';
1500 INCPTR(vallen, inp);
1501 len -= vallen;
1502
1503 /*
1504 * In case the remote doesn't give us his name,
1505 * use configured name.
1506 */
1507 if (explicit_remote ||
1508 (remote_name[0] != '\0' && vallen == 0)) {
1509 strlcpy(rhostname, remote_name,
1510 sizeof (rhostname));
1511 }
1512
1513 if (esp->es_client.ea_peer != NULL)
1514 free(esp->es_client.ea_peer);
1515 esp->es_client.ea_peer = strdup(rhostname);
1516 esp->es_client.ea_peerlen = strlen(rhostname);
1517
1518 GETCHAR(vallen, inp);
1519 len--;
1520 if (vallen >= len) {
1521 error("EAP: badly-formed SRP Challenge"
1522 " (s)");
1523 /* Ignore badly-formed messages */
1524 return;
1525 }
1526 sval.data = inp;
1527 sval.len = vallen;
1528 INCPTR(vallen, inp);
1529 len -= vallen;
1530
1531 GETCHAR(vallen, inp);
1532 len--;
1533 if (vallen > len) {
1534 error("EAP: badly-formed SRP Challenge"
1535 " (g)");
1536 /* Ignore badly-formed messages */
1537 return;
1538 }
1539 /* If no generator present, then use value 2 */
1540 if (vallen == 0) {
1541 gval.data = (u_char *)"\002";
1542 gval.len = 1;
1543 } else {
1544 gval.data = inp;
1545 gval.len = vallen;
1546 }
1547 INCPTR(vallen, inp);
1548 len -= vallen;
1549
1550 /*
1551 * If no modulus present, then use well-known
1552 * value.
1553 */
1554 if (len == 0) {
1555 Nval.data = (u_char *)wkmodulus;
1556 Nval.len = sizeof (wkmodulus);
1557 } else {
1558 Nval.data = inp;
1559 Nval.len = len;
1560 }
1561 tc = t_clientopen(esp->es_client.ea_name,
1562 &Nval, &gval, &sval);
1563 if (tc == NULL) {
1564 eap_send_nak(esp, id, EAPT_MD5CHAP);
1565 break;
1566 }
1567 esp->es_client.ea_session = (void *)tc;
1568
1569 /* Add Challenge ID & type to verifier */
1570 vals[0] = id;
1571 vals[1] = EAPT_SRP;
1572 t_clientaddexdata(tc, vals, 2);
1573 }
1574 Ap = t_clientgenexp(tc);
1575 eap_srp_response(esp, id, EAPSRP_CKEY, Ap->data,
1576 Ap->len);
1577 break;
1578
1579 case EAPSRP_SKEY:
1580 tc = (struct t_client *)esp->es_client.ea_session;
1581 if (tc == NULL) {
1582 warn("EAP: peer sent Subtype 2 without 1");
1583 eap_send_nak(esp, id, EAPT_MD5CHAP);
1584 break;
1585 }
1586 if (esp->es_client.ea_skey != NULL) {
1587 /*
1588 * ID number should not change here. Warn
1589 * if it does (but otherwise ignore).
1590 */
1591 if (id != esp->es_client.ea_id) {
1592 warn("EAP: ID changed from %d to %d "
1593 "in SRP Subtype 2 rexmit",
1594 esp->es_client.ea_id, id);
1595 }
1596 } else {
1597 if (get_srp_secret(esp->es_unit,
1598 esp->es_client.ea_name,
1599 esp->es_client.ea_peer, secret, 0) == 0) {
1600 /*
1601 * Can't work with this peer because
1602 * the secret is missing. Just give
1603 * up.
1604 */
1605 eap_send_nak(esp, id, EAPT_MD5CHAP);
1606 break;
1607 }
1608 Bval.data = inp;
1609 Bval.len = len;
1610 t_clientpasswd(tc, secret);
1611 BZERO(secret, sizeof (secret));
1612 esp->es_client.ea_skey =
1613 t_clientgetkey(tc, &Bval);
1614 if (esp->es_client.ea_skey == NULL) {
1615 /* Server is rogue; stop now */
1616 error("EAP: SRP server is rogue");
1617 goto client_failure;
1618 }
1619 }
1620 eap_srpval_response(esp, id, SRPVAL_EBIT,
1621 t_clientresponse(tc));
1622 break;
1623
1624 case EAPSRP_SVALIDATOR:
1625 tc = (struct t_client *)esp->es_client.ea_session;
1626 if (tc == NULL || esp->es_client.ea_skey == NULL) {
1627 warn("EAP: peer sent Subtype 3 without 1/2");
1628 eap_send_nak(esp, id, EAPT_MD5CHAP);
1629 break;
1630 }
1631 /*
1632 * If we're already open, then this ought to be a
1633 * duplicate. Otherwise, check that the server is
1634 * who we think it is.
1635 */
1636 if (esp->es_client.ea_state == eapOpen) {
1637 if (id != esp->es_client.ea_id) {
1638 warn("EAP: ID changed from %d to %d "
1639 "in SRP Subtype 3 rexmit",
1640 esp->es_client.ea_id, id);
1641 }
1642 } else {
1643 len -= sizeof (u_int32_t) + SHA_DIGESTSIZE;
1644 if (len < 0 || t_clientverify(tc, inp +
1645 sizeof (u_int32_t)) != 0) {
1646 error("EAP: SRP server verification "
1647 "failed");
1648 goto client_failure;
1649 }
1650 GETLONG(esp->es_client.ea_keyflags, inp);
1651 /* Save pseudonym if user wants it. */
1652 if (len > 0 && esp->es_usepseudo) {
1653 INCPTR(SHA_DIGESTSIZE, inp);
1654 write_pseudonym(esp, inp, len, id);
1655 }
1656 }
1657 /*
1658 * We've verified our peer. We're now mostly done,
1659 * except for waiting on the regular EAP Success
1660 * message.
1661 */
1662 eap_srp_response(esp, id, EAPSRP_ACK, NULL, 0);
1663 break;
1664
1665 case EAPSRP_LWRECHALLENGE:
1666 if (len < 4) {
1667 warn("EAP: malformed Lightweight rechallenge");
1668 return;
1669 }
1670 SHA1Init(&ctxt);
1671 vals[0] = id;
1672 SHA1Update(&ctxt, vals, 1);
1673 SHA1Update(&ctxt, esp->es_client.ea_skey,
1674 SESSION_KEY_LEN);
1675 SHA1Update(&ctxt, inp, len);
1676 SHA1Update(&ctxt, esp->es_client.ea_name,
1677 esp->es_client.ea_namelen);
1678 SHA1Final(dig, &ctxt);
1679 eap_srp_response(esp, id, EAPSRP_LWRECHALLENGE, dig,
1680 SHA_DIGESTSIZE);
1681 break;
1682
1683 default:
1684 error("EAP: unknown SRP Subtype %d", vallen);
1685 eap_send_nak(esp, id, EAPT_MD5CHAP);
1686 break;
1687 }
1688 break;
1689 #endif /* USE_SRP */
1690
1691 default:
1692 info("EAP: unknown authentication type %d; Naking", typenum);
1693 eap_send_nak(esp, id, EAPT_SRP);
1694 break;
1695 }
1696
1697 if (esp->es_client.ea_timeout > 0) {
1698 UNTIMEOUT(eap_client_timeout, (void *)esp);
1699 TIMEOUT(eap_client_timeout, (void *)esp,
1700 esp->es_client.ea_timeout);
1701 }
1702 return;
1703
1704 #ifdef USE_SRP
1705 client_failure:
1706 esp->es_client.ea_state = eapBadAuth;
1707 if (esp->es_client.ea_timeout > 0) {
1708 UNTIMEOUT(eap_client_timeout, (void *)esp);
1709 }
1710 esp->es_client.ea_session = NULL;
1711 t_clientclose(tc);
1712 auth_withpeer_fail(esp->es_unit, PPP_EAP);
1713 #endif /* USE_SRP */
1714 }
1715
1716 /*
1717 * eap_response - Receive EAP Response message (server mode).
1718 */
1719 static void
eap_response(esp,inp,id,len)1720 eap_response(esp, inp, id, len)
1721 eap_state *esp;
1722 u_char *inp;
1723 int id;
1724 int len;
1725 {
1726 u_char typenum;
1727 u_char vallen;
1728 int secret_len;
1729 char secret[MAXSECRETLEN];
1730 char rhostname[256];
1731 MD5_CTX mdContext;
1732 u_char hash[MD5_SIGNATURE_SIZE];
1733 #ifdef USE_SRP
1734 struct t_server *ts;
1735 struct t_num A;
1736 SHA1_CTX ctxt;
1737 u_char dig[SHA_DIGESTSIZE];
1738 #endif /* USE_SRP */
1739
1740 if (esp->es_server.ea_id != id) {
1741 dbglog("EAP: discarding Response %d; expected ID %d", id,
1742 esp->es_server.ea_id);
1743 return;
1744 }
1745
1746 esp->es_server.ea_responses++;
1747
1748 if (len <= 0) {
1749 error("EAP: empty Response message discarded");
1750 return;
1751 }
1752
1753 GETCHAR(typenum, inp);
1754 len--;
1755
1756 switch (typenum) {
1757 case EAPT_IDENTITY:
1758 if (esp->es_server.ea_state != eapIdentify) {
1759 dbglog("EAP discarding unwanted Identify \"%.q\"", len,
1760 inp);
1761 break;
1762 }
1763 info("EAP: unauthenticated peer name \"%.*q\"", len, inp);
1764 if (esp->es_server.ea_peer != NULL &&
1765 esp->es_server.ea_peer != remote_name)
1766 free(esp->es_server.ea_peer);
1767 esp->es_server.ea_peer = malloc(len + 1);
1768 if (esp->es_server.ea_peer == NULL) {
1769 esp->es_server.ea_peerlen = 0;
1770 eap_figure_next_state(esp, 1);
1771 break;
1772 }
1773 BCOPY(inp, esp->es_server.ea_peer, len);
1774 esp->es_server.ea_peer[len] = '\0';
1775 esp->es_server.ea_peerlen = len;
1776 eap_figure_next_state(esp, 0);
1777 break;
1778
1779 case EAPT_NOTIFICATION:
1780 dbglog("EAP unexpected Notification; response discarded");
1781 break;
1782
1783 case EAPT_NAK:
1784 if (len < 1) {
1785 info("EAP: Nak Response with no suggested protocol");
1786 eap_figure_next_state(esp, 1);
1787 break;
1788 }
1789
1790 GETCHAR(vallen, inp);
1791 len--;
1792
1793 if (!explicit_remote && esp->es_server.ea_state == eapIdentify){
1794 /* Peer cannot Nak Identify Request */
1795 eap_figure_next_state(esp, 1);
1796 break;
1797 }
1798
1799 switch (vallen) {
1800 case EAPT_SRP:
1801 /* Run through SRP validator selection again. */
1802 esp->es_server.ea_state = eapIdentify;
1803 eap_figure_next_state(esp, 0);
1804 break;
1805
1806 case EAPT_MD5CHAP:
1807 esp->es_server.ea_state = eapMD5Chall;
1808 break;
1809
1810 default:
1811 dbglog("EAP: peer requesting unknown Type %d", vallen);
1812 switch (esp->es_server.ea_state) {
1813 case eapSRP1:
1814 case eapSRP2:
1815 case eapSRP3:
1816 esp->es_server.ea_state = eapMD5Chall;
1817 break;
1818 case eapMD5Chall:
1819 case eapSRP4:
1820 esp->es_server.ea_state = eapIdentify;
1821 eap_figure_next_state(esp, 0);
1822 break;
1823 default:
1824 break;
1825 }
1826 break;
1827 }
1828 break;
1829
1830 case EAPT_MD5CHAP:
1831 if (esp->es_server.ea_state != eapMD5Chall) {
1832 error("EAP: unexpected MD5-Response");
1833 eap_figure_next_state(esp, 1);
1834 break;
1835 }
1836 if (len < 1) {
1837 error("EAP: received MD5-Response with no data");
1838 eap_figure_next_state(esp, 1);
1839 break;
1840 }
1841 GETCHAR(vallen, inp);
1842 len--;
1843 if (vallen != 16 || vallen > len) {
1844 error("EAP: MD5-Response with bad length %d", vallen);
1845 eap_figure_next_state(esp, 1);
1846 break;
1847 }
1848
1849 /* Not so likely to happen. */
1850 if (vallen >= len + sizeof (rhostname)) {
1851 dbglog("EAP: trimming really long peer name down");
1852 BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
1853 rhostname[sizeof (rhostname) - 1] = '\0';
1854 } else {
1855 BCOPY(inp + vallen, rhostname, len - vallen);
1856 rhostname[len - vallen] = '\0';
1857 }
1858
1859 /* In case the remote doesn't give us his name. */
1860 if (explicit_remote ||
1861 (remote_name[0] != '\0' && vallen == len))
1862 strlcpy(rhostname, remote_name, sizeof (rhostname));
1863
1864 /*
1865 * Get the secret for authenticating the specified
1866 * host.
1867 */
1868 if (!get_secret(esp->es_unit, rhostname,
1869 esp->es_server.ea_name, secret, &secret_len, 1)) {
1870 dbglog("EAP: no MD5 secret for auth of %q", rhostname);
1871 eap_send_failure(esp);
1872 break;
1873 }
1874 MD5_Init(&mdContext);
1875 MD5_Update(&mdContext, &esp->es_server.ea_id, 1);
1876 MD5_Update(&mdContext, (u_char *)secret, secret_len);
1877 BZERO(secret, sizeof (secret));
1878 MD5_Update(&mdContext, esp->es_challenge, esp->es_challen);
1879 MD5_Final(hash, &mdContext);
1880 if (BCMP(hash, inp, MD5_SIGNATURE_SIZE) != 0) {
1881 eap_send_failure(esp);
1882 break;
1883 }
1884 esp->es_server.ea_type = EAPT_MD5CHAP;
1885 eap_send_success(esp);
1886 eap_figure_next_state(esp, 0);
1887 if (esp->es_rechallenge != 0)
1888 TIMEOUT(eap_rechallenge, esp, esp->es_rechallenge);
1889 break;
1890
1891 #ifdef USE_SRP
1892 case EAPT_SRP:
1893 if (len < 1) {
1894 error("EAP: empty SRP Response");
1895 eap_figure_next_state(esp, 1);
1896 break;
1897 }
1898 GETCHAR(typenum, inp);
1899 len--;
1900 switch (typenum) {
1901 case EAPSRP_CKEY:
1902 if (esp->es_server.ea_state != eapSRP1) {
1903 error("EAP: unexpected SRP Subtype 1 Response");
1904 eap_figure_next_state(esp, 1);
1905 break;
1906 }
1907 A.data = inp;
1908 A.len = len;
1909 ts = (struct t_server *)esp->es_server.ea_session;
1910 assert(ts != NULL);
1911 esp->es_server.ea_skey = t_servergetkey(ts, &A);
1912 if (esp->es_server.ea_skey == NULL) {
1913 /* Client's A value is bogus; terminate now */
1914 error("EAP: bogus A value from client");
1915 eap_send_failure(esp);
1916 } else {
1917 eap_figure_next_state(esp, 0);
1918 }
1919 break;
1920
1921 case EAPSRP_CVALIDATOR:
1922 if (esp->es_server.ea_state != eapSRP2) {
1923 error("EAP: unexpected SRP Subtype 2 Response");
1924 eap_figure_next_state(esp, 1);
1925 break;
1926 }
1927 if (len < sizeof (u_int32_t) + SHA_DIGESTSIZE) {
1928 error("EAP: M1 length %d < %d", len,
1929 sizeof (u_int32_t) + SHA_DIGESTSIZE);
1930 eap_figure_next_state(esp, 1);
1931 break;
1932 }
1933 GETLONG(esp->es_server.ea_keyflags, inp);
1934 ts = (struct t_server *)esp->es_server.ea_session;
1935 assert(ts != NULL);
1936 if (t_serververify(ts, inp)) {
1937 info("EAP: unable to validate client identity");
1938 eap_send_failure(esp);
1939 break;
1940 }
1941 eap_figure_next_state(esp, 0);
1942 break;
1943
1944 case EAPSRP_ACK:
1945 if (esp->es_server.ea_state != eapSRP3) {
1946 error("EAP: unexpected SRP Subtype 3 Response");
1947 eap_send_failure(esp);
1948 break;
1949 }
1950 esp->es_server.ea_type = EAPT_SRP;
1951 eap_send_success(esp);
1952 eap_figure_next_state(esp, 0);
1953 if (esp->es_rechallenge != 0)
1954 TIMEOUT(eap_rechallenge, esp,
1955 esp->es_rechallenge);
1956 if (esp->es_lwrechallenge != 0)
1957 TIMEOUT(srp_lwrechallenge, esp,
1958 esp->es_lwrechallenge);
1959 break;
1960
1961 case EAPSRP_LWRECHALLENGE:
1962 if (esp->es_server.ea_state != eapSRP4) {
1963 info("EAP: unexpected SRP Subtype 4 Response");
1964 return;
1965 }
1966 if (len != SHA_DIGESTSIZE) {
1967 error("EAP: bad Lightweight rechallenge "
1968 "response");
1969 return;
1970 }
1971 SHA1Init(&ctxt);
1972 vallen = id;
1973 SHA1Update(&ctxt, &vallen, 1);
1974 SHA1Update(&ctxt, esp->es_server.ea_skey,
1975 SESSION_KEY_LEN);
1976 SHA1Update(&ctxt, esp->es_challenge, esp->es_challen);
1977 SHA1Update(&ctxt, esp->es_server.ea_peer,
1978 esp->es_server.ea_peerlen);
1979 SHA1Final(dig, &ctxt);
1980 if (BCMP(dig, inp, SHA_DIGESTSIZE) != 0) {
1981 error("EAP: failed Lightweight rechallenge");
1982 eap_send_failure(esp);
1983 break;
1984 }
1985 esp->es_server.ea_state = eapOpen;
1986 if (esp->es_lwrechallenge != 0)
1987 TIMEOUT(srp_lwrechallenge, esp,
1988 esp->es_lwrechallenge);
1989 break;
1990 }
1991 break;
1992 #endif /* USE_SRP */
1993
1994 default:
1995 /* This can't happen. */
1996 error("EAP: unknown Response type %d; ignored", typenum);
1997 return;
1998 }
1999
2000 if (esp->es_server.ea_timeout > 0) {
2001 UNTIMEOUT(eap_server_timeout, (void *)esp);
2002 }
2003
2004 if (esp->es_server.ea_state != eapBadAuth &&
2005 esp->es_server.ea_state != eapOpen) {
2006 esp->es_server.ea_id++;
2007 eap_send_request(esp);
2008 }
2009 }
2010
2011 /*
2012 * eap_success - Receive EAP Success message (client mode).
2013 */
2014 static void
eap_success(esp,inp,id,len)2015 eap_success(esp, inp, id, len)
2016 eap_state *esp;
2017 u_char *inp;
2018 int id;
2019 int len;
2020 {
2021 if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)) {
2022 dbglog("EAP unexpected success message in state %s (%d)",
2023 eap_state_name(esp->es_client.ea_state),
2024 esp->es_client.ea_state);
2025 return;
2026 }
2027
2028 if (esp->es_client.ea_timeout > 0) {
2029 UNTIMEOUT(eap_client_timeout, (void *)esp);
2030 }
2031
2032 if (len > 0) {
2033 /* This is odd. The spec doesn't allow for this. */
2034 PRINTMSG(inp, len);
2035 }
2036
2037 esp->es_client.ea_state = eapOpen;
2038 auth_withpeer_success(esp->es_unit, PPP_EAP, 0);
2039 }
2040
2041 /*
2042 * eap_failure - Receive EAP Failure message (client mode).
2043 */
2044 static void
eap_failure(esp,inp,id,len)2045 eap_failure(esp, inp, id, len)
2046 eap_state *esp;
2047 u_char *inp;
2048 int id;
2049 int len;
2050 {
2051 if (!eap_client_active(esp)) {
2052 dbglog("EAP unexpected failure message in state %s (%d)",
2053 eap_state_name(esp->es_client.ea_state),
2054 esp->es_client.ea_state);
2055 }
2056
2057 if (esp->es_client.ea_timeout > 0) {
2058 UNTIMEOUT(eap_client_timeout, (void *)esp);
2059 }
2060
2061 if (len > 0) {
2062 /* This is odd. The spec doesn't allow for this. */
2063 PRINTMSG(inp, len);
2064 }
2065
2066 esp->es_client.ea_state = eapBadAuth;
2067
2068 error("EAP: peer reports authentication failure");
2069 auth_withpeer_fail(esp->es_unit, PPP_EAP);
2070 }
2071
2072 /*
2073 * eap_input - Handle received EAP message.
2074 */
2075 static void
eap_input(unit,inp,inlen)2076 eap_input(unit, inp, inlen)
2077 int unit;
2078 u_char *inp;
2079 int inlen;
2080 {
2081 eap_state *esp = &eap_states[unit];
2082 u_char code, id;
2083 int len;
2084
2085 /*
2086 * Parse header (code, id and length). If packet too short,
2087 * drop it.
2088 */
2089 if (inlen < EAP_HEADERLEN) {
2090 error("EAP: packet too short: %d < %d", inlen, EAP_HEADERLEN);
2091 return;
2092 }
2093 GETCHAR(code, inp);
2094 GETCHAR(id, inp);
2095 GETSHORT(len, inp);
2096 if (len < EAP_HEADERLEN || len > inlen) {
2097 error("EAP: packet has illegal length field %d (%d..%d)", len,
2098 EAP_HEADERLEN, inlen);
2099 return;
2100 }
2101 len -= EAP_HEADERLEN;
2102
2103 /* Dispatch based on message code */
2104 switch (code) {
2105 case EAP_REQUEST:
2106 eap_request(esp, inp, id, len);
2107 break;
2108
2109 case EAP_RESPONSE:
2110 eap_response(esp, inp, id, len);
2111 break;
2112
2113 case EAP_SUCCESS:
2114 eap_success(esp, inp, id, len);
2115 break;
2116
2117 case EAP_FAILURE:
2118 eap_failure(esp, inp, id, len);
2119 break;
2120
2121 default: /* XXX Need code reject */
2122 /* Note: it's not legal to send EAP Nak here. */
2123 warn("EAP: unknown code %d received", code);
2124 break;
2125 }
2126 }
2127
2128 /*
2129 * eap_printpkt - print the contents of an EAP packet.
2130 */
2131 static char *eap_codenames[] = {
2132 "Request", "Response", "Success", "Failure"
2133 };
2134
2135 static char *eap_typenames[] = {
2136 "Identity", "Notification", "Nak", "MD5-Challenge",
2137 "OTP", "Generic-Token", NULL, NULL,
2138 "RSA", "DSS", "KEA", "KEA-Validate",
2139 "TLS", "Defender", "Windows 2000", "Arcot",
2140 "Cisco", "Nokia", "SRP"
2141 };
2142
2143 static int
eap_printpkt(inp,inlen,printer,arg)2144 eap_printpkt(inp, inlen, printer, arg)
2145 u_char *inp;
2146 int inlen;
2147 void (*printer) __P((void *, char *, ...));
2148 void *arg;
2149 {
2150 int code, id, len, rtype, vallen;
2151 u_char *pstart;
2152 u_int32_t uval;
2153
2154 if (inlen < EAP_HEADERLEN)
2155 return (0);
2156 pstart = inp;
2157 GETCHAR(code, inp);
2158 GETCHAR(id, inp);
2159 GETSHORT(len, inp);
2160 if (len < EAP_HEADERLEN || len > inlen)
2161 return (0);
2162
2163 if (code >= 1 && code <= sizeof(eap_codenames) / sizeof(char *))
2164 printer(arg, " %s", eap_codenames[code-1]);
2165 else
2166 printer(arg, " code=0x%x", code);
2167 printer(arg, " id=0x%x", id);
2168 len -= EAP_HEADERLEN;
2169 switch (code) {
2170 case EAP_REQUEST:
2171 if (len < 1) {
2172 printer(arg, " <missing type>");
2173 break;
2174 }
2175 GETCHAR(rtype, inp);
2176 len--;
2177 if (rtype >= 1 &&
2178 rtype <= sizeof (eap_typenames) / sizeof (char *))
2179 printer(arg, " %s", eap_typenames[rtype-1]);
2180 else
2181 printer(arg, " type=0x%x", rtype);
2182 switch (rtype) {
2183 case EAPT_IDENTITY:
2184 case EAPT_NOTIFICATION:
2185 if (len > 0) {
2186 printer(arg, " <Message ");
2187 print_string((char *)inp, len, printer, arg);
2188 printer(arg, ">");
2189 INCPTR(len, inp);
2190 len = 0;
2191 } else {
2192 printer(arg, " <No message>");
2193 }
2194 break;
2195
2196 case EAPT_MD5CHAP:
2197 if (len <= 0)
2198 break;
2199 GETCHAR(vallen, inp);
2200 len--;
2201 if (vallen > len)
2202 goto truncated;
2203 printer(arg, " <Value%.*B>", vallen, inp);
2204 INCPTR(vallen, inp);
2205 len -= vallen;
2206 if (len > 0) {
2207 printer(arg, " <Name ");
2208 print_string((char *)inp, len, printer, arg);
2209 printer(arg, ">");
2210 INCPTR(len, inp);
2211 len = 0;
2212 } else {
2213 printer(arg, " <No name>");
2214 }
2215 break;
2216
2217 case EAPT_SRP:
2218 if (len < 3)
2219 goto truncated;
2220 GETCHAR(vallen, inp);
2221 len--;
2222 printer(arg, "-%d", vallen);
2223 switch (vallen) {
2224 case EAPSRP_CHALLENGE:
2225 GETCHAR(vallen, inp);
2226 len--;
2227 if (vallen >= len)
2228 goto truncated;
2229 if (vallen > 0) {
2230 printer(arg, " <Name ");
2231 print_string((char *)inp, vallen, printer,
2232 arg);
2233 printer(arg, ">");
2234 } else {
2235 printer(arg, " <No name>");
2236 }
2237 INCPTR(vallen, inp);
2238 len -= vallen;
2239 GETCHAR(vallen, inp);
2240 len--;
2241 if (vallen >= len)
2242 goto truncated;
2243 printer(arg, " <s%.*B>", vallen, inp);
2244 INCPTR(vallen, inp);
2245 len -= vallen;
2246 GETCHAR(vallen, inp);
2247 len--;
2248 if (vallen > len)
2249 goto truncated;
2250 if (vallen == 0) {
2251 printer(arg, " <Default g=2>");
2252 } else {
2253 printer(arg, " <g%.*B>", vallen, inp);
2254 }
2255 INCPTR(vallen, inp);
2256 len -= vallen;
2257 if (len == 0) {
2258 printer(arg, " <Default N>");
2259 } else {
2260 printer(arg, " <N%.*B>", len, inp);
2261 INCPTR(len, inp);
2262 len = 0;
2263 }
2264 break;
2265
2266 case EAPSRP_SKEY:
2267 printer(arg, " <B%.*B>", len, inp);
2268 INCPTR(len, inp);
2269 len = 0;
2270 break;
2271
2272 case EAPSRP_SVALIDATOR:
2273 if (len < sizeof (u_int32_t))
2274 break;
2275 GETLONG(uval, inp);
2276 len -= sizeof (u_int32_t);
2277 if (uval & SRPVAL_EBIT) {
2278 printer(arg, " E");
2279 uval &= ~SRPVAL_EBIT;
2280 }
2281 if (uval != 0) {
2282 printer(arg, " f<%X>", uval);
2283 }
2284 if ((vallen = len) > SHA_DIGESTSIZE)
2285 vallen = SHA_DIGESTSIZE;
2286 printer(arg, " <M2%.*B%s>", len, inp,
2287 len < SHA_DIGESTSIZE ? "?" : "");
2288 INCPTR(vallen, inp);
2289 len -= vallen;
2290 if (len > 0) {
2291 printer(arg, " <PN%.*B>", len, inp);
2292 INCPTR(len, inp);
2293 len = 0;
2294 }
2295 break;
2296
2297 case EAPSRP_LWRECHALLENGE:
2298 printer(arg, " <Challenge%.*B>", len, inp);
2299 INCPTR(len, inp);
2300 len = 0;
2301 break;
2302 }
2303 break;
2304 }
2305 break;
2306
2307 case EAP_RESPONSE:
2308 if (len < 1)
2309 break;
2310 GETCHAR(rtype, inp);
2311 len--;
2312 if (rtype >= 1 &&
2313 rtype <= sizeof (eap_typenames) / sizeof (char *))
2314 printer(arg, " %s", eap_typenames[rtype-1]);
2315 else
2316 printer(arg, " type=0x%x", rtype);
2317 switch (rtype) {
2318 case EAPT_IDENTITY:
2319 if (len > 0) {
2320 printer(arg, " <Name ");
2321 print_string((char *)inp, len, printer, arg);
2322 printer(arg, ">");
2323 INCPTR(len, inp);
2324 len = 0;
2325 }
2326 break;
2327
2328 case EAPT_NAK:
2329 if (len <= 0) {
2330 printer(arg, " <missing hint>");
2331 break;
2332 }
2333 GETCHAR(rtype, inp);
2334 len--;
2335 printer(arg, " <Suggested-type %02X", rtype);
2336 if (rtype >= 1 &&
2337 rtype < sizeof (eap_typenames) / sizeof (char *))
2338 printer(arg, " (%s)", eap_typenames[rtype-1]);
2339 printer(arg, ">");
2340 break;
2341
2342 case EAPT_MD5CHAP:
2343 if (len <= 0) {
2344 printer(arg, " <missing length>");
2345 break;
2346 }
2347 GETCHAR(vallen, inp);
2348 len--;
2349 if (vallen > len)
2350 goto truncated;
2351 printer(arg, " <Value%.*B>", vallen, inp);
2352 INCPTR(vallen, inp);
2353 len -= vallen;
2354 if (len > 0) {
2355 printer(arg, " <Name ");
2356 print_string((char *)inp, len, printer, arg);
2357 printer(arg, ">");
2358 INCPTR(len, inp);
2359 len = 0;
2360 } else {
2361 printer(arg, " <No name>");
2362 }
2363 break;
2364
2365 case EAPT_SRP:
2366 if (len < 1)
2367 goto truncated;
2368 GETCHAR(vallen, inp);
2369 len--;
2370 printer(arg, "-%d", vallen);
2371 switch (vallen) {
2372 case EAPSRP_CKEY:
2373 printer(arg, " <A%.*B>", len, inp);
2374 INCPTR(len, inp);
2375 len = 0;
2376 break;
2377
2378 case EAPSRP_CVALIDATOR:
2379 if (len < sizeof (u_int32_t))
2380 break;
2381 GETLONG(uval, inp);
2382 len -= sizeof (u_int32_t);
2383 if (uval & SRPVAL_EBIT) {
2384 printer(arg, " E");
2385 uval &= ~SRPVAL_EBIT;
2386 }
2387 if (uval != 0) {
2388 printer(arg, " f<%X>", uval);
2389 }
2390 printer(arg, " <M1%.*B%s>", len, inp,
2391 len == SHA_DIGESTSIZE ? "" : "?");
2392 INCPTR(len, inp);
2393 len = 0;
2394 break;
2395
2396 case EAPSRP_ACK:
2397 break;
2398
2399 case EAPSRP_LWRECHALLENGE:
2400 printer(arg, " <Response%.*B%s>", len, inp,
2401 len == SHA_DIGESTSIZE ? "" : "?");
2402 if ((vallen = len) > SHA_DIGESTSIZE)
2403 vallen = SHA_DIGESTSIZE;
2404 INCPTR(vallen, inp);
2405 len -= vallen;
2406 break;
2407 }
2408 break;
2409 }
2410 break;
2411
2412 case EAP_SUCCESS: /* No payload expected for these! */
2413 case EAP_FAILURE:
2414 break;
2415
2416 truncated:
2417 printer(arg, " <truncated>");
2418 break;
2419 }
2420
2421 if (len > 8)
2422 printer(arg, "%8B...", inp);
2423 else if (len > 0)
2424 printer(arg, "%.*B", len, inp);
2425 INCPTR(len, inp);
2426
2427 return (inp - pstart);
2428 }
2429