1 /* 2 * eap.c - Extensible Authentication Protocol for PPP (RFC 2284) 3 * 4 * Copyright (c) 2001 by Sun Microsystems, Inc. 5 * All rights reserved. 6 * 7 * Non-exclusive rights to redistribute, modify, translate, and use 8 * this software in source and binary forms, in whole or in part, is 9 * hereby granted, provided that the above copyright notice is 10 * duplicated in any source form, and that neither the name of the 11 * copyright holder nor the author is used to endorse or promote 12 * products derived from this software. 13 * 14 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 16 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 17 * 18 * Original version by James Carlson 19 * 20 * This implementation of EAP supports MD5-Challenge and SRP-SHA1 21 * authentication styles. Note that support of MD5-Challenge is a 22 * requirement of RFC 2284, and that it's essentially just a 23 * reimplementation of regular RFC 1994 CHAP using EAP messages. 24 * 25 * As an authenticator ("server"), there are multiple phases for each 26 * style. In the first phase of each style, the unauthenticated peer 27 * name is queried using the EAP Identity request type. If the 28 * "remotename" option is used, then this phase is skipped, because 29 * the peer's name is presumed to be known. 30 * 31 * For MD5-Challenge, there are two phases, and the second phase 32 * consists of sending the challenge itself and handling the 33 * associated response. 34 * 35 * For SRP-SHA1, there are four phases. The second sends 's', 'N', 36 * and 'g'. The reply contains 'A'. The third sends 'B', and the 37 * reply contains 'M1'. The forth sends the 'M2' value. 38 * 39 * As an authenticatee ("client"), there's just a single phase -- 40 * responding to the queries generated by the peer. EAP is an 41 * authenticator-driven protocol. 42 * 43 * Based on draft-ietf-pppext-eap-srp-03.txt. 44 */ 45 46 #include "netif/ppp/ppp_opts.h" 47 #if PPP_SUPPORT && EAP_SUPPORT /* don't build if not configured for use in lwipopts.h */ 48 49 #include "netif/ppp/ppp_impl.h" 50 #include "netif/ppp/eap.h" 51 #include "netif/ppp/magic.h" 52 #include "netif/ppp/pppcrypt.h" 53 54 #ifdef USE_SRP 55 #include <t_pwd.h> 56 #include <t_server.h> 57 #include <t_client.h> 58 #endif /* USE_SRP */ 59 60 #ifndef SHA_DIGESTSIZE 61 #define SHA_DIGESTSIZE 20 62 #endif 63 64 #ifdef USE_SRP 65 static char *pn_secret = NULL; /* Pseudonym generating secret */ 66 #endif 67 68 #if PPP_OPTIONS 69 /* 70 * Command-line options. 71 */ 72 static option_t eap_option_list[] = { 73 { "eap-restart", o_int, &eap_states[0].es_server.ea_timeout, 74 "Set retransmit timeout for EAP Requests (server)" }, 75 { "eap-max-sreq", o_int, &eap_states[0].es_server.ea_maxrequests, 76 "Set max number of EAP Requests sent (server)" }, 77 { "eap-timeout", o_int, &eap_states[0].es_client.ea_timeout, 78 "Set time limit for peer EAP authentication" }, 79 { "eap-max-rreq", o_int, &eap_states[0].es_client.ea_maxrequests, 80 "Set max number of EAP Requests allows (client)" }, 81 { "eap-interval", o_int, &eap_states[0].es_rechallenge, 82 "Set interval for EAP rechallenge" }, 83 #ifdef USE_SRP 84 { "srp-interval", o_int, &eap_states[0].es_lwrechallenge, 85 "Set interval for SRP lightweight rechallenge" }, 86 { "srp-pn-secret", o_string, &pn_secret, 87 "Long term pseudonym generation secret" }, 88 { "srp-use-pseudonym", o_bool, &eap_states[0].es_usepseudo, 89 "Use pseudonym if offered one by server", 1 }, 90 #endif 91 { NULL } 92 }; 93 #endif /* PPP_OPTIONS */ 94 95 /* 96 * Protocol entry points. 97 */ 98 static void eap_init(ppp_pcb *pcb); 99 static void eap_input(ppp_pcb *pcb, u_char *inp, int inlen); 100 static void eap_protrej(ppp_pcb *pcb); 101 static void eap_lowerup(ppp_pcb *pcb); 102 static void eap_lowerdown(ppp_pcb *pcb); 103 #if PRINTPKT_SUPPORT 104 static int eap_printpkt(const u_char *inp, int inlen, 105 void (*)(void *arg, const char *fmt, ...), void *arg); 106 #endif /* PRINTPKT_SUPPORT */ 107 108 const struct protent eap_protent = { 109 PPP_EAP, /* protocol number */ 110 eap_init, /* initialization procedure */ 111 eap_input, /* process a received packet */ 112 eap_protrej, /* process a received protocol-reject */ 113 eap_lowerup, /* lower layer has gone up */ 114 eap_lowerdown, /* lower layer has gone down */ 115 NULL, /* open the protocol */ 116 NULL, /* close the protocol */ 117 #if PRINTPKT_SUPPORT 118 eap_printpkt, /* print a packet in readable form */ 119 #endif /* PRINTPKT_SUPPORT */ 120 #if PPP_DATAINPUT 121 NULL, /* process a received data packet */ 122 #endif /* PPP_DATAINPUT */ 123 #if PRINTPKT_SUPPORT 124 "EAP", /* text name of protocol */ 125 NULL, /* text name of corresponding data protocol */ 126 #endif /* PRINTPKT_SUPPORT */ 127 #if PPP_OPTIONS 128 eap_option_list, /* list of command-line options */ 129 NULL, /* check requested options; assign defaults */ 130 #endif /* PPP_OPTIONS */ 131 #if DEMAND_SUPPORT 132 NULL, /* configure interface for demand-dial */ 133 NULL /* say whether to bring up link for this pkt */ 134 #endif /* DEMAND_SUPPORT */ 135 }; 136 137 #ifdef USE_SRP 138 /* 139 * A well-known 2048 bit modulus. 140 */ 141 static const u_char wkmodulus[] = { 142 0xAC, 0x6B, 0xDB, 0x41, 0x32, 0x4A, 0x9A, 0x9B, 143 0xF1, 0x66, 0xDE, 0x5E, 0x13, 0x89, 0x58, 0x2F, 144 0xAF, 0x72, 0xB6, 0x65, 0x19, 0x87, 0xEE, 0x07, 145 0xFC, 0x31, 0x92, 0x94, 0x3D, 0xB5, 0x60, 0x50, 146 0xA3, 0x73, 0x29, 0xCB, 0xB4, 0xA0, 0x99, 0xED, 147 0x81, 0x93, 0xE0, 0x75, 0x77, 0x67, 0xA1, 0x3D, 148 0xD5, 0x23, 0x12, 0xAB, 0x4B, 0x03, 0x31, 0x0D, 149 0xCD, 0x7F, 0x48, 0xA9, 0xDA, 0x04, 0xFD, 0x50, 150 0xE8, 0x08, 0x39, 0x69, 0xED, 0xB7, 0x67, 0xB0, 151 0xCF, 0x60, 0x95, 0x17, 0x9A, 0x16, 0x3A, 0xB3, 152 0x66, 0x1A, 0x05, 0xFB, 0xD5, 0xFA, 0xAA, 0xE8, 153 0x29, 0x18, 0xA9, 0x96, 0x2F, 0x0B, 0x93, 0xB8, 154 0x55, 0xF9, 0x79, 0x93, 0xEC, 0x97, 0x5E, 0xEA, 155 0xA8, 0x0D, 0x74, 0x0A, 0xDB, 0xF4, 0xFF, 0x74, 156 0x73, 0x59, 0xD0, 0x41, 0xD5, 0xC3, 0x3E, 0xA7, 157 0x1D, 0x28, 0x1E, 0x44, 0x6B, 0x14, 0x77, 0x3B, 158 0xCA, 0x97, 0xB4, 0x3A, 0x23, 0xFB, 0x80, 0x16, 159 0x76, 0xBD, 0x20, 0x7A, 0x43, 0x6C, 0x64, 0x81, 160 0xF1, 0xD2, 0xB9, 0x07, 0x87, 0x17, 0x46, 0x1A, 161 0x5B, 0x9D, 0x32, 0xE6, 0x88, 0xF8, 0x77, 0x48, 162 0x54, 0x45, 0x23, 0xB5, 0x24, 0xB0, 0xD5, 0x7D, 163 0x5E, 0xA7, 0x7A, 0x27, 0x75, 0xD2, 0xEC, 0xFA, 164 0x03, 0x2C, 0xFB, 0xDB, 0xF5, 0x2F, 0xB3, 0x78, 165 0x61, 0x60, 0x27, 0x90, 0x04, 0xE5, 0x7A, 0xE6, 166 0xAF, 0x87, 0x4E, 0x73, 0x03, 0xCE, 0x53, 0x29, 167 0x9C, 0xCC, 0x04, 0x1C, 0x7B, 0xC3, 0x08, 0xD8, 168 0x2A, 0x56, 0x98, 0xF3, 0xA8, 0xD0, 0xC3, 0x82, 169 0x71, 0xAE, 0x35, 0xF8, 0xE9, 0xDB, 0xFB, 0xB6, 170 0x94, 0xB5, 0xC8, 0x03, 0xD8, 0x9F, 0x7A, 0xE4, 171 0x35, 0xDE, 0x23, 0x6D, 0x52, 0x5F, 0x54, 0x75, 172 0x9B, 0x65, 0xE3, 0x72, 0xFC, 0xD6, 0x8E, 0xF2, 173 0x0F, 0xA7, 0x11, 0x1F, 0x9E, 0x4A, 0xFF, 0x73 174 }; 175 #endif 176 177 #if PPP_SERVER 178 /* Local forward declarations. */ 179 static void eap_server_timeout(void *arg); 180 #endif /* PPP_SERVER */ 181 182 /* 183 * Convert EAP state code to printable string for debug. 184 */ 185 static const char * eap_state_name(enum eap_state_code esc) 186 { 187 static const char *state_names[] = { EAP_STATES }; 188 189 return (state_names[(int)esc]); 190 } 191 192 /* 193 * eap_init - Initialize state for an EAP user. This is currently 194 * called once by main() during start-up. 195 */ 196 static void eap_init(ppp_pcb *pcb) { 197 198 BZERO(&pcb->eap, sizeof(eap_state)); 199 #if PPP_SERVER 200 pcb->eap.es_server.ea_id = magic(); 201 #endif /* PPP_SERVER */ 202 } 203 204 /* 205 * eap_client_timeout - Give up waiting for the peer to send any 206 * Request messages. 207 */ 208 static void eap_client_timeout(void *arg) { 209 ppp_pcb *pcb = (ppp_pcb*)arg; 210 211 if (!eap_client_active(pcb)) 212 return; 213 214 ppp_error("EAP: timeout waiting for Request from peer"); 215 auth_withpeer_fail(pcb, PPP_EAP); 216 pcb->eap.es_client.ea_state = eapBadAuth; 217 } 218 219 /* 220 * eap_authwithpeer - Authenticate to our peer (behave as client). 221 * 222 * Start client state and wait for requests. This is called only 223 * after eap_lowerup. 224 */ 225 void eap_authwithpeer(ppp_pcb *pcb, const char *localname) { 226 227 if(NULL == localname) 228 return; 229 230 /* Save the peer name we're given */ 231 pcb->eap.es_client.ea_name = localname; 232 pcb->eap.es_client.ea_namelen = strlen(localname); 233 234 pcb->eap.es_client.ea_state = eapListen; 235 236 /* 237 * Start a timer so that if the other end just goes 238 * silent, we don't sit here waiting forever. 239 */ 240 if (pcb->settings.eap_req_time > 0) 241 TIMEOUT(eap_client_timeout, pcb, 242 pcb->settings.eap_req_time); 243 } 244 245 #if PPP_SERVER 246 /* 247 * Format a standard EAP Failure message and send it to the peer. 248 * (Server operation) 249 */ 250 static void eap_send_failure(ppp_pcb *pcb) { 251 struct pbuf *p; 252 u_char *outp; 253 254 p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + EAP_HEADERLEN), PPP_CTRL_PBUF_TYPE); 255 if(NULL == p) 256 return; 257 if(p->tot_len != p->len) { 258 pbuf_free(p); 259 return; 260 } 261 262 outp = (u_char*)p->payload; 263 264 MAKEHEADER(outp, PPP_EAP); 265 266 PUTCHAR(EAP_FAILURE, outp); 267 pcb->eap.es_server.ea_id++; 268 PUTCHAR(pcb->eap.es_server.ea_id, outp); 269 PUTSHORT(EAP_HEADERLEN, outp); 270 271 ppp_write(pcb, p); 272 273 pcb->eap.es_server.ea_state = eapBadAuth; 274 auth_peer_fail(pcb, PPP_EAP); 275 } 276 277 /* 278 * Format a standard EAP Success message and send it to the peer. 279 * (Server operation) 280 */ 281 static void eap_send_success(ppp_pcb *pcb) { 282 struct pbuf *p; 283 u_char *outp; 284 285 p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + EAP_HEADERLEN), PPP_CTRL_PBUF_TYPE); 286 if(NULL == p) 287 return; 288 if(p->tot_len != p->len) { 289 pbuf_free(p); 290 return; 291 } 292 293 outp = (u_char*)p->payload; 294 295 MAKEHEADER(outp, PPP_EAP); 296 297 PUTCHAR(EAP_SUCCESS, outp); 298 pcb->eap.es_server.ea_id++; 299 PUTCHAR(pcb->eap.es_server.ea_id, outp); 300 PUTSHORT(EAP_HEADERLEN, outp); 301 302 ppp_write(pcb, p); 303 304 auth_peer_success(pcb, PPP_EAP, 0, 305 pcb->eap.es_server.ea_peer, pcb->eap.es_server.ea_peerlen); 306 } 307 #endif /* PPP_SERVER */ 308 309 #ifdef USE_SRP 310 /* 311 * Set DES key according to pseudonym-generating secret and current 312 * date. 313 */ 314 static bool 315 pncrypt_setkey(int timeoffs) 316 { 317 struct tm *tp; 318 char tbuf[9]; 319 SHA1_CTX ctxt; 320 u_char dig[SHA_DIGESTSIZE]; 321 time_t reftime; 322 323 if (pn_secret == NULL) 324 return (0); 325 reftime = time(NULL) + timeoffs; 326 tp = localtime(&reftime); 327 SHA1Init(&ctxt); 328 SHA1Update(&ctxt, pn_secret, strlen(pn_secret)); 329 strftime(tbuf, sizeof (tbuf), "%Y%m%d", tp); 330 SHA1Update(&ctxt, tbuf, strlen(tbuf)); 331 SHA1Final(dig, &ctxt); 332 /* FIXME: if we want to do SRP, we need to find a way to pass the PolarSSL des_context instead of using static memory */ 333 return (DesSetkey(dig)); 334 } 335 336 static char base64[] = 337 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; 338 339 struct b64state { 340 u32_t bs_bits; 341 int bs_offs; 342 }; 343 344 static int 345 b64enc(bs, inp, inlen, outp) 346 struct b64state *bs; 347 u_char *inp; 348 int inlen; 349 u_char *outp; 350 { 351 int outlen = 0; 352 353 while (inlen > 0) { 354 bs->bs_bits = (bs->bs_bits << 8) | *inp++; 355 inlen--; 356 bs->bs_offs += 8; 357 if (bs->bs_offs >= 24) { 358 *outp++ = base64[(bs->bs_bits >> 18) & 0x3F]; 359 *outp++ = base64[(bs->bs_bits >> 12) & 0x3F]; 360 *outp++ = base64[(bs->bs_bits >> 6) & 0x3F]; 361 *outp++ = base64[bs->bs_bits & 0x3F]; 362 outlen += 4; 363 bs->bs_offs = 0; 364 bs->bs_bits = 0; 365 } 366 } 367 return (outlen); 368 } 369 370 static int 371 b64flush(bs, outp) 372 struct b64state *bs; 373 u_char *outp; 374 { 375 int outlen = 0; 376 377 if (bs->bs_offs == 8) { 378 *outp++ = base64[(bs->bs_bits >> 2) & 0x3F]; 379 *outp++ = base64[(bs->bs_bits << 4) & 0x3F]; 380 outlen = 2; 381 } else if (bs->bs_offs == 16) { 382 *outp++ = base64[(bs->bs_bits >> 10) & 0x3F]; 383 *outp++ = base64[(bs->bs_bits >> 4) & 0x3F]; 384 *outp++ = base64[(bs->bs_bits << 2) & 0x3F]; 385 outlen = 3; 386 } 387 bs->bs_offs = 0; 388 bs->bs_bits = 0; 389 return (outlen); 390 } 391 392 static int 393 b64dec(bs, inp, inlen, outp) 394 struct b64state *bs; 395 u_char *inp; 396 int inlen; 397 u_char *outp; 398 { 399 int outlen = 0; 400 char *cp; 401 402 while (inlen > 0) { 403 if ((cp = strchr(base64, *inp++)) == NULL) 404 break; 405 bs->bs_bits = (bs->bs_bits << 6) | (cp - base64); 406 inlen--; 407 bs->bs_offs += 6; 408 if (bs->bs_offs >= 8) { 409 *outp++ = bs->bs_bits >> (bs->bs_offs - 8); 410 outlen++; 411 bs->bs_offs -= 8; 412 } 413 } 414 return (outlen); 415 } 416 #endif /* USE_SRP */ 417 418 #if PPP_SERVER 419 /* 420 * Assume that current waiting server state is complete and figure 421 * next state to use based on available authentication data. 'status' 422 * indicates if there was an error in handling the last query. It is 423 * 0 for success and non-zero for failure. 424 */ 425 static void eap_figure_next_state(ppp_pcb *pcb, int status) { 426 #ifdef USE_SRP 427 unsigned char secbuf[MAXSECRETLEN], clear[8], *sp, *dp; 428 struct t_pw tpw; 429 struct t_confent *tce, mytce; 430 char *cp, *cp2; 431 struct t_server *ts; 432 int id, i, plen, toffs; 433 u_char vals[2]; 434 struct b64state bs; 435 #endif /* USE_SRP */ 436 437 pcb->settings.eap_timeout_time = pcb->eap.es_savedtime; 438 switch (pcb->eap.es_server.ea_state) { 439 case eapBadAuth: 440 return; 441 442 case eapIdentify: 443 #ifdef USE_SRP 444 /* Discard any previous session. */ 445 ts = (struct t_server *)pcb->eap.es_server.ea_session; 446 if (ts != NULL) { 447 t_serverclose(ts); 448 pcb->eap.es_server.ea_session = NULL; 449 pcb->eap.es_server.ea_skey = NULL; 450 } 451 #endif /* USE_SRP */ 452 if (status != 0) { 453 pcb->eap.es_server.ea_state = eapBadAuth; 454 break; 455 } 456 #ifdef USE_SRP 457 /* If we've got a pseudonym, try to decode to real name. */ 458 if (pcb->eap.es_server.ea_peerlen > SRP_PSEUDO_LEN && 459 strncmp(pcb->eap.es_server.ea_peer, SRP_PSEUDO_ID, 460 SRP_PSEUDO_LEN) == 0 && 461 (pcb->eap.es_server.ea_peerlen - SRP_PSEUDO_LEN) * 3 / 4 < 462 sizeof (secbuf)) { 463 BZERO(&bs, sizeof (bs)); 464 plen = b64dec(&bs, 465 pcb->eap.es_server.ea_peer + SRP_PSEUDO_LEN, 466 pcb->eap.es_server.ea_peerlen - SRP_PSEUDO_LEN, 467 secbuf); 468 toffs = 0; 469 for (i = 0; i < 5; i++) { 470 pncrypt_setkey(toffs); 471 toffs -= 86400; 472 /* FIXME: if we want to do SRP, we need to find a way to pass the PolarSSL des_context instead of using static memory */ 473 if (!DesDecrypt(secbuf, clear)) { 474 ppp_dbglog("no DES here; cannot decode " 475 "pseudonym"); 476 return; 477 } 478 id = *(unsigned char *)clear; 479 if (id + 1 <= plen && id + 9 > plen) 480 break; 481 } 482 if (plen % 8 == 0 && i < 5) { 483 /* 484 * Note that this is always shorter than the 485 * original stored string, so there's no need 486 * to realloc. 487 */ 488 if ((i = plen = *(unsigned char *)clear) > 7) 489 i = 7; 490 pcb->eap.es_server.ea_peerlen = plen; 491 dp = (unsigned char *)pcb->eap.es_server.ea_peer; 492 MEMCPY(dp, clear + 1, i); 493 plen -= i; 494 dp += i; 495 sp = secbuf + 8; 496 while (plen > 0) { 497 /* FIXME: if we want to do SRP, we need to find a way to pass the PolarSSL des_context instead of using static memory */ 498 (void) DesDecrypt(sp, dp); 499 sp += 8; 500 dp += 8; 501 plen -= 8; 502 } 503 pcb->eap.es_server.ea_peer[ 504 pcb->eap.es_server.ea_peerlen] = '\0'; 505 ppp_dbglog("decoded pseudonym to \"%.*q\"", 506 pcb->eap.es_server.ea_peerlen, 507 pcb->eap.es_server.ea_peer); 508 } else { 509 ppp_dbglog("failed to decode real name"); 510 /* Stay in eapIdentfy state; requery */ 511 break; 512 } 513 } 514 /* Look up user in secrets database. */ 515 if (get_srp_secret(pcb->eap.es_unit, pcb->eap.es_server.ea_peer, 516 pcb->eap.es_server.ea_name, (char *)secbuf, 1) != 0) { 517 /* Set up default in case SRP entry is bad */ 518 pcb->eap.es_server.ea_state = eapMD5Chall; 519 /* Get t_confent based on index in srp-secrets */ 520 id = strtol((char *)secbuf, &cp, 10); 521 if (*cp++ != ':' || id < 0) 522 break; 523 if (id == 0) { 524 mytce.index = 0; 525 mytce.modulus.data = (u_char *)wkmodulus; 526 mytce.modulus.len = sizeof (wkmodulus); 527 mytce.generator.data = (u_char *)"\002"; 528 mytce.generator.len = 1; 529 tce = &mytce; 530 } else if ((tce = gettcid(id)) != NULL) { 531 /* 532 * Client will have to verify this modulus/ 533 * generator combination, and that will take 534 * a while. Lengthen the timeout here. 535 */ 536 if (pcb->settings.eap_timeout_time > 0 && 537 pcb->settings.eap_timeout_time < 30) 538 pcb->settings.eap_timeout_time = 30; 539 } else { 540 break; 541 } 542 if ((cp2 = strchr(cp, ':')) == NULL) 543 break; 544 *cp2++ = '\0'; 545 tpw.pebuf.name = pcb->eap.es_server.ea_peer; 546 tpw.pebuf.password.len = t_fromb64((char *)tpw.pwbuf, 547 cp); 548 tpw.pebuf.password.data = tpw.pwbuf; 549 tpw.pebuf.salt.len = t_fromb64((char *)tpw.saltbuf, 550 cp2); 551 tpw.pebuf.salt.data = tpw.saltbuf; 552 if ((ts = t_serveropenraw(&tpw.pebuf, tce)) == NULL) 553 break; 554 pcb->eap.es_server.ea_session = (void *)ts; 555 pcb->eap.es_server.ea_state = eapSRP1; 556 vals[0] = pcb->eap.es_server.ea_id + 1; 557 vals[1] = EAPT_SRP; 558 t_serveraddexdata(ts, vals, 2); 559 /* Generate B; must call before t_servergetkey() */ 560 t_servergenexp(ts); 561 break; 562 } 563 #endif /* USE_SRP */ 564 pcb->eap.es_server.ea_state = eapMD5Chall; 565 break; 566 567 case eapSRP1: 568 #ifdef USE_SRP 569 ts = (struct t_server *)pcb->eap.es_server.ea_session; 570 if (ts != NULL && status != 0) { 571 t_serverclose(ts); 572 pcb->eap.es_server.ea_session = NULL; 573 pcb->eap.es_server.ea_skey = NULL; 574 } 575 #endif /* USE_SRP */ 576 if (status == 1) { 577 pcb->eap.es_server.ea_state = eapMD5Chall; 578 } else if (status != 0 || pcb->eap.es_server.ea_session == NULL) { 579 pcb->eap.es_server.ea_state = eapBadAuth; 580 } else { 581 pcb->eap.es_server.ea_state = eapSRP2; 582 } 583 break; 584 585 case eapSRP2: 586 #ifdef USE_SRP 587 ts = (struct t_server *)pcb->eap.es_server.ea_session; 588 if (ts != NULL && status != 0) { 589 t_serverclose(ts); 590 pcb->eap.es_server.ea_session = NULL; 591 pcb->eap.es_server.ea_skey = NULL; 592 } 593 #endif /* USE_SRP */ 594 if (status != 0 || pcb->eap.es_server.ea_session == NULL) { 595 pcb->eap.es_server.ea_state = eapBadAuth; 596 } else { 597 pcb->eap.es_server.ea_state = eapSRP3; 598 } 599 break; 600 601 case eapSRP3: 602 case eapSRP4: 603 #ifdef USE_SRP 604 ts = (struct t_server *)pcb->eap.es_server.ea_session; 605 if (ts != NULL && status != 0) { 606 t_serverclose(ts); 607 pcb->eap.es_server.ea_session = NULL; 608 pcb->eap.es_server.ea_skey = NULL; 609 } 610 #endif /* USE_SRP */ 611 if (status != 0 || pcb->eap.es_server.ea_session == NULL) { 612 pcb->eap.es_server.ea_state = eapBadAuth; 613 } else { 614 pcb->eap.es_server.ea_state = eapOpen; 615 } 616 break; 617 618 case eapMD5Chall: 619 if (status != 0) { 620 pcb->eap.es_server.ea_state = eapBadAuth; 621 } else { 622 pcb->eap.es_server.ea_state = eapOpen; 623 } 624 break; 625 626 default: 627 pcb->eap.es_server.ea_state = eapBadAuth; 628 break; 629 } 630 if (pcb->eap.es_server.ea_state == eapBadAuth) 631 eap_send_failure(pcb); 632 } 633 634 /* 635 * Format an EAP Request message and send it to the peer. Message 636 * type depends on current state. (Server operation) 637 */ 638 static void eap_send_request(ppp_pcb *pcb) { 639 struct pbuf *p; 640 u_char *outp; 641 u_char *lenloc; 642 int outlen; 643 int len; 644 const char *str; 645 #ifdef USE_SRP 646 struct t_server *ts; 647 u_char clear[8], cipher[8], dig[SHA_DIGESTSIZE], *optr, *cp; 648 int i, j; 649 struct b64state b64; 650 SHA1_CTX ctxt; 651 #endif /* USE_SRP */ 652 653 /* Handle both initial auth and restart */ 654 if (pcb->eap.es_server.ea_state < eapIdentify && 655 pcb->eap.es_server.ea_state != eapInitial) { 656 pcb->eap.es_server.ea_state = eapIdentify; 657 #if PPP_REMOTENAME 658 if (pcb->settings.explicit_remote && pcb->remote_name) { 659 /* 660 * If we already know the peer's 661 * unauthenticated name, then there's no 662 * reason to ask. Go to next state instead. 663 */ 664 int len = (int)strlen(pcb->remote_name); 665 if (len > MAXNAMELEN) { 666 len = MAXNAMELEN; 667 } 668 MEMCPY(pcb->eap.es_server.ea_peer, pcb->remote_name, len); 669 pcb->eap.es_server.ea_peer[len] = '\0'; 670 pcb->eap.es_server.ea_peerlen = len; 671 eap_figure_next_state(pcb, 0); 672 } 673 #endif /* PPP_REMOTENAME */ 674 } 675 676 if (pcb->settings.eap_max_transmits > 0 && 677 pcb->eap.es_server.ea_requests >= pcb->settings.eap_max_transmits) { 678 if (pcb->eap.es_server.ea_responses > 0) 679 ppp_error("EAP: too many Requests sent"); 680 else 681 ppp_error("EAP: no response to Requests"); 682 eap_send_failure(pcb); 683 return; 684 } 685 686 p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_CTRL_PBUF_MAX_SIZE), PPP_CTRL_PBUF_TYPE); 687 if(NULL == p) 688 return; 689 if(p->tot_len != p->len) { 690 pbuf_free(p); 691 return; 692 } 693 694 outp = (u_char*)p->payload; 695 696 MAKEHEADER(outp, PPP_EAP); 697 698 PUTCHAR(EAP_REQUEST, outp); 699 PUTCHAR(pcb->eap.es_server.ea_id, outp); 700 lenloc = outp; 701 INCPTR(2, outp); 702 703 switch (pcb->eap.es_server.ea_state) { 704 case eapIdentify: 705 PUTCHAR(EAPT_IDENTITY, outp); 706 str = "Name"; 707 len = strlen(str); 708 MEMCPY(outp, str, len); 709 INCPTR(len, outp); 710 break; 711 712 case eapMD5Chall: 713 PUTCHAR(EAPT_MD5CHAP, outp); 714 /* 715 * pick a random challenge length between 716 * EAP_MIN_CHALLENGE_LENGTH and EAP_MAX_CHALLENGE_LENGTH 717 */ 718 pcb->eap.es_challen = EAP_MIN_CHALLENGE_LENGTH + 719 magic_pow(EAP_MIN_MAX_POWER_OF_TWO_CHALLENGE_LENGTH); 720 PUTCHAR(pcb->eap.es_challen, outp); 721 magic_random_bytes(pcb->eap.es_challenge, pcb->eap.es_challen); 722 MEMCPY(outp, pcb->eap.es_challenge, pcb->eap.es_challen); 723 INCPTR(pcb->eap.es_challen, outp); 724 MEMCPY(outp, pcb->eap.es_server.ea_name, pcb->eap.es_server.ea_namelen); 725 INCPTR(pcb->eap.es_server.ea_namelen, outp); 726 break; 727 728 #ifdef USE_SRP 729 case eapSRP1: 730 PUTCHAR(EAPT_SRP, outp); 731 PUTCHAR(EAPSRP_CHALLENGE, outp); 732 733 PUTCHAR(pcb->eap.es_server.ea_namelen, outp); 734 MEMCPY(outp, pcb->eap.es_server.ea_name, pcb->eap.es_server.ea_namelen); 735 INCPTR(pcb->eap.es_server.ea_namelen, outp); 736 737 ts = (struct t_server *)pcb->eap.es_server.ea_session; 738 assert(ts != NULL); 739 PUTCHAR(ts->s.len, outp); 740 MEMCPY(outp, ts->s.data, ts->s.len); 741 INCPTR(ts->s.len, outp); 742 743 if (ts->g.len == 1 && ts->g.data[0] == 2) { 744 PUTCHAR(0, outp); 745 } else { 746 PUTCHAR(ts->g.len, outp); 747 MEMCPY(outp, ts->g.data, ts->g.len); 748 INCPTR(ts->g.len, outp); 749 } 750 751 if (ts->n.len != sizeof (wkmodulus) || 752 BCMP(ts->n.data, wkmodulus, sizeof (wkmodulus)) != 0) { 753 MEMCPY(outp, ts->n.data, ts->n.len); 754 INCPTR(ts->n.len, outp); 755 } 756 break; 757 758 case eapSRP2: 759 PUTCHAR(EAPT_SRP, outp); 760 PUTCHAR(EAPSRP_SKEY, outp); 761 762 ts = (struct t_server *)pcb->eap.es_server.ea_session; 763 assert(ts != NULL); 764 MEMCPY(outp, ts->B.data, ts->B.len); 765 INCPTR(ts->B.len, outp); 766 break; 767 768 case eapSRP3: 769 PUTCHAR(EAPT_SRP, outp); 770 PUTCHAR(EAPSRP_SVALIDATOR, outp); 771 PUTLONG(SRPVAL_EBIT, outp); 772 ts = (struct t_server *)pcb->eap.es_server.ea_session; 773 assert(ts != NULL); 774 MEMCPY(outp, t_serverresponse(ts), SHA_DIGESTSIZE); 775 INCPTR(SHA_DIGESTSIZE, outp); 776 777 if (pncrypt_setkey(0)) { 778 /* Generate pseudonym */ 779 optr = outp; 780 cp = (unsigned char *)pcb->eap.es_server.ea_peer; 781 if ((j = i = pcb->eap.es_server.ea_peerlen) > 7) 782 j = 7; 783 clear[0] = i; 784 MEMCPY(clear + 1, cp, j); 785 i -= j; 786 cp += j; 787 /* FIXME: if we want to do SRP, we need to find a way to pass the PolarSSL des_context instead of using static memory */ 788 if (!DesEncrypt(clear, cipher)) { 789 ppp_dbglog("no DES here; not generating pseudonym"); 790 break; 791 } 792 BZERO(&b64, sizeof (b64)); 793 outp++; /* space for pseudonym length */ 794 outp += b64enc(&b64, cipher, 8, outp); 795 while (i >= 8) { 796 /* FIXME: if we want to do SRP, we need to find a way to pass the PolarSSL des_context instead of using static memory */ 797 (void) DesEncrypt(cp, cipher); 798 outp += b64enc(&b64, cipher, 8, outp); 799 cp += 8; 800 i -= 8; 801 } 802 if (i > 0) { 803 MEMCPY(clear, cp, i); 804 cp += i; 805 magic_random_bytes(cp, 8-i); 806 /* FIXME: if we want to do SRP, we need to find a way to pass the PolarSSL des_context instead of using static memory */ 807 (void) DesEncrypt(clear, cipher); 808 outp += b64enc(&b64, cipher, 8, outp); 809 } 810 outp += b64flush(&b64, outp); 811 812 /* Set length and pad out to next 20 octet boundary */ 813 i = outp - optr - 1; 814 *optr = i; 815 i %= SHA_DIGESTSIZE; 816 if (i != 0) { 817 magic_random_bytes(outp, SHA_DIGESTSIZE-i); 818 INCPTR(SHA_DIGESTSIZE-i, outp); 819 } 820 821 /* Obscure the pseudonym with SHA1 hash */ 822 SHA1Init(&ctxt); 823 SHA1Update(&ctxt, &pcb->eap.es_server.ea_id, 1); 824 SHA1Update(&ctxt, pcb->eap.es_server.ea_skey, 825 SESSION_KEY_LEN); 826 SHA1Update(&ctxt, pcb->eap.es_server.ea_peer, 827 pcb->eap.es_server.ea_peerlen); 828 while (optr < outp) { 829 SHA1Final(dig, &ctxt); 830 cp = dig; 831 while (cp < dig + SHA_DIGESTSIZE) 832 *optr++ ^= *cp++; 833 SHA1Init(&ctxt); 834 SHA1Update(&ctxt, &pcb->eap.es_server.ea_id, 1); 835 SHA1Update(&ctxt, pcb->eap.es_server.ea_skey, 836 SESSION_KEY_LEN); 837 SHA1Update(&ctxt, optr - SHA_DIGESTSIZE, 838 SHA_DIGESTSIZE); 839 } 840 } 841 break; 842 843 case eapSRP4: 844 PUTCHAR(EAPT_SRP, outp); 845 PUTCHAR(EAPSRP_LWRECHALLENGE, outp); 846 pcb->eap.es_challen = EAP_MIN_CHALLENGE_LENGTH + 847 magic_pow(EAP_MIN_MAX_POWER_OF_TWO_CHALLENGE_LENGTH); 848 magic_random_bytes(pcb->eap.es_challenge, pcb->eap.es_challen); 849 MEMCPY(outp, pcb->eap.es_challenge, pcb->eap.es_challen); 850 INCPTR(pcb->eap.es_challen, outp); 851 break; 852 #endif /* USE_SRP */ 853 854 default: 855 return; 856 } 857 858 outlen = (outp - (unsigned char*)p->payload) - PPP_HDRLEN; 859 PUTSHORT(outlen, lenloc); 860 861 pbuf_realloc(p, outlen + PPP_HDRLEN); 862 ppp_write(pcb, p); 863 864 pcb->eap.es_server.ea_requests++; 865 866 if (pcb->settings.eap_timeout_time > 0) 867 TIMEOUT(eap_server_timeout, pcb, pcb->settings.eap_timeout_time); 868 } 869 870 /* 871 * eap_authpeer - Authenticate our peer (behave as server). 872 * 873 * Start server state and send first request. This is called only 874 * after eap_lowerup. 875 */ 876 void eap_authpeer(ppp_pcb *pcb, const char *localname) { 877 878 /* Save the name we're given. */ 879 pcb->eap.es_server.ea_name = localname; 880 pcb->eap.es_server.ea_namelen = strlen(localname); 881 882 pcb->eap.es_savedtime = pcb->settings.eap_timeout_time; 883 884 /* Lower layer up yet? */ 885 if (pcb->eap.es_server.ea_state == eapInitial || 886 pcb->eap.es_server.ea_state == eapPending) { 887 pcb->eap.es_server.ea_state = eapPending; 888 return; 889 } 890 891 pcb->eap.es_server.ea_state = eapPending; 892 893 /* ID number not updated here intentionally; hashed into M1 */ 894 eap_send_request(pcb); 895 } 896 897 /* 898 * eap_server_timeout - Retransmission timer for sending Requests 899 * expired. 900 */ 901 static void eap_server_timeout(void *arg) { 902 ppp_pcb *pcb = (ppp_pcb*)arg; 903 904 if (!eap_server_active(pcb)) 905 return; 906 907 /* EAP ID number must not change on timeout. */ 908 eap_send_request(pcb); 909 } 910 911 /* 912 * When it's time to send rechallenge the peer, this timeout is 913 * called. Once the rechallenge is successful, the response handler 914 * will restart the timer. If it fails, then the link is dropped. 915 */ 916 static void eap_rechallenge(void *arg) { 917 ppp_pcb *pcb = (ppp_pcb*)arg; 918 919 if (pcb->eap.es_server.ea_state != eapOpen && 920 pcb->eap.es_server.ea_state != eapSRP4) 921 return; 922 923 pcb->eap.es_server.ea_requests = 0; 924 pcb->eap.es_server.ea_state = eapIdentify; 925 eap_figure_next_state(pcb, 0); 926 pcb->eap.es_server.ea_id++; 927 eap_send_request(pcb); 928 } 929 930 static void srp_lwrechallenge(void *arg) { 931 ppp_pcb *pcb = (ppp_pcb*)arg; 932 933 if (pcb->eap.es_server.ea_state != eapOpen || 934 pcb->eap.es_server.ea_type != EAPT_SRP) 935 return; 936 937 pcb->eap.es_server.ea_requests = 0; 938 pcb->eap.es_server.ea_state = eapSRP4; 939 pcb->eap.es_server.ea_id++; 940 eap_send_request(pcb); 941 } 942 #endif /* PPP_SERVER */ 943 944 /* 945 * eap_lowerup - The lower layer is now up. 946 * 947 * This is called before either eap_authpeer or eap_authwithpeer. See 948 * link_established() in auth.c. All that's necessary here is to 949 * return to closed state so that those two routines will do the right 950 * thing. 951 */ 952 static void eap_lowerup(ppp_pcb *pcb) { 953 pcb->eap.es_client.ea_state = eapClosed; 954 #if PPP_SERVER 955 pcb->eap.es_server.ea_state = eapClosed; 956 #endif /* PPP_SERVER */ 957 } 958 959 /* 960 * eap_lowerdown - The lower layer is now down. 961 * 962 * Cancel all timeouts and return to initial state. 963 */ 964 static void eap_lowerdown(ppp_pcb *pcb) { 965 966 if (eap_client_active(pcb) && pcb->settings.eap_req_time > 0) { 967 UNTIMEOUT(eap_client_timeout, pcb); 968 } 969 #if PPP_SERVER 970 if (eap_server_active(pcb)) { 971 if (pcb->settings.eap_timeout_time > 0) { 972 UNTIMEOUT(eap_server_timeout, pcb); 973 } 974 } else { 975 if ((pcb->eap.es_server.ea_state == eapOpen || 976 pcb->eap.es_server.ea_state == eapSRP4) && 977 pcb->eap.es_rechallenge > 0) { 978 UNTIMEOUT(eap_rechallenge, (void *)pcb); 979 } 980 if (pcb->eap.es_server.ea_state == eapOpen && 981 pcb->eap.es_lwrechallenge > 0) { 982 UNTIMEOUT(srp_lwrechallenge, (void *)pcb); 983 } 984 } 985 986 pcb->eap.es_client.ea_state = pcb->eap.es_server.ea_state = eapInitial; 987 pcb->eap.es_client.ea_requests = pcb->eap.es_server.ea_requests = 0; 988 #endif /* PPP_SERVER */ 989 } 990 991 /* 992 * eap_protrej - Peer doesn't speak this protocol. 993 * 994 * This shouldn't happen. If it does, it represents authentication 995 * failure. 996 */ 997 static void eap_protrej(ppp_pcb *pcb) { 998 999 if (eap_client_active(pcb)) { 1000 ppp_error("EAP authentication failed due to Protocol-Reject"); 1001 auth_withpeer_fail(pcb, PPP_EAP); 1002 } 1003 #if PPP_SERVER 1004 if (eap_server_active(pcb)) { 1005 ppp_error("EAP authentication of peer failed on Protocol-Reject"); 1006 auth_peer_fail(pcb, PPP_EAP); 1007 } 1008 #endif /* PPP_SERVER */ 1009 eap_lowerdown(pcb); 1010 } 1011 1012 /* 1013 * Format and send a regular EAP Response message. 1014 */ 1015 static void eap_send_response(ppp_pcb *pcb, u_char id, u_char typenum, const u_char *str, int lenstr) { 1016 struct pbuf *p; 1017 u_char *outp; 1018 int msglen; 1019 1020 msglen = EAP_HEADERLEN + sizeof (u_char) + lenstr; 1021 p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + msglen), PPP_CTRL_PBUF_TYPE); 1022 if(NULL == p) 1023 return; 1024 if(p->tot_len != p->len) { 1025 pbuf_free(p); 1026 return; 1027 } 1028 1029 outp = (u_char*)p->payload; 1030 1031 MAKEHEADER(outp, PPP_EAP); 1032 1033 PUTCHAR(EAP_RESPONSE, outp); 1034 PUTCHAR(id, outp); 1035 pcb->eap.es_client.ea_id = id; 1036 PUTSHORT(msglen, outp); 1037 PUTCHAR(typenum, outp); 1038 if (lenstr > 0) { 1039 MEMCPY(outp, str, lenstr); 1040 } 1041 1042 ppp_write(pcb, p); 1043 } 1044 1045 /* 1046 * Format and send an MD5-Challenge EAP Response message. 1047 */ 1048 static void eap_chap_response(ppp_pcb *pcb, u_char id, u_char *hash, const char *name, int namelen) { 1049 struct pbuf *p; 1050 u_char *outp; 1051 int msglen; 1052 1053 msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + MD5_SIGNATURE_SIZE + 1054 namelen; 1055 p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + msglen), PPP_CTRL_PBUF_TYPE); 1056 if(NULL == p) 1057 return; 1058 if(p->tot_len != p->len) { 1059 pbuf_free(p); 1060 return; 1061 } 1062 1063 outp = (u_char*)p->payload; 1064 1065 MAKEHEADER(outp, PPP_EAP); 1066 1067 PUTCHAR(EAP_RESPONSE, outp); 1068 PUTCHAR(id, outp); 1069 pcb->eap.es_client.ea_id = id; 1070 PUTSHORT(msglen, outp); 1071 PUTCHAR(EAPT_MD5CHAP, outp); 1072 PUTCHAR(MD5_SIGNATURE_SIZE, outp); 1073 MEMCPY(outp, hash, MD5_SIGNATURE_SIZE); 1074 INCPTR(MD5_SIGNATURE_SIZE, outp); 1075 if (namelen > 0) { 1076 MEMCPY(outp, name, namelen); 1077 } 1078 1079 ppp_write(pcb, p); 1080 } 1081 1082 #ifdef USE_SRP 1083 /* 1084 * Format and send a SRP EAP Response message. 1085 */ 1086 static void 1087 eap_srp_response(esp, id, subtypenum, str, lenstr) 1088 eap_state *esp; 1089 u_char id; 1090 u_char subtypenum; 1091 u_char *str; 1092 int lenstr; 1093 { 1094 ppp_pcb *pcb = &ppp_pcb_list[pcb->eap.es_unit]; 1095 struct pbuf *p; 1096 u_char *outp; 1097 int msglen; 1098 1099 msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + lenstr; 1100 p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + msglen), PPP_CTRL_PBUF_TYPE); 1101 if(NULL == p) 1102 return; 1103 if(p->tot_len != p->len) { 1104 pbuf_free(p); 1105 return; 1106 } 1107 1108 outp = p->payload; 1109 1110 MAKEHEADER(outp, PPP_EAP); 1111 1112 PUTCHAR(EAP_RESPONSE, outp); 1113 PUTCHAR(id, outp); 1114 pcb->eap.es_client.ea_id = id; 1115 PUTSHORT(msglen, outp); 1116 PUTCHAR(EAPT_SRP, outp); 1117 PUTCHAR(subtypenum, outp); 1118 if (lenstr > 0) { 1119 MEMCPY(outp, str, lenstr); 1120 } 1121 1122 ppp_write(pcb, p); 1123 } 1124 1125 /* 1126 * Format and send a SRP EAP Client Validator Response message. 1127 */ 1128 static void 1129 eap_srpval_response(esp, id, flags, str) 1130 eap_state *esp; 1131 u_char id; 1132 u32_t flags; 1133 u_char *str; 1134 { 1135 ppp_pcb *pcb = &ppp_pcb_list[pcb->eap.es_unit]; 1136 struct pbuf *p; 1137 u_char *outp; 1138 int msglen; 1139 1140 msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + sizeof (u32_t) + 1141 SHA_DIGESTSIZE; 1142 p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + msglen), PPP_CTRL_PBUF_TYPE); 1143 if(NULL == p) 1144 return; 1145 if(p->tot_len != p->len) { 1146 pbuf_free(p); 1147 return; 1148 } 1149 1150 outp = p->payload; 1151 1152 MAKEHEADER(outp, PPP_EAP); 1153 1154 PUTCHAR(EAP_RESPONSE, outp); 1155 PUTCHAR(id, outp); 1156 pcb->eap.es_client.ea_id = id; 1157 PUTSHORT(msglen, outp); 1158 PUTCHAR(EAPT_SRP, outp); 1159 PUTCHAR(EAPSRP_CVALIDATOR, outp); 1160 PUTLONG(flags, outp); 1161 MEMCPY(outp, str, SHA_DIGESTSIZE); 1162 1163 ppp_write(pcb, p); 1164 } 1165 #endif /* USE_SRP */ 1166 1167 static void eap_send_nak(ppp_pcb *pcb, u_char id, u_char type) { 1168 struct pbuf *p; 1169 u_char *outp; 1170 int msglen; 1171 1172 msglen = EAP_HEADERLEN + 2 * sizeof (u_char); 1173 p = pbuf_alloc(PBUF_RAW, (u16_t)(PPP_HDRLEN + msglen), PPP_CTRL_PBUF_TYPE); 1174 if(NULL == p) 1175 return; 1176 if(p->tot_len != p->len) { 1177 pbuf_free(p); 1178 return; 1179 } 1180 1181 outp = (u_char*)p->payload; 1182 1183 MAKEHEADER(outp, PPP_EAP); 1184 1185 PUTCHAR(EAP_RESPONSE, outp); 1186 PUTCHAR(id, outp); 1187 pcb->eap.es_client.ea_id = id; 1188 PUTSHORT(msglen, outp); 1189 PUTCHAR(EAPT_NAK, outp); 1190 PUTCHAR(type, outp); 1191 1192 ppp_write(pcb, p); 1193 } 1194 1195 #ifdef USE_SRP 1196 static char * 1197 name_of_pn_file() 1198 { 1199 char *user, *path, *file; 1200 struct passwd *pw; 1201 size_t pl; 1202 static bool pnlogged = 0; 1203 1204 pw = getpwuid(getuid()); 1205 if (pw == NULL || (user = pw->pw_dir) == NULL || user[0] == 0) { 1206 errno = EINVAL; 1207 return (NULL); 1208 } 1209 file = _PATH_PSEUDONYM; 1210 pl = strlen(user) + strlen(file) + 2; 1211 path = malloc(pl); 1212 if (path == NULL) 1213 return (NULL); 1214 (void) slprintf(path, pl, "%s/%s", user, file); 1215 if (!pnlogged) { 1216 ppp_dbglog("pseudonym file: %s", path); 1217 pnlogged = 1; 1218 } 1219 return (path); 1220 } 1221 1222 static int 1223 open_pn_file(modebits) 1224 mode_t modebits; 1225 { 1226 char *path; 1227 int fd, err; 1228 1229 if ((path = name_of_pn_file()) == NULL) 1230 return (-1); 1231 fd = open(path, modebits, S_IRUSR | S_IWUSR); 1232 err = errno; 1233 free(path); 1234 errno = err; 1235 return (fd); 1236 } 1237 1238 static void 1239 remove_pn_file() 1240 { 1241 char *path; 1242 1243 if ((path = name_of_pn_file()) != NULL) { 1244 (void) unlink(path); 1245 (void) free(path); 1246 } 1247 } 1248 1249 static void 1250 write_pseudonym(esp, inp, len, id) 1251 eap_state *esp; 1252 u_char *inp; 1253 int len, id; 1254 { 1255 u_char val; 1256 u_char *datp, *digp; 1257 SHA1_CTX ctxt; 1258 u_char dig[SHA_DIGESTSIZE]; 1259 int dsize, fd, olen = len; 1260 1261 /* 1262 * Do the decoding by working backwards. This eliminates the need 1263 * to save the decoded output in a separate buffer. 1264 */ 1265 val = id; 1266 while (len > 0) { 1267 if ((dsize = len % SHA_DIGESTSIZE) == 0) 1268 dsize = SHA_DIGESTSIZE; 1269 len -= dsize; 1270 datp = inp + len; 1271 SHA1Init(&ctxt); 1272 SHA1Update(&ctxt, &val, 1); 1273 SHA1Update(&ctxt, pcb->eap.es_client.ea_skey, SESSION_KEY_LEN); 1274 if (len > 0) { 1275 SHA1Update(&ctxt, datp, SHA_DIGESTSIZE); 1276 } else { 1277 SHA1Update(&ctxt, pcb->eap.es_client.ea_name, 1278 pcb->eap.es_client.ea_namelen); 1279 } 1280 SHA1Final(dig, &ctxt); 1281 for (digp = dig; digp < dig + SHA_DIGESTSIZE; digp++) 1282 *datp++ ^= *digp; 1283 } 1284 1285 /* Now check that the result is sane */ 1286 if (olen <= 0 || *inp + 1 > olen) { 1287 ppp_dbglog("EAP: decoded pseudonym is unusable <%.*B>", olen, inp); 1288 return; 1289 } 1290 1291 /* Save it away */ 1292 fd = open_pn_file(O_WRONLY | O_CREAT | O_TRUNC); 1293 if (fd < 0) { 1294 ppp_dbglog("EAP: error saving pseudonym: %m"); 1295 return; 1296 } 1297 len = write(fd, inp + 1, *inp); 1298 if (close(fd) != -1 && len == *inp) { 1299 ppp_dbglog("EAP: saved pseudonym"); 1300 pcb->eap.es_usedpseudo = 0; 1301 } else { 1302 ppp_dbglog("EAP: failed to save pseudonym"); 1303 remove_pn_file(); 1304 } 1305 } 1306 #endif /* USE_SRP */ 1307 1308 /* 1309 * eap_request - Receive EAP Request message (client mode). 1310 */ 1311 static void eap_request(ppp_pcb *pcb, u_char *inp, int id, int len) { 1312 u_char typenum; 1313 u_char vallen; 1314 int secret_len; 1315 char secret[MAXSECRETLEN]; 1316 char rhostname[MAXNAMELEN]; 1317 lwip_md5_context mdContext; 1318 u_char hash[MD5_SIGNATURE_SIZE]; 1319 #ifdef USE_SRP 1320 struct t_client *tc; 1321 struct t_num sval, gval, Nval, *Ap, Bval; 1322 u_char vals[2]; 1323 SHA1_CTX ctxt; 1324 u_char dig[SHA_DIGESTSIZE]; 1325 int fd; 1326 #endif /* USE_SRP */ 1327 1328 /* 1329 * Note: we update es_client.ea_id *only if* a Response 1330 * message is being generated. Otherwise, we leave it the 1331 * same for duplicate detection purposes. 1332 */ 1333 1334 pcb->eap.es_client.ea_requests++; 1335 if (pcb->settings.eap_allow_req != 0 && 1336 pcb->eap.es_client.ea_requests > pcb->settings.eap_allow_req) { 1337 ppp_info("EAP: received too many Request messages"); 1338 if (pcb->settings.eap_req_time > 0) { 1339 UNTIMEOUT(eap_client_timeout, pcb); 1340 } 1341 auth_withpeer_fail(pcb, PPP_EAP); 1342 return; 1343 } 1344 1345 if (len <= 0) { 1346 ppp_error("EAP: empty Request message discarded"); 1347 return; 1348 } 1349 1350 GETCHAR(typenum, inp); 1351 len--; 1352 1353 switch (typenum) { 1354 case EAPT_IDENTITY: 1355 if (len > 0) 1356 ppp_info("EAP: Identity prompt \"%.*q\"", len, inp); 1357 #ifdef USE_SRP 1358 if (pcb->eap.es_usepseudo && 1359 (pcb->eap.es_usedpseudo == 0 || 1360 (pcb->eap.es_usedpseudo == 1 && 1361 id == pcb->eap.es_client.ea_id))) { 1362 pcb->eap.es_usedpseudo = 1; 1363 /* Try to get a pseudonym */ 1364 if ((fd = open_pn_file(O_RDONLY)) >= 0) { 1365 strcpy(rhostname, SRP_PSEUDO_ID); 1366 len = read(fd, rhostname + SRP_PSEUDO_LEN, 1367 sizeof (rhostname) - SRP_PSEUDO_LEN); 1368 /* XXX NAI unsupported */ 1369 if (len > 0) { 1370 eap_send_response(pcb, id, typenum, 1371 rhostname, len + SRP_PSEUDO_LEN); 1372 } 1373 (void) close(fd); 1374 if (len > 0) 1375 break; 1376 } 1377 } 1378 /* Stop using pseudonym now. */ 1379 if (pcb->eap.es_usepseudo && pcb->eap.es_usedpseudo != 2) { 1380 remove_pn_file(); 1381 pcb->eap.es_usedpseudo = 2; 1382 } 1383 #endif /* USE_SRP */ 1384 eap_send_response(pcb, id, typenum, (const u_char*)pcb->eap.es_client.ea_name, 1385 pcb->eap.es_client.ea_namelen); 1386 break; 1387 1388 case EAPT_NOTIFICATION: 1389 if (len > 0) 1390 ppp_info("EAP: Notification \"%.*q\"", len, inp); 1391 eap_send_response(pcb, id, typenum, NULL, 0); 1392 break; 1393 1394 case EAPT_NAK: 1395 /* 1396 * Avoid the temptation to send Response Nak in reply 1397 * to Request Nak here. It can only lead to trouble. 1398 */ 1399 ppp_warn("EAP: unexpected Nak in Request; ignored"); 1400 /* Return because we're waiting for something real. */ 1401 return; 1402 1403 case EAPT_MD5CHAP: 1404 if (len < 1) { 1405 ppp_error("EAP: received MD5-Challenge with no data"); 1406 /* Bogus request; wait for something real. */ 1407 return; 1408 } 1409 GETCHAR(vallen, inp); 1410 len--; 1411 if (vallen < 8 || vallen > len) { 1412 ppp_error("EAP: MD5-Challenge with bad length %d (8..%d)", 1413 vallen, len); 1414 /* Try something better. */ 1415 eap_send_nak(pcb, id, EAPT_SRP); 1416 break; 1417 } 1418 1419 /* Not so likely to happen. */ 1420 if (vallen >= len + sizeof (rhostname)) { 1421 ppp_dbglog("EAP: trimming really long peer name down"); 1422 MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1); 1423 rhostname[sizeof (rhostname) - 1] = '\0'; 1424 } else { 1425 MEMCPY(rhostname, inp + vallen, len - vallen); 1426 rhostname[len - vallen] = '\0'; 1427 } 1428 1429 #if PPP_REMOTENAME 1430 /* In case the remote doesn't give us his name. */ 1431 if (pcb->settings.explicit_remote || 1432 (pcb->settings.remote_name[0] != '\0' && vallen == len)) 1433 strlcpy(rhostname, pcb->settings.remote_name, sizeof (rhostname)); 1434 #endif /* PPP_REMOTENAME */ 1435 1436 /* 1437 * Get the secret for authenticating ourselves with 1438 * the specified host. 1439 */ 1440 if (!get_secret(pcb, pcb->eap.es_client.ea_name, 1441 rhostname, secret, &secret_len, 0)) { 1442 ppp_dbglog("EAP: no MD5 secret for auth to %q", rhostname); 1443 eap_send_nak(pcb, id, EAPT_SRP); 1444 break; 1445 } 1446 lwip_md5_init(&mdContext); 1447 lwip_md5_starts(&mdContext); 1448 typenum = id; 1449 lwip_md5_update(&mdContext, &typenum, 1); 1450 lwip_md5_update(&mdContext, (u_char *)secret, secret_len); 1451 BZERO(secret, sizeof (secret)); 1452 lwip_md5_update(&mdContext, inp, vallen); 1453 lwip_md5_finish(&mdContext, hash); 1454 lwip_md5_free(&mdContext); 1455 eap_chap_response(pcb, id, hash, pcb->eap.es_client.ea_name, 1456 pcb->eap.es_client.ea_namelen); 1457 break; 1458 1459 #ifdef USE_SRP 1460 case EAPT_SRP: 1461 if (len < 1) { 1462 ppp_error("EAP: received empty SRP Request"); 1463 /* Bogus request; wait for something real. */ 1464 return; 1465 } 1466 1467 /* Get subtype */ 1468 GETCHAR(vallen, inp); 1469 len--; 1470 switch (vallen) { 1471 case EAPSRP_CHALLENGE: 1472 tc = NULL; 1473 if (pcb->eap.es_client.ea_session != NULL) { 1474 tc = (struct t_client *)pcb->eap.es_client. 1475 ea_session; 1476 /* 1477 * If this is a new challenge, then start 1478 * over with a new client session context. 1479 * Otherwise, just resend last response. 1480 */ 1481 if (id != pcb->eap.es_client.ea_id) { 1482 t_clientclose(tc); 1483 pcb->eap.es_client.ea_session = NULL; 1484 tc = NULL; 1485 } 1486 } 1487 /* No session key just yet */ 1488 pcb->eap.es_client.ea_skey = NULL; 1489 if (tc == NULL) { 1490 int rhostnamelen; 1491 1492 GETCHAR(vallen, inp); 1493 len--; 1494 if (vallen >= len) { 1495 ppp_error("EAP: badly-formed SRP Challenge" 1496 " (name)"); 1497 /* Ignore badly-formed messages */ 1498 return; 1499 } 1500 MEMCPY(rhostname, inp, vallen); 1501 rhostname[vallen] = '\0'; 1502 INCPTR(vallen, inp); 1503 len -= vallen; 1504 1505 /* 1506 * In case the remote doesn't give us his name, 1507 * use configured name. 1508 */ 1509 if (explicit_remote || 1510 (remote_name[0] != '\0' && vallen == 0)) { 1511 strlcpy(rhostname, remote_name, 1512 sizeof (rhostname)); 1513 } 1514 1515 rhostnamelen = (int)strlen(rhostname); 1516 if (rhostnamelen > MAXNAMELEN) { 1517 rhostnamelen = MAXNAMELEN; 1518 } 1519 MEMCPY(pcb->eap.es_client.ea_peer, rhostname, rhostnamelen); 1520 pcb->eap.es_client.ea_peer[rhostnamelen] = '\0'; 1521 pcb->eap.es_client.ea_peerlen = rhostnamelen; 1522 1523 GETCHAR(vallen, inp); 1524 len--; 1525 if (vallen >= len) { 1526 ppp_error("EAP: badly-formed SRP Challenge" 1527 " (s)"); 1528 /* Ignore badly-formed messages */ 1529 return; 1530 } 1531 sval.data = inp; 1532 sval.len = vallen; 1533 INCPTR(vallen, inp); 1534 len -= vallen; 1535 1536 GETCHAR(vallen, inp); 1537 len--; 1538 if (vallen > len) { 1539 ppp_error("EAP: badly-formed SRP Challenge" 1540 " (g)"); 1541 /* Ignore badly-formed messages */ 1542 return; 1543 } 1544 /* If no generator present, then use value 2 */ 1545 if (vallen == 0) { 1546 gval.data = (u_char *)"\002"; 1547 gval.len = 1; 1548 } else { 1549 gval.data = inp; 1550 gval.len = vallen; 1551 } 1552 INCPTR(vallen, inp); 1553 len -= vallen; 1554 1555 /* 1556 * If no modulus present, then use well-known 1557 * value. 1558 */ 1559 if (len == 0) { 1560 Nval.data = (u_char *)wkmodulus; 1561 Nval.len = sizeof (wkmodulus); 1562 } else { 1563 Nval.data = inp; 1564 Nval.len = len; 1565 } 1566 tc = t_clientopen(pcb->eap.es_client.ea_name, 1567 &Nval, &gval, &sval); 1568 if (tc == NULL) { 1569 eap_send_nak(pcb, id, EAPT_MD5CHAP); 1570 break; 1571 } 1572 pcb->eap.es_client.ea_session = (void *)tc; 1573 1574 /* Add Challenge ID & type to verifier */ 1575 vals[0] = id; 1576 vals[1] = EAPT_SRP; 1577 t_clientaddexdata(tc, vals, 2); 1578 } 1579 Ap = t_clientgenexp(tc); 1580 eap_srp_response(esp, id, EAPSRP_CKEY, Ap->data, 1581 Ap->len); 1582 break; 1583 1584 case EAPSRP_SKEY: 1585 tc = (struct t_client *)pcb->eap.es_client.ea_session; 1586 if (tc == NULL) { 1587 ppp_warn("EAP: peer sent Subtype 2 without 1"); 1588 eap_send_nak(pcb, id, EAPT_MD5CHAP); 1589 break; 1590 } 1591 if (pcb->eap.es_client.ea_skey != NULL) { 1592 /* 1593 * ID number should not change here. Warn 1594 * if it does (but otherwise ignore). 1595 */ 1596 if (id != pcb->eap.es_client.ea_id) { 1597 ppp_warn("EAP: ID changed from %d to %d " 1598 "in SRP Subtype 2 rexmit", 1599 pcb->eap.es_client.ea_id, id); 1600 } 1601 } else { 1602 if (get_srp_secret(pcb->eap.es_unit, 1603 pcb->eap.es_client.ea_name, 1604 pcb->eap.es_client.ea_peer, secret, 0) == 0) { 1605 /* 1606 * Can't work with this peer because 1607 * the secret is missing. Just give 1608 * up. 1609 */ 1610 eap_send_nak(pcb, id, EAPT_MD5CHAP); 1611 break; 1612 } 1613 Bval.data = inp; 1614 Bval.len = len; 1615 t_clientpasswd(tc, secret); 1616 BZERO(secret, sizeof (secret)); 1617 pcb->eap.es_client.ea_skey = 1618 t_clientgetkey(tc, &Bval); 1619 if (pcb->eap.es_client.ea_skey == NULL) { 1620 /* Server is rogue; stop now */ 1621 ppp_error("EAP: SRP server is rogue"); 1622 goto client_failure; 1623 } 1624 } 1625 eap_srpval_response(esp, id, SRPVAL_EBIT, 1626 t_clientresponse(tc)); 1627 break; 1628 1629 case EAPSRP_SVALIDATOR: 1630 tc = (struct t_client *)pcb->eap.es_client.ea_session; 1631 if (tc == NULL || pcb->eap.es_client.ea_skey == NULL) { 1632 ppp_warn("EAP: peer sent Subtype 3 without 1/2"); 1633 eap_send_nak(pcb, id, EAPT_MD5CHAP); 1634 break; 1635 } 1636 /* 1637 * If we're already open, then this ought to be a 1638 * duplicate. Otherwise, check that the server is 1639 * who we think it is. 1640 */ 1641 if (pcb->eap.es_client.ea_state == eapOpen) { 1642 if (id != pcb->eap.es_client.ea_id) { 1643 ppp_warn("EAP: ID changed from %d to %d " 1644 "in SRP Subtype 3 rexmit", 1645 pcb->eap.es_client.ea_id, id); 1646 } 1647 } else { 1648 len -= sizeof (u32_t) + SHA_DIGESTSIZE; 1649 if (len < 0 || t_clientverify(tc, inp + 1650 sizeof (u32_t)) != 0) { 1651 ppp_error("EAP: SRP server verification " 1652 "failed"); 1653 goto client_failure; 1654 } 1655 GETLONG(pcb->eap.es_client.ea_keyflags, inp); 1656 /* Save pseudonym if user wants it. */ 1657 if (len > 0 && pcb->eap.es_usepseudo) { 1658 INCPTR(SHA_DIGESTSIZE, inp); 1659 write_pseudonym(esp, inp, len, id); 1660 } 1661 } 1662 /* 1663 * We've verified our peer. We're now mostly done, 1664 * except for waiting on the regular EAP Success 1665 * message. 1666 */ 1667 eap_srp_response(esp, id, EAPSRP_ACK, NULL, 0); 1668 break; 1669 1670 case EAPSRP_LWRECHALLENGE: 1671 if (len < 4) { 1672 ppp_warn("EAP: malformed Lightweight rechallenge"); 1673 return; 1674 } 1675 SHA1Init(&ctxt); 1676 vals[0] = id; 1677 SHA1Update(&ctxt, vals, 1); 1678 SHA1Update(&ctxt, pcb->eap.es_client.ea_skey, 1679 SESSION_KEY_LEN); 1680 SHA1Update(&ctxt, inp, len); 1681 SHA1Update(&ctxt, pcb->eap.es_client.ea_name, 1682 pcb->eap.es_client.ea_namelen); 1683 SHA1Final(dig, &ctxt); 1684 eap_srp_response(esp, id, EAPSRP_LWRECHALLENGE, dig, 1685 SHA_DIGESTSIZE); 1686 break; 1687 1688 default: 1689 ppp_error("EAP: unknown SRP Subtype %d", vallen); 1690 eap_send_nak(pcb, id, EAPT_MD5CHAP); 1691 break; 1692 } 1693 break; 1694 #endif /* USE_SRP */ 1695 1696 default: 1697 ppp_info("EAP: unknown authentication type %d; Naking", typenum); 1698 eap_send_nak(pcb, id, EAPT_SRP); 1699 break; 1700 } 1701 1702 if (pcb->settings.eap_req_time > 0) { 1703 UNTIMEOUT(eap_client_timeout, pcb); 1704 TIMEOUT(eap_client_timeout, pcb, 1705 pcb->settings.eap_req_time); 1706 } 1707 return; 1708 1709 #ifdef USE_SRP 1710 client_failure: 1711 pcb->eap.es_client.ea_state = eapBadAuth; 1712 if (pcb->settings.eap_req_time > 0) { 1713 UNTIMEOUT(eap_client_timeout, (void *)esp); 1714 } 1715 pcb->eap.es_client.ea_session = NULL; 1716 t_clientclose(tc); 1717 auth_withpeer_fail(pcb, PPP_EAP); 1718 #endif /* USE_SRP */ 1719 } 1720 1721 #if PPP_SERVER 1722 /* 1723 * eap_response - Receive EAP Response message (server mode). 1724 */ 1725 static void eap_response(ppp_pcb *pcb, u_char *inp, int id, int len) { 1726 u_char typenum; 1727 u_char vallen; 1728 int secret_len; 1729 char secret[MAXSECRETLEN]; 1730 char rhostname[MAXNAMELEN]; 1731 lwip_md5_context mdContext; 1732 u_char hash[MD5_SIGNATURE_SIZE]; 1733 #ifdef USE_SRP 1734 struct t_server *ts; 1735 struct t_num A; 1736 SHA1_CTX ctxt; 1737 u_char dig[SHA_DIGESTSIZE]; 1738 #endif /* USE_SRP */ 1739 1740 if (pcb->eap.es_server.ea_id != id) { 1741 ppp_dbglog("EAP: discarding Response %d; expected ID %d", id, 1742 pcb->eap.es_server.ea_id); 1743 return; 1744 } 1745 1746 pcb->eap.es_server.ea_responses++; 1747 1748 if (len <= 0) { 1749 ppp_error("EAP: empty Response message discarded"); 1750 return; 1751 } 1752 1753 GETCHAR(typenum, inp); 1754 len--; 1755 1756 switch (typenum) { 1757 case EAPT_IDENTITY: 1758 if (pcb->eap.es_server.ea_state != eapIdentify) { 1759 ppp_dbglog("EAP discarding unwanted Identify \"%.q\"", len, 1760 inp); 1761 break; 1762 } 1763 ppp_info("EAP: unauthenticated peer name \"%.*q\"", len, inp); 1764 if (len > MAXNAMELEN) { 1765 len = MAXNAMELEN; 1766 } 1767 MEMCPY(pcb->eap.es_server.ea_peer, inp, len); 1768 pcb->eap.es_server.ea_peer[len] = '\0'; 1769 pcb->eap.es_server.ea_peerlen = len; 1770 eap_figure_next_state(pcb, 0); 1771 break; 1772 1773 case EAPT_NOTIFICATION: 1774 ppp_dbglog("EAP unexpected Notification; response discarded"); 1775 break; 1776 1777 case EAPT_NAK: 1778 if (len < 1) { 1779 ppp_info("EAP: Nak Response with no suggested protocol"); 1780 eap_figure_next_state(pcb, 1); 1781 break; 1782 } 1783 1784 GETCHAR(vallen, inp); 1785 len--; 1786 1787 if ( 1788 #if PPP_REMOTENAME 1789 !pcb->explicit_remote && 1790 #endif /* PPP_REMOTENAME */ 1791 pcb->eap.es_server.ea_state == eapIdentify){ 1792 /* Peer cannot Nak Identify Request */ 1793 eap_figure_next_state(pcb, 1); 1794 break; 1795 } 1796 1797 switch (vallen) { 1798 case EAPT_SRP: 1799 /* Run through SRP validator selection again. */ 1800 pcb->eap.es_server.ea_state = eapIdentify; 1801 eap_figure_next_state(pcb, 0); 1802 break; 1803 1804 case EAPT_MD5CHAP: 1805 pcb->eap.es_server.ea_state = eapMD5Chall; 1806 break; 1807 1808 default: 1809 ppp_dbglog("EAP: peer requesting unknown Type %d", vallen); 1810 switch (pcb->eap.es_server.ea_state) { 1811 case eapSRP1: 1812 case eapSRP2: 1813 case eapSRP3: 1814 pcb->eap.es_server.ea_state = eapMD5Chall; 1815 break; 1816 case eapMD5Chall: 1817 case eapSRP4: 1818 pcb->eap.es_server.ea_state = eapIdentify; 1819 eap_figure_next_state(pcb, 0); 1820 break; 1821 default: 1822 break; 1823 } 1824 break; 1825 } 1826 break; 1827 1828 case EAPT_MD5CHAP: 1829 if (pcb->eap.es_server.ea_state != eapMD5Chall) { 1830 ppp_error("EAP: unexpected MD5-Response"); 1831 eap_figure_next_state(pcb, 1); 1832 break; 1833 } 1834 if (len < 1) { 1835 ppp_error("EAP: received MD5-Response with no data"); 1836 eap_figure_next_state(pcb, 1); 1837 break; 1838 } 1839 GETCHAR(vallen, inp); 1840 len--; 1841 if (vallen != 16 || vallen > len) { 1842 ppp_error("EAP: MD5-Response with bad length %d", vallen); 1843 eap_figure_next_state(pcb, 1); 1844 break; 1845 } 1846 1847 /* Not so likely to happen. */ 1848 if (vallen >= len + sizeof (rhostname)) { 1849 ppp_dbglog("EAP: trimming really long peer name down"); 1850 MEMCPY(rhostname, inp + vallen, sizeof (rhostname) - 1); 1851 rhostname[sizeof (rhostname) - 1] = '\0'; 1852 } else { 1853 MEMCPY(rhostname, inp + vallen, len - vallen); 1854 rhostname[len - vallen] = '\0'; 1855 } 1856 1857 #if PPP_REMOTENAME 1858 /* In case the remote doesn't give us his name. */ 1859 if (explicit_remote || 1860 (remote_name[0] != '\0' && vallen == len)) 1861 strlcpy(rhostname, remote_name, sizeof (rhostname)); 1862 #endif /* PPP_REMOTENAME */ 1863 1864 /* 1865 * Get the secret for authenticating the specified 1866 * host. 1867 */ 1868 if (!get_secret(pcb, rhostname, 1869 pcb->eap.es_server.ea_name, secret, &secret_len, 1)) { 1870 ppp_dbglog("EAP: no MD5 secret for auth of %q", rhostname); 1871 eap_send_failure(pcb); 1872 break; 1873 } 1874 lwip_md5_init(&mdContext); 1875 lwip_md5_starts(&mdContext); 1876 lwip_md5_update(&mdContext, &pcb->eap.es_server.ea_id, 1); 1877 lwip_md5_update(&mdContext, (u_char *)secret, secret_len); 1878 BZERO(secret, sizeof (secret)); 1879 lwip_md5_update(&mdContext, pcb->eap.es_challenge, pcb->eap.es_challen); 1880 lwip_md5_finish(&mdContext, hash); 1881 lwip_md5_free(&mdContext); 1882 if (BCMP(hash, inp, MD5_SIGNATURE_SIZE) != 0) { 1883 eap_send_failure(pcb); 1884 break; 1885 } 1886 pcb->eap.es_server.ea_type = EAPT_MD5CHAP; 1887 eap_send_success(pcb); 1888 eap_figure_next_state(pcb, 0); 1889 if (pcb->eap.es_rechallenge != 0) 1890 TIMEOUT(eap_rechallenge, pcb, pcb->eap.es_rechallenge); 1891 break; 1892 1893 #ifdef USE_SRP 1894 case EAPT_SRP: 1895 if (len < 1) { 1896 ppp_error("EAP: empty SRP Response"); 1897 eap_figure_next_state(pcb, 1); 1898 break; 1899 } 1900 GETCHAR(typenum, inp); 1901 len--; 1902 switch (typenum) { 1903 case EAPSRP_CKEY: 1904 if (pcb->eap.es_server.ea_state != eapSRP1) { 1905 ppp_error("EAP: unexpected SRP Subtype 1 Response"); 1906 eap_figure_next_state(pcb, 1); 1907 break; 1908 } 1909 A.data = inp; 1910 A.len = len; 1911 ts = (struct t_server *)pcb->eap.es_server.ea_session; 1912 assert(ts != NULL); 1913 pcb->eap.es_server.ea_skey = t_servergetkey(ts, &A); 1914 if (pcb->eap.es_server.ea_skey == NULL) { 1915 /* Client's A value is bogus; terminate now */ 1916 ppp_error("EAP: bogus A value from client"); 1917 eap_send_failure(pcb); 1918 } else { 1919 eap_figure_next_state(pcb, 0); 1920 } 1921 break; 1922 1923 case EAPSRP_CVALIDATOR: 1924 if (pcb->eap.es_server.ea_state != eapSRP2) { 1925 ppp_error("EAP: unexpected SRP Subtype 2 Response"); 1926 eap_figure_next_state(pcb, 1); 1927 break; 1928 } 1929 if (len < sizeof (u32_t) + SHA_DIGESTSIZE) { 1930 ppp_error("EAP: M1 length %d < %d", len, 1931 sizeof (u32_t) + SHA_DIGESTSIZE); 1932 eap_figure_next_state(pcb, 1); 1933 break; 1934 } 1935 GETLONG(pcb->eap.es_server.ea_keyflags, inp); 1936 ts = (struct t_server *)pcb->eap.es_server.ea_session; 1937 assert(ts != NULL); 1938 if (t_serververify(ts, inp)) { 1939 ppp_info("EAP: unable to validate client identity"); 1940 eap_send_failure(pcb); 1941 break; 1942 } 1943 eap_figure_next_state(pcb, 0); 1944 break; 1945 1946 case EAPSRP_ACK: 1947 if (pcb->eap.es_server.ea_state != eapSRP3) { 1948 ppp_error("EAP: unexpected SRP Subtype 3 Response"); 1949 eap_send_failure(esp); 1950 break; 1951 } 1952 pcb->eap.es_server.ea_type = EAPT_SRP; 1953 eap_send_success(pcb, esp); 1954 eap_figure_next_state(pcb, 0); 1955 if (pcb->eap.es_rechallenge != 0) 1956 TIMEOUT(eap_rechallenge, pcb, 1957 pcb->eap.es_rechallenge); 1958 if (pcb->eap.es_lwrechallenge != 0) 1959 TIMEOUT(srp_lwrechallenge, pcb, 1960 pcb->eap.es_lwrechallenge); 1961 break; 1962 1963 case EAPSRP_LWRECHALLENGE: 1964 if (pcb->eap.es_server.ea_state != eapSRP4) { 1965 ppp_info("EAP: unexpected SRP Subtype 4 Response"); 1966 return; 1967 } 1968 if (len != SHA_DIGESTSIZE) { 1969 ppp_error("EAP: bad Lightweight rechallenge " 1970 "response"); 1971 return; 1972 } 1973 SHA1Init(&ctxt); 1974 vallen = id; 1975 SHA1Update(&ctxt, &vallen, 1); 1976 SHA1Update(&ctxt, pcb->eap.es_server.ea_skey, 1977 SESSION_KEY_LEN); 1978 SHA1Update(&ctxt, pcb->eap.es_challenge, pcb->eap.es_challen); 1979 SHA1Update(&ctxt, pcb->eap.es_server.ea_peer, 1980 pcb->eap.es_server.ea_peerlen); 1981 SHA1Final(dig, &ctxt); 1982 if (BCMP(dig, inp, SHA_DIGESTSIZE) != 0) { 1983 ppp_error("EAP: failed Lightweight rechallenge"); 1984 eap_send_failure(pcb); 1985 break; 1986 } 1987 pcb->eap.es_server.ea_state = eapOpen; 1988 if (pcb->eap.es_lwrechallenge != 0) 1989 TIMEOUT(srp_lwrechallenge, esp, 1990 pcb->eap.es_lwrechallenge); 1991 break; 1992 } 1993 break; 1994 #endif /* USE_SRP */ 1995 1996 default: 1997 /* This can't happen. */ 1998 ppp_error("EAP: unknown Response type %d; ignored", typenum); 1999 return; 2000 } 2001 2002 if (pcb->settings.eap_timeout_time > 0) { 2003 UNTIMEOUT(eap_server_timeout, pcb); 2004 } 2005 2006 if (pcb->eap.es_server.ea_state != eapBadAuth && 2007 pcb->eap.es_server.ea_state != eapOpen) { 2008 pcb->eap.es_server.ea_id++; 2009 eap_send_request(pcb); 2010 } 2011 } 2012 #endif /* PPP_SERVER */ 2013 2014 /* 2015 * eap_success - Receive EAP Success message (client mode). 2016 */ 2017 static void eap_success(ppp_pcb *pcb, u_char *inp, int id, int len) { 2018 LWIP_UNUSED_ARG(id); 2019 2020 if (pcb->eap.es_client.ea_state != eapOpen && !eap_client_active(pcb)) { 2021 ppp_dbglog("EAP unexpected success message in state %s (%d)", 2022 eap_state_name(pcb->eap.es_client.ea_state), 2023 pcb->eap.es_client.ea_state); 2024 return; 2025 } 2026 2027 if (pcb->settings.eap_req_time > 0) { 2028 UNTIMEOUT(eap_client_timeout, pcb); 2029 } 2030 2031 if (len > 0) { 2032 /* This is odd. The spec doesn't allow for this. */ 2033 PRINTMSG(inp, len); 2034 } 2035 2036 pcb->eap.es_client.ea_state = eapOpen; 2037 auth_withpeer_success(pcb, PPP_EAP, 0); 2038 } 2039 2040 /* 2041 * eap_failure - Receive EAP Failure message (client mode). 2042 */ 2043 static void eap_failure(ppp_pcb *pcb, u_char *inp, int id, int len) { 2044 LWIP_UNUSED_ARG(id); 2045 2046 if (!eap_client_active(pcb)) { 2047 ppp_dbglog("EAP unexpected failure message in state %s (%d)", 2048 eap_state_name(pcb->eap.es_client.ea_state), 2049 pcb->eap.es_client.ea_state); 2050 } 2051 2052 if (pcb->settings.eap_req_time > 0) { 2053 UNTIMEOUT(eap_client_timeout, pcb); 2054 } 2055 2056 if (len > 0) { 2057 /* This is odd. The spec doesn't allow for this. */ 2058 PRINTMSG(inp, len); 2059 } 2060 2061 pcb->eap.es_client.ea_state = eapBadAuth; 2062 2063 ppp_error("EAP: peer reports authentication failure"); 2064 auth_withpeer_fail(pcb, PPP_EAP); 2065 } 2066 2067 /* 2068 * eap_input - Handle received EAP message. 2069 */ 2070 static void eap_input(ppp_pcb *pcb, u_char *inp, int inlen) { 2071 u_char code, id; 2072 int len; 2073 2074 /* 2075 * Parse header (code, id and length). If packet too short, 2076 * drop it. 2077 */ 2078 if (inlen < EAP_HEADERLEN) { 2079 ppp_error("EAP: packet too short: %d < %d", inlen, EAP_HEADERLEN); 2080 return; 2081 } 2082 GETCHAR(code, inp); 2083 GETCHAR(id, inp); 2084 GETSHORT(len, inp); 2085 if (len < EAP_HEADERLEN || len > inlen) { 2086 ppp_error("EAP: packet has illegal length field %d (%d..%d)", len, 2087 EAP_HEADERLEN, inlen); 2088 return; 2089 } 2090 len -= EAP_HEADERLEN; 2091 2092 /* Dispatch based on message code */ 2093 switch (code) { 2094 case EAP_REQUEST: 2095 eap_request(pcb, inp, id, len); 2096 break; 2097 2098 #if PPP_SERVER 2099 case EAP_RESPONSE: 2100 eap_response(pcb, inp, id, len); 2101 break; 2102 #endif /* PPP_SERVER */ 2103 2104 case EAP_SUCCESS: 2105 eap_success(pcb, inp, id, len); 2106 break; 2107 2108 case EAP_FAILURE: 2109 eap_failure(pcb, inp, id, len); 2110 break; 2111 2112 default: /* XXX Need code reject */ 2113 /* Note: it's not legal to send EAP Nak here. */ 2114 ppp_warn("EAP: unknown code %d received", code); 2115 break; 2116 } 2117 } 2118 2119 #if PRINTPKT_SUPPORT 2120 /* 2121 * eap_printpkt - print the contents of an EAP packet. 2122 */ 2123 static const char* const eap_codenames[] = { 2124 "Request", "Response", "Success", "Failure" 2125 }; 2126 2127 static const char* const eap_typenames[] = { 2128 "Identity", "Notification", "Nak", "MD5-Challenge", 2129 "OTP", "Generic-Token", NULL, NULL, 2130 "RSA", "DSS", "KEA", "KEA-Validate", 2131 "TLS", "Defender", "Windows 2000", "Arcot", 2132 "Cisco", "Nokia", "SRP" 2133 }; 2134 2135 static int eap_printpkt(const u_char *inp, int inlen, void (*printer) (void *, const char *, ...), void *arg) { 2136 int code, id, len, rtype, vallen; 2137 const u_char *pstart; 2138 u32_t uval; 2139 2140 if (inlen < EAP_HEADERLEN) 2141 return (0); 2142 pstart = inp; 2143 GETCHAR(code, inp); 2144 GETCHAR(id, inp); 2145 GETSHORT(len, inp); 2146 if (len < EAP_HEADERLEN || len > inlen) 2147 return (0); 2148 2149 if (code >= 1 && code <= (int)LWIP_ARRAYSIZE(eap_codenames)) 2150 printer(arg, " %s", eap_codenames[code-1]); 2151 else 2152 printer(arg, " code=0x%x", code); 2153 printer(arg, " id=0x%x", id); 2154 len -= EAP_HEADERLEN; 2155 switch (code) { 2156 case EAP_REQUEST: 2157 if (len < 1) { 2158 printer(arg, " <missing type>"); 2159 break; 2160 } 2161 GETCHAR(rtype, inp); 2162 len--; 2163 if (rtype >= 1 && rtype <= (int)LWIP_ARRAYSIZE(eap_typenames)) 2164 printer(arg, " %s", eap_typenames[rtype-1]); 2165 else 2166 printer(arg, " type=0x%x", rtype); 2167 switch (rtype) { 2168 case EAPT_IDENTITY: 2169 case EAPT_NOTIFICATION: 2170 if (len > 0) { 2171 printer(arg, " <Message "); 2172 ppp_print_string(inp, len, printer, arg); 2173 printer(arg, ">"); 2174 INCPTR(len, inp); 2175 len = 0; 2176 } else { 2177 printer(arg, " <No message>"); 2178 } 2179 break; 2180 2181 case EAPT_MD5CHAP: 2182 if (len <= 0) 2183 break; 2184 GETCHAR(vallen, inp); 2185 len--; 2186 if (vallen > len) 2187 goto truncated; 2188 printer(arg, " <Value%.*B>", vallen, inp); 2189 INCPTR(vallen, inp); 2190 len -= vallen; 2191 if (len > 0) { 2192 printer(arg, " <Name "); 2193 ppp_print_string(inp, len, printer, arg); 2194 printer(arg, ">"); 2195 INCPTR(len, inp); 2196 len = 0; 2197 } else { 2198 printer(arg, " <No name>"); 2199 } 2200 break; 2201 2202 case EAPT_SRP: 2203 if (len < 3) 2204 goto truncated; 2205 GETCHAR(vallen, inp); 2206 len--; 2207 printer(arg, "-%d", vallen); 2208 switch (vallen) { 2209 case EAPSRP_CHALLENGE: 2210 GETCHAR(vallen, inp); 2211 len--; 2212 if (vallen >= len) 2213 goto truncated; 2214 if (vallen > 0) { 2215 printer(arg, " <Name "); 2216 ppp_print_string(inp, vallen, printer, 2217 arg); 2218 printer(arg, ">"); 2219 } else { 2220 printer(arg, " <No name>"); 2221 } 2222 INCPTR(vallen, inp); 2223 len -= vallen; 2224 GETCHAR(vallen, inp); 2225 len--; 2226 if (vallen >= len) 2227 goto truncated; 2228 printer(arg, " <s%.*B>", vallen, inp); 2229 INCPTR(vallen, inp); 2230 len -= vallen; 2231 GETCHAR(vallen, inp); 2232 len--; 2233 if (vallen > len) 2234 goto truncated; 2235 if (vallen == 0) { 2236 printer(arg, " <Default g=2>"); 2237 } else { 2238 printer(arg, " <g%.*B>", vallen, inp); 2239 } 2240 INCPTR(vallen, inp); 2241 len -= vallen; 2242 if (len == 0) { 2243 printer(arg, " <Default N>"); 2244 } else { 2245 printer(arg, " <N%.*B>", len, inp); 2246 INCPTR(len, inp); 2247 len = 0; 2248 } 2249 break; 2250 2251 case EAPSRP_SKEY: 2252 printer(arg, " <B%.*B>", len, inp); 2253 INCPTR(len, inp); 2254 len = 0; 2255 break; 2256 2257 case EAPSRP_SVALIDATOR: 2258 if (len < (int)sizeof (u32_t)) 2259 break; 2260 GETLONG(uval, inp); 2261 len -= sizeof (u32_t); 2262 if (uval & SRPVAL_EBIT) { 2263 printer(arg, " E"); 2264 uval &= ~SRPVAL_EBIT; 2265 } 2266 if (uval != 0) { 2267 printer(arg, " f<%X>", uval); 2268 } 2269 if ((vallen = len) > SHA_DIGESTSIZE) 2270 vallen = SHA_DIGESTSIZE; 2271 printer(arg, " <M2%.*B%s>", len, inp, 2272 len < SHA_DIGESTSIZE ? "?" : ""); 2273 INCPTR(vallen, inp); 2274 len -= vallen; 2275 if (len > 0) { 2276 printer(arg, " <PN%.*B>", len, inp); 2277 INCPTR(len, inp); 2278 len = 0; 2279 } 2280 break; 2281 2282 case EAPSRP_LWRECHALLENGE: 2283 printer(arg, " <Challenge%.*B>", len, inp); 2284 INCPTR(len, inp); 2285 len = 0; 2286 break; 2287 default: 2288 break; 2289 } 2290 break; 2291 default: 2292 break; 2293 } 2294 break; 2295 2296 case EAP_RESPONSE: 2297 if (len < 1) 2298 break; 2299 GETCHAR(rtype, inp); 2300 len--; 2301 if (rtype >= 1 && rtype <= (int)LWIP_ARRAYSIZE(eap_typenames)) 2302 printer(arg, " %s", eap_typenames[rtype-1]); 2303 else 2304 printer(arg, " type=0x%x", rtype); 2305 switch (rtype) { 2306 case EAPT_IDENTITY: 2307 if (len > 0) { 2308 printer(arg, " <Name "); 2309 ppp_print_string(inp, len, printer, arg); 2310 printer(arg, ">"); 2311 INCPTR(len, inp); 2312 len = 0; 2313 } 2314 break; 2315 2316 case EAPT_NAK: 2317 if (len <= 0) { 2318 printer(arg, " <missing hint>"); 2319 break; 2320 } 2321 GETCHAR(rtype, inp); 2322 len--; 2323 printer(arg, " <Suggested-type %02X", rtype); 2324 if (rtype >= 1 && rtype < (int)LWIP_ARRAYSIZE(eap_typenames)) 2325 printer(arg, " (%s)", eap_typenames[rtype-1]); 2326 printer(arg, ">"); 2327 break; 2328 2329 case EAPT_MD5CHAP: 2330 if (len <= 0) { 2331 printer(arg, " <missing length>"); 2332 break; 2333 } 2334 GETCHAR(vallen, inp); 2335 len--; 2336 if (vallen > len) 2337 goto truncated; 2338 printer(arg, " <Value%.*B>", vallen, inp); 2339 INCPTR(vallen, inp); 2340 len -= vallen; 2341 if (len > 0) { 2342 printer(arg, " <Name "); 2343 ppp_print_string(inp, len, printer, arg); 2344 printer(arg, ">"); 2345 INCPTR(len, inp); 2346 len = 0; 2347 } else { 2348 printer(arg, " <No name>"); 2349 } 2350 break; 2351 2352 case EAPT_SRP: 2353 if (len < 1) 2354 goto truncated; 2355 GETCHAR(vallen, inp); 2356 len--; 2357 printer(arg, "-%d", vallen); 2358 switch (vallen) { 2359 case EAPSRP_CKEY: 2360 printer(arg, " <A%.*B>", len, inp); 2361 INCPTR(len, inp); 2362 len = 0; 2363 break; 2364 2365 case EAPSRP_CVALIDATOR: 2366 if (len < (int)sizeof (u32_t)) 2367 break; 2368 GETLONG(uval, inp); 2369 len -= sizeof (u32_t); 2370 if (uval & SRPVAL_EBIT) { 2371 printer(arg, " E"); 2372 uval &= ~SRPVAL_EBIT; 2373 } 2374 if (uval != 0) { 2375 printer(arg, " f<%X>", uval); 2376 } 2377 printer(arg, " <M1%.*B%s>", len, inp, 2378 len == SHA_DIGESTSIZE ? "" : "?"); 2379 INCPTR(len, inp); 2380 len = 0; 2381 break; 2382 2383 case EAPSRP_ACK: 2384 break; 2385 2386 case EAPSRP_LWRECHALLENGE: 2387 printer(arg, " <Response%.*B%s>", len, inp, 2388 len == SHA_DIGESTSIZE ? "" : "?"); 2389 if ((vallen = len) > SHA_DIGESTSIZE) 2390 vallen = SHA_DIGESTSIZE; 2391 INCPTR(vallen, inp); 2392 len -= vallen; 2393 break; 2394 default: 2395 break; 2396 } 2397 break; 2398 default: 2399 break; 2400 } 2401 break; 2402 2403 case EAP_SUCCESS: /* No payload expected for these! */ 2404 case EAP_FAILURE: 2405 default: 2406 break; 2407 2408 truncated: 2409 printer(arg, " <truncated>"); 2410 break; 2411 } 2412 2413 if (len > 8) 2414 printer(arg, "%8B...", inp); 2415 else if (len > 0) 2416 printer(arg, "%.*B", len, inp); 2417 INCPTR(len, inp); 2418 2419 return (inp - pstart); 2420 } 2421 #endif /* PRINTPKT_SUPPORT */ 2422 2423 #endif /* PPP_SUPPORT && EAP_SUPPORT */ 2424