From 1c5d747dac840a633aebd3eef882b11321993009 Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Fri, 20 Jun 2014 10:26:32 +0200 Subject: [PATCH 26/27] Revert "pppd: rebase EAP-TLS patch v0.994" This reverts commit 044a5b1e5d878c519143b71a44b3d5b0ca91de3b. --- README.eap-tls | 169 ------- etc.ppp/eaptls-client | 10 - etc.ppp/eaptls-server | 11 - etc.ppp/openssl.cnf | 14 - linux/Makefile.top | 6 +- pppd/Makefile.linux | 12 - pppd/auth.c | 414 +-------------- pppd/ccp.c | 20 +- pppd/chap-md5.c | 4 - pppd/eap-tls.c | 1174 ------------------------------------------- pppd/eap-tls.h | 107 ---- pppd/eap.c | 462 +---------------- pppd/eap.h | 32 +- pppd/md5.c | 3 - pppd/md5.h | 3 - pppd/options.c | 10 - pppd/pathnames.h | 7 - pppd/plugins/Makefile.linux | 3 - pppd/plugins/passprompt.c | 3 - pppd/plugins/passwordfd.c | 4 - pppd/pppd.h | 8 - 21 files changed, 15 insertions(+), 2461 deletions(-) delete mode 100644 README.eap-tls delete mode 100644 etc.ppp/eaptls-client delete mode 100644 etc.ppp/eaptls-server delete mode 100644 etc.ppp/openssl.cnf delete mode 100644 pppd/eap-tls.c delete mode 100644 pppd/eap-tls.h diff --git a/README.eap-tls b/README.eap-tls deleted file mode 100644 index 0a4fee9..0000000 --- a/README.eap-tls +++ /dev/null @@ -1,169 +0,0 @@ -EAP-TLS authentication support for PPP -====================================== - -1. Intro - - The Extensible Authentication Protocol (EAP; RFC 3748) is a - security protocol that can be used with PPP. It provides a means - to plug in multiple optional authentication methods. - - Transport Level Security (TLS; RFC 2246) provides for mutual - authentication, integrity-protected ciphersuite negotiation and - key exchange between two endpoints. It also provides for optional - MPPE encryption. - - EAP-TLS (RFC 2716) incapsulates the TLS messages in EAP packets, - allowing TLS mutual authentication to be used as a generic EAP - mechanism. It also provides optional encryption using the MPPE - protocol. - - This patch provide EAP-TLS support to pppd. - This authentication method can be used in both client or server - mode. - -2. Building - - To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org) - is required. Any version from 0.9.7 should work. - - Configure, compile, and install as usual. - -3. Configuration - - On the client side there are two ways to configure EAP-TLS: - - 1. supply the appropriate 'ca', 'cert' and 'key' command-line parameters - - 2. edit the /etc/ppp/eaptls-client file. - Insert a line for each system with which you use EAP-TLS. - The line is composed of this fields separated by tab: - - - Client name - The name used by the client for authentication, can be * - - Server name - The name of the server, can be * - - Client certificate file - The file containing the certificate chain for the - client in PEM format - - Server certificate file - If you want to specify the certificate that the - server is allowed to use, put the certificate file name. - Else put a dash '-'. - - CA certificate file - The file containing the trusted CA certificates in PEM - format. - - Client private key file - The file containing the client private key in PEM format. - - - On the server side edit the /etc/ppp/eaptls-server file. - Insert a line for each system with which you use EAP-TLS. - The line is composed of this fields separated by tab: - - - Client name - The name used by the client for authentication, can be * - - Server name - The name of the server, can be * - - Client certificate file - If you want to specify the certificate that the - client is allowed to use, put the certificate file name. - Else put a dash '-'. - - Server certificate file - The file containing the certificate chain for the - server in PEM format - - CA certificate file - The file containing the trusted CA certificates in PEM - format. - - Client private key file - The file containing the server private key in PEM format. - - addresses - A list of IP addresses the client is allowed to use. - - - OpenSSL engine support is included starting with v0.95 of this patch. - Currently the only engine tested is the 'pkcs11' engine (hardware token - support). To use the 'pksc11' engine: - - Use a special private key fileiname in the /etc/ppp/eaptls-client file: - : - e.g. - pkcs11:123456 - - - The certificate can also be loaded from the 'pkcs11' engine using - a special client certificate filename in the /etc/ppp/eaptls-client file: - : - e.g. - pkcs11:123456 - - - Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior - to starting 'pppd'. A sample openssl.cnf file is - - openssl_conf = openssl_def - - [ openssl_def ] - engines = engine_section - - [ engine_section ] - pkcs11 = pkcs11_section - - [ pkcs11_section ] - engine_id = pkcs11 - dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so - MODULE_PATH = /usr/lib64/libeTPkcs11.so - init = 0 - - - There are two ways to specify a password/PIN for the PKCS11 engine: - - inside the openssl.cnf file using - PIN = your-secret-pin - Note The keyword 'PIN' is case sensitive! - - Using the 'password' in the ppp options file. - From v0.97 of the eap-tls patch the password can also be supplied - using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c - for an example). - - -4. Options - - These pppd options are available: - - ca - Use the CA public certificate found in in PEM format - cert - Use the client public certificate found in in PEM format - or in engine:engine_id format - key - Use the client private key found in in PEM format - or in engine:engine_id format - crl-dir - Use CRL files from dir. It contains CRL files in PEM - format and each file contains a CRL. The files are looked up - by the issuer name hash value. Use the c_rehash utility - to create necessary links. - need-peer-eap - If the peer doesn't ask us to authenticate or doesn't use eap - to authenticate us, disconnect. - - Note: - password-encrypted certificates can be used as of v0.94 of this - patch. The password for the eap-tls.key file is specified using - the regular - password .... - statement in the ppp options file, or by using the appropriate - plugin which supplies a 'eaptls_passwd_hook' routine. - -5. Connecting - - If you're setting up a pppd server, edit the EAP-TLS configuration file - as written above and then run pppd with the 'auth' option to authenticate - the client. The EAP-TLS method will be used if the other eap methods can't - be used (no secrets). - - If you're setting up a client, edit the configuration file and then run - pppd with 'remotename' option to specify the server name. Add the - 'need-peer-eap' option if you want to be sure the peer ask you to - authenticate (and to use eap) and to disconnect if it doesn't. - -6. Notes - - This is experimental code. - Send suggestions and comments to Jan Just Keijser - diff --git a/etc.ppp/eaptls-client b/etc.ppp/eaptls-client deleted file mode 100644 index 7782f0e..0000000 --- a/etc.ppp/eaptls-client +++ /dev/null @@ -1,10 +0,0 @@ -# Parameters for authentication using EAP-TLS (client) - -# client name (can be *) -# server name (can be *) -# client certificate file (required) -# server certificate file (optional, if unused put '-') -# CA certificate file (required) -# client private key file (required) - -#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key diff --git a/etc.ppp/eaptls-server b/etc.ppp/eaptls-server deleted file mode 100644 index fa53cbd..0000000 --- a/etc.ppp/eaptls-server +++ /dev/null @@ -1,11 +0,0 @@ -# Parameters for authentication using EAP-TLS (server) - -# client name (can be *) -# server name (can be *) -# client certificate file (optional, if unused put '-') -# server certificate file (required) -# CA certificate file (required) -# server private key file (required) -# allowed addresses (required, can be *) - -#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24 diff --git a/etc.ppp/openssl.cnf b/etc.ppp/openssl.cnf deleted file mode 100644 index dd32f30..0000000 --- a/etc.ppp/openssl.cnf +++ /dev/null @@ -1,14 +0,0 @@ -openssl_conf = openssl_def - -[ openssl_def ] -engines = engine_section - -[ engine_section ] -pkcs11 = pkcs11_section - -[ pkcs11_section ] -engine_id = pkcs11 -dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so -MODULE_PATH = /usr/lib64/libeTPkcs11.so -init = 0 - diff --git a/linux/Makefile.top b/linux/Makefile.top index 9a8945a..f42efd5 100644 --- a/linux/Makefile.top +++ b/linux/Makefile.top @@ -28,7 +28,7 @@ install-progs: cd pppdump; $(MAKE) $(MFLAGS) install install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \ - $(ETCDIR)/chap-secrets $(ETCDIR)/eaptls-server $(ETCDIR)/eaptls-client + $(ETCDIR)/chap-secrets install-devel: cd pppd; $(MAKE) $(MFLAGS) install-devel @@ -39,10 +39,6 @@ $(ETCDIR)/pap-secrets: $(INSTALL) -c -m 600 etc.ppp/pap-secrets $@ $(ETCDIR)/chap-secrets: $(INSTALL) -c -m 600 etc.ppp/chap-secrets $@ -$(ETCDIR)/eaptls-server: - $(INSTALL) -c -m 600 etc.ppp/eaptls-server $@ -$(ETCDIR)/eaptls-client: - $(INSTALL) -c -m 600 etc.ppp/eaptls-client $@ $(BINDIR): $(INSTALL) -d -m 755 $@ diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux index 534ccc2..943cf83 100644 --- a/pppd/Makefile.linux +++ b/pppd/Makefile.linux @@ -79,9 +79,6 @@ CBCP=y # Use libutil USE_LIBUTIL=y -# Enable EAP-TLS authentication (requires libssl and libcrypto) -USE_EAPTLS=y - MAXOCTETS=y INCLUDE_DIRS= -I../include @@ -121,15 +118,6 @@ HEADERS += sha1.h PPPDOBJS += sha1.o endif -# EAP-TLS -ifdef USE_EAPTLS -CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include -LIBS += -lssl -lcrypto -PPPDSRC += eap-tls.c -HEADERS += eap-tls.h -PPPDOBJS += eap-tls.o -endif - ifdef HAS_SHADOW CFLAGS += -DHAS_SHADOW #LIBS += -lshadow $(LIBS) diff --git a/pppd/auth.c b/pppd/auth.c index 88cbdb6..9e957fa 100644 --- a/pppd/auth.c +++ b/pppd/auth.c @@ -109,9 +109,6 @@ #include "upap.h" #include "chap-new.h" #include "eap.h" -#ifdef USE_EAPTLS -#include "eap-tls.h" -#endif #ifdef CBCP_SUPPORT #include "cbcp.h" #endif @@ -186,11 +183,6 @@ int (*chap_check_hook) __P((void)) = NULL; /* Hook for a plugin to get the CHAP password for authenticating us */ int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL; -#ifdef USE_EAPTLS -/* Hook for a plugin to get the EAP-TLS password for authenticating us */ -int (*eaptls_passwd_hook) __P((char *user, char *passwd)) = NULL; -#endif - /* Hook for a plugin to say whether it is OK if the peer refuses to authenticate. */ int (*null_auth_hook) __P((struct wordlist **paddrs, @@ -246,13 +238,6 @@ bool explicit_remote = 0; /* User specified explicit remote name */ bool explicit_user = 0; /* Set if "user" option supplied */ bool explicit_passwd = 0; /* Set if "password" option supplied */ char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ -#ifdef USE_EAPTLS -char *cacert_file = NULL; /* CA certificate file (pem format) */ -char *cert_file = NULL; /* client certificate file (pem format) */ -char *privkey_file = NULL; /* client private key file (pem format) */ -char *crl_dir = NULL; /* directory containing CRL files */ -bool need_peer_eap = 0; /* Require peer to authenticate us */ -#endif static char *uafname; /* name of most recent +ua file */ @@ -269,19 +254,6 @@ static int have_pap_secret __P((int *)); static int have_chap_secret __P((char *, char *, int, int *)); static int have_srp_secret __P((char *client, char *server, int need_ip, int *lacks_ipp)); - -#ifdef USE_EAPTLS -static int have_eaptls_secret_server -__P((char *client, char *server, int need_ip, int *lacks_ipp)); -static int have_eaptls_secret_client __P((char *client, char *server)); -static int scan_authfile_eaptls __P((FILE * f, char *client, char *server, - char *cli_cert, char *serv_cert, - char *ca_cert, char *pk, - struct wordlist ** addrs, - struct wordlist ** opts, - char *filename, int flags)); -#endif - static int ip_addr_check __P((u_int32_t, struct permitted_ip *)); static int scan_authfile __P((FILE *, char *, char *, char *, struct wordlist **, struct wordlist **, @@ -429,14 +401,6 @@ option_t auth_options[] = { "Set telephone number(s) which are allowed to connect", OPT_PRIV | OPT_A2LIST }, -#ifdef USE_EAPTLS - { "ca", o_string, &cacert_file, "EAP-TLS CA certificate in PEM format" }, - { "cert", o_string, &cert_file, "EAP-TLS client certificate in PEM format" }, - { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" }, - { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" }, - { "need-peer-eap", o_bool, &need_peer_eap, - "Require the peer to authenticate us", 1 }, -#endif /* USE_EAPTLS */ { NULL } }; @@ -766,9 +730,6 @@ link_established(unit) lcp_options *wo = &lcp_wantoptions[unit]; lcp_options *go = &lcp_gotoptions[unit]; lcp_options *ho = &lcp_hisoptions[unit]; -#ifdef USE_EAPTLS - lcp_options *ao = &lcp_allowoptions[unit]; -#endif int i; struct protent *protp; @@ -803,22 +764,6 @@ link_established(unit) } } -#ifdef USE_EAPTLS - if (need_peer_eap && !ao->neg_eap) { - warn("eap required to authenticate us but no suitable secrets"); - lcp_close(unit, "couldn't negotiate eap"); - status = EXIT_AUTH_TOPEER_FAILED; - return; - } - - if (need_peer_eap && !ho->neg_eap) { - warn("peer doesn't want to authenticate us with eap"); - lcp_close(unit, "couldn't negotiate eap"); - status = EXIT_PEER_AUTH_FAILED; - return; - } -#endif - new_phase(PHASE_AUTHENTICATE); auth = 0; if (go->neg_eap) { @@ -1172,7 +1117,7 @@ np_down(unit, proto) UNTIMEOUT(connect_time_expired, NULL); #ifdef MAXOCTETS UNTIMEOUT(check_maxoctets, NULL); -#endif +#endif new_phase(PHASE_NETWORK); } } @@ -1199,7 +1144,7 @@ check_maxoctets(arg) update_link_stats(ifunit); link_stats_valid=0; - + switch(maxoctets_dir) { case PPP_OCTETS_DIRECTION_IN: used = link_stats.bytes_in; @@ -1332,15 +1277,6 @@ auth_check_options() our_name, 1, &lacks_ip); } -#ifdef USE_EAPTLS - if (!can_auth && wo->neg_eap) { - can_auth = - have_eaptls_secret_server((explicit_remote ? remote_name : - NULL), our_name, 1, &lacks_ip); - - } -#endif - if (auth_required && !can_auth && noauth_addrs == NULL) { if (default_auth) { option_error( @@ -1395,11 +1331,7 @@ auth_reset(unit) passwd[0] != 0 || (hadchap == 1 || (hadchap == -1 && have_chap_secret(user, (explicit_remote? remote_name: NULL), 0, NULL))) || - have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL) -#ifdef USE_EAPTLS - || have_eaptls_secret_client(user, (explicit_remote? remote_name: NULL)) -#endif - ); + have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)); hadchap = -1; if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) @@ -1414,14 +1346,8 @@ auth_reset(unit) !have_chap_secret((explicit_remote? remote_name: NULL), our_name, 1, NULL))) && !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1, - NULL) -#ifdef USE_EAPTLS - && !have_eaptls_secret_server((explicit_remote? remote_name: NULL), - our_name, 1, NULL) -#endif - ) + NULL)) go->neg_eap = 0; - } @@ -1781,7 +1707,6 @@ have_srp_secret(client, server, need_ip, lacks_ipp) } - /* * get_secret - open the CHAP secret file and return the secret * for authenticating the given client on the given server. @@ -2434,334 +2359,3 @@ auth_script(script) auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0); } - - -#ifdef USE_EAPTLS -static int -have_eaptls_secret_server(client, server, need_ip, lacks_ipp) - char *client; - char *server; - int need_ip; - int *lacks_ipp; -{ - FILE *f; - int ret; - char *filename; - struct wordlist *addrs; - char servcertfile[MAXWORDLEN]; - char clicertfile[MAXWORDLEN]; - char cacertfile[MAXWORDLEN]; - char pkfile[MAXWORDLEN]; - - filename = _PATH_EAPTLSSERVFILE; - f = fopen(filename, "r"); - if (f == NULL) - return 0; - - if (client != NULL && client[0] == 0) - client = NULL; - else if (server != NULL && server[0] == 0) - server = NULL; - - ret = - scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, - cacertfile, pkfile, &addrs, NULL, filename, - 0); - - fclose(f); - -/* - if (ret >= 0 && !eaptls_init_ssl(1, cacertfile, servcertfile, - clicertfile, pkfile)) - ret = -1; -*/ - - if (ret >= 0 && need_ip && !some_ip_ok(addrs)) { - if (lacks_ipp != 0) - *lacks_ipp = 1; - ret = -1; - } - if (addrs != 0) - free_wordlist(addrs); - - return ret >= 0; -} - - -static int -have_eaptls_secret_client(client, server) - char *client; - char *server; -{ - FILE *f; - int ret; - char *filename; - struct wordlist *addrs = NULL; - char servcertfile[MAXWORDLEN]; - char clicertfile[MAXWORDLEN]; - char cacertfile[MAXWORDLEN]; - char pkfile[MAXWORDLEN]; - - if (client != NULL && client[0] == 0) - client = NULL; - else if (server != NULL && server[0] == 0) - server = NULL; - - if (cacert_file && cert_file && privkey_file) - return 1; - - filename = _PATH_EAPTLSCLIFILE; - f = fopen(filename, "r"); - if (f == NULL) - return 0; - - ret = - scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, - cacertfile, pkfile, &addrs, NULL, filename, - 0); - fclose(f); - -/* - if (ret >= 0 && !eaptls_init_ssl(0, cacertfile, clicertfile, - servcertfile, pkfile)) - ret = -1; -*/ - - if (addrs != 0) - free_wordlist(addrs); - - return ret >= 0; -} - - -static int -scan_authfile_eaptls(f, client, server, cli_cert, serv_cert, ca_cert, pk, - addrs, opts, filename, flags) - FILE *f; - char *client; - char *server; - char *cli_cert; - char *serv_cert; - char *ca_cert; - char *pk; - struct wordlist **addrs; - struct wordlist **opts; - char *filename; - int flags; -{ - int newline; - int got_flag, best_flag; - struct wordlist *ap, *addr_list, *alist, **app; - char word[MAXWORDLEN]; - - if (addrs != NULL) - *addrs = NULL; - if (opts != NULL) - *opts = NULL; - addr_list = NULL; - if (!getword(f, word, &newline, filename)) - return -1; /* file is empty??? */ - newline = 1; - best_flag = -1; - for (;;) { - /* - * Skip until we find a word at the start of a line. - */ - while (!newline && getword(f, word, &newline, filename)); - if (!newline) - break; /* got to end of file */ - - /* - * Got a client - check if it's a match or a wildcard. - */ - got_flag = 0; - if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) { - newline = 0; - continue; - } - if (!ISWILD(word)) - got_flag = NONWILD_CLIENT; - - /* - * Now get a server and check if it matches. - */ - if (!getword(f, word, &newline, filename)) - break; - if (newline) - continue; - if (!ISWILD(word)) { - if (server != NULL && strcmp(word, server) != 0) - continue; - got_flag |= NONWILD_SERVER; - } - - /* - * Got some sort of a match - see if it's better than what - * we have already. - */ - if (got_flag <= best_flag) - continue; - - /* - * Get the cli_cert - */ - if (!getword(f, word, &newline, filename)) - break; - if (newline) - continue; - if (strcmp(word, "-") != 0) { - strlcpy(cli_cert, word, MAXWORDLEN); - } else - cli_cert[0] = 0; - - /* - * Get serv_cert - */ - if (!getword(f, word, &newline, filename)) - break; - if (newline) - continue; - if (strcmp(word, "-") != 0) { - strlcpy(serv_cert, word, MAXWORDLEN); - } else - serv_cert[0] = 0; - - /* - * Get ca_cert - */ - if (!getword(f, word, &newline, filename)) - break; - if (newline) - continue; - strlcpy(ca_cert, word, MAXWORDLEN); - - /* - * Get pk - */ - if (!getword(f, word, &newline, filename)) - break; - if (newline) - continue; - strlcpy(pk, word, MAXWORDLEN); - - - /* - * Now read address authorization info and make a wordlist. - */ - app = &alist; - for (;;) { - if (!getword(f, word, &newline, filename) || newline) - break; - ap = (struct wordlist *) - malloc(sizeof(struct wordlist) + strlen(word) + 1); - if (ap == NULL) - novm("authorized addresses"); - ap->word = (char *) (ap + 1); - strcpy(ap->word, word); - *app = ap; - app = &ap->next; - } - *app = NULL; - /* - * This is the best so far; remember it. - */ - best_flag = got_flag; - if (addr_list) - free_wordlist(addr_list); - addr_list = alist; - - if (!newline) - break; - } - - /* scan for a -- word indicating the start of options */ - for (app = &addr_list; (ap = *app) != NULL; app = &ap->next) - if (strcmp(ap->word, "--") == 0) - break; - /* ap = start of options */ - if (ap != NULL) { - ap = ap->next; /* first option */ - free(*app); /* free the "--" word */ - *app = NULL; /* terminate addr list */ - } - if (opts != NULL) - *opts = ap; - else if (ap != NULL) - free_wordlist(ap); - if (addrs != NULL) - *addrs = addr_list; - else if (addr_list != NULL) - free_wordlist(addr_list); - - return best_flag; -} - - -int -get_eaptls_secret(unit, client, server, clicertfile, servcertfile, - cacertfile, pkfile, am_server) - int unit; - char *client; - char *server; - char *clicertfile; - char *servcertfile; - char *cacertfile; - char *pkfile; - int am_server; -{ - FILE *fp; - int ret; - char *filename = NULL; - struct wordlist *addrs = NULL; - struct wordlist *opts = NULL; - - /* in client mode the ca+cert+privkey can also be specified as options */ - if (!am_server && cacert_file && cert_file && privkey_file ) - { - strlcpy( clicertfile, cert_file, MAXWORDLEN ); - strlcpy( cacertfile, cacert_file, MAXWORDLEN ); - strlcpy( pkfile, privkey_file, MAXWORDLEN ); - servcertfile[0] = '\0'; - } - else - { - filename = (am_server ? _PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE); - addrs = NULL; - - fp = fopen(filename, "r"); - if (fp == NULL) - { - error("Can't open eap-tls secret file %s: %m", filename); - return 0; - } - - check_access(fp, filename); - - ret = scan_authfile_eaptls(fp, client, server, clicertfile, servcertfile, - cacertfile, pkfile, &addrs, &opts, filename, 0); - - fclose(fp); - - if (ret < 0) return 0; - } - - if (eaptls_passwd_hook) - { - dbglog( "Calling eaptls password hook" ); - if ( (*eaptls_passwd_hook)(pkfile, passwd) < 0) - { - error("Unable to obtain EAP-TLS password for %s (%s) from plugin", - client, pkfile); - return 0; - } - } - if (am_server) - set_allowed_addrs(unit, addrs, opts); - else if (opts != NULL) - free_wordlist(opts); - if (addrs != NULL) - free_wordlist(addrs); - - return 1; -} -#endif diff --git a/pppd/ccp.c b/pppd/ccp.c index 7dead23..5814f35 100644 --- a/pppd/ccp.c +++ b/pppd/ccp.c @@ -540,9 +540,6 @@ ccp_resetci(f) if (go->mppe) { ccp_options *ao = &ccp_allowoptions[f->unit]; int auth_mschap_bits = auth_done[f->unit]; -#ifdef USE_EAPTLS - int auth_eap_bits = auth_done[f->unit]; -#endif int numbits; /* @@ -570,23 +567,8 @@ ccp_resetci(f) lcp_close(f->unit, "MPPE required but not available"); return; } - -#ifdef USE_EAPTLS - /* - * MPPE is also possible in combination with EAP-TLS. - * It is not possible to detect if we're doing EAP or EAP-TLS - * at this stage, hence we accept all forms of EAP. If TLS is - * not used then the MPPE keys will not be derived anyway. - */ - /* Leave only the eap auth bits set */ - auth_eap_bits &= (EAP_WITHPEER | EAP_PEER ); - - if ((numbits == 0) && (auth_eap_bits == 0)) { - error("MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed."); -#else if (!numbits) { - error("MPPE required, but MS-CHAP[v2] auth not performed."); -#endif + error("MPPE required, but MS-CHAP[v2] auth not performed."); lcp_close(f->unit, "MPPE required but not available"); return; } diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c index 269b52c..77dd4ec 100644 --- a/pppd/chap-md5.c +++ b/pppd/chap-md5.c @@ -36,11 +36,7 @@ #include "chap-new.h" #include "chap-md5.h" #include "magic.h" -#ifdef USE_EAPTLS -#include "eap-tls.h" -#else #include "md5.h" -#endif /* USE_EAPTLS */ #define MD5_HASH_SIZE 16 #define MD5_MIN_CHALLENGE 16 diff --git a/pppd/eap-tls.c b/pppd/eap-tls.c deleted file mode 100644 index a3aea5a..0000000 --- a/pppd/eap-tls.c +++ /dev/null @@ -1,1174 +0,0 @@ -/* - * eap-tls.c - EAP-TLS implementation for PPP - * - * Copyright (c) Beniamino Galvani 2005 All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. The name(s) of the authors of this software must not be used to - * endorse or promote products derived from this software without - * prior written permission. - * - * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO - * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY - * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN - * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING - * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - */ - -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include - -#include "pppd.h" -#include "eap.h" -#include "eap-tls.h" -#include "fsm.h" -#include "lcp.h" -#include "pathnames.h" - -/* The openssl configuration file and engines can be loaded only once */ -static CONF *ssl_config = NULL; -static ENGINE *cert_engine = NULL; -static ENGINE *pkey_engine = NULL; - -#ifdef MPPE - -/* - * TLS PRF from RFC 2246 - */ -static void P_hash(const EVP_MD *evp_md, - const unsigned char *secret, unsigned int secret_len, - const unsigned char *seed, unsigned int seed_len, - unsigned char *out, unsigned int out_len) -{ - HMAC_CTX ctx_a, ctx_out; - unsigned char a[HMAC_MAX_MD_CBLOCK]; - unsigned int size; - - HMAC_CTX_init(&ctx_a); - HMAC_CTX_init(&ctx_out); - HMAC_Init_ex(&ctx_a, secret, secret_len, evp_md, NULL); - HMAC_Init_ex(&ctx_out, secret, secret_len, evp_md, NULL); - - size = HMAC_size(&ctx_out); - - /* Calculate A(1) */ - HMAC_Update(&ctx_a, seed, seed_len); - HMAC_Final(&ctx_a, a, NULL); - - while (1) { - /* Calculate next part of output */ - HMAC_Update(&ctx_out, a, size); - HMAC_Update(&ctx_out, seed, seed_len); - - /* Check if last part */ - if (out_len < size) { - HMAC_Final(&ctx_out, a, NULL); - memcpy(out, a, out_len); - break; - } - - /* Place digest in output buffer */ - HMAC_Final(&ctx_out, out, NULL); - HMAC_Init_ex(&ctx_out, NULL, 0, NULL, NULL); - out += size; - out_len -= size; - - /* Calculate next A(i) */ - HMAC_Init_ex(&ctx_a, NULL, 0, NULL, NULL); - HMAC_Update(&ctx_a, a, size); - HMAC_Final(&ctx_a, a, NULL); - } - - HMAC_CTX_cleanup(&ctx_a); - HMAC_CTX_cleanup(&ctx_out); - memset(a, 0, sizeof(a)); -} - -static void PRF(const unsigned char *secret, unsigned int secret_len, - const unsigned char *seed, unsigned int seed_len, - unsigned char *out, unsigned char *buf, unsigned int out_len) -{ - unsigned int i; - unsigned int len = (secret_len + 1) / 2; - const unsigned char *s1 = secret; - const unsigned char *s2 = secret + (secret_len - len); - - P_hash(EVP_md5(), s1, len, seed, seed_len, out, out_len); - P_hash(EVP_sha1(), s2, len, seed, seed_len, buf, out_len); - - for (i=0; i < out_len; i++) { - out[i] ^= buf[i]; - } -} - -#define EAPTLS_MPPE_KEY_LEN 32 - -/* - * Generate keys according to RFC 2716 and add to reply - */ -void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, - int client) -{ - unsigned char out[4*EAPTLS_MPPE_KEY_LEN], buf[4*EAPTLS_MPPE_KEY_LEN]; - unsigned char seed[64 + 2*SSL3_RANDOM_SIZE]; - unsigned char *p = seed; - SSL *s = ets->ssl; - size_t prf_size; - - prf_size = strlen(prf_label); - - memcpy(p, prf_label, prf_size); - p += prf_size; - - memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); - p += SSL3_RANDOM_SIZE; - prf_size += SSL3_RANDOM_SIZE; - - memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); - prf_size += SSL3_RANDOM_SIZE; - - PRF(s->session->master_key, s->session->master_key_length, - seed, prf_size, out, buf, sizeof(out)); - - /* - * We now have the master send and receive keys. - * From these, generate the session send and receive keys. - * (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details) - */ - if (client) - { - p = out; - BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); - p += EAPTLS_MPPE_KEY_LEN; - BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); - } - else - { - p = out; - BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); - p += EAPTLS_MPPE_KEY_LEN; - BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); - } - - mppe_keys_set = 1; -} - -#endif - -void log_ssl_errors( void ) -{ - unsigned long ssl_err = ERR_get_error(); - - if (ssl_err != 0) - dbglog("EAP-TLS SSL error stack:"); - while (ssl_err != 0) { - dbglog( ERR_error_string( ssl_err, NULL ) ); - ssl_err = ERR_get_error(); - } -} - - -int password_callback (char *buf, int size, int rwflag, void *u) -{ - if (buf) - { - strncpy (buf, passwd, size); - return strlen (buf); - } - return 0; -} - - -CONF *eaptls_ssl_load_config( void ) -{ - CONF *config; - int ret_code; - long error_line = 33; - - config = NCONF_new( NULL ); - dbglog( "Loading OpenSSL config file" ); - ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line ); - if (ret_code == 0) - { - warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line ); - NCONF_free( config ); - config = NULL; - ERR_clear_error(); - } - - dbglog( "Loading OpenSSL built-ins" ); - ENGINE_load_builtin_engines(); - OPENSSL_load_builtin_modules(); - - dbglog( "Loading OpenSSL configured modules" ); - if (CONF_modules_load( config, NULL, 0 ) <= 0 ) - { - warn( "EAP-TLS: Error loading OpenSSL modules" ); - log_ssl_errors(); - config = NULL; - } - - return config; -} - -ENGINE *eaptls_ssl_load_engine( char *engine_name ) -{ - ENGINE *e = NULL; - - dbglog( "Enabling OpenSSL auto engines" ); - ENGINE_register_all_complete(); - - dbglog( "Loading OpenSSL '%s' engine support", engine_name ); - e = ENGINE_by_id( engine_name ); - if (!e) - { - dbglog( "EAP-TLS: Cannot load '%s' engine support, trying 'dynamic'", engine_name ); - e = ENGINE_by_id( "dynamic" ); - if (e) - { - if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine_name, 0) - || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) - { - warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name ); - log_ssl_errors(); - ENGINE_free(e); - e = NULL; - } - } - else - { - warn( "EAP-TLS: Cannot load dynamic engine support" ); - } - } - - if (e) - { - dbglog( "Initialising engine" ); - if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) - { - warn( "EAP-TLS: Cannot use that engine" ); - log_ssl_errors(); - ENGINE_free(e); - e = NULL; - } - } - - return e; -} - -/* - * Initialize the SSL stacks and tests if certificates, key and crl - * for client or server use can be loaded. - */ -SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, - char *certfile, char *peer_certfile, char *privkeyfile) -{ - char *cert_engine_name = NULL; - char *cert_identifier = NULL; - char *pkey_engine_name = NULL; - char *pkey_identifier = NULL; - SSL_CTX *ctx; - X509_STORE *certstore; - X509_LOOKUP *lookup; - X509 *tmp; - - /* - * Without these can't continue - */ - if (!cacertfile[0]) - { - error("EAP-TLS: CA certificate missing"); - return NULL; - } - - if (!certfile[0]) - { - error("EAP-TLS: User certificate missing"); - return NULL; - } - - if (!privkeyfile[0]) - { - error("EAP-TLS: User private key missing"); - return NULL; - } - - SSL_library_init(); - SSL_load_error_strings(); - - ctx = SSL_CTX_new(TLSv1_method()); - - if (!ctx) { - error("EAP-TLS: Cannot initialize SSL CTX context"); - goto fail; - } - - /* if the certificate filename is of the form engine:id. e.g. - pkcs11:12345 - then we try to load and use this engine. - If the certificate filename starts with a / or . then we - ALWAYS assume it is a file and not an engine/pkcs11 identifier - */ - if ( index( certfile, '/' ) == NULL && index( certfile, '.') == NULL ) - { - cert_identifier = index( certfile, ':' ); - - if (cert_identifier) - { - cert_engine_name = certfile; - *cert_identifier = '\0'; - cert_identifier++; - - dbglog( "Found certificate engine '%s'", cert_engine_name ); - dbglog( "Found certificate identifier '%s'", cert_identifier ); - } - } - - /* if the privatekey filename is of the form engine:id. e.g. - pkcs11:12345 - then we try to load and use this engine. - If the privatekey filename starts with a / or . then we - ALWAYS assume it is a file and not an engine/pkcs11 identifier - */ - if ( index( privkeyfile, '/' ) == NULL && index( privkeyfile, '.') == NULL ) - { - pkey_identifier = index( privkeyfile, ':' ); - - if (pkey_identifier) - { - pkey_engine_name = privkeyfile; - *pkey_identifier = '\0'; - pkey_identifier++; - - dbglog( "Found privatekey engine '%s'", pkey_engine_name ); - dbglog( "Found privatekey identifier '%s'", pkey_identifier ); - } - } - - if (cert_identifier && pkey_identifier) - { - if (strlen( cert_identifier ) == 0) - { - if (strlen( pkey_identifier ) == 0) - error( "EAP-TLS: both the certificate and privatekey identifiers are missing!" ); - else - { - dbglog( "Substituting privatekey identifier for certificate identifier" ); - cert_identifier = pkey_identifier; - } - } - else - { - if (strlen( pkey_identifier ) == 0) - { - dbglog( "Substituting certificate identifier for privatekey identifier" ); - pkey_identifier = cert_identifier; - } - } - - } - - /* load the openssl config file only once */ - if (!ssl_config) - { - if (cert_engine_name || pkey_engine_name) - ssl_config = eaptls_ssl_load_config(); - - if (ssl_config && cert_engine_name) - cert_engine = eaptls_ssl_load_engine( cert_engine_name ); - - if (ssl_config && pkey_engine_name) - { - /* don't load the same engine twice */ - if ( strcmp( cert_engine_name, pkey_engine_name) == 0 ) - pkey_engine = cert_engine; - else - pkey_engine = eaptls_ssl_load_engine( pkey_engine_name ); - } - } - - SSL_CTX_set_default_passwd_cb (ctx, password_callback); - - if (!SSL_CTX_load_verify_locations(ctx, cacertfile, NULL)) - { - error("EAP-TLS: Cannot load or verify CA file %s", cacertfile); - goto fail; - } - - if (init_server) - SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile)); - - if (cert_engine) - { - struct - { - const char *s_slot_cert_id; - X509 *cert; - } cert_info; - - cert_info.s_slot_cert_id = cert_identifier; - cert_info.cert = NULL; - - if (!ENGINE_ctrl_cmd( cert_engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0 ) ) - { - error( "EAP-TLS: Error loading certificate with id '%s' from engine", cert_identifier ); - goto fail; - } - - if (cert_info.cert) - { - dbglog( "Got the certificate, adding it to SSL context" ); - dbglog( "subject = %s", X509_NAME_oneline( X509_get_subject_name( cert_info.cert ), NULL, 0 ) ); - if (SSL_CTX_use_certificate(ctx, cert_info.cert) <= 0) - { - error("EAP-TLS: Cannot use PKCS11 certificate %s", cert_identifier); - goto fail; - } - } - else - { - warn("EAP-TLS: Cannot load PKCS11 key %s", cert_identifier); - log_ssl_errors(); - } - } - else - { - if (!SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM)) - { - error( "EAP-TLS: Cannot use public certificate %s", certfile ); - goto fail; - } - } - - if (pkey_engine) - { - EVP_PKEY *pkey = NULL; - PW_CB_DATA cb_data; - - cb_data.password = passwd; - cb_data.prompt_info = pkey_identifier; - - dbglog( "Loading private key '%s' from engine", pkey_identifier ); - pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, &cb_data); - if (pkey) - { - dbglog( "Got the private key, adding it to SSL context" ); - if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) - { - error("EAP-TLS: Cannot use PKCS11 key %s", pkey_identifier); - goto fail; - } - } - else - { - warn("EAP-TLS: Cannot load PKCS11 key %s", pkey_identifier); - log_ssl_errors(); - } - } - else - { - if (!SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, SSL_FILETYPE_PEM)) - { - error("EAP-TLS: Cannot use private key %s", privkeyfile); - goto fail; - } - } - - if (SSL_CTX_check_private_key(ctx) != 1) { - error("EAP-TLS: Private key %s fails security check", privkeyfile); - goto fail; - } - - SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); - SSL_CTX_set_verify_depth(ctx, 5); - SSL_CTX_set_verify(ctx, - SSL_VERIFY_PEER | - SSL_VERIFY_FAIL_IF_NO_PEER_CERT, - &ssl_verify_callback); - - if (crl_dir) { - if (!(certstore = SSL_CTX_get_cert_store(ctx))) { - error("EAP-TLS: Failed to get certificate store"); - goto fail; - } - - if (!(lookup = - X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir()))) { - error("EAP-TLS: Store lookup for CRL failed"); - - goto fail; - } - - X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM); - X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK); - } - - /* - * If a peer certificate file was specified, it must be valid, else fail - */ - if (peer_certfile[0]) { - if (!(tmp = get_X509_from_file(peer_certfile))) { - error("EAP-TLS: Error loading client certificate from file %s", - peer_certfile); - goto fail; - } - X509_free(tmp); - } - - return ctx; - -fail: - log_ssl_errors(); - SSL_CTX_free(ctx); - return NULL; -} - -/* - * Determine the maximum packet size by looking at the LCP handshake - */ - -int eaptls_get_mtu(int unit) -{ - int mtu, mru; - - lcp_options *wo = &lcp_wantoptions[unit]; - lcp_options *go = &lcp_gotoptions[unit]; - lcp_options *ho = &lcp_hisoptions[unit]; - lcp_options *ao = &lcp_allowoptions[unit]; - - mtu = ho->neg_mru? ho->mru: PPP_MRU; - mru = go->neg_mru? MAX(wo->mru, go->mru): PPP_MRU; - mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10; - - dbglog("MTU = %d", mtu); - return mtu; -} - - -/* - * Init the ssl handshake (server mode) - */ -int eaptls_init_ssl_server(eap_state * esp) -{ - struct eaptls_session *ets; - char servcertfile[MAXWORDLEN]; - char clicertfile[MAXWORDLEN]; - char cacertfile[MAXWORDLEN]; - char pkfile[MAXWORDLEN]; - /* - * Allocate new eaptls session - */ - esp->es_server.ea_session = malloc(sizeof(struct eaptls_session)); - if (!esp->es_server.ea_session) - fatal("Allocation error"); - ets = esp->es_server.ea_session; - - if (!esp->es_server.ea_peer) { - error("EAP-TLS: Error: client name not set (BUG)"); - return 0; - } - - strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN); - - dbglog( "getting eaptls secret" ); - if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer, - esp->es_server.ea_name, clicertfile, - servcertfile, cacertfile, pkfile, 1)) { - error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", - esp->es_server.ea_peer, esp->es_server.ea_name ); - return 0; - } - - ets->mtu = eaptls_get_mtu(esp->es_unit); - - ets->ctx = eaptls_init_ssl(1, cacertfile, servcertfile, clicertfile, pkfile); - if (!ets->ctx) - goto fail; - - if (!(ets->ssl = SSL_new(ets->ctx))) - goto fail; - - /* - * Set auto-retry to avoid timeouts on BIO_read - */ - SSL_set_mode(ets->ssl, SSL_MODE_AUTO_RETRY); - - /* - * Initialize the BIOs we use to read/write to ssl engine - */ - ets->into_ssl = BIO_new(BIO_s_mem()); - ets->from_ssl = BIO_new(BIO_s_mem()); - SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl); - - SSL_set_msg_callback(ets->ssl, ssl_msg_callback); - SSL_set_msg_callback_arg(ets->ssl, ets); - - /* - * Attach the session struct to the connection, so we can later - * retrieve it when doing certificate verification - */ - SSL_set_ex_data(ets->ssl, 0, ets); - - SSL_set_accept_state(ets->ssl); - - ets->data = NULL; - ets->datalen = 0; - ets->alert_sent = 0; - ets->alert_recv = 0; - - /* - * If we specified the client certificate file, store it in ets->peercertfile, - * so we can check it later in ssl_verify_callback() - */ - if (clicertfile[0]) - strncpy(&ets->peercertfile[0], clicertfile, MAXWORDLEN); - else - ets->peercertfile[0] = 0; - - return 1; - -fail: - SSL_CTX_free(ets->ctx); - return 0; -} - -/* - * Init the ssl handshake (client mode) - */ -int eaptls_init_ssl_client(eap_state * esp) -{ - struct eaptls_session *ets; - char servcertfile[MAXWORDLEN]; - char clicertfile[MAXWORDLEN]; - char cacertfile[MAXWORDLEN]; - char pkfile[MAXWORDLEN]; - - /* - * Allocate new eaptls session - */ - esp->es_client.ea_session = malloc(sizeof(struct eaptls_session)); - if (!esp->es_client.ea_session) - fatal("Allocation error"); - ets = esp->es_client.ea_session; - - /* - * If available, copy server name in ets; it will be used in cert - * verify - */ - if (esp->es_client.ea_peer) - strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN); - else - ets->peer[0] = 0; - - ets->mtu = eaptls_get_mtu(esp->es_unit); - - dbglog( "calling get_eaptls_secret" ); - if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name, - esp->es_client.ea_peer, clicertfile, - servcertfile, cacertfile, pkfile, 0)) { - error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", - esp->es_client.ea_name, esp->es_client.ea_peer ); - return 0; - } - - dbglog( "calling eaptls_init_ssl" ); - ets->ctx = eaptls_init_ssl(0, cacertfile, clicertfile, servcertfile, pkfile); - if (!ets->ctx) - goto fail; - - ets->ssl = SSL_new(ets->ctx); - - if (!ets->ssl) - goto fail; - - /* - * Initialize the BIOs we use to read/write to ssl engine - */ - dbglog( "Initializing SSL BIOs" ); - ets->into_ssl = BIO_new(BIO_s_mem()); - ets->from_ssl = BIO_new(BIO_s_mem()); - SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl); - - SSL_set_msg_callback(ets->ssl, ssl_msg_callback); - SSL_set_msg_callback_arg(ets->ssl, ets); - - /* - * Attach the session struct to the connection, so we can later - * retrieve it when doing certificate verification - */ - SSL_set_ex_data(ets->ssl, 0, ets); - - SSL_set_connect_state(ets->ssl); - - ets->data = NULL; - ets->datalen = 0; - ets->alert_sent = 0; - ets->alert_recv = 0; - - /* - * If we specified the server certificate file, store it in - * ets->peercertfile, so we can check it later in - * ssl_verify_callback() - */ - if (servcertfile[0]) - strncpy(ets->peercertfile, servcertfile, MAXWORDLEN); - else - ets->peercertfile[0] = 0; - - return 1; - -fail: - dbglog( "eaptls_init_ssl_client: fail" ); - SSL_CTX_free(ets->ctx); - return 0; - -} - -void eaptls_free_session(struct eaptls_session *ets) -{ - if (ets->ssl) - SSL_free(ets->ssl); - - if (ets->ctx) - SSL_CTX_free(ets->ctx); - - free(ets); -} - -/* - * Handle a received packet, reassembling fragmented messages and - * passing them to the ssl engine - */ -int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len) -{ - u_char flags; - u_int tlslen; - u_char dummy[65536]; - - GETCHAR(flags, inp); - len--; - - if (flags & EAP_TLS_FLAGS_LI && !ets->data) { - - /* - * This is the first packet of a message - */ - - GETLONG(tlslen, inp); - len -= 4; - - if (tlslen > EAP_TLS_MAX_LEN) { - error("Error: tls message length > %d, truncated", - EAP_TLS_MAX_LEN); - tlslen = EAP_TLS_MAX_LEN; - } - - /* - * Allocate memory for the whole message - */ - ets->data = malloc(tlslen); - if (!ets->data) - fatal("EAP TLS: allocation error\n"); - - ets->datalen = 0; - ets->tlslen = tlslen; - - } - else if (flags & EAP_TLS_FLAGS_LI && ets->data) { - /* - * Non first with LI (strange...) - */ - - GETLONG(tlslen, inp); - len -= 4; - - } - else if (!ets->data) { - /* - * A non fragmented message without LI flag - */ - - ets->data = malloc(len); - if (!ets->data) - fatal("EAP TLS: allocation error\n"); - - ets->datalen = 0; - ets->tlslen = len; - } - - if (flags & EAP_TLS_FLAGS_MF) - ets->frag = 1; - else - ets->frag = 0; - - if (len + ets->datalen > ets->tlslen) { - warn("EAP TLS: received data > TLS message length"); - return 1; - } - - BCOPY(inp, ets->data + ets->datalen, len); - ets->datalen += len; - - if (!ets->frag) { - - /* - * If we have the whole message, pass it to ssl - */ - - if (ets->datalen != ets->tlslen) { - warn("EAP TLS: received data != TLS message length"); - return 1; - } - - if (BIO_write(ets->into_ssl, ets->data, ets->datalen) == -1) - log_ssl_errors(); - - SSL_read(ets->ssl, dummy, 65536); - - free(ets->data); - ets->data = NULL; - ets->datalen = 0; - } - - return 0; -} - -/* - * Return an eap-tls packet in outp. - * A TLS message read from the ssl engine is buffered in ets->data. - * At each call we control if there is buffered data and send a - * packet of mtu bytes. - */ -int eaptls_send(struct eaptls_session *ets, u_char ** outp) -{ - bool first = 0; - int size; - u_char fromtls[65536]; - int res; - u_char *start; - - start = *outp; - - if (!ets->data) { - - if(!ets->alert_sent) - SSL_read(ets->ssl, fromtls, 65536); - - /* - * Read from ssl - */ - if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) == -1) - fatal("No data from BIO_read"); - - ets->datalen = res; - - ets->data = malloc(ets->datalen); - BCOPY(fromtls, ets->data, ets->datalen); - - ets->offset = 0; - first = 1; - - } - - size = ets->datalen - ets->offset; - - if (size > ets->mtu) { - size = ets->mtu; - ets->frag = 1; - } else - ets->frag = 0; - - PUTCHAR(EAPT_TLS, *outp); - - /* - * Set right flags and length if necessary - */ - if (ets->frag && first) { - PUTCHAR(EAP_TLS_FLAGS_LI | EAP_TLS_FLAGS_MF, *outp); - PUTLONG(ets->datalen, *outp); - } else if (ets->frag) { - PUTCHAR(EAP_TLS_FLAGS_MF, *outp); - } else - PUTCHAR(0, *outp); - - /* - * Copy the data in outp - */ - BCOPY(ets->data + ets->offset, *outp, size); - INCPTR(size, *outp); - - /* - * Copy the packet in retransmission buffer - */ - BCOPY(start, &ets->rtx[0], *outp - start); - ets->rtx_len = *outp - start; - - ets->offset += size; - - if (ets->offset >= ets->datalen) { - - /* - * The whole message has been sent - */ - - free(ets->data); - ets->data = NULL; - ets->datalen = 0; - ets->offset = 0; - } - - return 0; -} - -/* - * Get the sent packet from the retransmission buffer - */ -void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp) -{ - BCOPY(ets->rtx, *outp, ets->rtx_len); - INCPTR(ets->rtx_len, *outp); -} - -/* - * Verify a certificate. - * Most of the work (signatures and issuer attributes checking) - * is done by ssl; we check the CN in the peer certificate - * against the peer name. - */ -int ssl_verify_callback(int preverify_ok, X509_STORE_CTX * ctx) -{ - char subject[256]; - char cn_str[256]; - X509 *peer_cert; - int err, depth; - int ok = preverify_ok; - SSL *ssl; - struct eaptls_session *ets; - - peer_cert = X509_STORE_CTX_get_current_cert(ctx); - err = X509_STORE_CTX_get_error(ctx); - depth = X509_STORE_CTX_get_error_depth(ctx); - - dbglog("certificate verify depth: %d", depth); - - if (auth_required && !ok) { - X509_NAME_oneline(X509_get_subject_name(peer_cert), - subject, 256); - - X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert), - NID_commonName, cn_str, 256); - - dbglog("Certificate verification error:\n depth: %d CN: %s" - "\n err: %d (%s)\n", depth, cn_str, err, - X509_verify_cert_error_string(err)); - - return 0; - } - - ssl = X509_STORE_CTX_get_ex_data(ctx, - SSL_get_ex_data_X509_STORE_CTX_idx()); - - ets = (struct eaptls_session *)SSL_get_ex_data(ssl, 0); - - if (ets == NULL) { - error("Error: SSL_get_ex_data returned NULL"); - return 0; - } - - log_ssl_errors(); - - if (!depth) { /* This is the peer certificate */ - - X509_NAME_oneline(X509_get_subject_name(peer_cert), - subject, 256); - - X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert), - NID_commonName, cn_str, 256); - - /* - * If acting as client and the name of the server wasn't specified - * explicitely, we can't verify the server authenticity - */ - if (!ets->peer[0]) { - warn("Peer name not specified: no check"); - return 1; - } - - /* - * Check the CN - */ - if (strcmp(cn_str, ets->peer)) { - error - ("Certificate verification error: CN (%s) != peer_name (%s)", - cn_str, ets->peer); - return 0; - } - - warn("Certificate CN: %s , peer name %s", cn_str, ets->peer); - - /* - * If a peer certificate file was specified, here we check it - */ - if (ets->peercertfile[0]) { - if (ssl_cmp_certs(&ets->peercertfile[0], peer_cert) - != 0) { - error - ("Peer certificate doesn't match stored certificate"); - return 0; - } - } - } - - return 1; -} - -/* - * Compare a certificate with the one stored in a file - */ -int ssl_cmp_certs(char *filename, X509 * a) -{ - X509 *b; - int ret; - - if (!(b = get_X509_from_file(filename))) - return 1; - - ret = X509_cmp(a, b); - X509_free(b); - - return ret; - -} - -X509 *get_X509_from_file(char *filename) -{ - FILE *fp; - X509 *ret; - - if (!(fp = fopen(filename, "r"))) - return NULL; - - ret = PEM_read_X509(fp, NULL, NULL, NULL); - - fclose(fp); - - return ret; -} - -/* - * Every sent & received message this callback function is invoked, - * so we know when alert messages have arrived or are sent and - * we can print debug information about TLS handshake. - */ -void -ssl_msg_callback(int write_p, int version, int content_type, - const void *buf, size_t len, SSL * ssl, void *arg) -{ - char string[256]; - struct eaptls_session *ets = (struct eaptls_session *)arg; - unsigned char code; - - if(write_p) - strcpy(string, " -> "); - else - strcpy(string, " <- "); - - - switch(content_type) { - - case SSL3_RT_ALERT: - strcat(string, "Alert: "); - code = ((const unsigned char *)buf)[1]; - - if (write_p) { - ets->alert_sent = 1; - ets->alert_sent_desc = code; - } else { - ets->alert_recv = 1; - ets->alert_recv_desc = code; - } - - strcat(string, SSL_alert_desc_string_long(code)); - break; - - case SSL3_RT_CHANGE_CIPHER_SPEC: - strcat(string, "ChangeCipherSpec"); - break; - - case SSL3_RT_HANDSHAKE: - - strcat(string, "Handshake: "); - code = ((const unsigned char *)buf)[0]; - - switch(code) { - case SSL3_MT_HELLO_REQUEST: - strcat(string,"Hello Request"); - break; - case SSL3_MT_CLIENT_HELLO: - strcat(string,"Client Hello"); - break; - case SSL3_MT_SERVER_HELLO: - strcat(string,"Server Hello"); - break; - case SSL3_MT_CERTIFICATE: - strcat(string,"Certificate"); - break; - case SSL3_MT_SERVER_KEY_EXCHANGE: - strcat(string,"Server Key Exchange"); - break; - case SSL3_MT_CERTIFICATE_REQUEST: - strcat(string,"Certificate Request"); - break; - case SSL3_MT_SERVER_DONE: - strcat(string,"Server Hello Done"); - break; - case SSL3_MT_CERTIFICATE_VERIFY: - strcat(string,"Certificate Verify"); - break; - case SSL3_MT_CLIENT_KEY_EXCHANGE: - strcat(string,"Client Key Exchange"); - break; - case SSL3_MT_FINISHED: - strcat(string,"Finished"); - break; - - default: - sprintf( string, "Handshake: Unknown SSL3 code received: %d", code ); - } - break; - - default: - sprintf( string, "SSL message contains unknown content type: %d", content_type ); - - } - - /* Alert messages must always be displayed */ - if(content_type == SSL3_RT_ALERT) - error("%s", string); - else - dbglog("%s", string); -} - diff --git a/pppd/eap-tls.h b/pppd/eap-tls.h deleted file mode 100644 index 2d45a0b..0000000 --- a/pppd/eap-tls.h +++ /dev/null @@ -1,107 +0,0 @@ -/* - * eap-tls.h - * - * Copyright (c) Beniamino Galvani 2005 All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. The name(s) of the authors of this software must not be used to - * endorse or promote products derived from this software without - * prior written permission. - * - * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO - * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY - * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN - * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING - * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - * - */ - -#ifndef __EAP_TLS_H__ -#define __EAP_TLS_H__ - -#include "eap.h" - -#include -#include -#include - -#define EAP_TLS_FLAGS_LI 128 /* length included flag */ -#define EAP_TLS_FLAGS_MF 64 /* more fragments flag */ -#define EAP_TLS_FLAGS_START 32 /* start flag */ - -#define EAP_TLS_MAX_LEN 65536 /* max eap tls packet size */ - -struct eaptls_session -{ - u_char *data; /* buffered data */ - int datalen; /* buffered data len */ - int offset; /* from where to send */ - int tlslen; /* total length of tls data */ - bool frag; /* packet is fragmented */ - SSL_CTX *ctx; - SSL *ssl; /* ssl connection */ - BIO *from_ssl; - BIO *into_ssl; - char peer[MAXWORDLEN]; /* peer name */ - char peercertfile[MAXWORDLEN]; - bool alert_sent; - u_char alert_sent_desc; - bool alert_recv; - u_char alert_recv_desc; - char rtx[65536]; /* retransmission buffer */ - int rtx_len; - int mtu; /* unit mtu */ -}; - -typedef struct pw_cb_data -{ - const void *password; - const char *prompt_info; -} PW_CB_DATA; - - -int ssl_verify_callback(int, X509_STORE_CTX *); -void ssl_msg_callback(int write_p, int version, int ct, const void *buf, - size_t len, SSL * ssl, void *arg); - -X509 *get_X509_from_file(char *filename); -int ssl_cmp_certs(char *filename, X509 * a); - -SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, - char *certfile, char *peer_certfile, char *privkeyfile); -int eaptls_init_ssl_server(eap_state * esp); -int eaptls_init_ssl_client(eap_state * esp); -void eaptls_free_session(struct eaptls_session *ets); - -int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len); -int eaptls_send(struct eaptls_session *ets, u_char ** outp); -void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp); - -int get_eaptls_secret(int unit, char *client, char *server, - char *clicertfile, char *servcertfile, char *cacertfile, - char *pkfile, int am_server); - -#ifdef MPPE -#include "mppe.h" /* MPPE_MAX_KEY_LEN */ -extern u_char mppe_send_key[MPPE_MAX_KEY_LEN]; -extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN]; -extern int mppe_keys_set; - -void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, int client); - -#endif - -#endif diff --git a/pppd/eap.c b/pppd/eap.c index e2270af..faced53 100644 --- a/pppd/eap.c +++ b/pppd/eap.c @@ -43,11 +43,6 @@ * Based on draft-ietf-pppext-eap-srp-03.txt. */ -/* - * Modification by Beniamino Galvani, Mar 2005 - * Implemented EAP-TLS authentication - */ - #define RCSID "$Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp $" /* @@ -67,12 +62,8 @@ #include "pppd.h" #include "pathnames.h" -#include "eap.h" -#ifdef USE_EAPTLS -#include "eap-tls.h" -#else #include "md5.h" -#endif /* USE_EAPTLS */ +#include "eap.h" #ifdef USE_SRP #include @@ -218,9 +209,6 @@ int unit; esp->es_server.ea_id = (u_char)(drand48() * 0x100); esp->es_client.ea_timeout = EAP_DEFREQTIME; esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ; -#ifdef USE_EAPTLS - esp->es_client.ea_using_eaptls = 0; -#endif /* USE_EAPTLS */ } /* @@ -280,7 +268,7 @@ eap_state *esp; u_char *outp; outp = outpacket_buf; - + MAKEHEADER(outp, PPP_EAP); PUTCHAR(EAP_FAILURE, outp); @@ -305,7 +293,7 @@ eap_state *esp; u_char *outp; outp = outpacket_buf; - + MAKEHEADER(outp, PPP_EAP); PUTCHAR(EAP_SUCCESS, outp); @@ -448,16 +436,8 @@ int status; u_char vals[2]; struct b64state bs; #endif /* USE_SRP */ -#ifdef USE_EAPTLS - struct eaptls_session *ets; - int secret_len; - char secret[MAXWORDLEN]; -#endif /* USE_EAPTLS */ esp->es_server.ea_timeout = esp->es_savedtime; -#ifdef USE_EAPTLS - esp->es_server.ea_prev_state = esp->es_server.ea_state; -#endif /* USE_EAPTLS */ switch (esp->es_server.ea_state) { case eapBadAuth: return; @@ -582,81 +562,9 @@ int status; break; } #endif /* USE_SRP */ -#ifdef USE_EAPTLS - if (!get_secret(esp->es_unit, esp->es_server.ea_peer, - esp->es_server.ea_name, secret, &secret_len, 1)) { - - esp->es_server.ea_state = eapTlsStart; - break; - } -#endif /* USE_EAPTLS */ - esp->es_server.ea_state = eapMD5Chall; break; -#ifdef USE_EAPTLS - case eapTlsStart: - /* Initialize ssl session */ - if(!eaptls_init_ssl_server(esp)) { - esp->es_server.ea_state = eapBadAuth; - break; - } - - esp->es_server.ea_state = eapTlsRecv; - break; - - case eapTlsRecv: - ets = (struct eaptls_session *) esp->es_server.ea_session; - - if(ets->alert_sent) { - esp->es_server.ea_state = eapTlsSendAlert; - break; - } - - if (status) { - esp->es_server.ea_state = eapBadAuth; - break; - } - ets = (struct eaptls_session *) esp->es_server.ea_session; - - if(ets->frag) - esp->es_server.ea_state = eapTlsSendAck; - else - esp->es_server.ea_state = eapTlsSend; - break; - - case eapTlsSend: - ets = (struct eaptls_session *) esp->es_server.ea_session; - - if(SSL_is_init_finished(ets->ssl)) { - esp->es_server.ea_state = eapTlsRecvClient; - break; - } - - if(ets->frag) - esp->es_server.ea_state = eapTlsRecvAck; - else - esp->es_server.ea_state = eapTlsRecv; - break; - - case eapTlsSendAck: - esp->es_server.ea_state = eapTlsRecv; - break; - - case eapTlsRecvAck: - if (status) { - esp->es_server.ea_state = eapBadAuth; - break; - } - - esp->es_server.ea_state = eapTlsSend; - break; - - case eapTlsSendAlert: - esp->es_server.ea_state = eapTlsRecvAlertAck; - break; -#endif /* USE_EAPTLS */ - case eapSRP1: #ifdef USE_SRP ts = (struct t_server *)esp->es_server.ea_session; @@ -773,7 +681,7 @@ eap_state *esp; } outp = outpacket_buf; - + MAKEHEADER(outp, PPP_EAP); PUTCHAR(EAP_REQUEST, outp); @@ -810,30 +718,6 @@ eap_state *esp; INCPTR(esp->es_server.ea_namelen, outp); break; -#ifdef USE_EAPTLS - case eapTlsStart: - PUTCHAR(EAPT_TLS, outp); - PUTCHAR(EAP_TLS_FLAGS_START, outp); - eap_figure_next_state(esp, 0); - break; - - case eapTlsSend: - eaptls_send(esp->es_server.ea_session, &outp); - eap_figure_next_state(esp, 0); - break; - - case eapTlsSendAck: - PUTCHAR(EAPT_TLS, outp); - PUTCHAR(0, outp); - eap_figure_next_state(esp, 0); - break; - - case eapTlsSendAlert: - eaptls_send(esp->es_server.ea_session, &outp); - eap_figure_next_state(esp, 0); - break; -#endif /* USE_EAPTLS */ - #ifdef USE_SRP case eapSRP1: PUTCHAR(EAPT_SRP, outp); @@ -1020,57 +904,11 @@ static void eap_server_timeout(arg) void *arg; { -#ifdef USE_EAPTLS - u_char *outp; - u_char *lenloc; - int outlen; -#endif /* USE_EAPTLS */ - eap_state *esp = (eap_state *) arg; if (!eap_server_active(esp)) return; -#ifdef USE_EAPTLS - switch(esp->es_server.ea_prev_state) { - - /* - * In eap-tls the state changes after a request, so we return to - * previous state ... - */ - case(eapTlsStart): - case(eapTlsSendAck): - esp->es_server.ea_state = esp->es_server.ea_prev_state; - break; - - /* - * ... or resend the stored data - */ - case(eapTlsSend): - case(eapTlsSendAlert): - outp = outpacket_buf; - MAKEHEADER(outp, PPP_EAP); - PUTCHAR(EAP_REQUEST, outp); - PUTCHAR(esp->es_server.ea_id, outp); - lenloc = outp; - INCPTR(2, outp); - - eaptls_retransmit(esp->es_server.ea_session, &outp); - - outlen = (outp - outpacket_buf) - PPP_HDRLEN; - PUTSHORT(outlen, lenloc); - output(esp->es_unit, outpacket_buf, outlen + PPP_HDRLEN); - esp->es_server.ea_requests++; - - if (esp->es_server.ea_timeout > 0) - TIMEOUT(eap_server_timeout, esp, esp->es_server.ea_timeout); - - return; - default: - break; - } -#endif /* USE_EAPTLS */ - /* EAP ID number must not change on timeout. */ eap_send_request(esp); } @@ -1243,7 +1081,7 @@ int namelen; int msglen; outp = outpacket_buf; - + MAKEHEADER(outp, PPP_EAP); PUTCHAR(EAP_RESPONSE, outp); @@ -1279,7 +1117,7 @@ int lenstr; int msglen; outp = outpacket_buf; - + MAKEHEADER(outp, PPP_EAP); PUTCHAR(EAP_RESPONSE, outp); @@ -1310,7 +1148,7 @@ u_char *str; int msglen; outp = outpacket_buf; - + MAKEHEADER(outp, PPP_EAP); PUTCHAR(EAP_RESPONSE, outp); @@ -1328,81 +1166,6 @@ u_char *str; } #endif /* USE_SRP */ -#ifdef USE_EAPTLS -/* - * Send an EAP-TLS response message with tls data - */ -static void -eap_tls_response(esp, id) -eap_state *esp; -u_char id; -{ - u_char *outp; - int outlen; - u_char *lenloc; - - outp = outpacket_buf; - - MAKEHEADER(outp, PPP_EAP); - - PUTCHAR(EAP_RESPONSE, outp); - PUTCHAR(id, outp); - - lenloc = outp; - INCPTR(2, outp); - - /* - If the id in the request is unchanged, we must retransmit - the old data - */ - if(id == esp->es_client.ea_id) - eaptls_retransmit(esp->es_client.ea_session, &outp); - else - eaptls_send(esp->es_client.ea_session, &outp); - - outlen = (outp - outpacket_buf) - PPP_HDRLEN; - PUTSHORT(outlen, lenloc); - - output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); - - esp->es_client.ea_id = id; - -} - -/* - * Send an EAP-TLS ack - */ -static void -eap_tls_sendack(esp, id) -eap_state *esp; -u_char id; -{ - u_char *outp; - int outlen; - u_char *lenloc; - - outp = outpacket_buf; - - MAKEHEADER(outp, PPP_EAP); - - PUTCHAR(EAP_RESPONSE, outp); - PUTCHAR(id, outp); - esp->es_client.ea_id = id; - - lenloc = outp; - INCPTR(2, outp); - - PUTCHAR(EAPT_TLS, outp); - PUTCHAR(0, outp); - - outlen = (outp - outpacket_buf) - PPP_HDRLEN; - PUTSHORT(outlen, lenloc); - - output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); - -} -#endif /* USE_EAPTLS */ - static void eap_send_nak(esp, id, type) eap_state *esp; @@ -1557,11 +1320,6 @@ int len; char rhostname[256]; MD5_CTX mdContext; u_char hash[MD5_SIGNATURE_SIZE]; -#ifdef USE_EAPTLS - u_char flags; - struct eaptls_session *ets = esp->es_client.ea_session; -#endif /* USE_EAPTLS */ - #ifdef USE_SRP struct t_client *tc; struct t_num sval, gval, Nval, *Ap, Bval; @@ -1698,90 +1456,6 @@ int len; esp->es_client.ea_namelen); break; -#ifdef USE_EAPTLS - case EAPT_TLS: - - switch(esp->es_client.ea_state) { - - case eapListen: - - GETCHAR(flags, inp); - if(flags & EAP_TLS_FLAGS_START){ - - esp->es_client.ea_using_eaptls = 1; - - if (explicit_remote){ - esp->es_client.ea_peer = strdup(remote_name); - esp->es_client.ea_peerlen = strlen(remote_name); - } else - esp->es_client.ea_peer = NULL; - - /* Init ssl session */ - if(!eaptls_init_ssl_client(esp)) { - dbglog("cannot init ssl"); - eap_send_nak(esp, id, EAPT_TLS); - esp->es_client.ea_using_eaptls = 0; - break; - } - - ets = esp->es_client.ea_session; - eap_tls_response(esp, id); - esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : - eapTlsRecv); - break; - } - - /* The server has sent a bad start packet. */ - eap_send_nak(esp, id, EAPT_TLS); - break; - - case eapTlsRecvAck: - eap_tls_response(esp, id); - esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : - eapTlsRecv); - break; - - case eapTlsRecv: - eaptls_receive(ets, inp, len); - - if(ets->frag) { - eap_tls_sendack(esp, id); - esp->es_client.ea_state = eapTlsRecv; - break; - } - - if(ets->alert_recv) { - eap_tls_sendack(esp, id); - esp->es_client.ea_state = eapTlsRecvFailure; - break; - } - - /* Check if TLS handshake is finished */ - if(SSL_is_init_finished(ets->ssl)){ -#ifdef MPPE - eaptls_gen_mppe_keys( ets, "client EAP encryption", 1 ); -#endif - eaptls_free_session(ets); - eap_tls_sendack(esp, id); - esp->es_client.ea_state = eapTlsRecvSuccess; - break; - } - - eap_tls_response(esp,id); - esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : - eapTlsRecv); - - break; - - default: - eap_send_nak(esp, id, EAPT_TLS); - esp->es_client.ea_using_eaptls = 0; - break; - } - - break; -#endif /* USE_EAPTLS */ - #ifdef USE_SRP case EAPT_SRP: if (len < 1) { @@ -2063,11 +1737,6 @@ int len; u_char dig[SHA_DIGESTSIZE]; #endif /* USE_SRP */ -#ifdef USE_EAPTLS - struct eaptls_session *ets; - u_char flags; -#endif /* USE_EAPTLS */ - if (esp->es_server.ea_id != id) { dbglog("EAP: discarding Response %d; expected ID %d", id, esp->es_server.ea_id); @@ -2107,60 +1776,6 @@ int len; eap_figure_next_state(esp, 0); break; -#ifdef USE_EAPTLS - case EAPT_TLS: - switch(esp->es_server.ea_state) { - - case eapTlsRecv: - ets = (struct eaptls_session *) esp->es_server.ea_session; - eap_figure_next_state(esp, - eaptls_receive(esp->es_server.ea_session, inp, len)); - - if(ets->alert_recv) { - eap_send_failure(esp); - break; - } - break; - - case eapTlsRecvAck: - if(len > 1) { - dbglog("EAP-TLS ACK with extra data"); - } - eap_figure_next_state(esp, 0); - break; - - case eapTlsRecvClient: - /* Receive authentication response from client */ - - GETCHAR(flags, inp); - - if(len == 1 && !flags) { /* Ack = ok */ -#ifdef MPPE - eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 ); -#endif - eap_send_success(esp); - } - else { /* failure */ - eaptls_receive(esp->es_server.ea_session, inp, len); - warn("Server authentication failed"); - eap_send_failure(esp); - } - - eaptls_free_session(esp->es_server.ea_session); - - break; - - case eapTlsRecvAlertAck: - eap_send_failure(esp); - break; - - default: - eap_figure_next_state(esp, 1); - break; - } - break; -#endif /* USE_EAPTLS */ - case EAPT_NOTIFICATION: dbglog("EAP unexpected Notification; response discarded"); break; @@ -2192,13 +1807,6 @@ int len; esp->es_server.ea_state = eapMD5Chall; break; -#ifdef USE_EAPTLS - /* Send EAP-TLS start packet */ - case EAPT_TLS: - esp->es_server.ea_state = eapTlsStart; - break; -#endif /* USE_EAPTLS */ - default: dbglog("EAP: peer requesting unknown Type %d", vallen); switch (esp->es_server.ea_state) { @@ -2410,27 +2018,13 @@ u_char *inp; int id; int len; { - if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp) -#ifdef USE_EAPTLS - && esp->es_client.ea_state != eapTlsRecvSuccess -#endif /* USE_EAPTLS */ - ) { + if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)) { dbglog("EAP unexpected success message in state %s (%d)", eap_state_name(esp->es_client.ea_state), esp->es_client.ea_state); return; } -#ifdef USE_EAPTLS - if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state != - eapTlsRecvSuccess) { - dbglog("EAP-TLS unexpected success message in state %s (%d)", - eap_state_name(esp->es_client.ea_state), - esp->es_client.ea_state); - return; - } -#endif /* USE_EAPTLS */ - if (esp->es_client.ea_timeout > 0) { UNTIMEOUT(eap_client_timeout, (void *)esp); } @@ -2556,9 +2150,6 @@ void *arg; int code, id, len, rtype, vallen; u_char *pstart; u_int32_t uval; -#ifdef USE_EAPTLS - u_char flags; -#endif /* USE_EAPTLS */ if (inlen < EAP_HEADERLEN) return (0); @@ -2623,24 +2214,6 @@ void *arg; } break; -#ifdef USE_EAPTLS - case EAPT_TLS: - if (len < 1) - break; - GETCHAR(flags, inp); - len--; - - if(flags == 0 && len == 0){ - printer(arg, " Ack"); - break; - } - - printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); - printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); - printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); - break; -#endif /* USE_EAPTLS */ - case EAPT_SRP: if (len < 3) goto truncated; @@ -2752,25 +2325,6 @@ void *arg; } break; -#ifdef USE_EAPTLS - case EAPT_TLS: - if (len < 1) - break; - GETCHAR(flags, inp); - len--; - - if(flags == 0 && len == 0){ - printer(arg, " Ack"); - break; - } - - printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); - printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); - printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); - - break; -#endif /* USE_EAPTLS */ - case EAPT_NAK: if (len <= 0) { printer(arg, " "); diff --git a/pppd/eap.h b/pppd/eap.h index 3fa5391..199d184 100644 --- a/pppd/eap.h +++ b/pppd/eap.h @@ -84,16 +84,6 @@ enum eap_state_code { eapClosed, /* Authentication not in use */ eapListen, /* Client ready (and timer running) */ eapIdentify, /* EAP Identify sent */ - eapTlsStart, /* Send EAP-TLS start packet */ - eapTlsRecv, /* Receive EAP-TLS tls data */ - eapTlsSendAck, /* Send EAP-TLS ack */ - eapTlsSend, /* Send EAP-TLS tls data */ - eapTlsRecvAck, /* Receive EAP-TLS ack */ - eapTlsRecvClient, /* Receive EAP-TLS auth response from client*/ - eapTlsSendAlert, /* Send EAP-TLS tls alert (server)*/ - eapTlsRecvAlertAck, /* Receive EAP-TLS ack after sending alert */ - eapTlsRecvSuccess, /* Receive EAP success */ - eapTlsRecvFailure, /* Receive EAP failure */ eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */ eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */ eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */ @@ -105,18 +95,9 @@ enum eap_state_code { #define EAP_STATES \ "Initial", "Pending", "Closed", "Listen", "Identify", \ - "TlsStart", "TlsRecv", "TlsSendAck", "TlsSend", "TlsRecvAck", "TlsRecvClient",\ - "TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \ "SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth" -#ifdef USE_EAPTLS -#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial ||\ - (esp)->es_client.ea_state != eapPending ||\ - (esp)->es_client.ea_state != eapClosed) -#else -#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) -#endif /* USE_EAPTLS */ - +#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) #define eap_server_active(esp) \ ((esp)->es_server.ea_state >= eapIdentify && \ (esp)->es_server.ea_state <= eapMD5Chall) @@ -131,17 +112,11 @@ struct eap_auth { u_short ea_namelen; /* Length of our name */ u_short ea_peerlen; /* Length of peer's name */ enum eap_state_code ea_state; -#ifdef USE_EAPTLS - enum eap_state_code ea_prev_state; -#endif u_char ea_id; /* Current id */ u_char ea_requests; /* Number of Requests sent/received */ u_char ea_responses; /* Number of Responses */ u_char ea_type; /* One of EAPT_* */ u_int32_t ea_keyflags; /* SRP shared key usage flags */ -#ifdef USE_EAPTLS - bool ea_using_eaptls; -#endif }; /* @@ -164,12 +139,7 @@ typedef struct eap_state { * Timeouts. */ #define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */ -#ifdef USE_EAPTLS -#define EAP_DEFTRANSMITS 30 /* max # times to transmit */ - /* certificates can be long ... */ -#else #define EAP_DEFTRANSMITS 10 /* max # times to transmit */ -#endif /* USE_EAPTLS */ #define EAP_DEFREQTIME 20 /* Time to wait for peer request */ #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */ diff --git a/pppd/md5.c b/pppd/md5.c index 2ee0c80..f1291ce 100644 --- a/pppd/md5.c +++ b/pppd/md5.c @@ -33,8 +33,6 @@ *********************************************************************** */ -#ifndef USE_EAPTLS - #include #include "md5.h" @@ -307,4 +305,3 @@ UINT4 *in; ** End of md5.c ** ******************************** (cut) ******************************** */ -#endif /* USE_EAPTLS */ diff --git a/pppd/md5.h b/pppd/md5.h index 14d7121..71e8b00 100644 --- a/pppd/md5.h +++ b/pppd/md5.h @@ -36,7 +36,6 @@ ** documentation and/or software. ** *********************************************************************** */ -#ifndef USE_EAPTLS #ifndef __MD5_INCLUDE__ @@ -64,5 +63,3 @@ void MD5_Final (unsigned char hash[], MD5_CTX *mdContext); #define __MD5_INCLUDE__ #endif /* __MD5_INCLUDE__ */ - -#endif /* USE_EAPTLS */ diff --git a/pppd/options.c b/pppd/options.c index 6915b2d..8e62635 100644 --- a/pppd/options.c +++ b/pppd/options.c @@ -120,10 +120,6 @@ bool dump_options; /* print out option values */ bool dryrun; /* print out option values and exit */ char *domain; /* domain name set by domain option */ int child_wait = 5; /* # seconds to wait for children at exit */ -#ifdef USE_EAPTLS -bool only_update_crl_server = 0; /* update server crl and exit */ -bool only_update_crl_client = 0; /* update client crl and exit */ -#endif /* USE_EAPTLS */ struct userenv *userenv_list; /* user environment variables */ #ifdef MAXOCTETS @@ -342,12 +338,6 @@ option_t general_options[] = { { "mo-timeout", o_int, &maxoctets_timeout, "Check for traffic limit every N seconds", OPT_PRIO | OPT_LLIMIT | 1 }, #endif -#ifdef USE_EAPTLS - { "only-update-crl-server", o_bool, &only_update_crl_server, - "Update server CA CRLs and exit", 1 }, - { "only-update-crl-client", o_bool, &only_update_crl_client, - "Update client CA CRLs and exit", 1 }, -#endif /* USE_EAPTLS */ { NULL } }; diff --git a/pppd/pathnames.h b/pppd/pathnames.h index 6275df6..24e010c 100644 --- a/pppd/pathnames.h +++ b/pppd/pathnames.h @@ -22,13 +22,6 @@ #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets" #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets" #define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets" - -#ifdef USE_EAPTLS -#define _PATH_EAPTLSCLIFILE _ROOT_PATH "/etc/ppp/eaptls-client" -#define _PATH_EAPTLSSERVFILE _ROOT_PATH "/etc/ppp/eaptls-server" -#define _PATH_OPENSSLCONFFILE _ROOT_PATH "/etc/ppp/openssl.cnf" -#endif /* USE_EAPTLS */ - #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options" #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up" #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down" diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux index 760cad4..b474a19 100644 --- a/pppd/plugins/Makefile.linux +++ b/pppd/plugins/Makefile.linux @@ -4,9 +4,6 @@ CFLAGS = $(COPTS) -I.. -I../../include -fPIC LDFLAGS = -shared INSTALL = install -# EAP-TLS -CFLAGS += -DUSE_EAPTLS=1 - DESTDIR = $(INSTROOT)@DESTDIR@ BINDIR = $(DESTDIR)/sbin MANDIR = $(DESTDIR)/share/man/man8 diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c index 6ba73ca..babb6dc 100644 --- a/pppd/plugins/passprompt.c +++ b/pppd/plugins/passprompt.c @@ -107,7 +107,4 @@ void plugin_init(void) { add_options(options); pap_passwd_hook = promptpass; -#ifdef USE_EAPTLS - eaptls_passwd_hook = promptpass; -#endif } diff --git a/pppd/plugins/passwordfd.c b/pppd/plugins/passwordfd.c index c3f9793..d718f3b 100644 --- a/pppd/plugins/passwordfd.c +++ b/pppd/plugins/passwordfd.c @@ -79,8 +79,4 @@ void plugin_init (void) chap_check_hook = pwfd_check; chap_passwd_hook = pwfd_passwd; - -#ifdef USE_EAPTLS - eaptls_passwd_hook = pwfd_passwd; -#endif } diff --git a/pppd/pppd.h b/pppd/pppd.h index aaddba1..5f72f72 100644 --- a/pppd/pppd.h +++ b/pppd/pppd.h @@ -324,10 +324,6 @@ extern bool dump_options; /* print out option values */ extern bool dryrun; /* check everything, print options, exit */ extern int child_wait; /* # seconds to wait for children at end */ -#ifdef USE_EAPTLS -extern char *crl_dir; -#endif /* USE_EAPTLS */ - #ifdef MAXOCTETS extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */ extern int maxoctets_dir; /* Direction : @@ -742,10 +738,6 @@ extern int (*chap_check_hook) __P((void)); extern int (*chap_passwd_hook) __P((char *user, char *passwd)); extern void (*multilink_join_hook) __P((void)); -#ifdef USE_EAPTLS -extern int (*eaptls_passwd_hook) __P((char *user, char *passwd)); -#endif - /* Let a plugin snoop sent and received packets. Useful for L2TP */ extern void (*snoop_recv_hook) __P((unsigned char *p, int len)); extern void (*snoop_send_hook) __P((unsigned char *p, int len)); -- 1.8.3.1