/[smeserver]/rpms/ppp/sme10/ppp-2.4.5-eaptls-mppe-0.99.patch
ViewVC logotype

Annotation of /rpms/ppp/sme10/ppp-2.4.5-eaptls-mppe-0.99.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Thu Feb 4 13:23:45 2016 UTC (8 years, 9 months ago) by vip-ire
Branch: MAIN
CVS Tags: ppp-2_4_5-24_el7_sme, HEAD
sme10 branch

1 vip-ire 1.1 diff -Naur ppp-2.4.5/README.eap-tls ppp-2.4.5-eaptls-mppe-0.99/README.eap-tls
2     --- ppp-2.4.5/README.eap-tls 1970-01-01 01:00:00.000000000 +0100
3     +++ ppp-2.4.5-eaptls-mppe-0.99/README.eap-tls 2010-10-01 15:17:54.205272328 +0200
4     @@ -0,0 +1,169 @@
5     +EAP-TLS authentication support for PPP
6     +======================================
7     +
8     +1. Intro
9     +
10     + The Extensible Authentication Protocol (EAP; RFC 3748) is a
11     + security protocol that can be used with PPP. It provides a means
12     + to plug in multiple optional authentication methods.
13     +
14     + Transport Level Security (TLS; RFC 2246) provides for mutual
15     + authentication, integrity-protected ciphersuite negotiation and
16     + key exchange between two endpoints. It also provides for optional
17     + MPPE encryption.
18     +
19     + EAP-TLS (RFC 2716) incapsulates the TLS messages in EAP packets,
20     + allowing TLS mutual authentication to be used as a generic EAP
21     + mechanism. It also provides optional encryption using the MPPE
22     + protocol.
23     +
24     + This patch provide EAP-TLS support to pppd.
25     + This authentication method can be used in both client or server
26     + mode.
27     +
28     +2. Building
29     +
30     + To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org)
31     + is required. Any version from 0.9.7 should work.
32     +
33     + Configure, compile, and install as usual.
34     +
35     +3. Configuration
36     +
37     + On the client side there are two ways to configure EAP-TLS:
38     +
39     + 1. supply the appropriate 'ca', 'cert' and 'key' command-line parameters
40     +
41     + 2. edit the /etc/ppp/eaptls-client file.
42     + Insert a line for each system with which you use EAP-TLS.
43     + The line is composed of this fields separated by tab:
44     +
45     + - Client name
46     + The name used by the client for authentication, can be *
47     + - Server name
48     + The name of the server, can be *
49     + - Client certificate file
50     + The file containing the certificate chain for the
51     + client in PEM format
52     + - Server certificate file
53     + If you want to specify the certificate that the
54     + server is allowed to use, put the certificate file name.
55     + Else put a dash '-'.
56     + - CA certificate file
57     + The file containing the trusted CA certificates in PEM
58     + format.
59     + - Client private key file
60     + The file containing the client private key in PEM format.
61     +
62     +
63     + On the server side edit the /etc/ppp/eaptls-server file.
64     + Insert a line for each system with which you use EAP-TLS.
65     + The line is composed of this fields separated by tab:
66     +
67     + - Client name
68     + The name used by the client for authentication, can be *
69     + - Server name
70     + The name of the server, can be *
71     + - Client certificate file
72     + If you want to specify the certificate that the
73     + client is allowed to use, put the certificate file name.
74     + Else put a dash '-'.
75     + - Server certificate file
76     + The file containing the certificate chain for the
77     + server in PEM format
78     + - CA certificate file
79     + The file containing the trusted CA certificates in PEM
80     + format.
81     + - Client private key file
82     + The file containing the server private key in PEM format.
83     + - addresses
84     + A list of IP addresses the client is allowed to use.
85     +
86     +
87     + OpenSSL engine support is included starting with v0.95 of this patch.
88     + Currently the only engine tested is the 'pkcs11' engine (hardware token
89     + support). To use the 'pksc11' engine:
90     + - Use a special private key fileiname in the /etc/ppp/eaptls-client file:
91     + <engine>:<identifier>
92     + e.g.
93     + pkcs11:123456
94     +
95     + - The certificate can also be loaded from the 'pkcs11' engine using
96     + a special client certificate filename in the /etc/ppp/eaptls-client file:
97     + <engine>:<identifier>
98     + e.g.
99     + pkcs11:123456
100     +
101     + - Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior
102     + to starting 'pppd'. A sample openssl.cnf file is
103     +
104     + openssl_conf = openssl_def
105     +
106     + [ openssl_def ]
107     + engines = engine_section
108     +
109     + [ engine_section ]
110     + pkcs11 = pkcs11_section
111     +
112     + [ pkcs11_section ]
113     + engine_id = pkcs11
114     + dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
115     + MODULE_PATH = /usr/lib64/libeTPkcs11.so
116     + init = 0
117     +
118     + - There are two ways to specify a password/PIN for the PKCS11 engine:
119     + - inside the openssl.cnf file using
120     + PIN = your-secret-pin
121     + Note The keyword 'PIN' is case sensitive!
122     + - Using the 'password' in the ppp options file.
123     + From v0.97 of the eap-tls patch the password can also be supplied
124     + using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c
125     + for an example).
126     +
127     +
128     +4. Options
129     +
130     + These pppd options are available:
131     +
132     + ca <ca-file>
133     + Use the CA public certificate found in <ca-file> in PEM format
134     + cert <cert-file>
135     + Use the client public certificate found in <cert-file> in PEM format
136     + or in engine:engine_id format
137     + key <key-file>
138     + Use the client private key found in <key-file> in PEM format
139     + or in engine:engine_id format
140     + crl-dir <dir>
141     + Use CRL files from dir. It contains CRL files in PEM
142     + format and each file contains a CRL. The files are looked up
143     + by the issuer name hash value. Use the c_rehash utility
144     + to create necessary links.
145     + need-peer-eap
146     + If the peer doesn't ask us to authenticate or doesn't use eap
147     + to authenticate us, disconnect.
148     +
149     + Note:
150     + password-encrypted certificates can be used as of v0.94 of this
151     + patch. The password for the eap-tls.key file is specified using
152     + the regular
153     + password ....
154     + statement in the ppp options file, or by using the appropriate
155     + plugin which supplies a 'eaptls_passwd_hook' routine.
156     +
157     +5. Connecting
158     +
159     + If you're setting up a pppd server, edit the EAP-TLS configuration file
160     + as written above and then run pppd with the 'auth' option to authenticate
161     + the client. The EAP-TLS method will be used if the other eap methods can't
162     + be used (no secrets).
163     +
164     + If you're setting up a client, edit the configuration file and then run
165     + pppd with 'remotename' option to specify the server name. Add the
166     + 'need-peer-eap' option if you want to be sure the peer ask you to
167     + authenticate (and to use eap) and to disconnect if it doesn't.
168     +
169     +6. Notes
170     +
171     + This is experimental code.
172     + Send suggestions and comments to Jan Just Keijser <janjust@nikhef.nl>
173     +
174     diff -Naur ppp-2.4.5/etc.ppp/eaptls-client ppp-2.4.5-eaptls-mppe-0.99/etc.ppp/eaptls-client
175     --- ppp-2.4.5/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100
176     +++ ppp-2.4.5-eaptls-mppe-0.99/etc.ppp/eaptls-client 2010-10-01 15:17:54.205272328 +0200
177     @@ -0,0 +1,10 @@
178     +# Parameters for authentication using EAP-TLS (client)
179     +
180     +# client name (can be *)
181     +# server name (can be *)
182     +# client certificate file (required)
183     +# server certificate file (optional, if unused put '-')
184     +# CA certificate file (required)
185     +# client private key file (required)
186     +
187     +#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key
188     diff -Naur ppp-2.4.5/etc.ppp/eaptls-server ppp-2.4.5-eaptls-mppe-0.99/etc.ppp/eaptls-server
189     --- ppp-2.4.5/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100
190     +++ ppp-2.4.5-eaptls-mppe-0.99/etc.ppp/eaptls-server 2010-10-01 15:17:54.205272328 +0200
191     @@ -0,0 +1,11 @@
192     +# Parameters for authentication using EAP-TLS (server)
193     +
194     +# client name (can be *)
195     +# server name (can be *)
196     +# client certificate file (optional, if unused put '-')
197     +# server certificate file (required)
198     +# CA certificate file (required)
199     +# server private key file (required)
200     +# allowed addresses (required, can be *)
201     +
202     +#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24
203     diff -Naur ppp-2.4.5/etc.ppp/openssl.cnf ppp-2.4.5-eaptls-mppe-0.99/etc.ppp/openssl.cnf
204     --- ppp-2.4.5/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100
205     +++ ppp-2.4.5-eaptls-mppe-0.99/etc.ppp/openssl.cnf 2010-10-01 15:17:54.206272162 +0200
206     @@ -0,0 +1,14 @@
207     +openssl_conf = openssl_def
208     +
209     +[ openssl_def ]
210     +engines = engine_section
211     +
212     +[ engine_section ]
213     +pkcs11 = pkcs11_section
214     +
215     +[ pkcs11_section ]
216     +engine_id = pkcs11
217     +dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
218     +MODULE_PATH = /usr/lib64/libeTPkcs11.so
219     +init = 0
220     +
221     diff -Naur ppp-2.4.5/linux/Makefile.top ppp-2.4.5-eaptls-mppe-0.99/linux/Makefile.top
222     --- ppp-2.4.5/linux/Makefile.top 2009-11-16 23:26:07.000000000 +0100
223     +++ ppp-2.4.5-eaptls-mppe-0.99/linux/Makefile.top 2010-10-01 15:17:54.206272162 +0200
224     @@ -26,7 +26,7 @@
225     cd pppdump; $(MAKE) $(MFLAGS) install
226    
227     install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \
228     - $(ETCDIR)/chap-secrets
229     + $(ETCDIR)/chap-secrets $(ETCDIR)/eaptls-server $(ETCDIR)/eaptls-client
230    
231     install-devel:
232     cd pppd; $(MAKE) $(MFLAGS) install-devel
233     @@ -37,6 +37,10 @@
234     $(INSTALL) -c -m 600 etc.ppp/pap-secrets $@
235     $(ETCDIR)/chap-secrets:
236     $(INSTALL) -c -m 600 etc.ppp/chap-secrets $@
237     +$(ETCDIR)/eaptls-server:
238     + $(INSTALL) -c -m 600 etc.ppp/eaptls-server $@
239     +$(ETCDIR)/eaptls-client:
240     + $(INSTALL) -c -m 600 etc.ppp/eaptls-client $@
241    
242     $(BINDIR):
243     $(INSTALL) -d -m 755 $@
244     diff -Naur ppp-2.4.5/pppd/Makefile.linux ppp-2.4.5-eaptls-mppe-0.99/pppd/Makefile.linux
245     --- ppp-2.4.5/pppd/Makefile.linux 2009-11-16 23:26:07.000000000 +0100
246     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/Makefile.linux 2010-10-01 15:17:54.207272272 +0200
247     @@ -73,6 +73,9 @@
248     # Enable EAP SRP-SHA1 authentication (requires libsrp)
249     #USE_SRP=y
250    
251     +# Enable EAP-TLS authentication (requires libssl and libcurl)
252     +USE_EAPTLS=y
253     +
254     MAXOCTETS=y
255    
256     INCLUDE_DIRS= -I../include
257     @@ -112,6 +115,15 @@
258     PPPDOBJS += sha1.o
259     endif
260    
261     +# EAP-TLS
262     +ifdef USE_EAPTLS
263     +CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include
264     +LIBS += -lssl -lcrypto
265     +PPPDSRC += eap-tls.c
266     +HEADERS += eap-tls.h
267     +PPPDOBJS += eap-tls.o
268     +endif
269     +
270     ifdef HAS_SHADOW
271     CFLAGS += -DHAS_SHADOW
272     #LIBS += -lshadow $(LIBS)
273     diff -Naur ppp-2.4.5/pppd/auth.c ppp-2.4.5-eaptls-mppe-0.99/pppd/auth.c
274     --- ppp-2.4.5/pppd/auth.c 2009-11-16 23:26:07.000000000 +0100
275     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/auth.c 2010-10-01 15:17:54.210272021 +0200
276     @@ -109,6 +109,9 @@
277     #include "upap.h"
278     #include "chap-new.h"
279     #include "eap.h"
280     +#ifdef USE_EAPTLS
281     +#include "eap-tls.h"
282     +#endif
283     #ifdef CBCP_SUPPORT
284     #include "cbcp.h"
285     #endif
286     @@ -183,6 +186,12 @@
287     /* Hook for a plugin to get the CHAP password for authenticating us */
288     int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL;
289    
290     +#ifdef USE_EAPTLS
291     +/* Hook for a plugin to get the EAP-TLS password for authenticating us */
292     +int (*eaptls_passwd_hook) __P((char *user, char *passwd)) = NULL;
293     +int (*eaptls_check_hook) __P((void)) = NULL;
294     +#endif
295     +
296     /* Hook for a plugin to say whether it is OK if the peer
297     refuses to authenticate. */
298     int (*null_auth_hook) __P((struct wordlist **paddrs,
299     @@ -238,6 +246,13 @@
300     bool explicit_user = 0; /* Set if "user" option supplied */
301     bool explicit_passwd = 0; /* Set if "password" option supplied */
302     char remote_name[MAXNAMELEN]; /* Peer's name for authentication */
303     +#ifdef USE_EAPTLS
304     +char *cacert_file = NULL; /* CA certificate file (pem format) */
305     +char *cert_file = NULL; /* client certificate file (pem format) */
306     +char *privkey_file = NULL; /* client private key file (pem format) */
307     +char *crl_dir = NULL; /* directory containing CRL files */
308     +bool need_peer_eap = 0; /* Require peer to authenticate us */
309     +#endif
310    
311     static char *uafname; /* name of most recent +ua file */
312    
313     @@ -254,6 +269,19 @@
314     static int have_chap_secret __P((char *, char *, int, int *));
315     static int have_srp_secret __P((char *client, char *server, int need_ip,
316     int *lacks_ipp));
317     +
318     +#ifdef USE_EAPTLS
319     +static int have_eaptls_secret_server
320     +__P((char *client, char *server, int need_ip, int *lacks_ipp));
321     +static int have_eaptls_secret_client __P((char *client, char *server));
322     +static int scan_authfile_eaptls __P((FILE * f, char *client, char *server,
323     + char *cli_cert, char *serv_cert,
324     + char *ca_cert, char *pk,
325     + struct wordlist ** addrs,
326     + struct wordlist ** opts,
327     + char *filename, int flags));
328     +#endif
329     +
330     static int ip_addr_check __P((u_int32_t, struct permitted_ip *));
331     static int scan_authfile __P((FILE *, char *, char *, char *,
332     struct wordlist **, struct wordlist **,
333     @@ -401,6 +429,14 @@
334     "Set telephone number(s) which are allowed to connect",
335     OPT_PRIV | OPT_A2LIST },
336    
337     +#ifdef USE_EAPTLS
338     + { "ca", o_string, &cacert_file, "EAP-TLS CA certificate in PEM format" },
339     + { "cert", o_string, &cert_file, "EAP-TLS client certificate in PEM format" },
340     + { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" },
341     + { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" },
342     + { "need-peer-eap", o_bool, &need_peer_eap,
343     + "Require the peer to authenticate us", 1 },
344     +#endif /* USE_EAPTLS */
345     { NULL }
346     };
347    
348     @@ -731,6 +767,9 @@
349     lcp_options *wo = &lcp_wantoptions[unit];
350     lcp_options *go = &lcp_gotoptions[unit];
351     lcp_options *ho = &lcp_hisoptions[unit];
352     +#ifdef USE_EAPTLS
353     + lcp_options *ao = &lcp_allowoptions[unit];
354     +#endif
355     int i;
356     struct protent *protp;
357    
358     @@ -765,6 +804,22 @@
359     }
360     }
361    
362     +#ifdef USE_EAPTLS
363     + if (need_peer_eap && !ao->neg_eap) {
364     + warn("eap required to authenticate us but no suitable secrets");
365     + lcp_close(unit, "couldn't negotiate eap");
366     + status = EXIT_AUTH_TOPEER_FAILED;
367     + return;
368     + }
369     +
370     + if (need_peer_eap && !ho->neg_eap) {
371     + warn("peer doesn't want to authenticate us with eap");
372     + lcp_close(unit, "couldn't negotiate eap");
373     + status = EXIT_PEER_AUTH_FAILED;
374     + return;
375     + }
376     +#endif
377     +
378     new_phase(PHASE_AUTHENTICATE);
379     auth = 0;
380     if (go->neg_eap) {
381     @@ -1278,6 +1333,15 @@
382     our_name, 1, &lacks_ip);
383     }
384    
385     +#ifdef USE_EAPTLS
386     + if (!can_auth && wo->neg_eap) {
387     + can_auth =
388     + have_eaptls_secret_server((explicit_remote ? remote_name :
389     + NULL), our_name, 1, &lacks_ip);
390     +
391     + }
392     +#endif
393     +
394     if (auth_required && !can_auth && noauth_addrs == NULL) {
395     if (default_auth) {
396     option_error(
397     @@ -1332,7 +1396,11 @@
398     passwd[0] != 0 ||
399     (hadchap == 1 || (hadchap == -1 && have_chap_secret(user,
400     (explicit_remote? remote_name: NULL), 0, NULL))) ||
401     - have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL));
402     + have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)
403     +#ifdef USE_EAPTLS
404     + || have_eaptls_secret_client(user, (explicit_remote? remote_name: NULL))
405     +#endif
406     + );
407    
408     hadchap = -1;
409     if (go->neg_upap && !uselogin && !have_pap_secret(NULL))
410     @@ -1347,8 +1415,14 @@
411     !have_chap_secret((explicit_remote? remote_name: NULL), our_name,
412     1, NULL))) &&
413     !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1,
414     - NULL))
415     + NULL)
416     +#ifdef USE_EAPTLS
417     + && !have_eaptls_secret_server((explicit_remote? remote_name: NULL),
418     + our_name, 1, NULL)
419     +#endif
420     + )
421     go->neg_eap = 0;
422     +
423     }
424    
425    
426     @@ -1706,6 +1780,7 @@
427     }
428    
429    
430     +
431     /*
432     * get_secret - open the CHAP secret file and return the secret
433     * for authenticating the given client on the given server.
434     @@ -2358,3 +2433,335 @@
435    
436     auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0);
437     }
438     +
439     +
440     +#ifdef USE_EAPTLS
441     +static int
442     +have_eaptls_secret_server(client, server, need_ip, lacks_ipp)
443     + char *client;
444     + char *server;
445     + int need_ip;
446     + int *lacks_ipp;
447     +{
448     + FILE *f;
449     + int ret;
450     + char *filename;
451     + struct wordlist *addrs;
452     + char servcertfile[MAXWORDLEN];
453     + char clicertfile[MAXWORDLEN];
454     + char cacertfile[MAXWORDLEN];
455     + char pkfile[MAXWORDLEN];
456     +
457     + filename = _PATH_EAPTLSSERVFILE;
458     + f = fopen(filename, "r");
459     + if (f == NULL)
460     + return 0;
461     +
462     + if (client != NULL && client[0] == 0)
463     + client = NULL;
464     + else if (server != NULL && server[0] == 0)
465     + server = NULL;
466     +
467     + ret =
468     + scan_authfile_eaptls(f, client, server, clicertfile, servcertfile,
469     + cacertfile, pkfile, &addrs, NULL, filename,
470     + 0);
471     +
472     + fclose(f);
473     +
474     +/*
475     + if (ret >= 0 && !eaptls_init_ssl(1, cacertfile, servcertfile,
476     + clicertfile, pkfile))
477     + ret = -1;
478     +*/
479     +
480     + if (ret >= 0 && need_ip && !some_ip_ok(addrs)) {
481     + if (lacks_ipp != 0)
482     + *lacks_ipp = 1;
483     + ret = -1;
484     + }
485     + if (addrs != 0)
486     + free_wordlist(addrs);
487     +
488     + return ret >= 0;
489     +}
490     +
491     +
492     +static int
493     +have_eaptls_secret_client(client, server)
494     + char *client;
495     + char *server;
496     +{
497     + FILE *f;
498     + int ret;
499     + char *filename;
500     + struct wordlist *addrs = NULL;
501     + char servcertfile[MAXWORDLEN];
502     + char clicertfile[MAXWORDLEN];
503     + char cacertfile[MAXWORDLEN];
504     + char pkfile[MAXWORDLEN];
505     +
506     + if (client != NULL && client[0] == 0)
507     + client = NULL;
508     + else if (server != NULL && server[0] == 0)
509     + server = NULL;
510     +
511     + if (cacert_file && cert_file && privkey_file)
512     + return 1;
513     +
514     + filename = _PATH_EAPTLSCLIFILE;
515     + f = fopen(filename, "r");
516     + if (f == NULL)
517     + return 0;
518     +
519     + ret =
520     + scan_authfile_eaptls(f, client, server, clicertfile, servcertfile,
521     + cacertfile, pkfile, &addrs, NULL, filename,
522     + 0);
523     + fclose(f);
524     +
525     +/*
526     + if (ret >= 0 && !eaptls_init_ssl(0, cacertfile, clicertfile,
527     + servcertfile, pkfile))
528     + ret = -1;
529     +*/
530     +
531     + if (addrs != 0)
532     + free_wordlist(addrs);
533     +
534     + return ret >= 0;
535     +}
536     +
537     +
538     +static int
539     +scan_authfile_eaptls(f, client, server, cli_cert, serv_cert, ca_cert, pk,
540     + addrs, opts, filename, flags)
541     + FILE *f;
542     + char *client;
543     + char *server;
544     + char *cli_cert;
545     + char *serv_cert;
546     + char *ca_cert;
547     + char *pk;
548     + struct wordlist **addrs;
549     + struct wordlist **opts;
550     + char *filename;
551     + int flags;
552     +{
553     + int newline;
554     + int got_flag, best_flag;
555     + struct wordlist *ap, *addr_list, *alist, **app;
556     + char word[MAXWORDLEN];
557     +
558     + if (addrs != NULL)
559     + *addrs = NULL;
560     + if (opts != NULL)
561     + *opts = NULL;
562     + addr_list = NULL;
563     + if (!getword(f, word, &newline, filename))
564     + return -1; /* file is empty??? */
565     + newline = 1;
566     + best_flag = -1;
567     + for (;;) {
568     + /*
569     + * Skip until we find a word at the start of a line.
570     + */
571     + while (!newline && getword(f, word, &newline, filename));
572     + if (!newline)
573     + break; /* got to end of file */
574     +
575     + /*
576     + * Got a client - check if it's a match or a wildcard.
577     + */
578     + got_flag = 0;
579     + if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) {
580     + newline = 0;
581     + continue;
582     + }
583     + if (!ISWILD(word))
584     + got_flag = NONWILD_CLIENT;
585     +
586     + /*
587     + * Now get a server and check if it matches.
588     + */
589     + if (!getword(f, word, &newline, filename))
590     + break;
591     + if (newline)
592     + continue;
593     + if (!ISWILD(word)) {
594     + if (server != NULL && strcmp(word, server) != 0)
595     + continue;
596     + got_flag |= NONWILD_SERVER;
597     + }
598     +
599     + /*
600     + * Got some sort of a match - see if it's better than what
601     + * we have already.
602     + */
603     + if (got_flag <= best_flag)
604     + continue;
605     +
606     + /*
607     + * Get the cli_cert
608     + */
609     + if (!getword(f, word, &newline, filename))
610     + break;
611     + if (newline)
612     + continue;
613     + if (strcmp(word, "-") != 0) {
614     + strlcpy(cli_cert, word, MAXWORDLEN);
615     + } else
616     + cli_cert[0] = 0;
617     +
618     + /*
619     + * Get serv_cert
620     + */
621     + if (!getword(f, word, &newline, filename))
622     + break;
623     + if (newline)
624     + continue;
625     + if (strcmp(word, "-") != 0) {
626     + strlcpy(serv_cert, word, MAXWORDLEN);
627     + } else
628     + serv_cert[0] = 0;
629     +
630     + /*
631     + * Get ca_cert
632     + */
633     + if (!getword(f, word, &newline, filename))
634     + break;
635     + if (newline)
636     + continue;
637     + strlcpy(ca_cert, word, MAXWORDLEN);
638     +
639     + /*
640     + * Get pk
641     + */
642     + if (!getword(f, word, &newline, filename))
643     + break;
644     + if (newline)
645     + continue;
646     + strlcpy(pk, word, MAXWORDLEN);
647     +
648     +
649     + /*
650     + * Now read address authorization info and make a wordlist.
651     + */
652     + app = &alist;
653     + for (;;) {
654     + if (!getword(f, word, &newline, filename) || newline)
655     + break;
656     + ap = (struct wordlist *)
657     + malloc(sizeof(struct wordlist) + strlen(word) + 1);
658     + if (ap == NULL)
659     + novm("authorized addresses");
660     + ap->word = (char *) (ap + 1);
661     + strcpy(ap->word, word);
662     + *app = ap;
663     + app = &ap->next;
664     + }
665     + *app = NULL;
666     + /*
667     + * This is the best so far; remember it.
668     + */
669     + best_flag = got_flag;
670     + if (addr_list)
671     + free_wordlist(addr_list);
672     + addr_list = alist;
673     +
674     + if (!newline)
675     + break;
676     + }
677     +
678     + /* scan for a -- word indicating the start of options */
679     + for (app = &addr_list; (ap = *app) != NULL; app = &ap->next)
680     + if (strcmp(ap->word, "--") == 0)
681     + break;
682     + /* ap = start of options */
683     + if (ap != NULL) {
684     + ap = ap->next; /* first option */
685     + free(*app); /* free the "--" word */
686     + *app = NULL; /* terminate addr list */
687     + }
688     + if (opts != NULL)
689     + *opts = ap;
690     + else if (ap != NULL)
691     + free_wordlist(ap);
692     + if (addrs != NULL)
693     + *addrs = addr_list;
694     + else if (addr_list != NULL)
695     + free_wordlist(addr_list);
696     +
697     + return best_flag;
698     +}
699     +
700     +
701     +int
702     +get_eaptls_secret(unit, client, server, clicertfile, servcertfile,
703     + cacertfile, pkfile, am_server)
704     + int unit;
705     + char *client;
706     + char *server;
707     + char *clicertfile;
708     + char *servcertfile;
709     + char *cacertfile;
710     + char *pkfile;
711     + int am_server;
712     +{
713     + FILE *fp;
714     + int ret;
715     + char *filename = NULL;
716     + struct wordlist *addrs = NULL;
717     + struct wordlist *opts = NULL;
718     +
719     + /* in client mode the ca+cert+privkey can also be specified as options */
720     + if (!am_server && cacert_file && cert_file && privkey_file )
721     + {
722     + strlcpy( clicertfile, cert_file, MAXWORDLEN );
723     + strlcpy( cacertfile, cacert_file, MAXWORDLEN );
724     + strlcpy( pkfile, privkey_file, MAXWORDLEN );
725     + servcertfile[0] = '\0';
726     + }
727     + else
728     + {
729     + filename = (am_server ? _PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE);
730     + addrs = NULL;
731     +
732     + fp = fopen(filename, "r");
733     + if (fp == NULL)
734     + {
735     + error("Can't open eap-tls secret file %s: %m", filename);
736     + return 0;
737     + }
738     +
739     + check_access(fp, filename);
740     +
741     + ret = scan_authfile_eaptls(fp, client, server, clicertfile, servcertfile,
742     + cacertfile, pkfile, &addrs, &opts, filename, 0);
743     +
744     + fclose(fp);
745     +
746     + if (ret < 0) return 0;
747     + }
748     +
749     + if (eaptls_passwd_hook)
750     + {
751     + dbglog( "Calling eaptls password hook" );
752     + if ( (*eaptls_passwd_hook)(pkfile, passwd) < 0)
753     + {
754     + error("Unable to obtain EAP-TLS password for %s (%s) from plugin",
755     + client, pkfile);
756     + return 0;
757     + }
758     + }
759     + if (am_server)
760     + set_allowed_addrs(unit, addrs, opts);
761     + else if (opts != NULL)
762     + free_wordlist(opts);
763     + if (addrs != NULL)
764     + free_wordlist(addrs);
765     +
766     + return 1;
767     +}
768     +#endif
769     +
770     diff -Naur ppp-2.4.5/pppd/ccp.c ppp-2.4.5-eaptls-mppe-0.99/pppd/ccp.c
771     --- ppp-2.4.5/pppd/ccp.c 2009-11-16 23:26:07.000000000 +0100
772     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/ccp.c 2010-10-01 15:17:54.211272258 +0200
773     @@ -540,6 +540,9 @@
774     if (go->mppe) {
775     ccp_options *ao = &ccp_allowoptions[f->unit];
776     int auth_mschap_bits = auth_done[f->unit];
777     +#ifdef USE_EAPTLS
778     + int auth_eap_bits = auth_done[f->unit];
779     +#endif
780     int numbits;
781    
782     /*
783     @@ -567,8 +570,23 @@
784     lcp_close(f->unit, "MPPE required but not available");
785     return;
786     }
787     +
788     +#ifdef USE_EAPTLS
789     + /*
790     + * MPPE is also possible in combination with EAP-TLS.
791     + * It is not possible to detect if we're doing EAP or EAP-TLS
792     + * at this stage, hence we accept all forms of EAP. If TLS is
793     + * not used then the MPPE keys will not be derived anyway.
794     + */
795     + /* Leave only the eap auth bits set */
796     + auth_eap_bits &= (EAP_WITHPEER | EAP_PEER );
797     +
798     + if ((numbits == 0) && (auth_eap_bits == 0)) {
799     + error("MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed.");
800     +#else
801     if (!numbits) {
802     - error("MPPE required, but MS-CHAP[v2] auth not performed.");
803     + error("MPPE required, but MS-CHAP[v2] auth not performed.");
804     +#endif
805     lcp_close(f->unit, "MPPE required but not available");
806     return;
807     }
808     diff -Naur ppp-2.4.5/pppd/chap-md5.c ppp-2.4.5-eaptls-mppe-0.99/pppd/chap-md5.c
809     --- ppp-2.4.5/pppd/chap-md5.c 2009-11-16 23:26:07.000000000 +0100
810     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/chap-md5.c 2010-10-01 15:17:54.212272142 +0200
811     @@ -36,7 +36,11 @@
812     #include "chap-new.h"
813     #include "chap-md5.h"
814     #include "magic.h"
815     +#ifdef USE_EAPTLS
816     +#include "eap-tls.h"
817     +#else
818     #include "md5.h"
819     +#endif /* USE_EAPTLS */
820    
821     #define MD5_HASH_SIZE 16
822     #define MD5_MIN_CHALLENGE 16
823     diff -Naur ppp-2.4.5/pppd/eap-tls.c ppp-2.4.5-eaptls-mppe-0.99/pppd/eap-tls.c
824     --- ppp-2.4.5/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100
825     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/eap-tls.c 2010-10-05 15:12:45.881615580 +0200
826     @@ -0,0 +1,1174 @@
827     +/*
828     + * eap-tls.c - EAP-TLS implementation for PPP
829     + *
830     + * Copyright (c) Beniamino Galvani 2005 All rights reserved.
831     + *
832     + * Redistribution and use in source and binary forms, with or without
833     + * modification, are permitted provided that the following conditions
834     + * are met:
835     + *
836     + * 1. Redistributions of source code must retain the above copyright
837     + * notice, this list of conditions and the following disclaimer.
838     + *
839     + * 2. Redistributions in binary form must reproduce the above copyright
840     + * notice, this list of conditions and the following disclaimer in
841     + * the documentation and/or other materials provided with the
842     + * distribution.
843     + *
844     + * 3. The name(s) of the authors of this software must not be used to
845     + * endorse or promote products derived from this software without
846     + * prior written permission.
847     + *
848     + * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
849     + * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
850     + * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
851     + * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
852     + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
853     + * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
854     + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
855     + *
856     + */
857     +
858     +#include <string.h>
859     +#include <unistd.h>
860     +#include <sys/types.h>
861     +#include <sys/stat.h>
862     +#include <fcntl.h>
863     +
864     +#include <openssl/conf.h>
865     +#include <openssl/engine.h>
866     +#include <openssl/hmac.h>
867     +#include <openssl/err.h>
868     +#include <openssl/x509v3.h>
869     +
870     +#include "pppd.h"
871     +#include "eap.h"
872     +#include "eap-tls.h"
873     +#include "fsm.h"
874     +#include "lcp.h"
875     +#include "pathnames.h"
876     +
877     +/* The openssl configuration file and engines can be loaded only once */
878     +static CONF *ssl_config = NULL;
879     +static ENGINE *cert_engine = NULL;
880     +static ENGINE *pkey_engine = NULL;
881     +
882     +#ifdef MPPE
883     +
884     +/*
885     + * TLS PRF from RFC 2246
886     + */
887     +static void P_hash(const EVP_MD *evp_md,
888     + const unsigned char *secret, unsigned int secret_len,
889     + const unsigned char *seed, unsigned int seed_len,
890     + unsigned char *out, unsigned int out_len)
891     +{
892     + HMAC_CTX ctx_a, ctx_out;
893     + unsigned char a[HMAC_MAX_MD_CBLOCK];
894     + unsigned int size;
895     +
896     + HMAC_CTX_init(&ctx_a);
897     + HMAC_CTX_init(&ctx_out);
898     + HMAC_Init_ex(&ctx_a, secret, secret_len, evp_md, NULL);
899     + HMAC_Init_ex(&ctx_out, secret, secret_len, evp_md, NULL);
900     +
901     + size = HMAC_size(&ctx_out);
902     +
903     + /* Calculate A(1) */
904     + HMAC_Update(&ctx_a, seed, seed_len);
905     + HMAC_Final(&ctx_a, a, NULL);
906     +
907     + while (1) {
908     + /* Calculate next part of output */
909     + HMAC_Update(&ctx_out, a, size);
910     + HMAC_Update(&ctx_out, seed, seed_len);
911     +
912     + /* Check if last part */
913     + if (out_len < size) {
914     + HMAC_Final(&ctx_out, a, NULL);
915     + memcpy(out, a, out_len);
916     + break;
917     + }
918     +
919     + /* Place digest in output buffer */
920     + HMAC_Final(&ctx_out, out, NULL);
921     + HMAC_Init_ex(&ctx_out, NULL, 0, NULL, NULL);
922     + out += size;
923     + out_len -= size;
924     +
925     + /* Calculate next A(i) */
926     + HMAC_Init_ex(&ctx_a, NULL, 0, NULL, NULL);
927     + HMAC_Update(&ctx_a, a, size);
928     + HMAC_Final(&ctx_a, a, NULL);
929     + }
930     +
931     + HMAC_CTX_cleanup(&ctx_a);
932     + HMAC_CTX_cleanup(&ctx_out);
933     + memset(a, 0, sizeof(a));
934     +}
935     +
936     +static void PRF(const unsigned char *secret, unsigned int secret_len,
937     + const unsigned char *seed, unsigned int seed_len,
938     + unsigned char *out, unsigned char *buf, unsigned int out_len)
939     +{
940     + unsigned int i;
941     + unsigned int len = (secret_len + 1) / 2;
942     + const unsigned char *s1 = secret;
943     + const unsigned char *s2 = secret + (secret_len - len);
944     +
945     + P_hash(EVP_md5(), s1, len, seed, seed_len, out, out_len);
946     + P_hash(EVP_sha1(), s2, len, seed, seed_len, buf, out_len);
947     +
948     + for (i=0; i < out_len; i++) {
949     + out[i] ^= buf[i];
950     + }
951     +}
952     +
953     +#define EAPTLS_MPPE_KEY_LEN 32
954     +
955     +/*
956     + * Generate keys according to RFC 2716 and add to reply
957     + */
958     +void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label,
959     + int client)
960     +{
961     + unsigned char out[4*EAPTLS_MPPE_KEY_LEN], buf[4*EAPTLS_MPPE_KEY_LEN];
962     + unsigned char seed[64 + 2*SSL3_RANDOM_SIZE];
963     + unsigned char *p = seed;
964     + SSL *s = ets->ssl;
965     + size_t prf_size;
966     +
967     + prf_size = strlen(prf_label);
968     +
969     + memcpy(p, prf_label, prf_size);
970     + p += prf_size;
971     +
972     + memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
973     + p += SSL3_RANDOM_SIZE;
974     + prf_size += SSL3_RANDOM_SIZE;
975     +
976     + memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
977     + prf_size += SSL3_RANDOM_SIZE;
978     +
979     + PRF(s->session->master_key, s->session->master_key_length,
980     + seed, prf_size, out, buf, sizeof(out));
981     +
982     + /*
983     + * We now have the master send and receive keys.
984     + * From these, generate the session send and receive keys.
985     + * (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details)
986     + */
987     + if (client)
988     + {
989     + p = out;
990     + BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
991     + p += EAPTLS_MPPE_KEY_LEN;
992     + BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
993     + }
994     + else
995     + {
996     + p = out;
997     + BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
998     + p += EAPTLS_MPPE_KEY_LEN;
999     + BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
1000     + }
1001     +
1002     + mppe_keys_set = 1;
1003     +}
1004     +
1005     +#endif
1006     +
1007     +void log_ssl_errors( void )
1008     +{
1009     + unsigned long ssl_err = ERR_get_error();
1010     +
1011     + if (ssl_err != 0)
1012     + dbglog("EAP-TLS SSL error stack:");
1013     + while (ssl_err != 0) {
1014     + dbglog( ERR_error_string( ssl_err, NULL ) );
1015     + ssl_err = ERR_get_error();
1016     + }
1017     +}
1018     +
1019     +
1020     +int password_callback (char *buf, int size, int rwflag, void *u)
1021     +{
1022     + if (buf)
1023     + {
1024     + strncpy (buf, passwd, size);
1025     + return strlen (buf);
1026     + }
1027     + return 0;
1028     +}
1029     +
1030     +
1031     +CONF *eaptls_ssl_load_config( void )
1032     +{
1033     + CONF *config;
1034     + int ret_code;
1035     + long error_line = 33;
1036     +
1037     + config = NCONF_new( NULL );
1038     + dbglog( "Loading OpenSSL config file" );
1039     + ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line );
1040     + if (ret_code == 0)
1041     + {
1042     + warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line );
1043     + NCONF_free( config );
1044     + config = NULL;
1045     + ERR_clear_error();
1046     + }
1047     +
1048     + dbglog( "Loading OpenSSL built-ins" );
1049     + ENGINE_load_builtin_engines();
1050     + OPENSSL_load_builtin_modules();
1051     +
1052     + dbglog( "Loading OpenSSL configured modules" );
1053     + if (CONF_modules_load( config, NULL, 0 ) <= 0 )
1054     + {
1055     + warn( "EAP-TLS: Error loading OpenSSL modules" );
1056     + log_ssl_errors();
1057     + config = NULL;
1058     + }
1059     +
1060     + return config;
1061     +}
1062     +
1063     +ENGINE *eaptls_ssl_load_engine( char *engine_name )
1064     +{
1065     + ENGINE *e = NULL;
1066     +
1067     + dbglog( "Enabling OpenSSL auto engines" );
1068     + ENGINE_register_all_complete();
1069     +
1070     + dbglog( "Loading OpenSSL '%s' engine support", engine_name );
1071     + e = ENGINE_by_id( engine_name );
1072     + if (!e)
1073     + {
1074     + dbglog( "EAP-TLS: Cannot load '%s' engine support, trying 'dynamic'", engine_name );
1075     + e = ENGINE_by_id( "dynamic" );
1076     + if (e)
1077     + {
1078     + if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine_name, 0)
1079     + || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
1080     + {
1081     + warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name );
1082     + log_ssl_errors();
1083     + ENGINE_free(e);
1084     + e = NULL;
1085     + }
1086     + }
1087     + else
1088     + {
1089     + warn( "EAP-TLS: Cannot load dynamic engine support" );
1090     + }
1091     + }
1092     +
1093     + if (e)
1094     + {
1095     + dbglog( "Initialising engine" );
1096     + if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
1097     + {
1098     + warn( "EAP-TLS: Cannot use that engine" );
1099     + log_ssl_errors();
1100     + ENGINE_free(e);
1101     + e = NULL;
1102     + }
1103     + }
1104     +
1105     + return e;
1106     +}
1107     +
1108     +/*
1109     + * Initialize the SSL stacks and tests if certificates, key and crl
1110     + * for client or server use can be loaded.
1111     + */
1112     +SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile,
1113     + char *certfile, char *peer_certfile, char *privkeyfile)
1114     +{
1115     + char *cert_engine_name = NULL;
1116     + char *cert_identifier = NULL;
1117     + char *pkey_engine_name = NULL;
1118     + char *pkey_identifier = NULL;
1119     + SSL_CTX *ctx;
1120     + X509_STORE *certstore;
1121     + X509_LOOKUP *lookup;
1122     + X509 *tmp;
1123     +
1124     + /*
1125     + * Without these can't continue
1126     + */
1127     + if (!cacertfile[0])
1128     + {
1129     + error("EAP-TLS: CA certificate missing");
1130     + return NULL;
1131     + }
1132     +
1133     + if (!certfile[0])
1134     + {
1135     + error("EAP-TLS: User certificate missing");
1136     + return NULL;
1137     + }
1138     +
1139     + if (!privkeyfile[0])
1140     + {
1141     + error("EAP-TLS: User private key missing");
1142     + return NULL;
1143     + }
1144     +
1145     + SSL_library_init();
1146     + SSL_load_error_strings();
1147     +
1148     + ctx = SSL_CTX_new(TLSv1_method());
1149     +
1150     + if (!ctx) {
1151     + error("EAP-TLS: Cannot initialize SSL CTX context");
1152     + goto fail;
1153     + }
1154     +
1155     + /* if the certificate filename is of the form engine:id. e.g.
1156     + pkcs11:12345
1157     + then we try to load and use this engine.
1158     + If the certificate filename starts with a / or . then we
1159     + ALWAYS assume it is a file and not an engine/pkcs11 identifier
1160     + */
1161     + if ( index( certfile, '/' ) == NULL && index( certfile, '.') == NULL )
1162     + {
1163     + cert_identifier = index( certfile, ':' );
1164     +
1165     + if (cert_identifier)
1166     + {
1167     + cert_engine_name = certfile;
1168     + *cert_identifier = '\0';
1169     + cert_identifier++;
1170     +
1171     + dbglog( "Found certificate engine '%s'", cert_engine_name );
1172     + dbglog( "Found certificate identifier '%s'", cert_identifier );
1173     + }
1174     + }
1175     +
1176     + /* if the privatekey filename is of the form engine:id. e.g.
1177     + pkcs11:12345
1178     + then we try to load and use this engine.
1179     + If the privatekey filename starts with a / or . then we
1180     + ALWAYS assume it is a file and not an engine/pkcs11 identifier
1181     + */
1182     + if ( index( privkeyfile, '/' ) == NULL && index( privkeyfile, '.') == NULL )
1183     + {
1184     + pkey_identifier = index( privkeyfile, ':' );
1185     +
1186     + if (pkey_identifier)
1187     + {
1188     + pkey_engine_name = privkeyfile;
1189     + *pkey_identifier = '\0';
1190     + pkey_identifier++;
1191     +
1192     + dbglog( "Found privatekey engine '%s'", pkey_engine_name );
1193     + dbglog( "Found privatekey identifier '%s'", pkey_identifier );
1194     + }
1195     + }
1196     +
1197     + if (cert_identifier && pkey_identifier)
1198     + {
1199     + if (strlen( cert_identifier ) == 0)
1200     + {
1201     + if (strlen( pkey_identifier ) == 0)
1202     + error( "EAP-TLS: both the certificate and privatekey identifiers are missing!" );
1203     + else
1204     + {
1205     + dbglog( "Substituting privatekey identifier for certificate identifier" );
1206     + cert_identifier = pkey_identifier;
1207     + }
1208     + }
1209     + else
1210     + {
1211     + if (strlen( pkey_identifier ) == 0)
1212     + {
1213     + dbglog( "Substituting certificate identifier for privatekey identifier" );
1214     + pkey_identifier = cert_identifier;
1215     + }
1216     + }
1217     +
1218     + }
1219     +
1220     + /* load the openssl config file only once */
1221     + if (!ssl_config)
1222     + {
1223     + if (cert_engine_name || pkey_engine_name)
1224     + ssl_config = eaptls_ssl_load_config();
1225     +
1226     + if (ssl_config && cert_engine_name)
1227     + cert_engine = eaptls_ssl_load_engine( cert_engine_name );
1228     +
1229     + if (ssl_config && pkey_engine_name)
1230     + {
1231     + /* don't load the same engine twice */
1232     + if ( strcmp( cert_engine_name, pkey_engine_name) == 0 )
1233     + pkey_engine = cert_engine;
1234     + else
1235     + pkey_engine = eaptls_ssl_load_engine( pkey_engine_name );
1236     + }
1237     + }
1238     +
1239     + SSL_CTX_set_default_passwd_cb (ctx, password_callback);
1240     +
1241     + if (!SSL_CTX_load_verify_locations(ctx, cacertfile, NULL))
1242     + {
1243     + error("EAP-TLS: Cannot load or verify CA file %s", cacertfile);
1244     + goto fail;
1245     + }
1246     +
1247     + if (init_server)
1248     + SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile));
1249     +
1250     + if (cert_engine)
1251     + {
1252     + struct
1253     + {
1254     + const char *s_slot_cert_id;
1255     + X509 *cert;
1256     + } cert_info;
1257     +
1258     + cert_info.s_slot_cert_id = cert_identifier;
1259     + cert_info.cert = NULL;
1260     +
1261     + if (!ENGINE_ctrl_cmd( cert_engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0 ) )
1262     + {
1263     + error( "EAP-TLS: Error loading certificate with id '%s' from engine", cert_identifier );
1264     + goto fail;
1265     + }
1266     +
1267     + if (cert_info.cert)
1268     + {
1269     + dbglog( "Got the certificate, adding it to SSL context" );
1270     + dbglog( "subject = %s", X509_NAME_oneline( X509_get_subject_name( cert_info.cert ), NULL, 0 ) );
1271     + if (SSL_CTX_use_certificate(ctx, cert_info.cert) <= 0)
1272     + {
1273     + error("EAP-TLS: Cannot use PKCS11 certificate %s", cert_identifier);
1274     + goto fail;
1275     + }
1276     + }
1277     + else
1278     + {
1279     + warn("EAP-TLS: Cannot load PKCS11 key %s", cert_identifier);
1280     + log_ssl_errors();
1281     + }
1282     + }
1283     + else
1284     + {
1285     + if (!SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM))
1286     + {
1287     + error( "EAP-TLS: Cannot use public certificate %s", certfile );
1288     + goto fail;
1289     + }
1290     + }
1291     +
1292     + if (pkey_engine)
1293     + {
1294     + EVP_PKEY *pkey = NULL;
1295     + PW_CB_DATA cb_data;
1296     +
1297     + cb_data.password = passwd;
1298     + cb_data.prompt_info = pkey_identifier;
1299     +
1300     + dbglog( "Loading private key '%s' from engine", pkey_identifier );
1301     + pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, &cb_data);
1302     + if (pkey)
1303     + {
1304     + dbglog( "Got the private key, adding it to SSL context" );
1305     + if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0)
1306     + {
1307     + error("EAP-TLS: Cannot use PKCS11 key %s", pkey_identifier);
1308     + goto fail;
1309     + }
1310     + }
1311     + else
1312     + {
1313     + warn("EAP-TLS: Cannot load PKCS11 key %s", pkey_identifier);
1314     + log_ssl_errors();
1315     + }
1316     + }
1317     + else
1318     + {
1319     + if (!SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, SSL_FILETYPE_PEM))
1320     + {
1321     + error("EAP-TLS: Cannot use private key %s", privkeyfile);
1322     + goto fail;
1323     + }
1324     + }
1325     +
1326     + if (SSL_CTX_check_private_key(ctx) != 1) {
1327     + error("EAP-TLS: Private key %s fails security check", privkeyfile);
1328     + goto fail;
1329     + }
1330     +
1331     + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
1332     + SSL_CTX_set_verify_depth(ctx, 5);
1333     + SSL_CTX_set_verify(ctx,
1334     + SSL_VERIFY_PEER |
1335     + SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1336     + &ssl_verify_callback);
1337     +
1338     + if (crl_dir) {
1339     + if (!(certstore = SSL_CTX_get_cert_store(ctx))) {
1340     + error("EAP-TLS: Failed to get certificate store");
1341     + goto fail;
1342     + }
1343     +
1344     + if (!(lookup =
1345     + X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir()))) {
1346     + error("EAP-TLS: Store lookup for CRL failed");
1347     +
1348     + goto fail;
1349     + }
1350     +
1351     + X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM);
1352     + X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
1353     + }
1354     +
1355     + /*
1356     + * If a peer certificate file was specified, it must be valid, else fail
1357     + */
1358     + if (peer_certfile[0]) {
1359     + if (!(tmp = get_X509_from_file(peer_certfile))) {
1360     + error("EAP-TLS: Error loading client certificate from file %s",
1361     + peer_certfile);
1362     + goto fail;
1363     + }
1364     + X509_free(tmp);
1365     + }
1366     +
1367     + return ctx;
1368     +
1369     +fail:
1370     + log_ssl_errors();
1371     + SSL_CTX_free(ctx);
1372     + return NULL;
1373     +}
1374     +
1375     +/*
1376     + * Determine the maximum packet size by looking at the LCP handshake
1377     + */
1378     +
1379     +int eaptls_get_mtu(int unit)
1380     +{
1381     + int mtu, mru;
1382     +
1383     + lcp_options *wo = &lcp_wantoptions[unit];
1384     + lcp_options *go = &lcp_gotoptions[unit];
1385     + lcp_options *ho = &lcp_hisoptions[unit];
1386     + lcp_options *ao = &lcp_allowoptions[unit];
1387     +
1388     + mtu = ho->neg_mru? ho->mru: PPP_MRU;
1389     + mru = go->neg_mru? MAX(wo->mru, go->mru): PPP_MRU;
1390     + mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10;
1391     +
1392     + dbglog("MTU = %d", mtu);
1393     + return mtu;
1394     +}
1395     +
1396     +
1397     +/*
1398     + * Init the ssl handshake (server mode)
1399     + */
1400     +int eaptls_init_ssl_server(eap_state * esp)
1401     +{
1402     + struct eaptls_session *ets;
1403     + char servcertfile[MAXWORDLEN];
1404     + char clicertfile[MAXWORDLEN];
1405     + char cacertfile[MAXWORDLEN];
1406     + char pkfile[MAXWORDLEN];
1407     + /*
1408     + * Allocate new eaptls session
1409     + */
1410     + esp->es_server.ea_session = malloc(sizeof(struct eaptls_session));
1411     + if (!esp->es_server.ea_session)
1412     + fatal("Allocation error");
1413     + ets = esp->es_server.ea_session;
1414     +
1415     + if (!esp->es_server.ea_peer) {
1416     + error("EAP-TLS: Error: client name not set (BUG)");
1417     + return 0;
1418     + }
1419     +
1420     + strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN);
1421     +
1422     + dbglog( "getting eaptls secret" );
1423     + if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer,
1424     + esp->es_server.ea_name, clicertfile,
1425     + servcertfile, cacertfile, pkfile, 1)) {
1426     + error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
1427     + esp->es_server.ea_peer, esp->es_server.ea_name );
1428     + return 0;
1429     + }
1430     +
1431     + ets->mtu = eaptls_get_mtu(esp->es_unit);
1432     +
1433     + ets->ctx = eaptls_init_ssl(1, cacertfile, servcertfile, clicertfile, pkfile);
1434     + if (!ets->ctx)
1435     + goto fail;
1436     +
1437     + if (!(ets->ssl = SSL_new(ets->ctx)))
1438     + goto fail;
1439     +
1440     + /*
1441     + * Set auto-retry to avoid timeouts on BIO_read
1442     + */
1443     + SSL_set_mode(ets->ssl, SSL_MODE_AUTO_RETRY);
1444     +
1445     + /*
1446     + * Initialize the BIOs we use to read/write to ssl engine
1447     + */
1448     + ets->into_ssl = BIO_new(BIO_s_mem());
1449     + ets->from_ssl = BIO_new(BIO_s_mem());
1450     + SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl);
1451     +
1452     + SSL_set_msg_callback(ets->ssl, ssl_msg_callback);
1453     + SSL_set_msg_callback_arg(ets->ssl, ets);
1454     +
1455     + /*
1456     + * Attach the session struct to the connection, so we can later
1457     + * retrieve it when doing certificate verification
1458     + */
1459     + SSL_set_ex_data(ets->ssl, 0, ets);
1460     +
1461     + SSL_set_accept_state(ets->ssl);
1462     +
1463     + ets->data = NULL;
1464     + ets->datalen = 0;
1465     + ets->alert_sent = 0;
1466     + ets->alert_recv = 0;
1467     +
1468     + /*
1469     + * If we specified the client certificate file, store it in ets->peercertfile,
1470     + * so we can check it later in ssl_verify_callback()
1471     + */
1472     + if (clicertfile[0])
1473     + strncpy(&ets->peercertfile[0], clicertfile, MAXWORDLEN);
1474     + else
1475     + ets->peercertfile[0] = 0;
1476     +
1477     + return 1;
1478     +
1479     +fail:
1480     + SSL_CTX_free(ets->ctx);
1481     + return 0;
1482     +}
1483     +
1484     +/*
1485     + * Init the ssl handshake (client mode)
1486     + */
1487     +int eaptls_init_ssl_client(eap_state * esp)
1488     +{
1489     + struct eaptls_session *ets;
1490     + char servcertfile[MAXWORDLEN];
1491     + char clicertfile[MAXWORDLEN];
1492     + char cacertfile[MAXWORDLEN];
1493     + char pkfile[MAXWORDLEN];
1494     +
1495     + /*
1496     + * Allocate new eaptls session
1497     + */
1498     + esp->es_client.ea_session = malloc(sizeof(struct eaptls_session));
1499     + if (!esp->es_client.ea_session)
1500     + fatal("Allocation error");
1501     + ets = esp->es_client.ea_session;
1502     +
1503     + /*
1504     + * If available, copy server name in ets; it will be used in cert
1505     + * verify
1506     + */
1507     + if (esp->es_client.ea_peer)
1508     + strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN);
1509     + else
1510     + ets->peer[0] = 0;
1511     +
1512     + ets->mtu = eaptls_get_mtu(esp->es_unit);
1513     +
1514     + dbglog( "calling get_eaptls_secret" );
1515     + if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name,
1516     + esp->es_client.ea_peer, clicertfile,
1517     + servcertfile, cacertfile, pkfile, 0)) {
1518     + error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
1519     + esp->es_client.ea_name, esp->es_client.ea_peer );
1520     + return 0;
1521     + }
1522     +
1523     + dbglog( "calling eaptls_init_ssl" );
1524     + ets->ctx = eaptls_init_ssl(0, cacertfile, clicertfile, servcertfile, pkfile);
1525     + if (!ets->ctx)
1526     + goto fail;
1527     +
1528     + ets->ssl = SSL_new(ets->ctx);
1529     +
1530     + if (!ets->ssl)
1531     + goto fail;
1532     +
1533     + /*
1534     + * Initialize the BIOs we use to read/write to ssl engine
1535     + */
1536     + dbglog( "Initializing SSL BIOs" );
1537     + ets->into_ssl = BIO_new(BIO_s_mem());
1538     + ets->from_ssl = BIO_new(BIO_s_mem());
1539     + SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl);
1540     +
1541     + SSL_set_msg_callback(ets->ssl, ssl_msg_callback);
1542     + SSL_set_msg_callback_arg(ets->ssl, ets);
1543     +
1544     + /*
1545     + * Attach the session struct to the connection, so we can later
1546     + * retrieve it when doing certificate verification
1547     + */
1548     + SSL_set_ex_data(ets->ssl, 0, ets);
1549     +
1550     + SSL_set_connect_state(ets->ssl);
1551     +
1552     + ets->data = NULL;
1553     + ets->datalen = 0;
1554     + ets->alert_sent = 0;
1555     + ets->alert_recv = 0;
1556     +
1557     + /*
1558     + * If we specified the server certificate file, store it in
1559     + * ets->peercertfile, so we can check it later in
1560     + * ssl_verify_callback()
1561     + */
1562     + if (servcertfile[0])
1563     + strncpy(ets->peercertfile, servcertfile, MAXWORDLEN);
1564     + else
1565     + ets->peercertfile[0] = 0;
1566     +
1567     + return 1;
1568     +
1569     +fail:
1570     + dbglog( "eaptls_init_ssl_client: fail" );
1571     + SSL_CTX_free(ets->ctx);
1572     + return 0;
1573     +
1574     +}
1575     +
1576     +void eaptls_free_session(struct eaptls_session *ets)
1577     +{
1578     + if (ets->ssl)
1579     + SSL_free(ets->ssl);
1580     +
1581     + if (ets->ctx)
1582     + SSL_CTX_free(ets->ctx);
1583     +
1584     + free(ets);
1585     +}
1586     +
1587     +/*
1588     + * Handle a received packet, reassembling fragmented messages and
1589     + * passing them to the ssl engine
1590     + */
1591     +int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len)
1592     +{
1593     + u_char flags;
1594     + u_int tlslen;
1595     + u_char dummy[65536];
1596     +
1597     + GETCHAR(flags, inp);
1598     + len--;
1599     +
1600     + if (flags & EAP_TLS_FLAGS_LI && !ets->data) {
1601     +
1602     + /*
1603     + * This is the first packet of a message
1604     + */
1605     +
1606     + GETLONG(tlslen, inp);
1607     + len -= 4;
1608     +
1609     + if (tlslen > EAP_TLS_MAX_LEN) {
1610     + error("Error: tls message length > %d, truncated",
1611     + EAP_TLS_MAX_LEN);
1612     + tlslen = EAP_TLS_MAX_LEN;
1613     + }
1614     +
1615     + /*
1616     + * Allocate memory for the whole message
1617     + */
1618     + ets->data = malloc(tlslen);
1619     + if (!ets->data)
1620     + fatal("EAP TLS: allocation error\n");
1621     +
1622     + ets->datalen = 0;
1623     + ets->tlslen = tlslen;
1624     +
1625     + }
1626     + else if (flags & EAP_TLS_FLAGS_LI && ets->data) {
1627     + /*
1628     + * Non first with LI (strange...)
1629     + */
1630     +
1631     + GETLONG(tlslen, inp);
1632     + len -= 4;
1633     +
1634     + }
1635     + else if (!ets->data) {
1636     + /*
1637     + * A non fragmented message without LI flag
1638     + */
1639     +
1640     + ets->data = malloc(len);
1641     + if (!ets->data)
1642     + fatal("EAP TLS: allocation error\n");
1643     +
1644     + ets->datalen = 0;
1645     + ets->tlslen = len;
1646     + }
1647     +
1648     + if (flags & EAP_TLS_FLAGS_MF)
1649     + ets->frag = 1;
1650     + else
1651     + ets->frag = 0;
1652     +
1653     + if (len + ets->datalen > ets->tlslen) {
1654     + warn("EAP TLS: received data > TLS message length");
1655     + return 1;
1656     + }
1657     +
1658     + BCOPY(inp, ets->data + ets->datalen, len);
1659     + ets->datalen += len;
1660     +
1661     + if (!ets->frag) {
1662     +
1663     + /*
1664     + * If we have the whole message, pass it to ssl
1665     + */
1666     +
1667     + if (ets->datalen != ets->tlslen) {
1668     + warn("EAP TLS: received data != TLS message length");
1669     + return 1;
1670     + }
1671     +
1672     + if (BIO_write(ets->into_ssl, ets->data, ets->datalen) == -1)
1673     + log_ssl_errors();
1674     +
1675     + SSL_read(ets->ssl, dummy, 65536);
1676     +
1677     + free(ets->data);
1678     + ets->data = NULL;
1679     + ets->datalen = 0;
1680     + }
1681     +
1682     + return 0;
1683     +}
1684     +
1685     +/*
1686     + * Return an eap-tls packet in outp.
1687     + * A TLS message read from the ssl engine is buffered in ets->data.
1688     + * At each call we control if there is buffered data and send a
1689     + * packet of mtu bytes.
1690     + */
1691     +int eaptls_send(struct eaptls_session *ets, u_char ** outp)
1692     +{
1693     + bool first = 0;
1694     + int size;
1695     + u_char fromtls[65536];
1696     + int res;
1697     + u_char *start;
1698     +
1699     + start = *outp;
1700     +
1701     + if (!ets->data) {
1702     +
1703     + if(!ets->alert_sent)
1704     + SSL_read(ets->ssl, fromtls, 65536);
1705     +
1706     + /*
1707     + * Read from ssl
1708     + */
1709     + if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) == -1)
1710     + fatal("No data from BIO_read");
1711     +
1712     + ets->datalen = res;
1713     +
1714     + ets->data = malloc(ets->datalen);
1715     + BCOPY(fromtls, ets->data, ets->datalen);
1716     +
1717     + ets->offset = 0;
1718     + first = 1;
1719     +
1720     + }
1721     +
1722     + size = ets->datalen - ets->offset;
1723     +
1724     + if (size > ets->mtu) {
1725     + size = ets->mtu;
1726     + ets->frag = 1;
1727     + } else
1728     + ets->frag = 0;
1729     +
1730     + PUTCHAR(EAPT_TLS, *outp);
1731     +
1732     + /*
1733     + * Set right flags and length if necessary
1734     + */
1735     + if (ets->frag && first) {
1736     + PUTCHAR(EAP_TLS_FLAGS_LI | EAP_TLS_FLAGS_MF, *outp);
1737     + PUTLONG(ets->datalen, *outp);
1738     + } else if (ets->frag) {
1739     + PUTCHAR(EAP_TLS_FLAGS_MF, *outp);
1740     + } else
1741     + PUTCHAR(0, *outp);
1742     +
1743     + /*
1744     + * Copy the data in outp
1745     + */
1746     + BCOPY(ets->data + ets->offset, *outp, size);
1747     + INCPTR(size, *outp);
1748     +
1749     + /*
1750     + * Copy the packet in retransmission buffer
1751     + */
1752     + BCOPY(start, &ets->rtx[0], *outp - start);
1753     + ets->rtx_len = *outp - start;
1754     +
1755     + ets->offset += size;
1756     +
1757     + if (ets->offset >= ets->datalen) {
1758     +
1759     + /*
1760     + * The whole message has been sent
1761     + */
1762     +
1763     + free(ets->data);
1764     + ets->data = NULL;
1765     + ets->datalen = 0;
1766     + ets->offset = 0;
1767     + }
1768     +
1769     + return 0;
1770     +}
1771     +
1772     +/*
1773     + * Get the sent packet from the retransmission buffer
1774     + */
1775     +void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp)
1776     +{
1777     + BCOPY(ets->rtx, *outp, ets->rtx_len);
1778     + INCPTR(ets->rtx_len, *outp);
1779     +}
1780     +
1781     +/*
1782     + * Verify a certificate.
1783     + * Most of the work (signatures and issuer attributes checking)
1784     + * is done by ssl; we check the CN in the peer certificate
1785     + * against the peer name.
1786     + */
1787     +int ssl_verify_callback(int preverify_ok, X509_STORE_CTX * ctx)
1788     +{
1789     + char subject[256];
1790     + char cn_str[256];
1791     + X509 *peer_cert;
1792     + int err, depth;
1793     + int ok = preverify_ok;
1794     + SSL *ssl;
1795     + struct eaptls_session *ets;
1796     +
1797     + peer_cert = X509_STORE_CTX_get_current_cert(ctx);
1798     + err = X509_STORE_CTX_get_error(ctx);
1799     + depth = X509_STORE_CTX_get_error_depth(ctx);
1800     +
1801     + dbglog("certificate verify depth: %d", depth);
1802     +
1803     + if (auth_required && !ok) {
1804     + X509_NAME_oneline(X509_get_subject_name(peer_cert),
1805     + subject, 256);
1806     +
1807     + X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
1808     + NID_commonName, cn_str, 256);
1809     +
1810     + dbglog("Certificate verification error:\n depth: %d CN: %s"
1811     + "\n err: %d (%s)\n", depth, cn_str, err,
1812     + X509_verify_cert_error_string(err));
1813     +
1814     + return 0;
1815     + }
1816     +
1817     + ssl = X509_STORE_CTX_get_ex_data(ctx,
1818     + SSL_get_ex_data_X509_STORE_CTX_idx());
1819     +
1820     + ets = (struct eaptls_session *)SSL_get_ex_data(ssl, 0);
1821     +
1822     + if (ets == NULL) {
1823     + error("Error: SSL_get_ex_data returned NULL");
1824     + return 0;
1825     + }
1826     +
1827     + log_ssl_errors();
1828     +
1829     + if (!depth) { /* This is the peer certificate */
1830     +
1831     + X509_NAME_oneline(X509_get_subject_name(peer_cert),
1832     + subject, 256);
1833     +
1834     + X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
1835     + NID_commonName, cn_str, 256);
1836     +
1837     + /*
1838     + * If acting as client and the name of the server wasn't specified
1839     + * explicitely, we can't verify the server authenticity
1840     + */
1841     + if (!ets->peer[0]) {
1842     + warn("Peer name not specified: no check");
1843     + return 1;
1844     + }
1845     +
1846     + /*
1847     + * Check the CN
1848     + */
1849     + if (strcmp(cn_str, ets->peer)) {
1850     + error
1851     + ("Certificate verification error: CN (%s) != peer_name (%s)",
1852     + cn_str, ets->peer);
1853     + return 0;
1854     + }
1855     +
1856     + warn("Certificate CN: %s , peer name %s", cn_str, ets->peer);
1857     +
1858     + /*
1859     + * If a peer certificate file was specified, here we check it
1860     + */
1861     + if (ets->peercertfile[0]) {
1862     + if (ssl_cmp_certs(&ets->peercertfile[0], peer_cert)
1863     + != 0) {
1864     + error
1865     + ("Peer certificate doesn't match stored certificate");
1866     + return 0;
1867     + }
1868     + }
1869     + }
1870     +
1871     + return 1;
1872     +}
1873     +
1874     +/*
1875     + * Compare a certificate with the one stored in a file
1876     + */
1877     +int ssl_cmp_certs(char *filename, X509 * a)
1878     +{
1879     + X509 *b;
1880     + int ret;
1881     +
1882     + if (!(b = get_X509_from_file(filename)))
1883     + return 1;
1884     +
1885     + ret = X509_cmp(a, b);
1886     + X509_free(b);
1887     +
1888     + return ret;
1889     +
1890     +}
1891     +
1892     +X509 *get_X509_from_file(char *filename)
1893     +{
1894     + FILE *fp;
1895     + X509 *ret;
1896     +
1897     + if (!(fp = fopen(filename, "r")))
1898     + return NULL;
1899     +
1900     + ret = PEM_read_X509(fp, NULL, NULL, NULL);
1901     +
1902     + fclose(fp);
1903     +
1904     + return ret;
1905     +}
1906     +
1907     +/*
1908     + * Every sent & received message this callback function is invoked,
1909     + * so we know when alert messages have arrived or are sent and
1910     + * we can print debug information about TLS handshake.
1911     + */
1912     +void
1913     +ssl_msg_callback(int write_p, int version, int content_type,
1914     + const void *buf, size_t len, SSL * ssl, void *arg)
1915     +{
1916     + char string[256];
1917     + struct eaptls_session *ets = (struct eaptls_session *)arg;
1918     + unsigned char code;
1919     +
1920     + if(write_p)
1921     + strcpy(string, " -> ");
1922     + else
1923     + strcpy(string, " <- ");
1924     +
1925     +
1926     + switch(content_type) {
1927     +
1928     + case SSL3_RT_ALERT:
1929     + strcat(string, "Alert: ");
1930     + code = ((const unsigned char *)buf)[1];
1931     +
1932     + if (write_p) {
1933     + ets->alert_sent = 1;
1934     + ets->alert_sent_desc = code;
1935     + } else {
1936     + ets->alert_recv = 1;
1937     + ets->alert_recv_desc = code;
1938     + }
1939     +
1940     + strcat(string, SSL_alert_desc_string_long(code));
1941     + break;
1942     +
1943     + case SSL3_RT_CHANGE_CIPHER_SPEC:
1944     + strcat(string, "ChangeCipherSpec");
1945     + break;
1946     +
1947     + case SSL3_RT_HANDSHAKE:
1948     +
1949     + strcat(string, "Handshake: ");
1950     + code = ((const unsigned char *)buf)[0];
1951     +
1952     + switch(code) {
1953     + case SSL3_MT_HELLO_REQUEST:
1954     + strcat(string,"Hello Request");
1955     + break;
1956     + case SSL3_MT_CLIENT_HELLO:
1957     + strcat(string,"Client Hello");
1958     + break;
1959     + case SSL3_MT_SERVER_HELLO:
1960     + strcat(string,"Server Hello");
1961     + break;
1962     + case SSL3_MT_CERTIFICATE:
1963     + strcat(string,"Certificate");
1964     + break;
1965     + case SSL3_MT_SERVER_KEY_EXCHANGE:
1966     + strcat(string,"Server Key Exchange");
1967     + break;
1968     + case SSL3_MT_CERTIFICATE_REQUEST:
1969     + strcat(string,"Certificate Request");
1970     + break;
1971     + case SSL3_MT_SERVER_DONE:
1972     + strcat(string,"Server Hello Done");
1973     + break;
1974     + case SSL3_MT_CERTIFICATE_VERIFY:
1975     + strcat(string,"Certificate Verify");
1976     + break;
1977     + case SSL3_MT_CLIENT_KEY_EXCHANGE:
1978     + strcat(string,"Client Key Exchange");
1979     + break;
1980     + case SSL3_MT_FINISHED:
1981     + strcat(string,"Finished");
1982     + break;
1983     +
1984     + default:
1985     + sprintf( string, "Handshake: Unknown SSL3 code received: %d", code );
1986     + }
1987     + break;
1988     +
1989     + default:
1990     + sprintf( string, "SSL message contains unknown content type: %d", content_type );
1991     +
1992     + }
1993     +
1994     + /* Alert messages must always be displayed */
1995     + if(content_type == SSL3_RT_ALERT)
1996     + error("%s", string);
1997     + else
1998     + dbglog("%s", string);
1999     +}
2000     +
2001     diff -Naur ppp-2.4.5/pppd/eap-tls.h ppp-2.4.5-eaptls-mppe-0.99/pppd/eap-tls.h
2002     --- ppp-2.4.5/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100
2003     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/eap-tls.h 2010-10-01 15:17:54.213271816 +0200
2004     @@ -0,0 +1,107 @@
2005     +/*
2006     + * eap-tls.h
2007     + *
2008     + * Copyright (c) Beniamino Galvani 2005 All rights reserved.
2009     + *
2010     + * Redistribution and use in source and binary forms, with or without
2011     + * modification, are permitted provided that the following conditions
2012     + * are met:
2013     + *
2014     + * 1. Redistributions of source code must retain the above copyright
2015     + * notice, this list of conditions and the following disclaimer.
2016     + *
2017     + * 2. Redistributions in binary form must reproduce the above copyright
2018     + * notice, this list of conditions and the following disclaimer in
2019     + * the documentation and/or other materials provided with the
2020     + * distribution.
2021     + *
2022     + * 3. The name(s) of the authors of this software must not be used to
2023     + * endorse or promote products derived from this software without
2024     + * prior written permission.
2025     + *
2026     + * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
2027     + * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2028     + * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
2029     + * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
2030     + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
2031     + * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
2032     + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
2033     + *
2034     + */
2035     +
2036     +#ifndef __EAP_TLS_H__
2037     +#define __EAP_TLS_H__
2038     +
2039     +#include "eap.h"
2040     +
2041     +#include <openssl/ssl.h>
2042     +#include <openssl/bio.h>
2043     +#include <openssl/md5.h>
2044     +
2045     +#define EAP_TLS_FLAGS_LI 128 /* length included flag */
2046     +#define EAP_TLS_FLAGS_MF 64 /* more fragments flag */
2047     +#define EAP_TLS_FLAGS_START 32 /* start flag */
2048     +
2049     +#define EAP_TLS_MAX_LEN 65536 /* max eap tls packet size */
2050     +
2051     +struct eaptls_session
2052     +{
2053     + u_char *data; /* buffered data */
2054     + int datalen; /* buffered data len */
2055     + int offset; /* from where to send */
2056     + int tlslen; /* total length of tls data */
2057     + bool frag; /* packet is fragmented */
2058     + SSL_CTX *ctx;
2059     + SSL *ssl; /* ssl connection */
2060     + BIO *from_ssl;
2061     + BIO *into_ssl;
2062     + char peer[MAXWORDLEN]; /* peer name */
2063     + char peercertfile[MAXWORDLEN];
2064     + bool alert_sent;
2065     + u_char alert_sent_desc;
2066     + bool alert_recv;
2067     + u_char alert_recv_desc;
2068     + char rtx[65536]; /* retransmission buffer */
2069     + int rtx_len;
2070     + int mtu; /* unit mtu */
2071     +};
2072     +
2073     +typedef struct pw_cb_data
2074     +{
2075     + const void *password;
2076     + const char *prompt_info;
2077     +} PW_CB_DATA;
2078     +
2079     +
2080     +int ssl_verify_callback(int, X509_STORE_CTX *);
2081     +void ssl_msg_callback(int write_p, int version, int ct, const void *buf,
2082     + size_t len, SSL * ssl, void *arg);
2083     +
2084     +X509 *get_X509_from_file(char *filename);
2085     +int ssl_cmp_certs(char *filename, X509 * a);
2086     +
2087     +SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile,
2088     + char *certfile, char *peer_certfile, char *privkeyfile);
2089     +int eaptls_init_ssl_server(eap_state * esp);
2090     +int eaptls_init_ssl_client(eap_state * esp);
2091     +void eaptls_free_session(struct eaptls_session *ets);
2092     +
2093     +int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len);
2094     +int eaptls_send(struct eaptls_session *ets, u_char ** outp);
2095     +void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp);
2096     +
2097     +int get_eaptls_secret(int unit, char *client, char *server,
2098     + char *clicertfile, char *servcertfile, char *cacertfile,
2099     + char *pkfile, int am_server);
2100     +
2101     +#ifdef MPPE
2102     +#include "mppe.h" /* MPPE_MAX_KEY_LEN */
2103     +extern u_char mppe_send_key[MPPE_MAX_KEY_LEN];
2104     +extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN];
2105     +extern int mppe_keys_set;
2106     +
2107     +void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, int client);
2108     +
2109     +#endif
2110     +
2111     +#endif
2112     diff -Naur ppp-2.4.5/pppd/eap.c ppp-2.4.5-eaptls-mppe-0.99/pppd/eap.c
2113     --- ppp-2.4.5/pppd/eap.c 2009-11-16 23:26:07.000000000 +0100
2114     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/eap.c 2010-01-29 16:31:29.000000000 +0100
2115     @@ -43,6 +43,11 @@
2116     * Based on draft-ietf-pppext-eap-srp-03.txt.
2117     */
2118    
2119     +/*
2120     + * Modification by Beniamino Galvani, Mar 2005
2121     + * Implemented EAP-TLS authentication
2122     + */
2123     +
2124     #define RCSID "$Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp $"
2125    
2126     /*
2127     @@ -62,8 +67,12 @@
2128    
2129     #include "pppd.h"
2130     #include "pathnames.h"
2131     -#include "md5.h"
2132     #include "eap.h"
2133     +#ifdef USE_EAPTLS
2134     +#include "eap-tls.h"
2135     +#else
2136     +#include "md5.h"
2137     +#endif /* USE_EAPTLS */
2138    
2139     #ifdef USE_SRP
2140     #include <t_pwd.h>
2141     @@ -209,6 +218,9 @@
2142     esp->es_server.ea_id = (u_char)(drand48() * 0x100);
2143     esp->es_client.ea_timeout = EAP_DEFREQTIME;
2144     esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ;
2145     +#ifdef USE_EAPTLS
2146     + esp->es_client.ea_using_eaptls = 0;
2147     +#endif /* USE_EAPTLS */
2148     }
2149    
2150     /*
2151     @@ -436,8 +448,16 @@
2152     u_char vals[2];
2153     struct b64state bs;
2154     #endif /* USE_SRP */
2155     +#ifdef USE_EAPTLS
2156     + struct eaptls_session *ets;
2157     + int secret_len;
2158     + char secret[MAXWORDLEN];
2159     +#endif /* USE_EAPTLS */
2160    
2161     esp->es_server.ea_timeout = esp->es_savedtime;
2162     +#ifdef USE_EAPTLS
2163     + esp->es_server.ea_prev_state = esp->es_server.ea_state;
2164     +#endif /* USE_EAPTLS */
2165     switch (esp->es_server.ea_state) {
2166     case eapBadAuth:
2167     return;
2168     @@ -562,9 +582,81 @@
2169     break;
2170     }
2171     #endif /* USE_SRP */
2172     +#ifdef USE_EAPTLS
2173     + if (!get_secret(esp->es_unit, esp->es_server.ea_peer,
2174     + esp->es_server.ea_name, secret, &secret_len, 1)) {
2175     +
2176     + esp->es_server.ea_state = eapTlsStart;
2177     + break;
2178     + }
2179     +#endif /* USE_EAPTLS */
2180     +
2181     esp->es_server.ea_state = eapMD5Chall;
2182     break;
2183    
2184     +#ifdef USE_EAPTLS
2185     + case eapTlsStart:
2186     + /* Initialize ssl session */
2187     + if(!eaptls_init_ssl_server(esp)) {
2188     + esp->es_server.ea_state = eapBadAuth;
2189     + break;
2190     + }
2191     +
2192     + esp->es_server.ea_state = eapTlsRecv;
2193     + break;
2194     +
2195     + case eapTlsRecv:
2196     + ets = (struct eaptls_session *) esp->es_server.ea_session;
2197     +
2198     + if(ets->alert_sent) {
2199     + esp->es_server.ea_state = eapTlsSendAlert;
2200     + break;
2201     + }
2202     +
2203     + if (status) {
2204     + esp->es_server.ea_state = eapBadAuth;
2205     + break;
2206     + }
2207     + ets = (struct eaptls_session *) esp->es_server.ea_session;
2208     +
2209     + if(ets->frag)
2210     + esp->es_server.ea_state = eapTlsSendAck;
2211     + else
2212     + esp->es_server.ea_state = eapTlsSend;
2213     + break;
2214     +
2215     + case eapTlsSend:
2216     + ets = (struct eaptls_session *) esp->es_server.ea_session;
2217     +
2218     + if(SSL_is_init_finished(ets->ssl)) {
2219     + esp->es_server.ea_state = eapTlsRecvClient;
2220     + break;
2221     + }
2222     +
2223     + if(ets->frag)
2224     + esp->es_server.ea_state = eapTlsRecvAck;
2225     + else
2226     + esp->es_server.ea_state = eapTlsRecv;
2227     + break;
2228     +
2229     + case eapTlsSendAck:
2230     + esp->es_server.ea_state = eapTlsRecv;
2231     + break;
2232     +
2233     + case eapTlsRecvAck:
2234     + if (status) {
2235     + esp->es_server.ea_state = eapBadAuth;
2236     + break;
2237     + }
2238     +
2239     + esp->es_server.ea_state = eapTlsSend;
2240     + break;
2241     +
2242     + case eapTlsSendAlert:
2243     + esp->es_server.ea_state = eapTlsRecvAlertAck;
2244     + break;
2245     +#endif /* USE_EAPTLS */
2246     +
2247     case eapSRP1:
2248     #ifdef USE_SRP
2249     ts = (struct t_server *)esp->es_server.ea_session;
2250     @@ -718,6 +810,30 @@
2251     INCPTR(esp->es_server.ea_namelen, outp);
2252     break;
2253    
2254     +#ifdef USE_EAPTLS
2255     + case eapTlsStart:
2256     + PUTCHAR(EAPT_TLS, outp);
2257     + PUTCHAR(EAP_TLS_FLAGS_START, outp);
2258     + eap_figure_next_state(esp, 0);
2259     + break;
2260     +
2261     + case eapTlsSend:
2262     + eaptls_send(esp->es_server.ea_session, &outp);
2263     + eap_figure_next_state(esp, 0);
2264     + break;
2265     +
2266     + case eapTlsSendAck:
2267     + PUTCHAR(EAPT_TLS, outp);
2268     + PUTCHAR(0, outp);
2269     + eap_figure_next_state(esp, 0);
2270     + break;
2271     +
2272     + case eapTlsSendAlert:
2273     + eaptls_send(esp->es_server.ea_session, &outp);
2274     + eap_figure_next_state(esp, 0);
2275     + break;
2276     +#endif /* USE_EAPTLS */
2277     +
2278     #ifdef USE_SRP
2279     case eapSRP1:
2280     PUTCHAR(EAPT_SRP, outp);
2281     @@ -904,11 +1020,57 @@
2282     eap_server_timeout(arg)
2283     void *arg;
2284     {
2285     +#ifdef USE_EAPTLS
2286     + u_char *outp;
2287     + u_char *lenloc;
2288     + int outlen;
2289     +#endif /* USE_EAPTLS */
2290     +
2291     eap_state *esp = (eap_state *) arg;
2292    
2293     if (!eap_server_active(esp))
2294     return;
2295    
2296     +#ifdef USE_EAPTLS
2297     + switch(esp->es_server.ea_prev_state) {
2298     +
2299     + /*
2300     + * In eap-tls the state changes after a request, so we return to
2301     + * previous state ...
2302     + */
2303     + case(eapTlsStart):
2304     + case(eapTlsSendAck):
2305     + esp->es_server.ea_state = esp->es_server.ea_prev_state;
2306     + break;
2307     +
2308     + /*
2309     + * ... or resend the stored data
2310     + */
2311     + case(eapTlsSend):
2312     + case(eapTlsSendAlert):
2313     + outp = outpacket_buf;
2314     + MAKEHEADER(outp, PPP_EAP);
2315     + PUTCHAR(EAP_REQUEST, outp);
2316     + PUTCHAR(esp->es_server.ea_id, outp);
2317     + lenloc = outp;
2318     + INCPTR(2, outp);
2319     +
2320     + eaptls_retransmit(esp->es_server.ea_session, &outp);
2321     +
2322     + outlen = (outp - outpacket_buf) - PPP_HDRLEN;
2323     + PUTSHORT(outlen, lenloc);
2324     + output(esp->es_unit, outpacket_buf, outlen + PPP_HDRLEN);
2325     + esp->es_server.ea_requests++;
2326     +
2327     + if (esp->es_server.ea_timeout > 0)
2328     + TIMEOUT(eap_server_timeout, esp, esp->es_server.ea_timeout);
2329     +
2330     + return;
2331     + default:
2332     + break;
2333     + }
2334     +#endif /* USE_EAPTLS */
2335     +
2336     /* EAP ID number must not change on timeout. */
2337     eap_send_request(esp);
2338     }
2339     @@ -1166,6 +1328,81 @@
2340     }
2341     #endif /* USE_SRP */
2342    
2343     +#ifdef USE_EAPTLS
2344     +/*
2345     + * Send an EAP-TLS response message with tls data
2346     + */
2347     +static void
2348     +eap_tls_response(esp, id)
2349     +eap_state *esp;
2350     +u_char id;
2351     +{
2352     + u_char *outp;
2353     + int outlen;
2354     + u_char *lenloc;
2355     +
2356     + outp = outpacket_buf;
2357     +
2358     + MAKEHEADER(outp, PPP_EAP);
2359     +
2360     + PUTCHAR(EAP_RESPONSE, outp);
2361     + PUTCHAR(id, outp);
2362     +
2363     + lenloc = outp;
2364     + INCPTR(2, outp);
2365     +
2366     + /*
2367     + If the id in the request is unchanged, we must retransmit
2368     + the old data
2369     + */
2370     + if(id == esp->es_client.ea_id)
2371     + eaptls_retransmit(esp->es_client.ea_session, &outp);
2372     + else
2373     + eaptls_send(esp->es_client.ea_session, &outp);
2374     +
2375     + outlen = (outp - outpacket_buf) - PPP_HDRLEN;
2376     + PUTSHORT(outlen, lenloc);
2377     +
2378     + output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen);
2379     +
2380     + esp->es_client.ea_id = id;
2381     +
2382     +}
2383     +
2384     +/*
2385     + * Send an EAP-TLS ack
2386     + */
2387     +static void
2388     +eap_tls_sendack(esp, id)
2389     +eap_state *esp;
2390     +u_char id;
2391     +{
2392     + u_char *outp;
2393     + int outlen;
2394     + u_char *lenloc;
2395     +
2396     + outp = outpacket_buf;
2397     +
2398     + MAKEHEADER(outp, PPP_EAP);
2399     +
2400     + PUTCHAR(EAP_RESPONSE, outp);
2401     + PUTCHAR(id, outp);
2402     + esp->es_client.ea_id = id;
2403     +
2404     + lenloc = outp;
2405     + INCPTR(2, outp);
2406     +
2407     + PUTCHAR(EAPT_TLS, outp);
2408     + PUTCHAR(0, outp);
2409     +
2410     + outlen = (outp - outpacket_buf) - PPP_HDRLEN;
2411     + PUTSHORT(outlen, lenloc);
2412     +
2413     + output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen);
2414     +
2415     +}
2416     +#endif /* USE_EAPTLS */
2417     +
2418     static void
2419     eap_send_nak(esp, id, type)
2420     eap_state *esp;
2421     @@ -1320,6 +1557,11 @@
2422     char rhostname[256];
2423     MD5_CTX mdContext;
2424     u_char hash[MD5_SIGNATURE_SIZE];
2425     +#ifdef USE_EAPTLS
2426     + u_char flags;
2427     + struct eaptls_session *ets = esp->es_client.ea_session;
2428     +#endif /* USE_EAPTLS */
2429     +
2430     #ifdef USE_SRP
2431     struct t_client *tc;
2432     struct t_num sval, gval, Nval, *Ap, Bval;
2433     @@ -1456,6 +1698,90 @@
2434     esp->es_client.ea_namelen);
2435     break;
2436    
2437     +#ifdef USE_EAPTLS
2438     + case EAPT_TLS:
2439     +
2440     + switch(esp->es_client.ea_state) {
2441     +
2442     + case eapListen:
2443     +
2444     + GETCHAR(flags, inp);
2445     + if(flags & EAP_TLS_FLAGS_START){
2446     +
2447     + esp->es_client.ea_using_eaptls = 1;
2448     +
2449     + if (explicit_remote){
2450     + esp->es_client.ea_peer = strdup(remote_name);
2451     + esp->es_client.ea_peerlen = strlen(remote_name);
2452     + } else
2453     + esp->es_client.ea_peer = NULL;
2454     +
2455     + /* Init ssl session */
2456     + if(!eaptls_init_ssl_client(esp)) {
2457     + dbglog("cannot init ssl");
2458     + eap_send_nak(esp, id, EAPT_TLS);
2459     + esp->es_client.ea_using_eaptls = 0;
2460     + break;
2461     + }
2462     +
2463     + ets = esp->es_client.ea_session;
2464     + eap_tls_response(esp, id);
2465     + esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
2466     + eapTlsRecv);
2467     + break;
2468     + }
2469     +
2470     + /* The server has sent a bad start packet. */
2471     + eap_send_nak(esp, id, EAPT_TLS);
2472     + break;
2473     +
2474     + case eapTlsRecvAck:
2475     + eap_tls_response(esp, id);
2476     + esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
2477     + eapTlsRecv);
2478     + break;
2479     +
2480     + case eapTlsRecv:
2481     + eaptls_receive(ets, inp, len);
2482     +
2483     + if(ets->frag) {
2484     + eap_tls_sendack(esp, id);
2485     + esp->es_client.ea_state = eapTlsRecv;
2486     + break;
2487     + }
2488     +
2489     + if(ets->alert_recv) {
2490     + eap_tls_sendack(esp, id);
2491     + esp->es_client.ea_state = eapTlsRecvFailure;
2492     + break;
2493     + }
2494     +
2495     + /* Check if TLS handshake is finished */
2496     + if(SSL_is_init_finished(ets->ssl)){
2497     +#ifdef MPPE
2498     + eaptls_gen_mppe_keys( ets, "client EAP encryption", 1 );
2499     +#endif
2500     + eaptls_free_session(ets);
2501     + eap_tls_sendack(esp, id);
2502     + esp->es_client.ea_state = eapTlsRecvSuccess;
2503     + break;
2504     + }
2505     +
2506     + eap_tls_response(esp,id);
2507     + esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
2508     + eapTlsRecv);
2509     +
2510     + break;
2511     +
2512     + default:
2513     + eap_send_nak(esp, id, EAPT_TLS);
2514     + esp->es_client.ea_using_eaptls = 0;
2515     + break;
2516     + }
2517     +
2518     + break;
2519     +#endif /* USE_EAPTLS */
2520     +
2521     #ifdef USE_SRP
2522     case EAPT_SRP:
2523     if (len < 1) {
2524     @@ -1737,6 +2063,11 @@
2525     u_char dig[SHA_DIGESTSIZE];
2526     #endif /* USE_SRP */
2527    
2528     +#ifdef USE_EAPTLS
2529     + struct eaptls_session *ets;
2530     + u_char flags;
2531     +#endif /* USE_EAPTLS */
2532     +
2533     if (esp->es_server.ea_id != id) {
2534     dbglog("EAP: discarding Response %d; expected ID %d", id,
2535     esp->es_server.ea_id);
2536     @@ -1776,6 +2107,60 @@
2537     eap_figure_next_state(esp, 0);
2538     break;
2539    
2540     +#ifdef USE_EAPTLS
2541     + case EAPT_TLS:
2542     + switch(esp->es_server.ea_state) {
2543     +
2544     + case eapTlsRecv:
2545     + ets = (struct eaptls_session *) esp->es_server.ea_session;
2546     + eap_figure_next_state(esp,
2547     + eaptls_receive(esp->es_server.ea_session, inp, len));
2548     +
2549     + if(ets->alert_recv) {
2550     + eap_send_failure(esp);
2551     + break;
2552     + }
2553     + break;
2554     +
2555     + case eapTlsRecvAck:
2556     + if(len > 1) {
2557     + dbglog("EAP-TLS ACK with extra data");
2558     + }
2559     + eap_figure_next_state(esp, 0);
2560     + break;
2561     +
2562     + case eapTlsRecvClient:
2563     + /* Receive authentication response from client */
2564     +
2565     + GETCHAR(flags, inp);
2566     +
2567     + if(len == 1 && !flags) { /* Ack = ok */
2568     +#ifdef MPPE
2569     + eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 );
2570     +#endif
2571     + eap_send_success(esp);
2572     + }
2573     + else { /* failure */
2574     + eaptls_receive(esp->es_server.ea_session, inp, len);
2575     + warn("Server authentication failed");
2576     + eap_send_failure(esp);
2577     + }
2578     +
2579     + eaptls_free_session(esp->es_server.ea_session);
2580     +
2581     + break;
2582     +
2583     + case eapTlsRecvAlertAck:
2584     + eap_send_failure(esp);
2585     + break;
2586     +
2587     + default:
2588     + eap_figure_next_state(esp, 1);
2589     + break;
2590     + }
2591     + break;
2592     +#endif /* USE_EAPTLS */
2593     +
2594     case EAPT_NOTIFICATION:
2595     dbglog("EAP unexpected Notification; response discarded");
2596     break;
2597     @@ -1807,6 +2192,13 @@
2598     esp->es_server.ea_state = eapMD5Chall;
2599     break;
2600    
2601     +#ifdef USE_EAPTLS
2602     + /* Send EAP-TLS start packet */
2603     + case EAPT_TLS:
2604     + esp->es_server.ea_state = eapTlsStart;
2605     + break;
2606     +#endif /* USE_EAPTLS */
2607     +
2608     default:
2609     dbglog("EAP: peer requesting unknown Type %d", vallen);
2610     switch (esp->es_server.ea_state) {
2611     @@ -2018,13 +2410,27 @@
2612     int id;
2613     int len;
2614     {
2615     - if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)) {
2616     + if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)
2617     +#ifdef USE_EAPTLS
2618     + && esp->es_client.ea_state != eapTlsRecvSuccess
2619     +#endif /* USE_EAPTLS */
2620     + ) {
2621     dbglog("EAP unexpected success message in state %s (%d)",
2622     eap_state_name(esp->es_client.ea_state),
2623     esp->es_client.ea_state);
2624     return;
2625     }
2626    
2627     +#ifdef USE_EAPTLS
2628     + if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state !=
2629     + eapTlsRecvSuccess) {
2630     + dbglog("EAP-TLS unexpected success message in state %s (%d)",
2631     + eap_state_name(esp->es_client.ea_state),
2632     + esp->es_client.ea_state);
2633     + return;
2634     + }
2635     +#endif /* USE_EAPTLS */
2636     +
2637     if (esp->es_client.ea_timeout > 0) {
2638     UNTIMEOUT(eap_client_timeout, (void *)esp);
2639     }
2640     @@ -2150,6 +2556,9 @@
2641     int code, id, len, rtype, vallen;
2642     u_char *pstart;
2643     u_int32_t uval;
2644     +#ifdef USE_EAPTLS
2645     + u_char flags;
2646     +#endif /* USE_EAPTLS */
2647    
2648     if (inlen < EAP_HEADERLEN)
2649     return (0);
2650     @@ -2214,6 +2623,24 @@
2651     }
2652     break;
2653    
2654     +#ifdef USE_EAPTLS
2655     + case EAPT_TLS:
2656     + if (len < 1)
2657     + break;
2658     + GETCHAR(flags, inp);
2659     + len--;
2660     +
2661     + if(flags == 0 && len == 0){
2662     + printer(arg, " Ack");
2663     + break;
2664     + }
2665     +
2666     + printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -");
2667     + printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-");
2668     + printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- ");
2669     + break;
2670     +#endif /* USE_EAPTLS */
2671     +
2672     case EAPT_SRP:
2673     if (len < 3)
2674     goto truncated;
2675     @@ -2325,6 +2752,25 @@
2676     }
2677     break;
2678    
2679     +#ifdef USE_EAPTLS
2680     + case EAPT_TLS:
2681     + if (len < 1)
2682     + break;
2683     + GETCHAR(flags, inp);
2684     + len--;
2685     +
2686     + if(flags == 0 && len == 0){
2687     + printer(arg, " Ack");
2688     + break;
2689     + }
2690     +
2691     + printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -");
2692     + printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-");
2693     + printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- ");
2694     +
2695     + break;
2696     +#endif /* USE_EAPTLS */
2697     +
2698     case EAPT_NAK:
2699     if (len <= 0) {
2700     printer(arg, " <missing hint>");
2701     @@ -2426,3 +2872,4 @@
2702    
2703     return (inp - pstart);
2704     }
2705     +
2706     diff -Naur ppp-2.4.5/pppd/eap.h ppp-2.4.5-eaptls-mppe-0.99/pppd/eap.h
2707     --- ppp-2.4.5/pppd/eap.h 2009-11-16 23:26:07.000000000 +0100
2708     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/eap.h 2010-10-01 15:17:54.214270927 +0200
2709     @@ -84,6 +84,16 @@
2710     eapClosed, /* Authentication not in use */
2711     eapListen, /* Client ready (and timer running) */
2712     eapIdentify, /* EAP Identify sent */
2713     + eapTlsStart, /* Send EAP-TLS start packet */
2714     + eapTlsRecv, /* Receive EAP-TLS tls data */
2715     + eapTlsSendAck, /* Send EAP-TLS ack */
2716     + eapTlsSend, /* Send EAP-TLS tls data */
2717     + eapTlsRecvAck, /* Receive EAP-TLS ack */
2718     + eapTlsRecvClient, /* Receive EAP-TLS auth response from client*/
2719     + eapTlsSendAlert, /* Send EAP-TLS tls alert (server)*/
2720     + eapTlsRecvAlertAck, /* Receive EAP-TLS ack after sending alert */
2721     + eapTlsRecvSuccess, /* Receive EAP success */
2722     + eapTlsRecvFailure, /* Receive EAP failure */
2723     eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */
2724     eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */
2725     eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */
2726     @@ -95,9 +105,18 @@
2727    
2728     #define EAP_STATES \
2729     "Initial", "Pending", "Closed", "Listen", "Identify", \
2730     + "TlsStart", "TlsRecv", "TlsSendAck", "TlsSend", "TlsRecvAck", "TlsRecvClient",\
2731     + "TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \
2732     "SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth"
2733    
2734     -#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
2735     +#ifdef USE_EAPTLS
2736     +#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial ||\
2737     + (esp)->es_client.ea_state != eapPending ||\
2738     + (esp)->es_client.ea_state != eapClosed)
2739     +#else
2740     +#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
2741     +#endif /* USE_EAPTLS */
2742     +
2743     #define eap_server_active(esp) \
2744     ((esp)->es_server.ea_state >= eapIdentify && \
2745     (esp)->es_server.ea_state <= eapMD5Chall)
2746     @@ -112,11 +131,17 @@
2747     u_short ea_namelen; /* Length of our name */
2748     u_short ea_peerlen; /* Length of peer's name */
2749     enum eap_state_code ea_state;
2750     +#ifdef USE_EAPTLS
2751     + enum eap_state_code ea_prev_state;
2752     +#endif
2753     u_char ea_id; /* Current id */
2754     u_char ea_requests; /* Number of Requests sent/received */
2755     u_char ea_responses; /* Number of Responses */
2756     u_char ea_type; /* One of EAPT_* */
2757     u_int32_t ea_keyflags; /* SRP shared key usage flags */
2758     +#ifdef USE_EAPTLS
2759     + bool ea_using_eaptls;
2760     +#endif
2761     };
2762    
2763     /*
2764     @@ -139,7 +164,12 @@
2765     * Timeouts.
2766     */
2767     #define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */
2768     +#ifdef USE_EAPTLS
2769     +#define EAP_DEFTRANSMITS 30 /* max # times to transmit */
2770     + /* certificates can be long ... */
2771     +#else
2772     #define EAP_DEFTRANSMITS 10 /* max # times to transmit */
2773     +#endif /* USE_EAPTLS */
2774     #define EAP_DEFREQTIME 20 /* Time to wait for peer request */
2775     #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */
2776    
2777     diff -Naur ppp-2.4.5/pppd/md5.c ppp-2.4.5-eaptls-mppe-0.99/pppd/md5.c
2778     --- ppp-2.4.5/pppd/md5.c 2009-11-16 23:26:07.000000000 +0100
2779     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/md5.c 2010-10-01 15:17:54.214270927 +0200
2780     @@ -33,6 +33,8 @@
2781     ***********************************************************************
2782     */
2783    
2784     +#ifndef USE_EAPTLS
2785     +
2786     #include <string.h>
2787     #include "md5.h"
2788    
2789     @@ -305,3 +307,5 @@
2790     ** End of md5.c **
2791     ******************************** (cut) ********************************
2792     */
2793     +#endif /* USE_EAPTLS */
2794     +
2795     diff -Naur ppp-2.4.5/pppd/md5.h ppp-2.4.5-eaptls-mppe-0.99/pppd/md5.h
2796     --- ppp-2.4.5/pppd/md5.h 2009-11-16 23:26:07.000000000 +0100
2797     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/md5.h 2010-10-01 15:17:54.215271014 +0200
2798     @@ -36,6 +36,7 @@
2799     ** documentation and/or software. **
2800     ***********************************************************************
2801     */
2802     +#ifndef USE_EAPTLS
2803    
2804     #ifndef __MD5_INCLUDE__
2805    
2806     @@ -63,3 +64,5 @@
2807    
2808     #define __MD5_INCLUDE__
2809     #endif /* __MD5_INCLUDE__ */
2810     +
2811     +#endif /* USE_EAPTLS */
2812     diff -Naur ppp-2.4.5/pppd/options.c ppp-2.4.5-eaptls-mppe-0.99/pppd/options.c
2813     --- ppp-2.4.5/pppd/options.c 2009-11-16 23:26:07.000000000 +0100
2814     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/options.c 2010-10-01 15:17:54.215271014 +0200
2815     @@ -119,6 +119,10 @@
2816     bool dryrun; /* print out option values and exit */
2817     char *domain; /* domain name set by domain option */
2818     int child_wait = 5; /* # seconds to wait for children at exit */
2819     +#ifdef USE_EAPTLS
2820     +bool only_update_crl_server = 0; /* update server crl and exit */
2821     +bool only_update_crl_client = 0; /* update client crl and exit */
2822     +#endif /* USE_EAPTLS */
2823    
2824     #ifdef MAXOCTETS
2825     unsigned int maxoctets = 0; /* default - no limit */
2826     @@ -320,6 +324,12 @@
2827     { "mo-timeout", o_int, &maxoctets_timeout,
2828     "Check for traffic limit every N seconds", OPT_PRIO | OPT_LLIMIT | 1 },
2829     #endif
2830     +#ifdef USE_EAPTLS
2831     + { "only-update-crl-server", o_bool, &only_update_crl_server,
2832     + "Update server CA CRLs and exit", 1 },
2833     + { "only-update-crl-client", o_bool, &only_update_crl_client,
2834     + "Update client CA CRLs and exit", 1 },
2835     +#endif /* USE_EAPTLS */
2836    
2837     { NULL }
2838     };
2839     diff -Naur ppp-2.4.5/pppd/pathnames.h ppp-2.4.5-eaptls-mppe-0.99/pppd/pathnames.h
2840     --- ppp-2.4.5/pppd/pathnames.h 2009-11-16 23:26:07.000000000 +0100
2841     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/pathnames.h 2010-10-01 15:17:54.215271014 +0200
2842     @@ -21,6 +21,13 @@
2843     #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets"
2844     #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets"
2845     #define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets"
2846     +
2847     +#ifdef USE_EAPTLS
2848     +#define _PATH_EAPTLSCLIFILE _ROOT_PATH "/etc/ppp/eaptls-client"
2849     +#define _PATH_EAPTLSSERVFILE _ROOT_PATH "/etc/ppp/eaptls-server"
2850     +#define _PATH_OPENSSLCONFFILE _ROOT_PATH "/etc/ppp/openssl.cnf"
2851     +#endif /* USE_EAPTLS */
2852     +
2853     #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options"
2854     #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up"
2855     #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down"
2856     diff -Naur ppp-2.4.5/pppd/plugins/Makefile.linux ppp-2.4.5-eaptls-mppe-0.99/pppd/plugins/Makefile.linux
2857     --- ppp-2.4.5/pppd/plugins/Makefile.linux 2009-11-16 23:26:07.000000000 +0100
2858     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/plugins/Makefile.linux 2010-10-01 15:17:54.215271014 +0200
2859     @@ -4,6 +4,9 @@
2860     LDFLAGS = -shared
2861     INSTALL = install
2862    
2863     +# EAP-TLS
2864     +CFLAGS += -DUSE_EAPTLS=1
2865     +
2866     DESTDIR = $(INSTROOT)@DESTDIR@
2867     BINDIR = $(DESTDIR)/sbin
2868     MANDIR = $(DESTDIR)/share/man/man8
2869     diff -Naur ppp-2.4.5/pppd/plugins/passprompt.c ppp-2.4.5-eaptls-mppe-0.99/pppd/plugins/passprompt.c
2870     --- ppp-2.4.5/pppd/plugins/passprompt.c 2009-11-16 23:26:07.000000000 +0100
2871     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/plugins/passprompt.c 2010-10-01 15:17:54.215271014 +0200
2872     @@ -107,4 +107,7 @@
2873     {
2874     add_options(options);
2875     pap_passwd_hook = promptpass;
2876     +#ifdef USE_EAPTLS
2877     + eaptls_passwd_hook = promptpass;
2878     +#endif
2879     }
2880     diff -Naur ppp-2.4.5/pppd/plugins/passwordfd.c ppp-2.4.5-eaptls-mppe-0.99/pppd/plugins/passwordfd.c
2881     --- ppp-2.4.5/pppd/plugins/passwordfd.c 2009-11-16 23:26:07.000000000 +0100
2882     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/plugins/passwordfd.c 2010-10-01 15:17:54.216270820 +0200
2883     @@ -79,4 +79,9 @@
2884    
2885     chap_check_hook = pwfd_check;
2886     chap_passwd_hook = pwfd_passwd;
2887     +
2888     +#ifdef USE_EAPTLS
2889     + eaptls_check_hook = pwfd_check;
2890     + eaptls_passwd_hook = pwfd_passwd;
2891     +#endif
2892     }
2893     diff -Naur ppp-2.4.5/pppd/pppd.h ppp-2.4.5-eaptls-mppe-0.99/pppd/pppd.h
2894     --- ppp-2.4.5/pppd/pppd.h 2009-11-16 23:26:07.000000000 +0100
2895     +++ ppp-2.4.5-eaptls-mppe-0.99/pppd/pppd.h 2010-10-01 15:17:54.216270820 +0200
2896     @@ -320,6 +320,10 @@
2897     extern bool dryrun; /* check everything, print options, exit */
2898     extern int child_wait; /* # seconds to wait for children at end */
2899    
2900     +#ifdef USE_EAPTLS
2901     +extern char *crl_dir;
2902     +#endif /* USE_EAPTLS */
2903     +
2904     #ifdef MAXOCTETS
2905     extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */
2906     extern int maxoctets_dir; /* Direction :
2907     @@ -717,6 +721,11 @@
2908     extern int (*chap_passwd_hook) __P((char *user, char *passwd));
2909     extern void (*multilink_join_hook) __P((void));
2910    
2911     +#ifdef USE_EAPTLS
2912     +extern int (*eaptls_check_hook) __P((void));
2913     +extern int (*eaptls_passwd_hook) __P((char *user, char *passwd));
2914     +#endif
2915     +
2916     /* Let a plugin snoop sent and received packets. Useful for L2TP */
2917     extern void (*snoop_recv_hook) __P((unsigned char *p, int len));
2918     extern void (*snoop_send_hook) __P((unsigned char *p, int len));

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed