memcpy(&t->imck_msk, &imck_msk, sizeof(imck_msk));
}
-static void eap_teap_tlv_append(tls_session_t *tls_session, int tlv, bool mandatory, int length, const void *data)
+static void eap_teap_tlv_append(REQUEST *request, tls_session_t *tls_session, int tlv, bool mandatory, int length, const void *data)
{
uint16_t hdr[2];
hdr[0] = htons(tlv | (mandatory ? EAP_TEAP_TLV_MANDATORY : 0));
hdr[1] = htons(length);
+ if ((rad_debug_lvl > 1) && (length < 256)) {
+ DICT_ATTR const *da;
+
+ da = dict_attrbyvalue((tlv << 8) | PW_FREERADIUS_EAP_TEAP_TLV, VENDORPEC_FREERADIUS);
+ if (da) {
+ char buf[1024];
+
+ for (size_t i = 0; i < (size_t) length; i++) {
+ sprintf(&buf[2*i], "%02x", ((const uint8_t *)data)[i]);
+ }
+
+ RDEBUG(" %s = 0x%s", da->name, buf);
+ }
+ }
+
tls_session->record_plus(&tls_session->clean_in, &hdr, 4);
tls_session->record_plus(&tls_session->clean_in, data, length);
}
-static void eap_teap_send_error(tls_session_t *tls_session, int error)
+static void eap_teap_send_error(REQUEST *request, tls_session_t *tls_session, int error)
{
uint32_t value;
value = htonl(error);
- eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_ERROR, true, sizeof(value), &value);
+ eap_teap_tlv_append(request, tls_session, EAP_TEAP_TLV_ERROR, true, sizeof(value), &value);
}
-static void eap_teap_append_identity_type(tls_session_t *tls_session, int value)
+static void eap_teap_append_identity_type(REQUEST *request, tls_session_t *tls_session, int value)
{
uint16_t identity;
identity = htons(value);
t->auths[value].required = true;
t->auths[value].sent = true;
- eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_IDENTITY_TYPE, false, sizeof(identity), &identity);
+ eap_teap_tlv_append(request, tls_session, EAP_TEAP_TLV_IDENTITY_TYPE, false, sizeof(identity), &identity);
}
static void eap_teap_append_result(REQUEST *request, tls_session_t *tls_session, PW_CODE code)
RDEBUG("Phase 2: %s = %s", name, state_name);
- eap_teap_tlv_append(tls_session, type, true, sizeof(state), &state);
+ eap_teap_tlv_append(request, tls_session, type, true, sizeof(state), &state);
}
static void eap_teap_append_eap_identity_request(REQUEST *request, tls_session_t *tls_session, eap_handler_t *eap_session)
eap_packet.length[1] = EAP_HEADER_LEN + 1;
eap_packet.data[0] = PW_EAP_IDENTITY;
- eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_EAP_PAYLOAD, true, sizeof(eap_packet), &eap_packet);
+ eap_teap_tlv_append(request, tls_session, EAP_TEAP_TLV_EAP_PAYLOAD, true, sizeof(eap_packet), &eap_packet);
}
/*
struct crypto_binding_buffer *cbb;
uint8_t *outer_tlvs;
- RDEBUG("Phase 2: Sending Cryptobinding");
-
eap_teap_derive_imck(request, tls_session, msk, msklen, emsk, emsklen);
t->imck_emsk_available = emsklen > 0;
cbb->binding.subtype = ((emsklen ? EAP_TEAP_TLV_CRYPTO_BINDING_FLAGS_CMAC_BOTH : EAP_TEAP_TLV_CRYPTO_BINDING_FLAGS_CMAC_MSK) << 4) | EAP_TEAP_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST;
+ RDEBUG("Phase 2: Sending Cryptobinding flags=%d", emsklen ? EAP_TEAP_TLV_CRYPTO_BINDING_FLAGS_CMAC_BOTH : EAP_TEAP_TLV_CRYPTO_BINDING_FLAGS_CMAC_MSK);
+
rad_assert(sizeof(cbb->binding.nonce) % sizeof(uint32_t) == 0);
RANDFILL(cbb->binding.nonce);
cbb->binding.nonce[sizeof(cbb->binding.nonce) - 1] &= ~0x01; /* RFC 7170, Section 4.2.13 */
memcpy(cbb->binding.emsk_compound_mac, &mac_emsk, sizeof(cbb->binding.emsk_compound_mac));
}
- eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_CRYPTO_BINDING, true, sizeof(cbb->binding), (uint8_t *)&cbb->binding);
+ eap_teap_tlv_append(request, tls_session, EAP_TEAP_TLV_CRYPTO_BINDING, true, sizeof(cbb->binding), (uint8_t *)&cbb->binding);
}
static int eap_teap_verify(REQUEST *request, tls_session_t *tls_session, uint8_t const *data, unsigned int data_len)
RDEBUG("Phase 2: - attribute %d is present", i);
}
}
- eap_teap_send_error(tls_session, EAP_TEAP_ERR_UNEXPECTED_TLV);
+ eap_teap_send_error(request, tls_session, EAP_TEAP_ERR_UNEXPECTED_TLV);
return 0;
}
t->identity_types[t->num_identities++] = vp->vp_short;
/* RFC7170, Appendix C.6 */
- eap_teap_append_identity_type(tls_session, vp->vp_short);
+ eap_teap_append_identity_type(request, tls_session, vp->vp_short);
if (t->default_method || t->eap_method[vp->vp_short]) {
eap_teap_append_eap_identity_request(request, tls_session, eap_session);
vp = fr_pair_find_by_num(reply->vps, PW_EAP_MESSAGE, 0, TAG_ANY);
if (vp) {
doing_eap = true;
- eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_EAP_PAYLOAD, true, vp->vp_length, vp->vp_octets);
+ eap_teap_tlv_append(request, tls_session, EAP_TEAP_TLV_EAP_PAYLOAD, true, vp->vp_length, vp->vp_octets);
}
/*
t->sent_basic_password = true;
RDEBUG("Phase 2: Sending Basic-Password-Auth-Req");
- eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, true, vp->vp_length, vp->vp_strvalue);
+ eap_teap_tlv_append(request, tls_session, EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, true, vp->vp_length, vp->vp_strvalue);
}
break;
*/
const EVP_MD *md = SSL_CIPHER_get_handshake_digest(SSL_get_current_cipher(tls_session->ssl));
+ RDEBUG("Phase 2: Crypto-Binding flags=%d", flags);
+
/*
* We verify cryptobinding MSK and EMSK, but we prefer
* EMSK for the later IMCK deriviation.
vp = fr_pair_find_by_num(request->state, PW_EAP_TEAP_TLV_IDENTITY_TYPE, VENDORPEC_FREERADIUS, TAG_ANY);
if (vp) {
RDEBUG("Phase 2: Sending Identity-Type = %s", (vp->vp_short == 1) ? "User" : "Machine");
- eap_teap_append_identity_type(tls_session, vp->vp_short);
+ eap_teap_append_identity_type(request, tls_session, vp->vp_short);
if (t->num_identities == 2) {
RDEBUG("Phase 2: Configured to send too many identities, failing the session");
} else {
RDEBUG("Phase 2: No %s EAP method configured - sending Basic-Password-Auth-Req = \"\"",
!vp ? "" : (vp->vp_short == 1) ? "User" : "Machine");
- eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, true, 0, "");
+ eap_teap_tlv_append(request, tls_session, EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, true, 0, "");
}
t->stage = AUTHENTICATION;
projects / thirdparty / freeradius-server.git / commitdiff
