1*05b00f60SXin Li /*
2*05b00f60SXin Li * Copyright (c) 2004 - Michael Richardson <[email protected]>
3*05b00f60SXin Li *
4*05b00f60SXin Li * Redistribution and use in source and binary forms, with or without
5*05b00f60SXin Li * modification, are permitted provided that: (1) source code distributions
6*05b00f60SXin Li * retain the above copyright notice and this paragraph in its entirety, (2)
7*05b00f60SXin Li * distributions including binary code include the above copyright notice and
8*05b00f60SXin Li * this paragraph in its entirety in the documentation or other materials
9*05b00f60SXin Li * provided with the distribution, and (3) all advertising materials mentioning
10*05b00f60SXin Li * features or use of this software display the following acknowledgement:
11*05b00f60SXin Li * ``This product includes software developed by the University of California,
12*05b00f60SXin Li * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
13*05b00f60SXin Li * the University nor the names of its contributors may be used to endorse
14*05b00f60SXin Li * or promote products derived from this software without specific prior
15*05b00f60SXin Li * written permission.
16*05b00f60SXin Li * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
17*05b00f60SXin Li * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
18*05b00f60SXin Li * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
19*05b00f60SXin Li */
20*05b00f60SXin Li
21*05b00f60SXin Li /* \summary: Extensible Authentication Protocol (EAP) printer */
22*05b00f60SXin Li
23*05b00f60SXin Li #ifdef HAVE_CONFIG_H
24*05b00f60SXin Li #include <config.h>
25*05b00f60SXin Li #endif
26*05b00f60SXin Li
27*05b00f60SXin Li #include "netdissect-stdinc.h"
28*05b00f60SXin Li
29*05b00f60SXin Li #include "netdissect.h"
30*05b00f60SXin Li #include "extract.h"
31*05b00f60SXin Li
/*
 * EAPOL frame header and the packet-type values carried in its "type" octet.
 * Only EAP_FRAME_TYPE_PACKET has its body decoded further (by eapol_print()
 * handing it to eap_print()); the other types are reported by name only.
 */
#define EAP_FRAME_TYPE_PACKET           0
#define EAP_FRAME_TYPE_START            1
#define EAP_FRAME_TYPE_LOGOFF           2
#define EAP_FRAME_TYPE_KEY              3
#define EAP_FRAME_TYPE_ENCAP_ASF_ALERT  4

/*
 * Wire layout of the EAPOL header. The members are netdissect nd_uint*_t
 * fields and are read through the GET_* accessors, never dereferenced
 * directly.
 */
struct eap_frame_t {
    nd_uint8_t  version;
    nd_uint8_t  type;
    nd_uint16_t length;     /* body length as claimed by the sender */
};

/*
 * Frame type -> display name, for tok2str().
 * The list ends at the entry whose string is NULL, so the value 0
 * (EAP_FRAME_TYPE_PACKET) is still a regular entry.
 */
static const struct tok eap_frame_type_values[] = {
    { EAP_FRAME_TYPE_PACKET,          "EAP packet" },
    { EAP_FRAME_TYPE_START,           "EAPOL start" },
    { EAP_FRAME_TYPE_LOGOFF,          "EAPOL logoff" },
    { EAP_FRAME_TYPE_KEY,             "EAPOL key" },
    { EAP_FRAME_TYPE_ENCAP_ASF_ALERT, "Encapsulated ASF alert" },
    { 0, NULL }
};
52*05b00f60SXin Li
/*
 * RFC 3748 EAP packet header: Code, Identifier, Length.
 * NOTE(review): nothing in this file references struct eap_packet_t;
 * eap_print() reads the same fields by fixed offset (0, 1, 2) instead.
 */
struct eap_packet_t {
    nd_uint8_t  code;
    nd_uint8_t  id;
    nd_uint16_t length;
};

/* Values of the EAP Code octet. */
#define EAP_REQUEST     1
#define EAP_RESPONSE    2
#define EAP_SUCCESS     3
#define EAP_FAILURE     4

/* EAP Code -> display name, for tok2str(); ends at the NULL string. */
static const struct tok eap_code_values[] = {
    { EAP_REQUEST,  "Request" },
    { EAP_RESPONSE, "Response" },
    { EAP_SUCCESS,  "Success" },
    { EAP_FAILURE,  "Failure" },
    { 0, NULL }
};
72*05b00f60SXin Li
/*
 * Values of the Type octet in an EAP Request/Response (offset 4 of the EAP
 * packet). Types that are not listed here are printed as "unknown" together
 * with their number.
 */
#define EAP_TYPE_NO_PROPOSED      0
#define EAP_TYPE_IDENTITY         1
#define EAP_TYPE_NOTIFICATION     2
#define EAP_TYPE_NAK              3
#define EAP_TYPE_MD5_CHALLENGE    4
#define EAP_TYPE_OTP              5
#define EAP_TYPE_GTC              6
#define EAP_TYPE_TLS             13   /* RFC 5216 */
#define EAP_TYPE_SIM             18   /* RFC 4186 */
#define EAP_TYPE_TTLS            21   /* RFC 5281, draft-funk-eap-ttls-v0-01.txt */
#define EAP_TYPE_AKA             23   /* RFC 4187 */
#define EAP_TYPE_FAST            43   /* RFC 4851 */
#define EAP_TYPE_EXPANDED_TYPES 254
#define EAP_TYPE_EXPERIMENTAL   255

/*
 * EAP Type -> display name, for tok2str(); ends at the NULL string.
 * Also used to name the types listed in a Legacy Nak.
 */
static const struct tok eap_type_values[] = {
    { EAP_TYPE_NO_PROPOSED,    "No proposed" },
    { EAP_TYPE_IDENTITY,       "Identity" },
    { EAP_TYPE_NOTIFICATION,   "Notification" },
    { EAP_TYPE_NAK,            "Nak" },
    { EAP_TYPE_MD5_CHALLENGE,  "MD5-challenge" },
    { EAP_TYPE_OTP,            "OTP" },
    { EAP_TYPE_GTC,            "GTC" },
    { EAP_TYPE_TLS,            "TLS" },
    { EAP_TYPE_SIM,            "SIM" },
    { EAP_TYPE_TTLS,           "TTLS" },
    { EAP_TYPE_AKA,            "AKA" },
    { EAP_TYPE_FAST,           "FAST" },
    { EAP_TYPE_EXPANDED_TYPES, "Expanded types" },
    { EAP_TYPE_EXPERIMENTAL,   "Experimental" },
    { 0, NULL }
};
105*05b00f60SXin Li
/*
 * RFC 5216 - EAP TLS bits.
 * These are the top three bits of the flags octet that follows the Type
 * octet; eap_print() applies the same masks to TTLS and FAST packets.
 */
#define EAP_TLS_FLAGS_LEN_INCLUDED    0x80
#define EAP_TLS_FLAGS_MORE_FRAGMENTS  0x40
#define EAP_TLS_FLAGS_START           0x20

/* Yields 1 when the L (length included) bit is set in flags octet x, else 0. */
#define EAP_TLS_EXTRACT_BIT_L(x) (((x) & EAP_TLS_FLAGS_LEN_INCLUDED) >> 7)

/* Flag bit -> display name, for bittok2str(); ends at the NULL string. */
static const struct tok eap_tls_flags_values[] = {
    { EAP_TLS_FLAGS_LEN_INCLUDED,   "L bit" },
    { EAP_TLS_FLAGS_MORE_FRAGMENTS, "More fragments bit"},
    { EAP_TLS_FLAGS_START,          "Start bit"},
    { 0, NULL }
};

/*
 * Low three bits of the flags octet: the version number that eap_print()
 * shows for TTLS and FAST.
 */
#define EAP_TTLS_VERSION(x) ((x) & 0x07)
121*05b00f60SXin Li
/*
 * EAP-AKA (RFC 4187) and EAP-SIM (RFC 4186) subtype values.
 * Both methods share this one table, so the printed name alone does not
 * distinguish e.g. the AKA "Challenge" (1) from the SIM "Challenge" (11);
 * eap_print() prints the numeric value next to the name.
 */
#define EAP_AKA_CHALLENGE       1
#define EAP_AKA_AUTH_REJECT     2
#define EAP_AKA_SYNC_FAILURE    4
#define EAP_AKA_IDENTITY        5
#define EAP_SIM_START          10
#define EAP_SIM_CHALLENGE      11
#define EAP_AKA_NOTIFICATION   12
#define EAP_AKA_REAUTH         13
#define EAP_AKA_CLIENT_ERROR   14

/* Subtype -> display name, for tok2str(); ends at the NULL string. */
static const struct tok eap_aka_subtype_values[] = {
    { EAP_AKA_CHALLENGE,    "Challenge" },
    { EAP_AKA_AUTH_REJECT,  "Auth reject" },
    { EAP_AKA_SYNC_FAILURE, "Sync failure" },
    { EAP_AKA_IDENTITY,     "Identity" },
    { EAP_SIM_START,        "Start" },
    { EAP_SIM_CHALLENGE,    "Challenge" },
    { EAP_AKA_NOTIFICATION, "Notification" },
    { EAP_AKA_REAUTH,       "Reauth" },
    { EAP_AKA_CLIENT_ERROR, "Client error" },
    { 0, NULL }
};
145*05b00f60SXin Li
/*
 * Print one EAP packet (RFC 3748): code, identifier and length, and for a
 * Request or Response also the method type and a few method-specific fields.
 *
 *   ndo    - dissector state used by the ND_* and GET_* macros
 *   cp     - first octet of the EAP header (the Code octet)
 *   length - number of octets the caller attributes to this EAP packet
 *
 * Everything read here comes from captured traffic and must be treated as
 * untrusted. The EAP Length field is accepted only when it equals the
 * caller's length, and ND_TCHECK_LEN() then confirms that this many octets
 * were captured before any offset past the header is read.
 *
 * NOTE(review): this function does not set ndo->ndo_protocol, so the
 * truncation marker is labelled with whatever the caller set - confirm in
 * callers other than eapol_print().
 */
void
eap_print(netdissect_options *ndo,
          const u_char *cp,
          u_int length)
{
    u_int code, method, len;
    u_int off, octet;
    const char *sep;

    code = GET_U_1(cp);
    len = GET_BE_U_2(cp + 2);
    if (len != length) {
        /*
         * Probably a fragment; in some cases the fragmentation might
         * not put an EAP header on every packet, if reassembly can
         * be done without that (e.g., fragmentation to make a message
         * fit in multiple TLVs in a RADIUS packet).
         */
        ND_PRINT("EAP fragment?");
        return;
    }
    ND_PRINT("%s (%u), id %u, len %u",
             tok2str(eap_code_values, "unknown", code),
             code,
             GET_U_1(cp + 1),
             len);
    if (len < 4) {
        ND_PRINT(" (too short for EAP header)");
        return;
    }

    /* From here on every offset below len is known to be captured. */
    ND_TCHECK_LEN(cp, len);

    /* Success, Failure and unknown codes carry nothing more to decode. */
    if (code != EAP_REQUEST && code != EAP_RESPONSE)
        return;

    /* RFC 3748 Section 4.1 */
    if (len < 5) {
        ND_PRINT(" (too short for EAP request/response)");
        return;
    }
    method = GET_U_1(cp + 4);
    ND_PRINT("\n\t\t Type %s (%u)",
             tok2str(eap_type_values, "unknown", method),
             method);

    switch (method) {
    case EAP_TYPE_IDENTITY:
        /* According to RFC 3748, the message is optional */
        if (len > 5) {
            ND_PRINT(", Identity: ");
            /*
             * Peer-supplied text: it goes through nd_printjnp() as
             * counted data and is never used as a format string.
             * NOTE(review): presumably nd_printjnp() escapes
             * non-printable octets - confirm in util-print.c.
             */
            nd_printjnp(ndo, cp + 5, len - 5);
        }
        break;

    case EAP_TYPE_NOTIFICATION:
        /* According to RFC 3748, there must be at least one octet of message */
        if (len < 6) {
            ND_PRINT(" (too short for EAP Notification request/response)");
            return;
        }
        ND_PRINT(", Notification: ");
        nd_printjnp(ndo, cp + 5, len - 5);
        break;

    case EAP_TYPE_NAK:
        /*
         * one or more octets indicating
         * the desired authentication
         * type one octet per type
         */
        if (len < 6) {
            ND_PRINT(" (too short for EAP Legacy NAK request/response)");
            return;
        }
        sep = "";
        for (off = 5; off < len; off++) {
            octet = GET_U_1(cp + off);
            ND_PRINT("%s %s (%u)", sep,
                     tok2str(eap_type_values, "unknown", octet),
                     octet);
            sep = ",";
        }
        break;

    case EAP_TYPE_TTLS:
    case EAP_TYPE_TLS:
        if (len < 6) {
            ND_PRINT(" (too short for EAP TLS/TTLS request/response)");
            return;
        }
        octet = GET_U_1(cp + 5);        /* flags octet */
        if (method == EAP_TYPE_TTLS)
            ND_PRINT(" TTLSv%u", EAP_TTLS_VERSION(octet));
        ND_PRINT(" flags [%s] 0x%02x",
                 bittok2str(eap_tls_flags_values, "none", octet),
                 octet);

        if (EAP_TLS_EXTRACT_BIT_L(octet)) {
            /* L bit set: a 4-octet message length follows the flags. */
            if (len < 10) {
                ND_PRINT(" (too short for EAP TLS/TTLS request/response with length)");
                return;
            }
            ND_PRINT(", len %u", GET_BE_U_4(cp + 6));
        }
        break;

    case EAP_TYPE_FAST:
        if (len < 6) {
            ND_PRINT(" (too short for EAP FAST request/response)");
            return;
        }
        octet = GET_U_1(cp + 5);        /* flags octet */
        ND_PRINT(" FASTv%u", EAP_TTLS_VERSION(octet));
        ND_PRINT(" flags [%s] 0x%02x",
                 bittok2str(eap_tls_flags_values, "none", octet),
                 octet);

        if (EAP_TLS_EXTRACT_BIT_L(octet)) {
            if (len < 10) {
                ND_PRINT(" (too short for EAP FAST request/response with length)");
                return;
            }
            ND_PRINT(", len %u", GET_BE_U_4(cp + 6));
        }

        /* FIXME - TLV attributes follow */
        break;

    case EAP_TYPE_AKA:
    case EAP_TYPE_SIM:
        if (len < 6) {
            ND_PRINT(" (too short for EAP SIM/AKA request/response)");
            return;
        }
        octet = GET_U_1(cp + 5);        /* subtype octet */
        ND_PRINT(" subtype [%s] 0x%02x",
                 tok2str(eap_aka_subtype_values, "unknown", octet),
                 octet);

        /* FIXME - TLV attributes follow */
        break;

    case EAP_TYPE_MD5_CHALLENGE:
    case EAP_TYPE_OTP:
    case EAP_TYPE_GTC:
    case EAP_TYPE_EXPANDED_TYPES:
    case EAP_TYPE_EXPERIMENTAL:
    default:
        /* Method payload is not decoded. */
        break;
    }
    return;

trunc:
    nd_print_trunc(ndo);
}
301*05b00f60SXin Li
/*
 * Print an EAPOL frame: frame type, version and body length, and, when
 * verbose output is enabled (ndo_vflag >= 1) and the frame type is "EAP
 * packet", the EAP packet carried in the body.
 *
 *   ndo - dissector state; ndo_protocol is set to "eap" here
 *   cp  - first octet of the EAPOL header
 *
 * The body length comes straight from the frame and is not compared with
 * the captured length in this function; eap_print() receives it as its
 * length argument and performs the bounds checks on the body. A body length
 * of zero in an EAP-packet frame is reported with the truncation marker.
 */
void
eapol_print(netdissect_options *ndo,
            const u_char *cp)
{
    const struct eap_frame_t *hdr = (const struct eap_frame_t *)cp;
    u_int frame_type, body_len;

    ndo->ndo_protocol = "eap";
    /* The whole fixed header must be captured before its fields are read. */
    ND_TCHECK_SIZE(hdr);
    frame_type = GET_U_1(hdr->type);
    body_len = GET_BE_U_2(hdr->length);

    ND_PRINT("%s (%u) v%u, len %u",
             tok2str(eap_frame_type_values, "unknown", frame_type),
             frame_type,
             GET_U_1(hdr->version),
             body_len);
    if (ndo->ndo_vflag < 1)
        return;

    /* Start, Logoff, Key, ASF alert and unknown types: header line only. */
    if (frame_type != EAP_FRAME_TYPE_PACKET)
        return;

    if (body_len == 0)
        goto trunc;
    ND_PRINT(", ");
    eap_print(ndo, cp + sizeof(struct eap_frame_t), body_len);
    return;

trunc:
    nd_print_trunc(ndo);
}