X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/8005b9c8a61d1ee1662afb44f961284d1c0fe35a..d7b497cac78b6e22a66a6bae9bdec60a8044f67a:/print-eap.c diff --git a/print-eap.c b/print-eap.c index 3c63ec35..924157de 100644 --- a/print-eap.c +++ b/print-eap.c @@ -16,30 +16,18 @@ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. - * - * Format and print EAP packets. - * */ -#ifndef lint -static const char rcsid[] _U_ = - "@(#) $Header: /tcpdump/master/tcpdump/print-eap.c,v 1.4 2007-10-04 08:34:28 hannes Exp $"; -#endif +/* \summary: Extensible Authentication Protocol (EAP) printer */ #ifdef HAVE_CONFIG_H #include "config.h" #endif -#include - -#include -#include +#include #include "netdissect.h" -#include "interface.h" -#include "addrtoname.h" #include "extract.h" -#include "ether.h" #define EAP_FRAME_TYPE_PACKET 0 #define EAP_FRAME_TYPE_START 1 @@ -89,6 +77,11 @@ static const struct tok eap_code_values[] = { #define EAP_TYPE_MD5_CHALLENGE 4 #define EAP_TYPE_OTP 5 #define EAP_TYPE_GTC 6 +#define EAP_TYPE_TLS 13 /* RFC 2716 */ +#define EAP_TYPE_SIM 18 /* RFC 4186 */ +#define EAP_TYPE_TTLS 21 /* draft-funk-eap-ttls-v0-01.txt */ +#define EAP_TYPE_AKA 23 /* RFC 4187 */ +#define EAP_TYPE_FAST 43 /* RFC 4851 */ #define EAP_TYPE_EXPANDED_TYPES 254 #define EAP_TYPE_EXPERIMENTAL 255 @@ -100,79 +93,126 @@ static const struct tok eap_type_values[] = { { EAP_TYPE_MD5_CHALLENGE, "MD5-challenge" }, { EAP_TYPE_OTP, "OTP" }, { EAP_TYPE_GTC, "GTC" }, + { EAP_TYPE_TLS, "TLS" }, + { EAP_TYPE_SIM, "SIM" }, + { EAP_TYPE_TTLS, "TTLS" }, + { EAP_TYPE_AKA, "AKA" }, + { EAP_TYPE_FAST, "FAST" }, { EAP_TYPE_EXPANDED_TYPES, "Expanded types" }, { EAP_TYPE_EXPERIMENTAL, "Experimental" }, { 0, NULL} -}; +}; + +#define EAP_TLS_EXTRACT_BIT_L(x) (((x)&0x80)>>7) + +/* RFC 2716 - EAP TLS bits */ +#define EAP_TLS_FLAGS_LEN_INCLUDED (1 << 7) +#define EAP_TLS_FLAGS_MORE_FRAGMENTS (1 << 6) +#define EAP_TLS_FLAGS_START (1 << 5) + +static const struct tok eap_tls_flags_values[] = { + { EAP_TLS_FLAGS_LEN_INCLUDED, "L bit" }, + { EAP_TLS_FLAGS_MORE_FRAGMENTS, "More fragments bit"}, + { EAP_TLS_FLAGS_START, "Start bit"}, + { 0, NULL} +}; + +#define EAP_TTLS_VERSION(x) ((x)&0x07) + +/* EAP-AKA and EAP-SIM - RFC 4187 */ +#define EAP_AKA_CHALLENGE 1 +#define EAP_AKA_AUTH_REJECT 2 +#define EAP_AKA_SYNC_FAILURE 4 +#define EAP_AKA_IDENTITY 5 +#define EAP_SIM_START 10 +#define EAP_SIM_CHALLENGE 11 +#define EAP_AKA_NOTIFICATION 12 +#define EAP_AKA_REAUTH 13 +#define EAP_AKA_CLIENT_ERROR 14 + +static const struct tok eap_aka_subtype_values[] = { + { EAP_AKA_CHALLENGE, "Challenge" }, + { EAP_AKA_AUTH_REJECT, "Auth reject" }, + { EAP_AKA_SYNC_FAILURE, "Sync failure" }, + { EAP_AKA_IDENTITY, "Identity" }, + { EAP_SIM_START, "Start" }, + { EAP_SIM_CHALLENGE, "Challenge" }, + { EAP_AKA_NOTIFICATION, "Notification" }, + { EAP_AKA_REAUTH, "Reauth" }, + { EAP_AKA_CLIENT_ERROR, "Client error" }, + { 0, NULL} +}; /* * Print EAP requests / responses */ void -eap_print(netdissect_options *ndo _U_, +eap_print(netdissect_options *ndo, register const u_char *cp, - u_int length _U_) + u_int length) { const struct eap_frame_t *eap; const u_char *tptr; u_int tlen, type, subtype; int count=0, len; - + tptr = cp; tlen = length; eap = (const struct eap_frame_t *)cp; - TCHECK(*eap); + ND_TCHECK(*eap); /* in non-verbose mode just lets print the basic info */ - if (vflag < 1) { - printf("%s (%u) v%u, len %u", + if (ndo->ndo_vflag < 1) { + ND_PRINT((ndo, "%s (%u) v%u, len %u", tok2str(eap_frame_type_values, "unknown", eap->type), eap->type, eap->version, - EXTRACT_16BITS(eap->length)); + EXTRACT_BE_U_2(eap->length))); return; } - - printf("%s (%u) v%u, len %u", + + ND_PRINT((ndo, "%s (%u) v%u, len %u", tok2str(eap_frame_type_values, "unknown", eap->type), eap->type, eap->version, - EXTRACT_16BITS(eap->length)); + EXTRACT_BE_U_2(eap->length))); - tptr += sizeof(const struct eap_frame_t); - tlen -= sizeof(const struct eap_frame_t); + tptr += sizeof(struct eap_frame_t); + tlen -= sizeof(struct eap_frame_t); switch (eap->type) { case EAP_FRAME_TYPE_PACKET: + ND_TCHECK_1(tptr); type = *(tptr); - len = EXTRACT_16BITS(tptr+2); - printf(", %s (%u), id %u, len %u", + ND_TCHECK_2(tptr + 2); + len = EXTRACT_BE_U_2(tptr + 2); + ND_PRINT((ndo, ", %s (%u), id %u, len %u", tok2str(eap_code_values, "unknown", type), type, - *(tptr+1), - len); + EXTRACT_U_1((tptr + 1)), + len)); - if (!TTEST2(*tptr, len)) - goto trunc; + ND_TCHECK2(*tptr, len); if (type <= 2) { /* For EAP_REQUEST and EAP_RESPONSE only */ - subtype = *(tptr+4); - printf("\n\t\t Type %s (%u)", - tok2str(eap_type_values, "unknown", *(tptr+4)), - *(tptr+4)); + ND_TCHECK_1(tptr + 4); + subtype = EXTRACT_U_1(tptr + 4); + ND_PRINT((ndo, "\n\t\t Type %s (%u)", + tok2str(eap_type_values, "unknown", subtype), + subtype)); - switch (subtype) { + switch (subtype) { case EAP_TYPE_IDENTITY: if (len - 5 > 0) { - printf(", Identity: "); - safeputs((const char *)tptr+5, len-5); + ND_PRINT((ndo, ", Identity: ")); + safeputs(ndo, tptr + 5, len - 5); } break; case EAP_TYPE_NOTIFICATION: if (len - 5 > 0) { - printf(", Notification: "); - safeputs((const char *)tptr+5, len-5); + ND_PRINT((ndo, ", Notification: ")); + safeputs(ndo, tptr + 5, len - 5); } break; @@ -184,15 +224,58 @@ eap_print(netdissect_options *ndo _U_, * the desired authentication * type one octet per type */ - while (count < len) { - printf(" %s (%u),", - tok2str(eap_type_values, "unknown", *(tptr+count)), - *(tptr+count)); + while (count < len) { + ND_TCHECK_1(tptr + count); + ND_PRINT((ndo, " %s (%u),", + tok2str(eap_type_values, "unknown", EXTRACT_U_1((tptr + count))), + EXTRACT_U_1(tptr + count))); count++; } break; - case EAP_TYPE_MD5_CHALLENGE: + case EAP_TYPE_TTLS: + case EAP_TYPE_TLS: + ND_TCHECK_1(tptr + 5); + if (subtype == EAP_TYPE_TTLS) + ND_PRINT((ndo, " TTLSv%u", + EAP_TTLS_VERSION(EXTRACT_U_1((tptr + 5))))); + ND_PRINT((ndo, " flags [%s] 0x%02x,", + bittok2str(eap_tls_flags_values, "none", EXTRACT_U_1((tptr + 5))), + EXTRACT_U_1(tptr + 5))); + + if (EAP_TLS_EXTRACT_BIT_L(EXTRACT_U_1(tptr + 5))) { + ND_TCHECK_4(tptr + 6); + ND_PRINT((ndo, " len %u", EXTRACT_BE_U_4(tptr + 6))); + } + break; + + case EAP_TYPE_FAST: + ND_TCHECK_1(tptr + 5); + ND_PRINT((ndo, " FASTv%u", + EAP_TTLS_VERSION(EXTRACT_U_1((tptr + 5))))); + ND_PRINT((ndo, " flags [%s] 0x%02x,", + bittok2str(eap_tls_flags_values, "none", EXTRACT_U_1((tptr + 5))), + EXTRACT_U_1(tptr + 5))); + + if (EAP_TLS_EXTRACT_BIT_L(EXTRACT_U_1(tptr + 5))) { + ND_TCHECK_4(tptr + 6); + ND_PRINT((ndo, " len %u", EXTRACT_BE_U_4(tptr + 6))); + } + + /* FIXME - TLV attributes follow */ + break; + + case EAP_TYPE_AKA: + case EAP_TYPE_SIM: + ND_TCHECK_1(tptr + 5); + ND_PRINT((ndo, " subtype [%s] 0x%02x,", + tok2str(eap_aka_subtype_values, "unknown", EXTRACT_U_1((tptr + 5))), + EXTRACT_U_1(tptr + 5))); + + /* FIXME - TLV attributes follow */ + break; + + case EAP_TYPE_MD5_CHALLENGE: case EAP_TYPE_OTP: case EAP_TYPE_GTC: case EAP_TYPE_EXPANDED_TYPES: @@ -201,7 +284,7 @@ eap_print(netdissect_options *ndo _U_, break; } } - break; + break; case EAP_FRAME_TYPE_LOGOFF: case EAP_FRAME_TYPE_ENCAP_ASF_ALERT: @@ -211,7 +294,7 @@ eap_print(netdissect_options *ndo _U_, return; trunc: - printf("\n\t[|EAP]"); + ND_PRINT((ndo, "\n\t[|EAP]")); } /*