X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/ad7a38341c19e71e3595c17368ac18f08b71482d..HEAD:/print-eap.c diff --git a/print-eap.c b/print-eap.c index b1dea6d0..174f9c94 100644 --- a/print-eap.c +++ b/print-eap.c @@ -16,30 +16,17 @@ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. - * - * Format and print EAP packets. - * */ -#ifndef lint -static const char rcsid[] _U_ = - "@(#) $Header: /tcpdump/master/tcpdump/print-eap.c,v 1.5 2007-10-04 16:41:33 hannes Exp $"; -#endif +/* \summary: Extensible Authentication Protocol (EAP) printer */ -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif +#include -#include - -#include -#include +#include "netdissect-stdinc.h" +#define ND_LONGJMP_FROM_TCHECK #include "netdissect.h" -#include "interface.h" -#include "addrtoname.h" #include "extract.h" -#include "ether.h" #define EAP_FRAME_TYPE_PACKET 0 #define EAP_FRAME_TYPE_START 1 @@ -48,25 +35,25 @@ static const char rcsid[] _U_ = #define EAP_FRAME_TYPE_ENCAP_ASF_ALERT 4 struct eap_frame_t { - unsigned char version; - unsigned char type; - unsigned char length[2]; + nd_uint8_t version; + nd_uint8_t type; + nd_uint16_t length; }; static const struct tok eap_frame_type_values[] = { - { EAP_FRAME_TYPE_PACKET, "EAP packet" }, - { EAP_FRAME_TYPE_START, "EAPOL start" }, - { EAP_FRAME_TYPE_LOGOFF, "EAPOL logoff" }, - { EAP_FRAME_TYPE_KEY, "EAPOL key" }, - { EAP_FRAME_TYPE_ENCAP_ASF_ALERT, "Encapsulated ASF alert" }, + { EAP_FRAME_TYPE_PACKET, "EAP packet" }, + { EAP_FRAME_TYPE_START, "EAPOL start" }, + { EAP_FRAME_TYPE_LOGOFF, "EAPOL logoff" }, + { EAP_FRAME_TYPE_KEY, "EAPOL key" }, + { EAP_FRAME_TYPE_ENCAP_ASF_ALERT, "Encapsulated ASF alert" }, { 0, NULL} }; /* RFC 3748 */ struct eap_packet_t { - unsigned char code; - unsigned char id; - unsigned char length[2]; + nd_uint8_t code; + nd_uint8_t id; + nd_uint16_t length; }; #define EAP_REQUEST 1 @@ -89,9 +76,9 @@ static const struct tok eap_code_values[] = { #define EAP_TYPE_MD5_CHALLENGE 4 #define EAP_TYPE_OTP 5 #define EAP_TYPE_GTC 6 -#define EAP_TYPE_TLS 13 /* RFC 2716 */ +#define EAP_TYPE_TLS 13 /* RFC 5216 */ #define EAP_TYPE_SIM 18 /* RFC 4186 */ -#define EAP_TYPE_TTLS 21 /* draft-funk-eap-ttls-v0-01.txt */ +#define EAP_TYPE_TTLS 21 /* RFC 5281, draft-funk-eap-ttls-v0-01.txt */ #define EAP_TYPE_AKA 23 /* RFC 4187 */ #define EAP_TYPE_FAST 43 /* RFC 4851 */ #define EAP_TYPE_EXPANDED_TYPES 254 @@ -101,23 +88,23 @@ static const struct tok eap_type_values[] = { { EAP_TYPE_NO_PROPOSED, "No proposed" }, { EAP_TYPE_IDENTITY, "Identity" }, { EAP_TYPE_NOTIFICATION, "Notification" }, - { EAP_TYPE_NAK, "Nak" }, + { EAP_TYPE_NAK, "Nak" }, { EAP_TYPE_MD5_CHALLENGE, "MD5-challenge" }, - { EAP_TYPE_OTP, "OTP" }, - { EAP_TYPE_GTC, "GTC" }, - { EAP_TYPE_TLS, "TLS" }, - { EAP_TYPE_SIM, "SIM" }, - { EAP_TYPE_TTLS, "TTLS" }, - { EAP_TYPE_AKA, "AKA" }, - { EAP_TYPE_FAST, "FAST" }, + { EAP_TYPE_OTP, "OTP" }, + { EAP_TYPE_GTC, "GTC" }, + { EAP_TYPE_TLS, "TLS" }, + { EAP_TYPE_SIM, "SIM" }, + { EAP_TYPE_TTLS, "TTLS" }, + { EAP_TYPE_AKA, "AKA" }, + { EAP_TYPE_FAST, "FAST" }, { EAP_TYPE_EXPANDED_TYPES, "Expanded types" }, { EAP_TYPE_EXPERIMENTAL, "Experimental" }, { 0, NULL} }; -#define EAP_TLS_EXTRACT_BIT_L(x) (((x)&0x80)>>7) +#define EAP_TLS_EXTRACT_BIT_L(x) (((x)&0x80)>>7) -/* RFC 2716 - EAP TLS bits */ +/* RFC 5216 - EAP TLS bits */ #define EAP_TLS_FLAGS_LEN_INCLUDED (1 << 7) #define EAP_TLS_FLAGS_MORE_FRAGMENTS (1 << 6) #define EAP_TLS_FLAGS_START (1 << 5) @@ -159,111 +146,103 @@ static const struct tok eap_aka_subtype_values[] = { * Print EAP requests / responses */ void -eap_print(netdissect_options *ndo _U_, - register const u_char *cp, - u_int length _U_) +eap_print(netdissect_options *ndo, + const u_char *cp, + const u_int length) { - const struct eap_frame_t *eap; - const u_char *tptr; - u_int tlen, type, subtype; - int count=0, len; - - tptr = cp; - tlen = length; - eap = (const struct eap_frame_t *)cp; - TCHECK(*eap); - - /* in non-verbose mode just lets print the basic info */ - if (vflag < 1) { - printf("%s (%u) v%u, len %u", - tok2str(eap_frame_type_values, "unknown", eap->type), - eap->type, - eap->version, - EXTRACT_16BITS(eap->length)); - return; + u_int type, subtype, len; + u_int count; + const char *sep; + + ndo->ndo_protocol = "eap"; + type = GET_U_1(cp); + len = GET_BE_U_2(cp + 2); + ND_ICHECK_U(len, <, 4); + if (len != length) { + /* + * Probably a fragment; in some cases the fragmentation might + * not put an EAP header on every packet, if reassembly can + * be done without that (e.g., fragmentation to make a message + * fit in multiple TLVs in a RADIUS packet). + */ + ND_PRINT("EAP fragment?"); + return; } - - printf("%s (%u) v%u, len %u", - tok2str(eap_frame_type_values, "unknown", eap->type), - eap->type, - eap->version, - EXTRACT_16BITS(eap->length)); - - tptr += sizeof(const struct eap_frame_t); - tlen -= sizeof(const struct eap_frame_t); - - switch (eap->type) { - case EAP_FRAME_TYPE_PACKET: - type = *(tptr); - len = EXTRACT_16BITS(tptr+2); - printf(", %s (%u), id %u, len %u", - tok2str(eap_code_values, "unknown", type), - type, - *(tptr+1), - len); - - if (!TTEST2(*tptr, len)) - goto trunc; - - if (type <= 2) { /* For EAP_REQUEST and EAP_RESPONSE only */ - subtype = *(tptr+4); - printf("\n\t\t Type %s (%u)", - tok2str(eap_type_values, "unknown", *(tptr+4)), - *(tptr+4)); - - switch (subtype) { + ND_PRINT("%s (%u), id %u, len %u", + tok2str(eap_code_values, "unknown", type), + type, + GET_U_1((cp + 1)), + len); + + ND_TCHECK_LEN(cp, len); + + if (type == EAP_REQUEST || type == EAP_RESPONSE) { + /* RFC 3748 Section 4.1 */ + ND_ICHECK_U(len, <, 5); + subtype = GET_U_1(cp + 4); + ND_PRINT("\n\t\t Type %s (%u)", + tok2str(eap_type_values, "unknown", subtype), + subtype); + + switch (subtype) { case EAP_TYPE_IDENTITY: - if (len - 5 > 0) { - printf(", Identity: "); - safeputs((const char *)tptr+5, len-5); + /* According to RFC 3748, the message is optional */ + if (len > 5) { + ND_PRINT(", Identity: "); + nd_printjnp(ndo, cp + 5, len - 5); } break; case EAP_TYPE_NOTIFICATION: - if (len - 5 > 0) { - printf(", Notification: "); - safeputs((const char *)tptr+5, len-5); - } + /* According to RFC 3748, there must be at least one octet of message */ + ND_ICHECK_U(len, <, 6); + ND_PRINT(", Notification: "); + nd_printjnp(ndo, cp + 5, len - 5); break; case EAP_TYPE_NAK: - count = 5; - /* * one or more octets indicating * the desired authentication * type one octet per type */ - while (count < len) { - printf(" %s (%u),", - tok2str(eap_type_values, "unknown", *(tptr+count)), - *(tptr+count)); - count++; + ND_ICHECK_U(len, <, 6); + sep = ""; + for (count = 5; count < len; count++) { + ND_PRINT("%s %s (%u)", sep, + tok2str(eap_type_values, "unknown", GET_U_1((cp + count))), + GET_U_1(cp + count)); + sep = ","; } break; case EAP_TYPE_TTLS: - printf(" TTLSv%u", - EAP_TTLS_VERSION(*(tptr+5))); /* fall through */ case EAP_TYPE_TLS: - printf(" flags [%s] 0x%02x,", - bittok2str(eap_tls_flags_values, "none", *(tptr+5)), - *(tptr+5)); - - if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { - printf(" len %u", EXTRACT_32BITS(tptr+6)); + ND_ICHECK_U(len, <, 6); + if (subtype == EAP_TYPE_TTLS) + ND_PRINT(" TTLSv%u", + EAP_TTLS_VERSION(GET_U_1((cp + 5)))); + ND_PRINT(" flags [%s] 0x%02x", + bittok2str(eap_tls_flags_values, "none", GET_U_1((cp + 5))), + GET_U_1(cp + 5)); + + if (EAP_TLS_EXTRACT_BIT_L(GET_U_1(cp + 5))) { + ND_ICHECK_U(len, <, 10); + ND_PRINT(", len %u", GET_BE_U_4(cp + 6)); } break; case EAP_TYPE_FAST: - printf(" FASTv%u", - EAP_TTLS_VERSION(*(tptr+5))); - printf(" flags [%s] 0x%02x,", - bittok2str(eap_tls_flags_values, "none", *(tptr+5)), - *(tptr+5)); - - if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) { - printf(" len %u", EXTRACT_32BITS(tptr+6)); + ND_ICHECK_U(len, <, 6); + ND_PRINT(" FASTv%u", + EAP_TTLS_VERSION(GET_U_1((cp + 5)))); + ND_PRINT(" flags [%s] 0x%02x", + bittok2str(eap_tls_flags_values, "none", GET_U_1((cp + 5))), + GET_U_1(cp + 5)); + + if (EAP_TLS_EXTRACT_BIT_L(GET_U_1(cp + 5))) { + ND_ICHECK_U(len, <, 10); + ND_PRINT(", len %u", GET_BE_U_4(cp + 6)); } /* FIXME - TLV attributes follow */ @@ -271,9 +250,10 @@ eap_print(netdissect_options *ndo _U_, case EAP_TYPE_AKA: case EAP_TYPE_SIM: - printf(" subtype [%s] 0x%02x,", - tok2str(eap_aka_subtype_values, "unknown", *(tptr+5)), - *(tptr+5)); + ND_ICHECK_U(len, <, 6); + ND_PRINT(" subtype [%s] 0x%02x", + tok2str(eap_aka_subtype_values, "unknown", GET_U_1((cp + 5))), + GET_U_1(cp + 5)); /* FIXME - TLV attributes follow */ break; @@ -285,10 +265,43 @@ eap_print(netdissect_options *ndo _U_, case EAP_TYPE_EXPERIMENTAL: default: break; - } } - break; + } + return; +invalid: + nd_print_invalid(ndo); +} + +void +eapol_print(netdissect_options *ndo, + const u_char *cp) +{ + const struct eap_frame_t *eap; + u_int eap_type, eap_len; + + ndo->ndo_protocol = "eap"; + eap = (const struct eap_frame_t *)cp; + eap_type = GET_U_1(eap->type); + + ND_PRINT("%s (%u) v%u, len %u", + tok2str(eap_frame_type_values, "unknown", eap_type), + eap_type, + GET_U_1(eap->version), + GET_BE_U_2(eap->length)); + if (ndo->ndo_vflag < 1) + return; + + cp += sizeof(struct eap_frame_t); + eap_len = GET_BE_U_2(eap->length); + + switch (eap_type) { + case EAP_FRAME_TYPE_PACKET: + if (eap_len == 0) + goto invalid; + ND_PRINT(", "); + eap_print(ndo, cp, eap_len); + break; case EAP_FRAME_TYPE_LOGOFF: case EAP_FRAME_TYPE_ENCAP_ASF_ALERT: default: @@ -296,12 +309,6 @@ eap_print(netdissect_options *ndo _U_, } return; - trunc: - printf("\n\t[|EAP]"); +invalid: + nd_print_invalid(ndo); } - -/* - * Local Variables: - * c-basic-offset: 4 - * End: - */