1 /* 2 * Copyright (c) 2004 - Michael Richardson <mcr@xelerance.com> 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that: (1) source code distributions 6 * retain the above copyright notice and this paragraph in its entirety, (2) 7 * distributions including binary code include the above copyright notice and 8 * this paragraph in its entirety in the documentation or other materials 9 * provided with the distribution, and (3) all advertising materials mentioning 10 * features or use of this software display the following acknowledgement: 11 * ``This product includes software developed by the University of California, 12 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 13 * the University nor the names of its contributors may be used to endorse 14 * or promote products derived from this software without specific prior 15 * written permission. 16 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 17 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 18 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 19 */ 20 21 /* \summary: Extensible Authentication Protocol (EAP) printer */ 22 23 #ifdef HAVE_CONFIG_H 24 #include <config.h> 25 #endif 26 27 #include "netdissect-stdinc.h" 28 29 #include "netdissect.h" 30 #include "extract.h" 31 32 #define EAP_FRAME_TYPE_PACKET 0 33 #define EAP_FRAME_TYPE_START 1 34 #define EAP_FRAME_TYPE_LOGOFF 2 35 #define EAP_FRAME_TYPE_KEY 3 36 #define EAP_FRAME_TYPE_ENCAP_ASF_ALERT 4 37 38 struct eap_frame_t { 39 nd_uint8_t version; 40 nd_uint8_t type; 41 nd_uint16_t length; 42 }; 43 44 static const struct tok eap_frame_type_values[] = { 45 { EAP_FRAME_TYPE_PACKET, "EAP packet" }, 46 { EAP_FRAME_TYPE_START, "EAPOL start" }, 47 { EAP_FRAME_TYPE_LOGOFF, "EAPOL logoff" }, 48 { EAP_FRAME_TYPE_KEY, "EAPOL key" }, 49 { EAP_FRAME_TYPE_ENCAP_ASF_ALERT, "Encapsulated ASF alert" }, 50 { 0, NULL} 51 }; 52 53 /* RFC 3748 */ 54 struct eap_packet_t { 55 nd_uint8_t code; 56 nd_uint8_t id; 57 nd_uint16_t length; 58 }; 59 60 #define EAP_REQUEST 1 61 #define EAP_RESPONSE 2 62 #define EAP_SUCCESS 3 63 #define EAP_FAILURE 4 64 65 static const struct tok eap_code_values[] = { 66 { EAP_REQUEST, "Request" }, 67 { EAP_RESPONSE, "Response" }, 68 { EAP_SUCCESS, "Success" }, 69 { EAP_FAILURE, "Failure" }, 70 { 0, NULL} 71 }; 72 73 #define EAP_TYPE_NO_PROPOSED 0 74 #define EAP_TYPE_IDENTITY 1 75 #define EAP_TYPE_NOTIFICATION 2 76 #define EAP_TYPE_NAK 3 77 #define EAP_TYPE_MD5_CHALLENGE 4 78 #define EAP_TYPE_OTP 5 79 #define EAP_TYPE_GTC 6 80 #define EAP_TYPE_TLS 13 /* RFC 5216 */ 81 #define EAP_TYPE_SIM 18 /* RFC 4186 */ 82 #define EAP_TYPE_TTLS 21 /* RFC 5281, draft-funk-eap-ttls-v0-01.txt */ 83 #define EAP_TYPE_AKA 23 /* RFC 4187 */ 84 #define EAP_TYPE_FAST 43 /* RFC 4851 */ 85 #define EAP_TYPE_EXPANDED_TYPES 254 86 #define EAP_TYPE_EXPERIMENTAL 255 87 88 static const struct tok eap_type_values[] = { 89 { EAP_TYPE_NO_PROPOSED, "No proposed" }, 90 { EAP_TYPE_IDENTITY, "Identity" }, 91 { EAP_TYPE_NOTIFICATION, "Notification" }, 92 { EAP_TYPE_NAK, "Nak" }, 93 { EAP_TYPE_MD5_CHALLENGE, "MD5-challenge" }, 94 { EAP_TYPE_OTP, "OTP" }, 95 { EAP_TYPE_GTC, "GTC" }, 96 { EAP_TYPE_TLS, "TLS" }, 97 { EAP_TYPE_SIM, "SIM" }, 98 { EAP_TYPE_TTLS, "TTLS" }, 99 { EAP_TYPE_AKA, "AKA" }, 100 { EAP_TYPE_FAST, "FAST" }, 101 { EAP_TYPE_EXPANDED_TYPES, "Expanded types" }, 102 { EAP_TYPE_EXPERIMENTAL, "Experimental" }, 103 { 0, NULL} 104 }; 105 106 #define EAP_TLS_EXTRACT_BIT_L(x) (((x)&0x80)>>7) 107 108 /* RFC 5216 - EAP TLS bits */ 109 #define EAP_TLS_FLAGS_LEN_INCLUDED (1 << 7) 110 #define EAP_TLS_FLAGS_MORE_FRAGMENTS (1 << 6) 111 #define EAP_TLS_FLAGS_START (1 << 5) 112 113 static const struct tok eap_tls_flags_values[] = { 114 { EAP_TLS_FLAGS_LEN_INCLUDED, "L bit" }, 115 { EAP_TLS_FLAGS_MORE_FRAGMENTS, "More fragments bit"}, 116 { EAP_TLS_FLAGS_START, "Start bit"}, 117 { 0, NULL} 118 }; 119 120 #define EAP_TTLS_VERSION(x) ((x)&0x07) 121 122 /* EAP-AKA and EAP-SIM - RFC 4187 */ 123 #define EAP_AKA_CHALLENGE 1 124 #define EAP_AKA_AUTH_REJECT 2 125 #define EAP_AKA_SYNC_FAILURE 4 126 #define EAP_AKA_IDENTITY 5 127 #define EAP_SIM_START 10 128 #define EAP_SIM_CHALLENGE 11 129 #define EAP_AKA_NOTIFICATION 12 130 #define EAP_AKA_REAUTH 13 131 #define EAP_AKA_CLIENT_ERROR 14 132 133 static const struct tok eap_aka_subtype_values[] = { 134 { EAP_AKA_CHALLENGE, "Challenge" }, 135 { EAP_AKA_AUTH_REJECT, "Auth reject" }, 136 { EAP_AKA_SYNC_FAILURE, "Sync failure" }, 137 { EAP_AKA_IDENTITY, "Identity" }, 138 { EAP_SIM_START, "Start" }, 139 { EAP_SIM_CHALLENGE, "Challenge" }, 140 { EAP_AKA_NOTIFICATION, "Notification" }, 141 { EAP_AKA_REAUTH, "Reauth" }, 142 { EAP_AKA_CLIENT_ERROR, "Client error" }, 143 { 0, NULL} 144 }; 145 146 /* 147 * Print EAP requests / responses 148 */ 149 void 150 eap_print(netdissect_options *ndo, 151 const u_char *cp, 152 u_int length) 153 { 154 u_int type, subtype, len; 155 u_int count; 156 const char *sep; 157 158 type = GET_U_1(cp); 159 len = GET_BE_U_2(cp + 2); 160 if (len != length) { 161 /* 162 * Probably a fragment; in some cases the fragmentation might 163 * not put an EAP header on every packet, if reassembly can 164 * be done without that (e.g., fragmentation to make a message 165 * fit in multiple TLVs in a RADIUS packet). 166 */ 167 ND_PRINT("EAP fragment?"); 168 return; 169 } 170 ND_PRINT("%s (%u), id %u, len %u", 171 tok2str(eap_code_values, "unknown", type), 172 type, 173 GET_U_1((cp + 1)), 174 len); 175 if (len < 4) { 176 ND_PRINT(" (too short for EAP header)"); 177 return; 178 } 179 180 ND_TCHECK_LEN(cp, len); 181 182 if (type == EAP_REQUEST || type == EAP_RESPONSE) { 183 /* RFC 3748 Section 4.1 */ 184 if (len < 5) { 185 ND_PRINT(" (too short for EAP request/response)"); 186 return; 187 } 188 subtype = GET_U_1(cp + 4); 189 ND_PRINT("\n\t\t Type %s (%u)", 190 tok2str(eap_type_values, "unknown", subtype), 191 subtype); 192 193 switch (subtype) { 194 case EAP_TYPE_IDENTITY: 195 /* According to RFC 3748, the message is optional */ 196 if (len > 5) { 197 ND_PRINT(", Identity: "); 198 nd_printjnp(ndo, cp + 5, len - 5); 199 } 200 break; 201 202 case EAP_TYPE_NOTIFICATION: 203 /* According to RFC 3748, there must be at least one octet of message */ 204 if (len < 6) { 205 ND_PRINT(" (too short for EAP Notification request/response)"); 206 return; 207 } 208 ND_PRINT(", Notification: "); 209 nd_printjnp(ndo, cp + 5, len - 5); 210 break; 211 212 case EAP_TYPE_NAK: 213 /* 214 * one or more octets indicating 215 * the desired authentication 216 * type one octet per type 217 */ 218 if (len < 6) { 219 ND_PRINT(" (too short for EAP Legacy NAK request/response)"); 220 return; 221 } 222 sep = ""; 223 for (count = 5; count < len; count++) { 224 ND_PRINT("%s %s (%u)", sep, 225 tok2str(eap_type_values, "unknown", GET_U_1((cp + count))), 226 GET_U_1(cp + count)); 227 sep = ","; 228 } 229 break; 230 231 case EAP_TYPE_TTLS: 232 case EAP_TYPE_TLS: 233 if (len < 6) { 234 ND_PRINT(" (too short for EAP TLS/TTLS request/response)"); 235 return; 236 } 237 if (subtype == EAP_TYPE_TTLS) 238 ND_PRINT(" TTLSv%u", 239 EAP_TTLS_VERSION(GET_U_1((cp + 5)))); 240 ND_PRINT(" flags [%s] 0x%02x", 241 bittok2str(eap_tls_flags_values, "none", GET_U_1((cp + 5))), 242 GET_U_1(cp + 5)); 243 244 if (EAP_TLS_EXTRACT_BIT_L(GET_U_1(cp + 5))) { 245 if (len < 10) { 246 ND_PRINT(" (too short for EAP TLS/TTLS request/response with length)"); 247 return; 248 } 249 ND_PRINT(", len %u", GET_BE_U_4(cp + 6)); 250 } 251 break; 252 253 case EAP_TYPE_FAST: 254 if (len < 6) { 255 ND_PRINT(" (too short for EAP FAST request/response)"); 256 return; 257 } 258 ND_PRINT(" FASTv%u", 259 EAP_TTLS_VERSION(GET_U_1((cp + 5)))); 260 ND_PRINT(" flags [%s] 0x%02x", 261 bittok2str(eap_tls_flags_values, "none", GET_U_1((cp + 5))), 262 GET_U_1(cp + 5)); 263 264 if (EAP_TLS_EXTRACT_BIT_L(GET_U_1(cp + 5))) { 265 if (len < 10) { 266 ND_PRINT(" (too short for EAP FAST request/response with length)"); 267 return; 268 } 269 ND_PRINT(", len %u", GET_BE_U_4(cp + 6)); 270 } 271 272 /* FIXME - TLV attributes follow */ 273 break; 274 275 case EAP_TYPE_AKA: 276 case EAP_TYPE_SIM: 277 if (len < 6) { 278 ND_PRINT(" (too short for EAP SIM/AKA request/response)"); 279 return; 280 } 281 ND_PRINT(" subtype [%s] 0x%02x", 282 tok2str(eap_aka_subtype_values, "unknown", GET_U_1((cp + 5))), 283 GET_U_1(cp + 5)); 284 285 /* FIXME - TLV attributes follow */ 286 break; 287 288 case EAP_TYPE_MD5_CHALLENGE: 289 case EAP_TYPE_OTP: 290 case EAP_TYPE_GTC: 291 case EAP_TYPE_EXPANDED_TYPES: 292 case EAP_TYPE_EXPERIMENTAL: 293 default: 294 break; 295 } 296 } 297 return; 298 trunc: 299 nd_print_trunc(ndo); 300 } 301 302 void 303 eapol_print(netdissect_options *ndo, 304 const u_char *cp) 305 { 306 const struct eap_frame_t *eap; 307 u_int eap_type, eap_len; 308 309 ndo->ndo_protocol = "eap"; 310 eap = (const struct eap_frame_t *)cp; 311 ND_TCHECK_SIZE(eap); 312 eap_type = GET_U_1(eap->type); 313 314 ND_PRINT("%s (%u) v%u, len %u", 315 tok2str(eap_frame_type_values, "unknown", eap_type), 316 eap_type, 317 GET_U_1(eap->version), 318 GET_BE_U_2(eap->length)); 319 if (ndo->ndo_vflag < 1) 320 return; 321 322 cp += sizeof(struct eap_frame_t); 323 eap_len = GET_BE_U_2(eap->length); 324 325 switch (eap_type) { 326 case EAP_FRAME_TYPE_PACKET: 327 if (eap_len == 0) 328 goto trunc; 329 ND_PRINT(", "); 330 eap_print(ndo, cp, eap_len); 331 return; 332 case EAP_FRAME_TYPE_LOGOFF: 333 case EAP_FRAME_TYPE_ENCAP_ASF_ALERT: 334 default: 335 break; 336 } 337 return; 338 339 trunc: 340 nd_print_trunc(ndo); 341 } 342