Writing skeleton for EAP-TLS implementation

src/Cedar/CedarType.h

@@ -500,6 +500,7 @@ typedef struct PPP_IPOPTION PPP_IPOPTION;
 typedef struct PPP_IPV6OPTION PPP_IPV6OPTION;
 typedef struct PPP_REQUEST_RESEND PPP_REQUEST_RESEND;
 typedef struct PPP_DELAYED_PACKET PPP_DELAYED_PACKET;
+typedef struct PPP_EAP PPP_EAP;
 
 
 // ==============================================================

src/Cedar/Proto_PPP.c

@@ -706,6 +706,9 @@ bool PPPProcessResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req)
 	case PPP_PROTOCOL_IPV6CP:
 		Debug("IPv6CP to be implemented\n");
 		break;
+	case PPP_PROTOCOL_EAP:
+		return PPPProcessEAPResponsePacket(p, pp, req);
+		break;
 	default:
 		Debug("We received a response for an unsupported protocol??? Should be filtered out already! protocol = 0x%x, code = 0x%x\n", pp->Protocol, pp->Lcp->Code);
 		PPPSetStatus(p, PPP_STATUS_FAIL);
@@ -1061,6 +1064,31 @@ bool PPPProcessIPCPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *re
 	return false;
 }
 
+// Process EAP responses
+bool PPPProcessEAPResponsePacket(PPP_SESSION* p, PPP_PACKET* pp, PPP_PACKET* req)
+{
+	PPP_EAP* eap_packet = pp->Lcp->Data;
+	switch (eap_packet->Type)
+	{
+	case PPP_EAP_TYPE_IDENTITY:
+		/// TODO: implement identity response processing
+		break;
+	case PPP_EAP_TYPE_NOTIFICATION:
+		// Basically this is just an acknoweldgment that the notification was accepted by the client. Nothing to do here... 
+		break;
+	case PPP_EAP_TYPE_NAK:
+		/// TODO: implement alternative EAP protocol selection based on received NAK
+		break;
+	case PPP_EAP_TYPE_TLS:
+		/// TODO: implement EAP-TLS protocol here
+		break;
+	default:
+		Debug("We got an unexpected EAP response packet! Ignoring...\n");
+		break;
+	}
+	return false;
+}
+
 
 // Processes request packets
 bool PPPProcessRequestPacket(PPP_SESSION *p, PPP_PACKET *pp)
@@ -1086,6 +1114,9 @@ bool PPPProcessRequestPacket(PPP_SESSION *p, PPP_PACKET *pp)
 		PPPRejectUnsupportedPacketEx(p, pp, true);
 		Debug("IPv6CP to be implemented\n");
 		break;
+	case PPP_PROTOCOL_EAP:
+		return PPPProcessEAPRequestPacket(p, pp);
+		break;
 	default:
 		Debug("Unsupported protocols should be already filtered out! protocol = 0x%x, code = 0x%x\n", pp->Protocol, pp->Lcp->Code);
 		return false;
@@ -1711,6 +1742,13 @@ bool PPPProcessIPCPRequestPacket(PPP_SESSION *p, PPP_PACKET* pp)
 	return ok;
 }
 
+// Process EAP request packets
+bool PPPProcessEAPRequestPacket(PPP_SESSION* p, PPP_PACKET* pp)
+{
+	/// TODO: to implement
+	return false;
+}
+
 // LCP option based packets utility
 bool PPPRejectLCPOptions(PPP_SESSION *p, PPP_PACKET* pp)
 {
@@ -2270,7 +2308,7 @@ PPP_PACKET *ParsePPPPacket(void *data, UINT size)
 	size -= 2;
 	buf += 2;
 
-	if (pp->Protocol == PPP_PROTOCOL_LCP || pp->Protocol == PPP_PROTOCOL_PAP || pp->Protocol == PPP_PROTOCOL_CHAP || pp->Protocol == PPP_PROTOCOL_IPCP || pp->Protocol == PPP_PROTOCOL_IPV6CP)
+	if (pp->Protocol == PPP_PROTOCOL_LCP || pp->Protocol == PPP_PROTOCOL_PAP || pp->Protocol == PPP_PROTOCOL_CHAP || pp->Protocol == PPP_PROTOCOL_IPCP || pp->Protocol == PPP_PROTOCOL_IPV6CP || pp->Protocol == PPP_PROTOCOL_EAP)
 	{
 		pp->IsControl = true;
 	}
@@ -2843,6 +2881,13 @@ bool PPPGetIPAddressValueFromLCP(PPP_LCP *c, UINT type, IP *ip)
 	return true;
 }
 
+// EAP packet utilities
+bool PPPProcessEAPTlsResponse(PPP_SESSION* p, PPP_EAP* eap_packet, UINT32 datasize)
+{
+	/// TODO: to implement
+	return false;
+}
+
 // Other packet utilities
 
 // Get the option value
@@ -3367,3 +3412,5 @@ char *MsChapV2DoBruteForce(IPC_MSCHAP_V2_AUTHINFO *d, LIST *password_list)
 
 	return NULL;
 }
+
+

src/Cedar/Proto_PPP.h

@@ -21,11 +21,14 @@
 #define PPP_CHAP_CODE_IS_REQUEST(c)			((c) == PPP_CHAP_CODE_CHALLENGE || (c) == PPP_CHAP_CODE_SUCCESS || (c) == PPP_CHAP_CODE_FAILURE)
 #define PPP_CHAP_CODE_IS_RESPONSE(c)		((c) == PPP_CHAP_CODE_RESPONSE)
 
-#define	PPP_CODE_IS_RESPONSE(protocol, c)	((((protocol) == PPP_PROTOCOL_LCP || (protocol) == PPP_PROTOCOL_IPCP || (protocol) == PPP_PROTOCOL_IPV6CP) && PPP_LCP_CODE_IS_RESPONSE(c)) || (((protocol) == PPP_PROTOCOL_PAP) && PPP_PAP_CODE_IS_RESPONSE(c)) || (((protocol) == PPP_PROTOCOL_CHAP) && PPP_CHAP_CODE_IS_RESPONSE(c)))
+#define PPP_EAP_CODE_IS_REQUEST(c)			((c) == PPP_EAP_CODE_REQUEST || (c) == PPP_EAP_CODE_SUCCESS || (c) == PPP_EAP_CODE_FAILURE) // We treat SUCCESS and FAILURE as requests because they affect global state of the EAP protocol
-#define	PPP_CODE_IS_REQUEST(protocol, c)	((((protocol) == PPP_PROTOCOL_LCP || (protocol) == PPP_PROTOCOL_IPCP || (protocol) == PPP_PROTOCOL_IPV6CP) && PPP_LCP_CODE_IS_REQUEST(c)) || (((protocol) == PPP_PROTOCOL_PAP) && PPP_PAP_CODE_IS_REQUEST(c)) || (((protocol) == PPP_PROTOCOL_CHAP) && PPP_CHAP_CODE_IS_REQUEST(c)))
+#define PPP_EAP_CODE_IS_RESPONSE(c)			((c) == PPP_EAP_CODE_RESPONSE)
+
+#define	PPP_CODE_IS_RESPONSE(protocol, c)	((((protocol) == PPP_PROTOCOL_LCP || (protocol) == PPP_PROTOCOL_IPCP || (protocol) == PPP_PROTOCOL_IPV6CP) && PPP_LCP_CODE_IS_RESPONSE(c)) || (((protocol) == PPP_PROTOCOL_PAP) && PPP_PAP_CODE_IS_RESPONSE(c)) || (((protocol) == PPP_PROTOCOL_CHAP) && PPP_CHAP_CODE_IS_RESPONSE(c)) || (((protocol) == PPP_PROTOCOL_EAP) && PPP_EAP_CODE_IS_RESPONSE(c)))
+#define	PPP_CODE_IS_REQUEST(protocol, c)	((((protocol) == PPP_PROTOCOL_LCP || (protocol) == PPP_PROTOCOL_IPCP || (protocol) == PPP_PROTOCOL_IPV6CP) && PPP_LCP_CODE_IS_REQUEST(c)) || (((protocol) == PPP_PROTOCOL_PAP) && PPP_PAP_CODE_IS_REQUEST(c)) || (((protocol) == PPP_PROTOCOL_CHAP) && PPP_CHAP_CODE_IS_REQUEST(c)) || (((protocol) == PPP_PROTOCOL_EAP) && PPP_EAP_CODE_IS_REQUEST(c)))
 #define	PPP_CODE_IS_WITH_OPTION_LIST(protocol, c) ((((protocol) == PPP_PROTOCOL_LCP || (protocol) == PPP_PROTOCOL_IPCP || (protocol) == PPP_PROTOCOL_IPV6CP) && PPP_LCP_CODE_IS_WITH_OPTION_LIST(c)) || false)
 
-#define	PPP_IS_SUPPORTED_PROTOCOL(p)		((p) == PPP_PROTOCOL_LCP || (p) == PPP_PROTOCOL_PAP || (p) == PPP_PROTOCOL_CHAP || (p) == PPP_PROTOCOL_IPCP || (p) == PPP_PROTOCOL_IPV6CP || (p) == PPP_PROTOCOL_IP || (p) == PPP_PROTOCOL_IPV6)
+#define	PPP_IS_SUPPORTED_PROTOCOL(p)		((p) == PPP_PROTOCOL_LCP || (p) == PPP_PROTOCOL_PAP || (p) == PPP_PROTOCOL_CHAP || (p) == PPP_PROTOCOL_IPCP || (p) == PPP_PROTOCOL_IPV6CP || (p) == PPP_PROTOCOL_IP || (p) == PPP_PROTOCOL_IPV6 || (p) == PPP_PROTOCOL_EAP )
 
 #define PPP_STATUS_IS_UNAVAILABLE(c)		((c) == PPP_STATUS_FAIL || (c) == PPP_STATUS_AUTH_FAIL || (c) == PPP_STATUS_CLOSING || (c) == PPP_STATUS_CLOSING_WAIT || (c) == PPP_STATUS_CLOSED)
 
@@ -48,6 +51,7 @@
 #define	PPP_PROTOCOL_PAP				0xc023
 #define	PPP_PROTOCOL_IPCP				0x8021
 #define	PPP_PROTOCOL_CHAP				0xc223
+#define	PPP_PROTOCOL_EAP				0xc227
 #define PPP_PROTOCOL_IPV6CP				0x8057
 
 // PPP protocol (for transfer)
@@ -93,6 +97,18 @@
 // IPV6CP option type
 #define PPP_IPV6CP_OPTION_IID			1
 
+// EAP codes
+#define PPP_EAP_CODE_REQUEST			1
+#define PPP_EAP_CODE_RESPONSE			2
+#define PPP_EAP_CODE_SUCCESS			3
+#define PPP_EAP_CODE_FAILURE			4
+
+// EAP types
+#define PPP_EAP_TYPE_IDENTITY			1
+#define PPP_EAP_TYPE_NOTIFICATION		2
+#define PPP_EAP_TYPE_NAK				3
+#define PPP_EAP_TYPE_TLS				13
+
 // Authentication protocol
 #define	PPP_LCP_AUTH_PAP				PPP_PROTOCOL_PAP
 #define	PPP_LCP_AUTH_CHAP				PPP_PROTOCOL_CHAP
@@ -164,6 +180,28 @@ struct PPP_OPTION
 	UINT AltDataSize;					// Alternate data size
 };
 
+// PPP EAP packet
+// EAP is a subset of LCP, sharing Code and Id. The Data field is then mapped to this structure
+struct PPP_EAP
+{
+	UCHAR Type;
+	union {
+		UCHAR Data[253]; // LCP Data field = 254 minus 1 byte for Type field
+		struct PPP_EAP_TLS
+		{
+			UCHAR Flags;
+			union {
+				UCHAR TlsDataWithoutLength[252]; // EAP-TLS structure size 1 (Flags) + 252 = 253
+				struct
+				{
+					UINT32 Length;
+					UCHAR Data[248]; // EAP-TLS structure size 1 (Flags) + 4 (TlsSize) + 248 = 253
+				} TlsDataWithLength;
+			};
+		} Tls;
+	};
+};
+
 // PPP request resend
 struct PPP_REQUEST_RESEND
 {
@@ -267,11 +305,13 @@ bool PPPProcessResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req);
 bool PPPProcessLCPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req);
 bool PPPProcessCHAPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req);
 bool PPPProcessIPCPResponsePacket(PPP_SESSION *p, PPP_PACKET *pp, PPP_PACKET *req);
+bool PPPProcessEAPResponsePacket(PPP_SESSION* p, PPP_PACKET* pp, PPP_PACKET* req);
 // Request packets
 bool PPPProcessRequestPacket(PPP_SESSION *p, PPP_PACKET *pp);
 bool PPPProcessLCPRequestPacket(PPP_SESSION *p, PPP_PACKET *pp);
 bool PPPProcessPAPRequestPacket(PPP_SESSION *p, PPP_PACKET *pp);
 bool PPPProcessIPCPRequestPacket(PPP_SESSION *p, PPP_PACKET *pp);
+bool PPPProcessEAPRequestPacket(PPP_SESSION* p, PPP_PACKET* pp);
 
 // LCP option based packets utility
 bool PPPRejectLCPOptions(PPP_SESSION *p, PPP_PACKET *pp);
@@ -281,7 +321,6 @@ bool PPPNackLCPOptionsEx(PPP_SESSION *p, PPP_PACKET* pp, bool simulate);
 bool PPPAckLCPOptions(PPP_SESSION *p, PPP_PACKET *pp);
 bool PPPAckLCPOptionsEx(PPP_SESSION *p, PPP_PACKET *pp, bool simulate);
 
-
 // PPP networking functions
 // Send packets
 bool PPPSendAndRetransmitRequest(PPP_SESSION *p, USHORT protocol, PPP_LCP *c);
@@ -312,6 +351,8 @@ bool PPPGetIPOptionFromLCP(PPP_IPOPTION *o, PPP_LCP *c);
 bool PPPSetIPOptionToLCP(PPP_IPOPTION *o, PPP_LCP *c, bool only_modify);
 bool PPPGetIPAddressValueFromLCP(PPP_LCP *c, UINT type, IP *ip);
 bool PPPSetIPAddressValueToLCP(PPP_LCP *c, UINT type, IP *ip, bool only_modify);
+// EAP packet utilities
+bool PPPProcessEAPTlsResponse(PPP_SESSION* p, PPP_EAP* eap_packet, UINT32 datasize);
 // Other packet utilities
 PPP_OPTION *PPPGetOptionValue(PPP_LCP *c, UCHAR type);
 bool IsHubExistsWithLock(CEDAR *cedar, char *hubname);