freebsd-skq/contrib/tcpdump/print-eap.c
emaste 37e2725e53 Update tcpdump to 4.9.2
It contains many fixes, including bounds checking, buffer overflows (in
SLIP and bittok2str_internal), buffer over-reads, and infinite loops.

One other notable change:
  Do not use getprotobynumber() for protocol name resolution.
  Do not do any protocol name resolution if -n is specified.

Submitted by:	gordon
Reviewed by:	delphij, emaste, glebius
MFC after:	1 week
Relnotes:	Yes
Security:	CVE-2017-11108, CVE-2017-11541, CVE-2017-11542
Security:	CVE-2017-11543, CVE-2017-12893, CVE-2017-12894
Security:	CVE-2017-12895, CVE-2017-12896, CVE-2017-12897
Security:	CVE-2017-12898, CVE-2017-12899, CVE-2017-12900
Security:	CVE-2017-12901, CVE-2017-12902, CVE-2017-12985
Security:	CVE-2017-12986, CVE-2017-12987, CVE-2017-12988
Security:	CVE-2017-12989, CVE-2017-12990, CVE-2017-12991
Security:	CVE-2017-12992, CVE-2017-12993, CVE-2017-12994
Security:	CVE-2017-12995, CVE-2017-12996, CVE-2017-12997
Security:	CVE-2017-12998, CVE-2017-12999, CVE-2017-13000
Security:	CVE-2017-13001, CVE-2017-13002, CVE-2017-13003
Security:	CVE-2017-13004, CVE-2017-13005, CVE-2017-13006
Security:	CVE-2017-13007, CVE-2017-13008, CVE-2017-13009
Security:	CVE-2017-13010, CVE-2017-13011, CVE-2017-13012
Security:	CVE-2017-13013, CVE-2017-13014, CVE-2017-13015
Security:	CVE-2017-13016, CVE-2017-13017, CVE-2017-13018
Security:	CVE-2017-13019, CVE-2017-13020, CVE-2017-13021
Security:	CVE-2017-13022, CVE-2017-13023, CVE-2017-13024
Security:	CVE-2017-13025, CVE-2017-13026, CVE-2017-13027
Security:	CVE-2017-13028, CVE-2017-13029, CVE-2017-13030
Security:	CVE-2017-13031, CVE-2017-13032, CVE-2017-13033
Security:	CVE-2017-13034, CVE-2017-13035, CVE-2017-13036
Security:	CVE-2017-13037, CVE-2017-13038, CVE-2017-13039
Security:	CVE-2017-13040, CVE-2017-13041, CVE-2017-13042
Security:	CVE-2017-13043, CVE-2017-13044, CVE-2017-13045
Security:	CVE-2017-13046, CVE-2017-13047, CVE-2017-13048
Security:	CVE-2017-13049, CVE-2017-13050, CVE-2017-13051
Security:	CVE-2017-13052, CVE-2017-13053, CVE-2017-13054
Security:	CVE-2017-13055, CVE-2017-13687, CVE-2017-13688
Security:	CVE-2017-13689, CVE-2017-13690, CVE-2017-13725
Differential Revision:	https://reviews.freebsd.org/D12404
2017-12-06 02:21:11 +00:00

305 lines
9.3 KiB
C

/*
* Copyright (c) 2004 - Michael Richardson <mcr@xelerance.com>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
* retain the above copyright notice and this paragraph in its entirety, (2)
* distributions including binary code include the above copyright notice and
* this paragraph in its entirety in the documentation or other materials
* provided with the distribution, and (3) all advertising materials mentioning
* features or use of this software display the following acknowledgement:
* ``This product includes software developed by the University of California,
* Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
* the University nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
/* \summary: Extensible Authentication Protocol (EAP) printer */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <netdissect-stdinc.h>
#include "netdissect.h"
#include "extract.h"
#define EAP_FRAME_TYPE_PACKET 0
#define EAP_FRAME_TYPE_START 1
#define EAP_FRAME_TYPE_LOGOFF 2
#define EAP_FRAME_TYPE_KEY 3
#define EAP_FRAME_TYPE_ENCAP_ASF_ALERT 4
struct eap_frame_t {
unsigned char version;
unsigned char type;
unsigned char length[2];
};
static const struct tok eap_frame_type_values[] = {
{ EAP_FRAME_TYPE_PACKET, "EAP packet" },
{ EAP_FRAME_TYPE_START, "EAPOL start" },
{ EAP_FRAME_TYPE_LOGOFF, "EAPOL logoff" },
{ EAP_FRAME_TYPE_KEY, "EAPOL key" },
{ EAP_FRAME_TYPE_ENCAP_ASF_ALERT, "Encapsulated ASF alert" },
{ 0, NULL}
};
/* RFC 3748 */
struct eap_packet_t {
unsigned char code;
unsigned char id;
unsigned char length[2];
};
#define EAP_REQUEST 1
#define EAP_RESPONSE 2
#define EAP_SUCCESS 3
#define EAP_FAILURE 4
static const struct tok eap_code_values[] = {
{ EAP_REQUEST, "Request" },
{ EAP_RESPONSE, "Response" },
{ EAP_SUCCESS, "Success" },
{ EAP_FAILURE, "Failure" },
{ 0, NULL}
};
#define EAP_TYPE_NO_PROPOSED 0
#define EAP_TYPE_IDENTITY 1
#define EAP_TYPE_NOTIFICATION 2
#define EAP_TYPE_NAK 3
#define EAP_TYPE_MD5_CHALLENGE 4
#define EAP_TYPE_OTP 5
#define EAP_TYPE_GTC 6
#define EAP_TYPE_TLS 13 /* RFC 2716 */
#define EAP_TYPE_SIM 18 /* RFC 4186 */
#define EAP_TYPE_TTLS 21 /* draft-funk-eap-ttls-v0-01.txt */
#define EAP_TYPE_AKA 23 /* RFC 4187 */
#define EAP_TYPE_FAST 43 /* RFC 4851 */
#define EAP_TYPE_EXPANDED_TYPES 254
#define EAP_TYPE_EXPERIMENTAL 255
static const struct tok eap_type_values[] = {
{ EAP_TYPE_NO_PROPOSED, "No proposed" },
{ EAP_TYPE_IDENTITY, "Identity" },
{ EAP_TYPE_NOTIFICATION, "Notification" },
{ EAP_TYPE_NAK, "Nak" },
{ EAP_TYPE_MD5_CHALLENGE, "MD5-challenge" },
{ EAP_TYPE_OTP, "OTP" },
{ EAP_TYPE_GTC, "GTC" },
{ EAP_TYPE_TLS, "TLS" },
{ EAP_TYPE_SIM, "SIM" },
{ EAP_TYPE_TTLS, "TTLS" },
{ EAP_TYPE_AKA, "AKA" },
{ EAP_TYPE_FAST, "FAST" },
{ EAP_TYPE_EXPANDED_TYPES, "Expanded types" },
{ EAP_TYPE_EXPERIMENTAL, "Experimental" },
{ 0, NULL}
};
#define EAP_TLS_EXTRACT_BIT_L(x) (((x)&0x80)>>7)
/* RFC 2716 - EAP TLS bits */
#define EAP_TLS_FLAGS_LEN_INCLUDED (1 << 7)
#define EAP_TLS_FLAGS_MORE_FRAGMENTS (1 << 6)
#define EAP_TLS_FLAGS_START (1 << 5)
static const struct tok eap_tls_flags_values[] = {
{ EAP_TLS_FLAGS_LEN_INCLUDED, "L bit" },
{ EAP_TLS_FLAGS_MORE_FRAGMENTS, "More fragments bit"},
{ EAP_TLS_FLAGS_START, "Start bit"},
{ 0, NULL}
};
#define EAP_TTLS_VERSION(x) ((x)&0x07)
/* EAP-AKA and EAP-SIM - RFC 4187 */
#define EAP_AKA_CHALLENGE 1
#define EAP_AKA_AUTH_REJECT 2
#define EAP_AKA_SYNC_FAILURE 4
#define EAP_AKA_IDENTITY 5
#define EAP_SIM_START 10
#define EAP_SIM_CHALLENGE 11
#define EAP_AKA_NOTIFICATION 12
#define EAP_AKA_REAUTH 13
#define EAP_AKA_CLIENT_ERROR 14
static const struct tok eap_aka_subtype_values[] = {
{ EAP_AKA_CHALLENGE, "Challenge" },
{ EAP_AKA_AUTH_REJECT, "Auth reject" },
{ EAP_AKA_SYNC_FAILURE, "Sync failure" },
{ EAP_AKA_IDENTITY, "Identity" },
{ EAP_SIM_START, "Start" },
{ EAP_SIM_CHALLENGE, "Challenge" },
{ EAP_AKA_NOTIFICATION, "Notification" },
{ EAP_AKA_REAUTH, "Reauth" },
{ EAP_AKA_CLIENT_ERROR, "Client error" },
{ 0, NULL}
};
/*
* Print EAP requests / responses
*/
void
eap_print(netdissect_options *ndo,
register const u_char *cp,
u_int length)
{
const struct eap_frame_t *eap;
const u_char *tptr;
u_int tlen, type, subtype;
int count=0, len;
tptr = cp;
tlen = length;
eap = (const struct eap_frame_t *)cp;
ND_TCHECK(*eap);
/* in non-verbose mode just lets print the basic info */
if (ndo->ndo_vflag < 1) {
ND_PRINT((ndo, "%s (%u) v%u, len %u",
tok2str(eap_frame_type_values, "unknown", eap->type),
eap->type,
eap->version,
EXTRACT_16BITS(eap->length)));
return;
}
ND_PRINT((ndo, "%s (%u) v%u, len %u",
tok2str(eap_frame_type_values, "unknown", eap->type),
eap->type,
eap->version,
EXTRACT_16BITS(eap->length)));
tptr += sizeof(const struct eap_frame_t);
tlen -= sizeof(const struct eap_frame_t);
switch (eap->type) {
case EAP_FRAME_TYPE_PACKET:
ND_TCHECK_8BITS(tptr);
type = *(tptr);
ND_TCHECK_16BITS(tptr+2);
len = EXTRACT_16BITS(tptr+2);
ND_PRINT((ndo, ", %s (%u), id %u, len %u",
tok2str(eap_code_values, "unknown", type),
type,
*(tptr+1),
len));
ND_TCHECK2(*tptr, len);
if (type <= 2) { /* For EAP_REQUEST and EAP_RESPONSE only */
ND_TCHECK_8BITS(tptr+4);
subtype = *(tptr+4);
ND_PRINT((ndo, "\n\t\t Type %s (%u)",
tok2str(eap_type_values, "unknown", subtype),
subtype));
switch (subtype) {
case EAP_TYPE_IDENTITY:
if (len - 5 > 0) {
ND_PRINT((ndo, ", Identity: "));
safeputs(ndo, tptr + 5, len - 5);
}
break;
case EAP_TYPE_NOTIFICATION:
if (len - 5 > 0) {
ND_PRINT((ndo, ", Notification: "));
safeputs(ndo, tptr + 5, len - 5);
}
break;
case EAP_TYPE_NAK:
count = 5;
/*
* one or more octets indicating
* the desired authentication
* type one octet per type
*/
while (count < len) {
ND_TCHECK_8BITS(tptr+count);
ND_PRINT((ndo, " %s (%u),",
tok2str(eap_type_values, "unknown", *(tptr+count)),
*(tptr + count)));
count++;
}
break;
case EAP_TYPE_TTLS:
case EAP_TYPE_TLS:
ND_TCHECK_8BITS(tptr + 5);
if (subtype == EAP_TYPE_TTLS)
ND_PRINT((ndo, " TTLSv%u",
EAP_TTLS_VERSION(*(tptr + 5))));
ND_PRINT((ndo, " flags [%s] 0x%02x,",
bittok2str(eap_tls_flags_values, "none", *(tptr+5)),
*(tptr + 5)));
if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) {
ND_TCHECK_32BITS(tptr + 6);
ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6)));
}
break;
case EAP_TYPE_FAST:
ND_TCHECK_8BITS(tptr + 5);
ND_PRINT((ndo, " FASTv%u",
EAP_TTLS_VERSION(*(tptr + 5))));
ND_PRINT((ndo, " flags [%s] 0x%02x,",
bittok2str(eap_tls_flags_values, "none", *(tptr+5)),
*(tptr + 5)));
if (EAP_TLS_EXTRACT_BIT_L(*(tptr+5))) {
ND_TCHECK_32BITS(tptr + 6);
ND_PRINT((ndo, " len %u", EXTRACT_32BITS(tptr + 6)));
}
/* FIXME - TLV attributes follow */
break;
case EAP_TYPE_AKA:
case EAP_TYPE_SIM:
ND_TCHECK_8BITS(tptr + 5);
ND_PRINT((ndo, " subtype [%s] 0x%02x,",
tok2str(eap_aka_subtype_values, "unknown", *(tptr+5)),
*(tptr + 5)));
/* FIXME - TLV attributes follow */
break;
case EAP_TYPE_MD5_CHALLENGE:
case EAP_TYPE_OTP:
case EAP_TYPE_GTC:
case EAP_TYPE_EXPANDED_TYPES:
case EAP_TYPE_EXPERIMENTAL:
default:
break;
}
}
break;
case EAP_FRAME_TYPE_LOGOFF:
case EAP_FRAME_TYPE_ENCAP_ASF_ALERT:
default:
break;
}
return;
trunc:
ND_PRINT((ndo, "\n\t[|EAP]"));
}
/*
* Local Variables:
* c-basic-offset: 4
* End:
*/