pcsc-lite based SIM card backend.
- The eap-peap plugin implements the EAP PEAP protocol. Interoperates
- successfully with a FreeRADIUS server but not yet with a Windows 7
- Agile VPN client.
+ successfully with a FreeRADIUS server and Windows 7 Agile VPN clients.
- The IKEv2 daemon charon rereads strongswan.conf on SIGHUP and instructs
all plugins to reload. Currently only the eap-radius and the attr plugins
.BR charon.plugins.eap-peap.max_message_count " [32]"
Maximum number of processed EAP-PEAP packets
.TP
+.BR charon.plugins.eap-peap.include_length " [no]"
+Include length in non-fragmented EAP-PEAP packets
+.TP
.BR charon.plugins.eap-peap.phase2_method " [mschapv2]"
Phase2 EAP client authentication method
.TP
.BR charon.plugins.eap-tls.max_message_count " [32]"
Maximum number of processed EAP-TLS packets
.TP
+.BR charon.plugins.eap-tls.include_length " [yes]"
+Include length in non-fragmented EAP-TLS packets
+.TP
.BR charon.plugins.eap-tnc.fragment_size " [50000]"
Maximum size of an EAP-TNC packet
.TP
.BR charon.plugins.eap-tnc.max_message_count " [10]"
Maximum number of processed EAP-TNC packets
.TP
+.BR charon.plugins.eap-tnc.include_length " [yes]"
+Include length in non-fragmented EAP-TNC packets
+.TP
.BR charon.plugins.eap-ttls.fragment_size " [1024]"
Maximum size of an EAP-TTLS packet
.TP
.BR charon.plugins.eap-ttls.max_message_count " [32]"
Maximum number of processed EAP-TTLS packets
.TP
+.BR charon.plugins.eap-ttls.include_length " [yes]"
+Include length in non-fragmented EAP-TTLS packets
+.TP
.BR charon.plugins.eap-ttls.phase2_method " [md5]"
Phase2 EAP client authentication method
.TP
{
size_t frag_size;
int max_msg_count;
+ bool include_length;
tls_t *tls;
if (is_server && !lib->settings->get_bool(lib->settings,
"charon.plugins.eap-peap.fragment_size", MAX_FRAGMENT_LEN);
max_msg_count = lib->settings->get_int(lib->settings,
"charon.plugins.eap-peap.max_message_count", MAX_MESSAGE_COUNT);
- tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_PEAP, application);
- this->tls_eap = tls_eap_create(EAP_PEAP, tls, frag_size, max_msg_count);
+ include_length = lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-peap.include_length", FALSE);
+ tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_PEAP, application);
+ this->tls_eap = tls_eap_create(EAP_PEAP, tls, frag_size, max_msg_count,
+ include_length);
if (!this->tls_eap)
{
application->destroy(application);
private_eap_tls_t *this;
size_t frag_size;
int max_msg_count;
+ bool include_length;
tls_t *tls;
INIT(this,
"charon.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN);
max_msg_count = lib->settings->get_int(lib->settings,
"charon.plugins.eap-tls.max_message_count", MAX_MESSAGE_COUNT);
+ include_length = lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-tls.include_length", TRUE);
tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL);
- this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count);
+ this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size, max_msg_count,
+ include_length);
if (!this->tls_eap)
{
free(this);
private_eap_tnc_t *this;
size_t frag_size;
int max_msg_count;
+ bool include_length;
char* protocol;
tnccs_type_t type;
tnccs_t *tnccs;
"charon.plugins.eap-tnc.fragment_size", MAX_FRAGMENT_LEN);
max_msg_count = lib->settings->get_int(lib->settings,
"charon.plugins.eap-tnc.max_message_count", MAX_MESSAGE_COUNT);
- protocol = lib->settings->get_str(lib->settings,
+ include_length = lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-tnc.include_length", TRUE);
+ protocol = lib->settings->get_str(lib->settings,
"charon.plugins.eap-tnc.protocol", "tnccs-1.1");
if (strcaseeq(protocol, "tnccs-2.0"))
{
return NULL;
}
tnccs = charon->tnccs->create_instance(charon->tnccs, type, is_server);
- this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs, frag_size, max_msg_count);
+ this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs, frag_size,
+ max_msg_count, include_length);
if (!this->tls_eap)
{
free(this);
private_eap_ttls_t *this;
size_t frag_size;
int max_msg_count;
+ bool include_length;
tls_t *tls;
INIT(this,
"charon.plugins.eap-ttls.fragment_size", MAX_FRAGMENT_LEN);
max_msg_count = lib->settings->get_int(lib->settings,
"charon.plugins.eap-ttls.max_message_count", MAX_MESSAGE_COUNT);
- tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS, application);
- this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count);
+ include_length = lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-ttls.include_length", TRUE);
+ tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS, application);
+ this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size, max_msg_count,
+ include_length);
if (!this->tls_eap)
{
application->destroy(application);
+
/*
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
bool is_server;
/**
+ * If FALSE include the total length of an EAP message
+ * in the first fragment of fragmented messages only.
+ * If TRUE also include the length in non-fragmented messages.
+ */
+ bool include_length;
+
+ /**
* First fragment of a multi-fragment record?
*/
bool first_fragment;
htoun16(&pkt.length, sizeof(eap_tls_packet_t));
pkt.identifier = this->identifier;
- DBG2(DBG_IKE, "sending %N start packet", eap_type_names, this->type);
*out = chunk_clone(chunk_from_thing(pkt));
+ DBG2(DBG_IKE, "sending %N start packet (%u bytes)",
+ eap_type_names, this->type, sizeof(eap_tls_packet_t));
+ DBG3(DBG_IKE, "%B", out);
return NEED_MORE;
}
return FAILED;
if (this->first_fragment)
{
- pkt->flags |= EAP_TLS_LENGTH;
len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(u_int32_t);
status = this->tls->build(this->tls, buf + sizeof(eap_tls_packet_t) +
sizeof(u_int32_t), &len, &reclen);
kind = "further fragment";
if (this->first_fragment)
{
+ pkt->flags |= EAP_TLS_LENGTH;
this->first_fragment = FALSE;
kind = "first fragment";
}
break;
case ALREADY_DONE:
- kind = "packet";
- if (!this->first_fragment)
+ if (this->first_fragment)
+ {
+ if (this->include_length)
+ {
+ pkt->flags |= EAP_TLS_LENGTH;
+ }
+ kind = "packet";
+ }
+ else
{
this->first_fragment = TRUE;
kind = "final fragment";
default:
return status;
}
- DBG2(DBG_TLS, "sending %N %s (%u bytes)",
- eap_type_names, this->type, kind, len);
if (reclen)
{
- htoun32(pkt + 1, reclen);
- len += sizeof(u_int32_t);
- pkt->flags |= EAP_TLS_LENGTH;
+ if (pkt->flags & EAP_TLS_LENGTH)
+ {
+ htoun32(pkt + 1, reclen);
+ len += sizeof(u_int32_t);
+ pkt->flags |= EAP_TLS_LENGTH;
+ }
+ else
+ {
+ /* get rid of the reserved length field */
+ memcpy(buf+sizeof(eap_packet_t),
+ buf+sizeof(eap_packet_t)+sizeof(u_int32_t), len);
+ }
}
len += sizeof(eap_tls_packet_t);
htoun16(&pkt->length, len);
*out = chunk_clone(chunk_create(buf, len));
+ DBG2(DBG_TLS, "sending %N %s (%u bytes)",
+ eap_type_names, this->type, kind, len);
+ DBG3(DBG_TLS, "%B", out);
return NEED_MORE;
}
}
/* update EAP identifier */
- this->identifier = pkt->identifier;
+ if (!this->is_server)
+ {
+ this->identifier = pkt->identifier;
+ }
+ DBG3(DBG_TLS, "%N payload %B", eap_type_names, this->type, &in);
if (pkt->flags & EAP_TLS_START)
{
* See header
*/
tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
- int max_msg_count)
+ int max_msg_count, bool include_length)
{
private_tls_eap_t *this;
.first_fragment = TRUE,
.frag_size = frag_size,
.max_msg_count = max_msg_count,
+ .include_length = include_length,
.tls = tls,
);
* @param tls TLS implementation
* @param frag_size maximum size of a TLS fragment we send
* @param max_msg_count maximum number of processed messages
+ * @param include_length if TRUE include length in non-fragmented packets
*/
tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
- int max_msg_count);
+ int max_msg_count, bool include_length);
#endif /** TLS_EAP_H_ @}*/