iPXE
Extensible Authentication Protocol.
Data Structures
struct eap_header
EAP header.
struct eap_message
EAP request/response message.
struct eap_md5
EAP MD5 challenge request/response type data.
struct eap_mschapv2
EAP MS-CHAPv2 request/response type data.
union eap_packet
EAP packet.
struct eap_supplicant
An EAP supplicant.
struct eap_method
An EAP method.
Macros
#define EAP_CODE_REQUEST 1
EAP request.
#define EAP_CODE_RESPONSE 2
EAP response.
#define EAP_TYPE_NONE 0
EAP "no available types" marker.
#define EAP_TYPE_IDENTITY 1
EAP identity.
#define EAP_TYPE_NAK 3
EAP NAK.
#define EAP_TYPE_MD5 4
EAP MD5 challenge request/response.
#define EAP_TYPE_MSCHAPV2 26
EAP MS-CHAPv2 request/response.
#define EAP_CODE_SUCCESS 3
EAP success.
#define EAP_CODE_FAILURE 4
EAP failure.
#define EAP_BLOCK_TIMEOUT ( 45 * TICKS_PER_SEC )
EAP link block timeout.
#define EAP_WAIT_TIMEOUT ( EAP_BLOCK_TIMEOUT * 7 / 8 )
EAP protocol wait timeout.
#define EAP_FL_ONGOING 0x0001
EAP authentication is in progress.
#define EAP_FL_PASSIVE 0x0002
EAP supplicant is passive.
#define EAP_METHODS __table ( struct eap_method, "eap_methods" )
EAP method table.
#define __eap_method __table_entry ( EAP_METHODS, 01 )
Declare an EAP method.
Functions
FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
int eap_tx_response (struct eap_supplicant *supplicant, const void *rsp, size_t rsp_len)
Transmit EAP response.
int eap_rx (struct eap_supplicant *supplicant, const void *data, size_t len)
Handle EAP packet.
Extensible Authentication Protocol.
Definition in file eap.h.
#define EAP_BLOCK_TIMEOUT ( 45 * TICKS_PER_SEC )
EAP link block timeout.
We mark the link as blocked upon receiving a Request-Identity, on the basis that this most likely indicates that the switch will not yet be forwarding packets.
There is no way to tell how frequently the Request-Identity packet will be retransmitted by the switch. The default value for Cisco switches seems to be 30 seconds, so treat the link as blocked for 45 seconds.
#define EAP_WAIT_TIMEOUT ( EAP_BLOCK_TIMEOUT * 7 / 8 )
EAP protocol wait timeout.
In the EAP model, the supplicant is a pure responder. The model also defines no acknowledgement response for the final Success or Failure "requests". This leaves open the possibility that the final Success or Failure packet is lost, with the supplicant having no way to determine the final authentication status.
Sideband mechanisms such as EAPoL-Start may be used to restart the entire EAP process, as a (crude) workaround for this protocol flaw. When expecting to receive a further EAP request (e.g. an authentication challenge), we may wait for some length of time before triggering this restart. Choose a duration that is shorter than the link block timeout, so that there is no period during which we erroneously leave the link marked as not blocked.
#define EAP_FL_ONGOING 0x0001
EAP authentication is in progress.
#define EAP_FL_PASSIVE 0x0002
EAP supplicant is passive.
This indicates that the supplicant should not transmit any further unsolicited packets (e.g. EAPoL-Start for a supplicant running over EAPoL). This could be because authentication has already completed, or because we are relying upon MAC Authentication Bypass (MAB), which may have a very long timeout.
#define EAP_METHODS __table ( struct eap_method, "eap_methods" )
EAP method table.
#define __eap_method __table_entry ( EAP_METHODS, 01 )
Declare an EAP method.
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL )
int eap_tx_response ( struct eap_supplicant *supplicant, const void *rsp, size_t rsp_len )
Transmit EAP response.
Parameters
supplicant | EAP supplicant |
rsp | Response type data |
rsp_len | Length of response type data |
Return values
rc | Return status code |
Definition at line 47 of file eap.c.
References DBGC, EAP_CODE_RESPONSE, ENOMEM, free, htons, eap_supplicant::id, len, malloc(), memcpy(), msg(), net_device::name, netdev, eap_supplicant::netdev, rc, rsp, strerror(), eap_supplicant::tx, and eap_supplicant::type.
Referenced by eap_rx_identity(), eap_rx_md5(), eap_rx_mschapv2_request(), eap_rx_mschapv2_success(), and eap_tx_nak().
int eap_rx ( struct eap_supplicant *supplicant, const void *data, size_t len )
Handle EAP packet.
Parameters
supplicant | EAP supplicant |
data | EAP packet |
len | Length of EAP packet |
Return values
rc | Return status code |
Definition at line 263 of file eap.c.
References eap_header::code, data, DBGC, DBGC2, DBGC_HDA, EAP_CODE_FAILURE, EAP_CODE_REQUEST, EAP_CODE_RESPONSE, EAP_CODE_SUCCESS, eap_rx_failure(), eap_rx_request(), eap_rx_success(), EINVAL, ENOTSUP, eap_packet::hdr, len, eap_packet::msg, net_device::name, netdev, and eap_supplicant::netdev.
Referenced by eapol_eap_rx().
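An added example, not iPXE's eap.c: the length and code checks a receive handler such as eap_rx() needs before trusting a packet from the wire, using the code values listed above and the RFC 3748 layout. The names eap_view and eap_parse are hypothetical, and the error codes simply mirror the EINVAL and ENOTSUP that eap_rx() references.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Code and type values as listed on this page */
#define EAP_CODE_REQUEST  1
#define EAP_CODE_RESPONSE 2
#define EAP_CODE_SUCCESS  3
#define EAP_CODE_FAILURE  4
#define EAP_TYPE_IDENTITY 1
#define EAP_TYPE_MD5      4

/* Hypothetical parsed view of a packet (not iPXE's struct eap_header) */
struct eap_view {
	uint8_t code, id, type;   /* type is set for request/response only */
	const uint8_t *data;      /* type data following the type byte */
	size_t data_len;
};

/* Validate an untrusted buffer against the RFC 3748 layout:
 * code(1) id(1) length(2, big-endian) [type(1) type-data...] */
int eap_parse ( const void *buf, size_t len, struct eap_view *out ) {
	const uint8_t *p = buf;
	size_t eap_len;

	if ( len < 4 ) return -EINVAL;        /* truncated header */
	eap_len = ( ( ( size_t ) p[2] << 8 ) | p[3] );
	if ( ( eap_len < 4 ) || ( eap_len > len ) )
		return -EINVAL;               /* length field exceeds received bytes */
	*out = ( struct eap_view ) { .code = p[0], .id = p[1] };
	switch ( out->code ) {
	case EAP_CODE_REQUEST:
	case EAP_CODE_RESPONSE:
		if ( eap_len < 5 ) return -EINVAL; /* no type byte present */
		out->type = p[4];
		out->data = ( p + 5 );
		out->data_len = ( eap_len - 5 ); /* bytes past eap_len are padding */
		return 0;
	case EAP_CODE_SUCCESS:
	case EAP_CODE_FAILURE:
		return 0;                     /* header only, no type data */
	default:
		return -ENOTSUP;              /* unknown code */
	}
}

int main ( void ) {
	/* Constructed sample: Request-Identity, id 0x2a, padded by the link layer */
	static const uint8_t pkt[] = { 1, 0x2a, 0, 5, 1, 0, 0, 0 };
	struct eap_view v;
	return ( eap_parse ( pkt, sizeof ( pkt ), &v ) ? 1 : 0 );
}
```

The type data length is taken from the EAP length field rather than the received frame length, so link-layer padding never reaches a method handler.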