eap.h File Reference

Extensible Authentication Protocol. More...

#include <stdint.h>
#include <ipxe/netdevice.h>
#include <ipxe/timer.h>
#include <ipxe/tables.h>


Data Structures

struct  eap_header
 EAP header. More...
struct  eap_message
 EAP request/response message. More...
struct  eap_md5
 EAP MD5 challenge request/response type data. More...
struct  eap_mschapv2
 EAP MS-CHAPv2 request/response type data. More...
union  eap_packet
 EAP packet. More...
struct  eap_supplicant
 An EAP supplicant. More...
struct  eap_method
 An EAP method. More...

Macros

#define EAP_CODE_REQUEST   1
 EAP request.
#define EAP_CODE_RESPONSE   2
 EAP response.
#define EAP_TYPE_NONE   0
 EAP "no available types" marker.
#define EAP_TYPE_IDENTITY   1
 EAP identity.
#define EAP_TYPE_NAK   3
 EAP NAK.
#define EAP_TYPE_MD5   4
 EAP MD5 challenge request/response.
#define EAP_TYPE_MSCHAPV2   26
 EAP MS-CHAPv2 request/response.
#define EAP_CODE_SUCCESS   3
 EAP success.
#define EAP_CODE_FAILURE   4
 EAP failure.
#define EAP_BLOCK_TIMEOUT   ( 45 * TICKS_PER_SEC )
 EAP link block timeout.
#define EAP_WAIT_TIMEOUT   ( EAP_BLOCK_TIMEOUT * 7 / 8 )
 EAP protocol wait timeout.
#define EAP_FL_ONGOING   0x0001
 EAP authentication is in progress.
#define EAP_FL_PASSIVE   0x0002
 EAP supplicant is passive.
#define EAP_METHODS   __table ( struct eap_method, "eap_methods" )
 EAP method table.
#define __eap_method   __table_entry ( EAP_METHODS, 01 )
 Declare an EAP method.

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 FILE_SECBOOT (PERMITTED)
int eap_tx_response (struct eap_supplicant *supplicant, const void *rsp, size_t rsp_len)
 Transmit EAP response.
int eap_rx (struct eap_supplicant *supplicant, const void *data, size_t len)
 Handle EAP packet.

Detailed Description

Extensible Authentication Protocol.

Definition in file eap.h.

Macro Definition Documentation

◆ EAP_CODE_REQUEST

#define EAP_CODE_REQUEST   1

EAP request.

Definition at line 29 of file eap.h.

Referenced by eap_rx(), and eap_rx_mschapv2().

◆ EAP_CODE_RESPONSE

#define EAP_CODE_RESPONSE   2

EAP response.

Definition at line 32 of file eap.h.

Referenced by eap_rx(), eap_rx_mschapv2_request(), and eap_tx_response().

◆ EAP_TYPE_NONE

#define EAP_TYPE_NONE   0

EAP "no available types" marker.

Definition at line 45 of file eap.h.

Referenced by eap_tx_nak().

◆ EAP_TYPE_IDENTITY

#define EAP_TYPE_IDENTITY   1

EAP identity.

Definition at line 48 of file eap.h.

◆ EAP_TYPE_NAK

#define EAP_TYPE_NAK   3

EAP NAK.

Definition at line 51 of file eap.h.

Referenced by eap_rx_request(), and eap_tx_nak().

◆ EAP_TYPE_MD5

#define EAP_TYPE_MD5   4

EAP MD5 challenge request/response.

Definition at line 54 of file eap.h.

◆ EAP_TYPE_MSCHAPV2

#define EAP_TYPE_MSCHAPV2   26

EAP MS-CHAPv2 request/response.

Definition at line 65 of file eap.h.

◆ EAP_CODE_SUCCESS

#define EAP_CODE_SUCCESS   3

EAP success.

Definition at line 94 of file eap.h.

Referenced by eap_rx(), eap_rx_mschapv2(), and eap_rx_mschapv2_success().

◆ EAP_CODE_FAILURE

#define EAP_CODE_FAILURE   4

EAP failure.

Definition at line 97 of file eap.h.

Referenced by eap_rx().

◆ EAP_BLOCK_TIMEOUT

#define EAP_BLOCK_TIMEOUT   ( 45 * TICKS_PER_SEC )

EAP link block timeout.

We mark the link as blocked upon receiving a Request-Identity, on the basis that this most likely indicates that the switch will not yet be forwarding packets.

There is no way to tell how frequently the Request-Identity packet will be retransmitted by the switch. The default value for Cisco switches seems to be 30 seconds, so treat the link as blocked for 45 seconds.

Definition at line 118 of file eap.h.

Referenced by eap_rx_identity().

◆ EAP_WAIT_TIMEOUT

#define EAP_WAIT_TIMEOUT   ( EAP_BLOCK_TIMEOUT * 7 / 8 )

EAP protocol wait timeout.

In the EAP model, the supplicant is a pure responder. The model also defines no acknowledgement response for the final Success or Failure "requests". This leaves open the possibility that the final Success or Failure packet is lost, with the supplicant having no way to determine the final authentication status.

Sideband mechanisms such as EAPoL-Start may be used to restart the entire EAP process, as a (crude) workaround for this protocol flaw. When expecting to receive a further EAP request (e.g. an authentication challenge), we may wait for some length of time before triggering this restart. Choose a duration that is shorter than the link block timeout, so that there is no period during which we erroneously leave the link marked as not blocked.

Definition at line 136 of file eap.h.

Referenced by eapol_eap_rx().

◆ EAP_FL_ONGOING

#define EAP_FL_ONGOING   0x0001

EAP authentication is in progress.

This indicates that we have received an EAP Request-Identity, but have not yet received a final EAP Success or EAP Failure.

Definition at line 165 of file eap.h.

Referenced by eap_rx_identity(), and eapol_eap_rx().

◆ EAP_FL_PASSIVE

#define EAP_FL_PASSIVE   0x0002

EAP supplicant is passive.

This indicates that the supplicant should not transmit any further unsolicited packets (e.g. EAPoL-Start for a supplicant running over EAPoL). This could be because authentication has already completed, or because we are relying upon MAC Authentication Bypass (MAB), which may have a very long timeout.

Definition at line 175 of file eap.h.

Referenced by eap_rx_failure(), eap_rx_identity(), eap_rx_success(), eapol_eap_rx(), and eapol_notify().

◆ EAP_METHODS

#define EAP_METHODS   __table ( struct eap_method, "eap_methods" )

EAP method table.

Definition at line 194 of file eap.h.

Referenced by eap_rx_request(), and eap_tx_nak().

◆ __eap_method

#define __eap_method   __table_entry ( EAP_METHODS, 01 )

Declare an EAP method.

Definition at line 197 of file eap.h.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL )

◆ FILE_SECBOOT()

FILE_SECBOOT ( PERMITTED )

◆ eap_tx_response()

int eap_tx_response ( struct eap_supplicant * supplicant,
const void * rsp,
size_t rsp_len )
extern

Transmit EAP response.

Parameters
supplicant — EAP supplicant
rsp — Response type data
rsp_len — Length of response type data
Return values
rc — Return status code

Definition at line 48 of file eap.c.

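/**
 * Transmit EAP response
 *
 * @v supplicant	EAP supplicant
 * @v rsp		Response type data
 * @v rsp_len		Length of response type data
 * @ret rc		Return status code
 *
 * Builds a single EAP Response message (header, type byte and the
 * caller-supplied type data) using the ID and type recorded in the
 * supplicant, hands it to the supplicant's transmit method, and frees
 * the message on every path once it has been allocated.  Returns 0 on
 * success, -EINVAL if the response cannot be represented on the wire,
 * -ENOMEM if allocation fails, or the error returned by the transmit
 * method.
 */
int eap_tx_response ( struct eap_supplicant *supplicant,
		      const void *rsp, size_t rsp_len ) {
	struct net_device *netdev = supplicant->netdev;
	struct eap_message *msg;
	size_t len;
	int rc;

	/* The EAP header length field is 16 bits wide (RFC 3748
	 * section 4).  Refuse to build a message that could not be
	 * represented, rather than silently storing a truncated
	 * length in hdr.len.  Subtracting first also guarantees that
	 * the addition below cannot wrap.
	 */
	if ( rsp_len > ( 0xffffU - sizeof ( *msg ) ) ) {
		DBGC ( netdev, "EAP %s response too long (%zd bytes)\n",
		       netdev->name, rsp_len );
		rc = -EINVAL;
		goto err_len;
	}

	/* Allocate and populate response */
	len = ( sizeof ( *msg ) + rsp_len );
	msg = malloc ( len );
	if ( ! msg ) {
		rc = -ENOMEM;
		goto err_alloc;
	}
	msg->hdr.code = EAP_CODE_RESPONSE;
	msg->hdr.id = supplicant->id;
	msg->hdr.len = htons ( len );
	msg->type = supplicant->type;
	memcpy ( msg->data, rsp, rsp_len );
	DBGC ( netdev, "EAP %s Response id %#02x type %d\n",
	       netdev->name, msg->hdr.id, msg->type );

	/* Transmit response */
	if ( ( rc = supplicant->tx ( supplicant, msg, len ) ) != 0 ) {
		DBGC ( netdev, "EAP %s could not transmit: %s\n",
		       netdev->name, strerror ( rc ) );
		goto err_tx;
	}

	/* Success falls through to the same cleanup as a failed
	 * transmit: the message is owned here and freed unconditionally.
	 */
 err_tx:
	free ( msg );
 err_alloc:
 err_len:
	return rc;
}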

References DBGC, EAP_CODE_RESPONSE, ENOMEM, free, htons, eap_supplicant::id, len, malloc(), memcpy(), msg(), eap_supplicant::netdev, netdev, rc, rsp, strerror(), eap_supplicant::tx, and eap_supplicant::type.

Referenced by eap_rx_identity(), eap_rx_md5(), eap_rx_mschapv2_request(), eap_rx_mschapv2_success(), and eap_tx_nak().

◆ eap_rx()

int eap_rx ( struct eap_supplicant * supplicant,
const void * data,
size_t len )
extern

Handle EAP packet.

Parameters
supplicant — EAP supplicant
data — EAP packet
len — Length of EAP packet
Return values
rc — Return status code

Definition at line 264 of file eap.c.

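/**
 * Handle EAP packet
 *
 * @v supplicant	EAP supplicant
 * @v data		EAP packet
 * @v len		Length of EAP packet
 * @ret rc		Return status code
 *
 * Validates the fixed EAP header and the packet's own Length field,
 * then dispatches on the Code field: Requests go to eap_rx_request()
 * with the effective packet length, Responses are ignored (the
 * supplicant never receives them), and Success/Failure go to their
 * dedicated handlers.  Returns -EINVAL for a malformed packet and
 * -ENOTSUP for an unknown code.
 */
int eap_rx ( struct eap_supplicant *supplicant, const void *data,
	     size_t len ) {
	struct net_device *netdev = supplicant->netdev;
	const union eap_packet *eap = data;
	size_t hdr_len;

	/* Sanity check: the fixed header must be present */
	if ( len < sizeof ( eap->hdr ) ) {
		DBGC ( netdev, "EAP %s underlength header:\n", netdev->name );
		DBGC_HDA ( netdev, 0, eap, len );
		return -EINVAL;
	}

	/* Sanity check: the declared length must be at least the
	 * header size and must not exceed the number of received
	 * octets.  RFC 3748 section 4.1 requires a packet whose Length
	 * field exceeds the received octet count to be discarded, and
	 * treats octets beyond the Length field as data-link padding
	 * to be ignored, so the declared length becomes the effective
	 * length passed to the per-code handlers.
	 */
	hdr_len = ntohs ( eap->hdr.len );
	if ( ( hdr_len < sizeof ( eap->hdr ) ) || ( hdr_len > len ) ) {
		DBGC ( netdev, "EAP %s invalid length %zd (received %zd):\n",
		       netdev->name, hdr_len, len );
		DBGC_HDA ( netdev, 0, eap, len );
		return -EINVAL;
	}
	len = hdr_len;

	/* Handle according to code */
	switch ( eap->hdr.code ) {
	case EAP_CODE_REQUEST:
		return eap_rx_request ( supplicant, &eap->msg, len );
	case EAP_CODE_RESPONSE:
		/* A supplicant is a pure responder; a Response
		 * arriving here is not addressed to us.
		 */
		DBGC2 ( netdev, "EAP %s ignoring response\n", netdev->name );
		return 0;
	case EAP_CODE_SUCCESS:
		return eap_rx_success ( supplicant );
	case EAP_CODE_FAILURE:
		return eap_rx_failure ( supplicant );
	default:
		DBGC ( netdev, "EAP %s unsupported code %d\n",
		       netdev->name, eap->hdr.code );
		DBGC_HDA ( netdev, 0, eap, len );
		return -ENOTSUP;
	}
}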

References eap_header::code, data, DBGC, DBGC2, DBGC_HDA, EAP_CODE_FAILURE, EAP_CODE_REQUEST, EAP_CODE_RESPONSE, EAP_CODE_SUCCESS, eap_rx_failure(), eap_rx_request(), eap_rx_success(), EINVAL, ENOTSUP, eap_packet::hdr, len, eap_packet::msg, eap_supplicant::netdev, and netdev.

Referenced by eapol_eap_rx(), and REQUIRING_SYMBOL().