iPXE
Extensible Authentication Protocol.
Data Structures
struct eap_header
    EAP header.
struct eap_request
    EAP request.
union eap_packet
    EAP packet.
struct eap_supplicant
    An EAP supplicant.

Macros
#define EAP_CODE_REQUEST 1
    EAP request.
#define EAP_TYPE_IDENTITY 1
    EAP identity.
#define EAP_CODE_SUCCESS 3
    EAP success.
#define EAP_CODE_FAILURE 4
    EAP failure.
#define EAP_BLOCK_TIMEOUT ( 45 * TICKS_PER_SEC )
    EAP link block timeout.
#define EAP_WAIT_TIMEOUT ( EAP_BLOCK_TIMEOUT * 7 / 8 )
    EAP protocol wait timeout.
#define EAP_FL_ONGOING 0x0001
    EAP authentication is in progress.
#define EAP_FL_PASSIVE 0x0002
    EAP supplicant is passive.

Functions
FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
int eap_rx (struct eap_supplicant *supplicant, const void *data, size_t len)
    Handle EAP packet.
Definition in file eap.h.
#define EAP_BLOCK_TIMEOUT ( 45 * TICKS_PER_SEC )
EAP link block timeout.
We mark the link as blocked upon receiving a Request-Identity, on the basis that this most likely indicates that the switch will not yet be forwarding packets.
There is no way to tell how frequently the Request-Identity packet will be retransmitted by the switch. The default value for Cisco switches seems to be 30 seconds, so treat the link as blocked for 45 seconds.
#define EAP_WAIT_TIMEOUT ( EAP_BLOCK_TIMEOUT * 7 / 8 )
EAP protocol wait timeout.
In the EAP model, the supplicant is a pure responder. The model also defines no acknowledgement response for the final Success or Failure "requests". This leaves open the possibility that the final Success or Failure packet is lost, with the supplicant having no way to determine the final authentication status.
Sideband mechanisms such as EAPoL-Start may be used to restart the entire EAP process, as a (crude) workaround for this protocol flaw. When expecting to receive a further EAP request (e.g. an authentication challenge), we may wait for some length of time before triggering this restart. Choose a duration that is shorter than the link block timeout, so that there is no period during which we erroneously leave the link marked as not blocked.
#define EAP_FL_ONGOING 0x0001
EAP authentication is in progress.
#define EAP_FL_PASSIVE 0x0002
EAP supplicant is passive.
This indicates that the supplicant should not transmit any further unsolicited packets (e.g. EAPoL-Start for a supplicant running over EAPoL). This could be because authentication has already completed, or because we are relying upon MAC Authentication Bypass (MAB) which may have a very long timeout.
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL )
int eap_rx ( struct eap_supplicant *supplicant, const void *data, size_t len )
Handle EAP packet.
Parameters:
    supplicant    EAP supplicant
    data          EAP packet
    len           Length of EAP packet
Return value:
    rc            Return status code
Definition at line 136 of file eap.c.
References eap_header::code, data, DBGC, DBGC_HDA, EAP_CODE_FAILURE, EAP_CODE_REQUEST, EAP_CODE_SUCCESS, eap_rx_failure(), eap_rx_request(), eap_rx_success(), EINVAL, ENOTSUP, eap_packet::hdr, len, net_device::name, netdev, eap_supplicant::netdev, and eap_packet::req.
Referenced by eapol_eap_rx().
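A defensive receive-path sketch for a handler with the shape documented above, added here as an example and not taken from iPXE's eap.c: it validates the received length against the RFC 3748 header (code, identifier, 16-bit big-endian length) before dispatching on the code values listed on this page. The names eap_sketch_rx, SK_* and the sample_* byte arrays are hypothetical, and the mapping of -EINVAL to malformed packets and -ENOTSUP to unhandled codes is an assumption drawn only from the References list.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values as listed on this page */
#define EAP_CODE_REQUEST 1
#define EAP_CODE_SUCCESS 3
#define EAP_CODE_FAILURE 4
#define EAP_TYPE_IDENTITY 1

/* Hypothetical positive result codes for this sketch (not iPXE names) */
enum { SK_REQ_IDENTITY = 1, SK_REQ_OTHER, SK_SUCCESS, SK_FAILURE };

/* Constructed sample packets: code, identifier, length (big endian), [type] */
static const uint8_t sample_req_identity[] = { 1, 0x2a, 0, 5, 1 };
static const uint8_t sample_success_padded[] = { 3, 0x2a, 0, 4, 0, 0, 0, 0 };
static const uint8_t sample_overlong[] = { 1, 0x2a, 0, 64, 1 };
static const uint8_t sample_unknown_code[] = { 9, 0x2a, 0, 4 };

/* Classify one received EAP packet, or return a negative errno value */
int eap_sketch_rx ( const void *data, size_t len ) {
	const uint8_t *bytes = data;
	size_t claimed;

	/* Must hold the 4-byte header before any field is read */
	if ( len < 4 ) return -EINVAL;
	/* Length field covers the header; it may be shorter than the frame
	 * (link-layer padding) but never longer than what was received */
	claimed = ( ( size_t ) bytes[2] << 8 ) | bytes[3];
	if ( claimed < 4 || claimed > len ) return -EINVAL;
	switch ( bytes[0] ) {
	case EAP_CODE_REQUEST:
		/* A request carries a type byte after the header */
		if ( claimed < 5 ) return -EINVAL;
		return ( bytes[4] == EAP_TYPE_IDENTITY ) ? SK_REQ_IDENTITY : SK_REQ_OTHER;
	case EAP_CODE_SUCCESS: return SK_SUCCESS;
	case EAP_CODE_FAILURE: return SK_FAILURE;
	default: return -ENOTSUP;
	}
}

int main ( void ) {
	printf ( "identity request: %d\n", eap_sketch_rx ( sample_req_identity, sizeof ( sample_req_identity ) ) );
	printf ( "padded success:   %d\n", eap_sketch_rx ( sample_success_padded, sizeof ( sample_success_padded ) ) );
	printf ( "overlong length:  %d\n", eap_sketch_rx ( sample_overlong, sizeof ( sample_overlong ) ) );
	printf ( "unknown code:     %d\n", eap_sketch_rx ( sample_unknown_code, sizeof ( sample_unknown_code ) ) );
	return 0;
}
```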