Michael Brown
25ffcd79bf
RFC 3748 states that implementations must support the MD5-Challenge method. However, some network environments may wish to disable it as a matter of policy. Allow support for MD5-Challenge to be controllable via the build configuration option EAP_METHOD_MD5 in config/general.h. Signed-off-by: Michael Brown <mcb30@ipxe.org>
117 lines
3.3 KiB
C
117 lines
3.3 KiB
C
/*
|
|
* Copyright (C) 2024 Michael Brown <mbrown@fensystems.co.uk>.
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License as
|
|
* published by the Free Software Foundation; either version 2 of the
|
|
* License, or any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301, USA.
|
|
*
|
|
* You can also choose to distribute this program under the terms of
|
|
* the Unmodified Binary Distribution Licence (as given in the file
|
|
* COPYING.UBDL), provided that you have satisfied its requirements.
|
|
*/
|
|
|
|
FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
|
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <errno.h>
|
|
#include <ipxe/md5.h>
|
|
#include <ipxe/chap.h>
|
|
#include <ipxe/eap.h>
|
|
|
|
/** @file
|
|
*
|
|
* EAP MD5-Challenge authentication method
|
|
*
|
|
*/
|
|
|
|
/**
|
|
* Handle EAP MD5-Challenge
|
|
*
|
|
* @v supplicant EAP supplicant
|
|
* @v req Request type data
|
|
* @v req_len Length of request type data
|
|
* @ret rc Return status code
|
|
*/
|
|
static int eap_rx_md5 ( struct eap_supplicant *supplicant,
|
|
const void *req, size_t req_len ) {
|
|
struct net_device *netdev = supplicant->netdev;
|
|
const struct eap_md5 *md5req = req;
|
|
struct {
|
|
uint8_t len;
|
|
uint8_t value[MD5_DIGEST_SIZE];
|
|
} __attribute__ (( packed )) md5rsp;
|
|
struct chap_response chap;
|
|
void *secret;
|
|
int secret_len;
|
|
int rc;
|
|
|
|
/* Sanity checks */
|
|
if ( req_len < sizeof ( *md5req ) ) {
|
|
DBGC ( netdev, "EAP %s underlength MD5-Challenge:\n",
|
|
netdev->name );
|
|
DBGC_HDA ( netdev, 0, req, req_len );
|
|
rc = -EINVAL;
|
|
goto err_sanity;
|
|
}
|
|
if ( ( req_len - sizeof ( *md5req ) ) < md5req->len ) {
|
|
DBGC ( netdev, "EAP %s truncated MD5-Challenge:\n",
|
|
netdev->name );
|
|
DBGC_HDA ( netdev, 0, req, req_len );
|
|
rc = -EINVAL;
|
|
goto err_sanity;
|
|
}
|
|
|
|
/* Construct response */
|
|
if ( ( rc = chap_init ( &chap, &md5_algorithm ) ) != 0 ) {
|
|
DBGC ( netdev, "EAP %s could not initialise CHAP: %s\n",
|
|
netdev->name, strerror ( rc ) );
|
|
goto err_chap;
|
|
}
|
|
chap_set_identifier ( &chap, supplicant->id );
|
|
secret_len = fetch_raw_setting_copy ( netdev_settings ( netdev ),
|
|
&password_setting, &secret );
|
|
if ( secret_len < 0 ) {
|
|
rc = secret_len;
|
|
DBGC ( netdev, "EAP %s has no secret: %s\n",
|
|
netdev->name, strerror ( rc ) );
|
|
goto err_secret;
|
|
}
|
|
chap_update ( &chap, secret, secret_len );
|
|
chap_update ( &chap, md5req->value, md5req->len );
|
|
chap_respond ( &chap );
|
|
assert ( chap.response_len == sizeof ( md5rsp.value ) );
|
|
md5rsp.len = sizeof ( md5rsp.value );
|
|
memcpy ( md5rsp.value, chap.response, sizeof ( md5rsp.value ) );
|
|
|
|
/* Transmit response */
|
|
if ( ( rc = eap_tx_response ( supplicant, &md5rsp,
|
|
sizeof ( md5rsp ) ) ) != 0 )
|
|
goto err_tx;
|
|
|
|
err_tx:
|
|
free ( secret );
|
|
err_secret:
|
|
chap_finish ( &chap );
|
|
err_chap:
|
|
err_sanity:
|
|
return rc;
|
|
}
|
|
|
|
/** EAP MD5-Challenge method */
|
|
struct eap_method eap_md5_method __eap_method = {
|
|
.type = EAP_TYPE_MD5,
|
|
.rx = eap_rx_md5,
|
|
};
|