authorMichael Brown <mcb30@ipxe.org>2024-02-23 14:15:22 +0000
committerMichael Brown <mcb30@ipxe.org>2024-02-23 16:37:07 +0000
commit43e385091a36af34e495ac8c6595bddab55665bb (patch)
treeac7aa27b06906a47859cb8cfd078a7744a2765bf /src/include/ipxe
parent25ffcd79bfd38da96f9905b78e3d5c3cab33dad3 (diff)
[eap] Add support for the MS-CHAPv2 authentication method
Add support for EAP-MSCHAPv2 (note that this is not the same as PEAP-MSCHAPv2), controllable via the build configuration option EAP_METHOD_MSCHAPV2 in config/general.h. Our model for EAP does not encompass mutual authentication: we will start sending plaintext packets (e.g. DHCP requests) over the link even before EAP completes, and our only use for an EAP success is to mark the link as unblocked. We therefore ignore the content of the EAP-MSCHAPv2 success request (containing the MS-CHAPv2 authenticator response) and just send back an EAP-MSCHAPv2 success response, so that the EAP authenticator will complete the process and send through the real EAP success packet (which will, in turn, cause us to unblock the link). Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/include/ipxe')
-rw-r--r--src/include/ipxe/eap.h29
-rw-r--r--src/include/ipxe/errfile.h1
2 files changed, 30 insertions, 0 deletions
diff --git a/src/include/ipxe/eap.h b/src/include/ipxe/eap.h
index fe1bb52..a44f01e 100644
--- a/src/include/ipxe/eap.h
+++ b/src/include/ipxe/eap.h
@@ -60,6 +60,35 @@ struct eap_md5 {
uint8_t value[0];
} __attribute__ (( packed ));
+/** EAP MS-CHAPv2 request/response */
+#define EAP_TYPE_MSCHAPV2 26
+
+/** EAP MS-CHAPv2 request/response type data */
+struct eap_mschapv2 {
+ /** Code
+ *
+ * This is in the same namespace as the EAP header's code
+ * field, but is used to extend the handshake by allowing for
+ * "success request" and "success response" packets.
+ */
+ uint8_t code;
+ /** Identifier
+ *
+ * This field serves no purposes: it always has the same value
+ * as the EAP header's identifier field (located 5 bytes
+ * earlier in the same packet).
+ */
+ uint8_t id;
+ /** Length
+ *
+ * This field serves no purpose: it always has the same value
+ * as the EAP header's length field (located 5 bytes earlier
+ * in the same packet), minus the 5 byte length of the EAP
+ * header.
+ */
+ uint16_t len;
+} __attribute__ (( packed ));
+
/** EAP success */
#define EAP_CODE_SUCCESS 3
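Review bot: The doc comments on `id` and `len` in `struct eap_mschapv2` say each field "always has the same value" as its EAP header counterpart, but on a received packet both are bytes chosen by the peer and nothing in this header enforces the match. I would reword them as a protocol expectation and state the consequence for the parser, e.g. `This field is redundant with the EAP header's length field; it must not be used for bounds checks on received packets.` The parsing code is not part of this page, so whether it relies on `len` cannot be confirmed from here. The comment on `len` should also state the byte order of this wire field (presumably network byte order, as with the EAP header length). Minor: "serves no purposes" in the `id` comment should read "serves no purpose".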
diff --git a/src/include/ipxe/errfile.h b/src/include/ipxe/errfile.h
index 1768748..662f849 100644
--- a/src/include/ipxe/errfile.h
+++ b/src/include/ipxe/errfile.h
@@ -298,6 +298,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#define ERRFILE_eap ( ERRFILE_NET | 0x004b0000 )
#define ERRFILE_lldp ( ERRFILE_NET | 0x004c0000 )
#define ERRFILE_eap_md5 ( ERRFILE_NET | 0x004d0000 )
+#define ERRFILE_eap_mschapv2 ( ERRFILE_NET | 0x004e0000 )
#define ERRFILE_image ( ERRFILE_IMAGE | 0x00000000 )
#define ERRFILE_elf ( ERRFILE_IMAGE | 0x00010000 )