ipxe/src/net/eap.c

/*
 * Copyright (C) 2021 Michael Brown <mbrown@fensystems.co.uk>.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 *
 * You can also choose to distribute this program under the terms of
 * the Unmodified Binary Distribution Licence (as given in the file
 * COPYING.UBDL), provided that you have satisfied its requirements.
 */

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <byteswap.h>
#include <ipxe/netdevice.h>
#include <ipxe/eap.h>

/** @file
 *
 * Extensible Authentication Protocol
 *
 */

/**
 * Transmit EAP response
 *
 * @v supplicant	EAP supplicant
 * @v rsp		Response type data
 * @v rsp_len		Length of response type data
 * @ret rc		Return status code
 */
int eap_tx_response ( struct eap_supplicant *supplicant,
		      const void *rsp, size_t rsp_len ) {
	struct net_device *netdev = supplicant->netdev;
	struct eap_message *msg;
	size_t len;
	int rc;

	/* Allocate and populate response */
	len = ( sizeof ( *msg ) + rsp_len );
	msg = malloc ( len );
	if ( ! msg ) {
		rc = -ENOMEM;
		goto err_alloc;
	}
	msg->hdr.code = EAP_CODE_RESPONSE;
	msg->hdr.id = supplicant->id;
	msg->hdr.len = htons ( len );
	msg->type = supplicant->type;
	memcpy ( msg->data, rsp, rsp_len );
	DBGC ( netdev, "EAP %s Response id %#02x type %d\n",
	       netdev->name, msg->hdr.id, msg->type );

	/* Transmit response */
	if ( ( rc = supplicant->tx ( supplicant, msg, len ) ) != 0 ) {
		DBGC ( netdev, "EAP %s could not transmit: %s\n",
		       netdev->name, strerror ( rc ) );
		goto err_tx;
	}

 err_tx:
	free ( msg );
 err_alloc:
	return rc;
}

/**
 * Transmit EAP NAK
 *
 * @v supplicant	EAP supplicant
 * @ret rc		Return status code
 */
static int eap_tx_nak ( struct eap_supplicant *supplicant ) {
	struct net_device *netdev = supplicant->netdev;
	unsigned int max = table_num_entries ( EAP_METHODS );
	uint8_t methods[ max + 1 /* potential EAP_TYPE_NONE */ ];
	unsigned int count = 0;
	struct eap_method *method;

	/* Populate methods list */
	DBGC ( netdev, "EAP %s Nak offering types {", netdev->name );
	for_each_table_entry ( method, EAP_METHODS ) {
		if ( method->type > EAP_TYPE_NAK ) {
			DBGC ( netdev, "%s%d",
			       ( count ? ", " : "" ), method->type );
			methods[count++] = method->type;
		}
	}
	if ( ! count )
		methods[count++] = EAP_TYPE_NONE;
	DBGC ( netdev, "}\n" );
	assert ( count <= max );

	/* Transmit response */
	supplicant->type = EAP_TYPE_NAK;
	return eap_tx_response ( supplicant, methods, count );
}

/**
 * Handle EAP Request-Identity
 *
 * @v supplicant	EAP supplicant
 * @v req		Request type data
 * @v req_len		Length of request type data
 * @ret rc		Return status code
 */
static int eap_rx_identity ( struct eap_supplicant *supplicant,
			     const void *req, size_t req_len ) {
	struct net_device *netdev = supplicant->netdev;
	void *rsp;
	int rsp_len;
	int rc;

	/* Treat Request-Identity as blocking the link */
	DBGC ( netdev, "EAP %s Request-Identity blocking link\n",
	       netdev->name );
	DBGC_HDA ( netdev, 0, req, req_len );
	netdev_link_block ( netdev, EAP_BLOCK_TIMEOUT );

	/* Mark EAP as in progress */
	supplicant->flags |= EAP_FL_ONGOING;

	/* Construct response, if applicable */
	rsp_len = fetch_raw_setting_copy ( netdev_settings ( netdev ),
					   &username_setting, &rsp );
	if ( rsp_len < 0 ) {
		/* We have no identity to offer, so wait until the
		 * switch times out and switches to MAC Authentication
		 * Bypass (MAB).
		 */
		DBGC2 ( netdev, "EAP %s has no identity\n", netdev->name );
		supplicant->flags |= EAP_FL_PASSIVE;
		rc = 0;
		goto no_response;
	}

	/* Transmit response */
	if ( ( rc = eap_tx_response ( supplicant, rsp, rsp_len ) ) != 0 )
		goto err_tx;

 err_tx:
	free ( rsp );
 no_response:
	return rc;
}

/** EAP Request-Identity method */
struct eap_method eap_identity_method __eap_method = {
	.type = EAP_TYPE_IDENTITY,
	.rx = eap_rx_identity,
};

/**
 * Handle EAP Request
 *
 * @v supplicant	EAP supplicant
 * @v msg		EAP request
 * @v len		Length of EAP request
 * @ret rc		Return status code
 */
static int eap_rx_request ( struct eap_supplicant *supplicant,
			    const struct eap_message *msg, size_t len ) {
	struct net_device *netdev = supplicant->netdev;
	struct eap_method *method;
	const void *req;
	size_t req_len;

	/* Sanity checks */
	if ( len < sizeof ( *msg ) ) {
		DBGC ( netdev, "EAP %s underlength request:\n", netdev->name );
		DBGC_HDA ( netdev, 0, msg, len );
		return -EINVAL;
	}
	if ( len < ntohs ( msg->hdr.len ) ) {
		DBGC ( netdev, "EAP %s truncated request:\n", netdev->name );
		DBGC_HDA ( netdev, 0, msg, len );
		return -EINVAL;
	}
	req = msg->data;
	req_len = ( ntohs ( msg->hdr.len ) - sizeof ( *msg ) );

	/* Record request details */
	supplicant->id = msg->hdr.id;
	supplicant->type = msg->type;
	DBGC ( netdev, "EAP %s Request id %#02x type %d\n",
	       netdev->name, msg->hdr.id, msg->type );

	/* Handle according to type */
	for_each_table_entry ( method, EAP_METHODS ) {
		if ( msg->type == method->type )
			return method->rx ( supplicant, req, req_len );
	}
	DBGC ( netdev, "EAP %s requested type %d unknown:\n",
	       netdev->name, msg->type );
	DBGC_HDA ( netdev, 0, msg, len );

	/* Send NAK if applicable */
	if ( msg->type > EAP_TYPE_NAK )
		return eap_tx_nak ( supplicant );

	return -ENOTSUP;
}

/**
 * Handle EAP Success
 *
 * @v supplicant	EAP supplicant
 * @ret rc		Return status code
 */
static int eap_rx_success ( struct eap_supplicant *supplicant ) {
	struct net_device *netdev = supplicant->netdev;

	/* Mark authentication as complete */
	supplicant->flags = EAP_FL_PASSIVE;

	/* Mark link as unblocked */
	DBGC ( netdev, "EAP %s Success\n", netdev->name );
	netdev_link_unblock ( netdev );

	return 0;
}

/**
 * Handle EAP Failure
 *
 * @v supplicant	EAP supplicant
 * @ret rc		Return status code
 */
static int eap_rx_failure ( struct eap_supplicant *supplicant ) {
	struct net_device *netdev = supplicant->netdev;

	/* Mark authentication as complete */
	supplicant->flags = EAP_FL_PASSIVE;

	/* Record error */
	DBGC ( netdev, "EAP %s Failure\n", netdev->name );
	return -EPERM;
}

/**
 * Handle EAP packet
 *
 * @v supplicant	EAP supplicant
 * @v data		EAP packet
 * @v len		Length of EAP packet
 * @ret rc		Return status code
 */
int eap_rx ( struct eap_supplicant *supplicant, const void *data,
	     size_t len ) {
	struct net_device *netdev = supplicant->netdev;
	const union eap_packet *eap = data;

	/* Sanity check */
	if ( len < sizeof ( eap->hdr ) ) {
		DBGC ( netdev, "EAP %s underlength header:\n", netdev->name );
		DBGC_HDA ( netdev, 0, eap, len );
		return -EINVAL;
	}

	/* Handle according to code */
	switch ( eap->hdr.code ) {
	case EAP_CODE_REQUEST:
		return eap_rx_request ( supplicant, &eap->msg, len );
	case EAP_CODE_RESPONSE:
		DBGC2 ( netdev, "EAP %s ignoring response\n", netdev->name );
		return 0;
	case EAP_CODE_SUCCESS:
		return eap_rx_success ( supplicant );
	case EAP_CODE_FAILURE:
		return eap_rx_failure ( supplicant );
	default:
		DBGC ( netdev, "EAP %s unsupported code %d\n",
		       netdev->name, eap->hdr.code );
		DBGC_HDA ( netdev, 0, eap, len );
		return -ENOTSUP;
	}
}

/* Drag in objects via eap_rx() */
REQUIRING_SYMBOL ( eap_rx );

/* Drag in EAP configuration */
REQUIRE_OBJECT ( config_eap );