| /* |
| * Copyright (C) 2024 Michael Brown <mbrown@fensystems.co.uk>. |
| * |
| * This program is free software; you can redistribute it and/or |
| * modify it under the terms of the GNU General Public License as |
| * published by the Free Software Foundation; either version 2 of the |
| * License, or any later version. |
| * |
| * This program is distributed in the hope that it will be useful, but |
| * WITHOUT ANY WARRANTY; without even the implied warranty of |
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| * General Public License for more details. |
| * |
| * You should have received a copy of the GNU General Public License |
| * along with this program; if not, write to the Free Software |
| * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
| * 02110-1301, USA. |
| * |
| * You can also choose to distribute this program under the terms of |
| * the Unmodified Binary Distribution Licence (as given in the file |
| * COPYING.UBDL), provided that you have satisfied its requirements. |
| */ |
| |
| FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); |
| |
| #include <stdlib.h> |
| #include <string.h> |
| #include <errno.h> |
| #include <byteswap.h> |
| #include <ipxe/mschapv2.h> |
| #include <ipxe/eap.h> |
| |
| /** @file |
| * |
| * EAP MS-CHAPv2 authentication method |
| * |
| * EAP-MSCHAPv2 was described in a draft RFC first published in 2002 |
| * (draft-kamath-pppext-eap-mschapv2-02.txt). The draft eventually |
| * expired in 2007 without becoming an official RFC, quite possibly |
| * because the protocol design was too ugly to be called an IETF |
| * standard. It is, however, fairly widely used. |
| */ |
| |
| /** An EAP MS-CHAPv2 request message */ |
| struct eap_mschapv2_request { |
| /** EAP-MSCHAPv2 header */ |
| struct eap_mschapv2 hdr; |
| /** MS-CHAPv2 challenge length (fixed value) */ |
| uint8_t len; |
| /** MS-CHAPv2 challenge */ |
| struct mschapv2_challenge msg; |
| } __attribute__ (( packed )); |
| |
| /** An EAP MS-CHAPv2 response message */ |
| struct eap_mschapv2_response { |
| /** EAP-MSCHAPv2 header */ |
| struct eap_mschapv2 hdr; |
| /** MS-CHAPv2 response length (fixed value) */ |
| uint8_t len; |
| /** MS-CHAPv2 response */ |
| struct mschapv2_response msg; |
| /** User name */ |
| char name[0]; |
| } __attribute__ (( packed )); |
| |
| /** An EAP MS-CHAPv2 success request message */ |
| struct eap_mschapv2_success_request { |
| /** EAP-MSCHAPv2 header */ |
| struct eap_mschapv2 hdr; |
| /** Message */ |
| char message[0]; |
| } __attribute__ (( packed )); |
| |
| /** An EAP MS-CHAPv2 success response message */ |
| struct eap_mschapv2_success_response { |
| /** Opcode */ |
| uint8_t code; |
| } __attribute__ (( packed )); |
| |
| /** |
| * Handle EAP MS-CHAPv2 request |
| * |
| * @v supplicant EAP supplicant |
| * @v hdr EAP-MSCHAPv2 header |
| * @v len Message length |
| * @ret rc Return status code |
| */ |
| static int eap_rx_mschapv2_request ( struct eap_supplicant *supplicant, |
| const struct eap_mschapv2 *hdr, |
| size_t len ) { |
| struct net_device *netdev = supplicant->netdev; |
| struct settings *settings = netdev_settings ( netdev ); |
| const struct eap_mschapv2_request *msreq = |
| container_of ( hdr, struct eap_mschapv2_request, hdr ); |
| struct eap_mschapv2_response *msrsp; |
| struct mschapv2_challenge peer; |
| char *username; |
| char *password; |
| int username_len; |
| int password_len; |
| size_t msrsp_len; |
| unsigned int i; |
| int rc; |
| |
| /* Sanity check */ |
| if ( len < sizeof ( *msreq ) ) { |
| DBGC ( netdev, "EAP %s underlength MS-CHAPv2 request\n", |
| netdev->name ); |
| DBGC_HDA ( netdev, 0, hdr, len ); |
| rc = -EINVAL; |
| goto err_sanity; |
| } |
| |
| /* Fetch username and password */ |
| username_len = fetch_string_setting_copy ( settings, &username_setting, |
| &username ); |
| if ( username_len < 0 ) { |
| rc = username_len; |
| DBGC ( netdev, "EAP %s has no username: %s\n", |
| netdev->name, strerror ( rc ) ); |
| goto err_username; |
| } |
| password_len = fetch_string_setting_copy ( settings, &password_setting, |
| &password ); |
| if ( password_len < 0 ) { |
| rc = password_len; |
| DBGC ( netdev, "EAP %s has no password: %s\n", |
| netdev->name, strerror ( rc ) ); |
| goto err_password; |
| } |
| |
| /* Construct a peer challenge. We do not perform mutual |
| * authentication, so this does not need to be strong. |
| */ |
| for ( i = 0 ; i < ( sizeof ( peer.byte ) / |
| sizeof ( peer.byte[0] ) ) ; i++ ) { |
| peer.byte[i] = random(); |
| } |
| |
| /* Allocate response */ |
| msrsp_len = ( sizeof ( *msrsp ) + username_len ); |
| msrsp = malloc ( msrsp_len ); |
| if ( ! msrsp ) { |
| rc = -ENOMEM; |
| goto err_alloc; |
| } |
| |
| /* Construct response */ |
| msrsp->hdr.code = EAP_CODE_RESPONSE; |
| msrsp->hdr.id = msreq->hdr.id; |
| msrsp->hdr.len = htons ( msrsp_len ); |
| msrsp->len = sizeof ( msrsp->msg ); |
| mschapv2_response ( username, password, &msreq->msg, &peer, |
| &msrsp->msg ); |
| memcpy ( msrsp->name, username, username_len ); |
| |
| /* Send response */ |
| if ( ( rc = eap_tx_response ( supplicant, msrsp, msrsp_len ) ) != 0 ) |
| goto err_tx; |
| |
| err_tx: |
| free ( msrsp ); |
| err_alloc: |
| free ( password ); |
| err_password: |
| free ( username ); |
| err_username: |
| err_sanity: |
| return rc; |
| } |
| |
| /** |
| * Handle EAP MS-CHAPv2 success request |
| * |
| * @v supplicant EAP supplicant |
| * @v hdr EAP-MSCHAPv2 header |
| * @v len Message length |
| * @ret rc Return status code |
| */ |
| static int eap_rx_mschapv2_success ( struct eap_supplicant *supplicant, |
| const struct eap_mschapv2 *hdr, |
| size_t len ) { |
| const struct eap_mschapv2_success_request *msreq = |
| container_of ( hdr, struct eap_mschapv2_success_request, hdr ); |
| static const struct eap_mschapv2_success_response msrsp = { |
| .code = EAP_CODE_SUCCESS, |
| }; |
| |
| /* Sanity check */ |
| assert ( len >= sizeof ( *msreq ) ); |
| |
| /* The success request contains the MS-CHAPv2 authenticator |
| * response, which could potentially be used to verify that |
| * the EAP authenticator also knew the password (or, at least, |
| * the MD4 hash of the password). |
| * |
| * Our model for EAP does not encompass mutual authentication: |
| * we will starting sending plaintext packets (e.g. DHCP |
| * requests) over the link even before EAP completes, and our |
| * only use for an EAP success is to mark the link as |
| * unblocked. |
| * |
| * We therefore ignore the content of the success request and |
| * just send back a success response, so that the EAP |
| * authenticator will complete the process and send through |
| * the real EAP success packet (which will, in turn, cause us |
| * to unblock the link). |
| */ |
| return eap_tx_response ( supplicant, &msrsp, sizeof ( msrsp ) ); |
| } |
| |
| /** |
| * Handle EAP MS-CHAPv2 |
| * |
| * @v supplicant EAP supplicant |
| * @v req Request type data |
| * @v req_len Length of request type data |
| * @ret rc Return status code |
| */ |
| static int eap_rx_mschapv2 ( struct eap_supplicant *supplicant, |
| const void *req, size_t req_len ) { |
| struct net_device *netdev = supplicant->netdev; |
| const struct eap_mschapv2 *hdr = req; |
| |
| /* Sanity check */ |
| if ( req_len < sizeof ( *hdr ) ) { |
| DBGC ( netdev, "EAP %s underlength MS-CHAPv2:\n", |
| netdev->name ); |
| DBGC_HDA ( netdev, 0, req, req_len ); |
| return -EINVAL; |
| } |
| |
| /* Handle according to opcode */ |
| switch ( hdr->code ) { |
| case EAP_CODE_REQUEST: |
| return eap_rx_mschapv2_request ( supplicant, hdr, req_len ); |
| case EAP_CODE_SUCCESS: |
| return eap_rx_mschapv2_success ( supplicant, hdr, req_len ); |
| default: |
| DBGC ( netdev, "EAP %s unsupported MS-CHAPv2 opcode %d\n", |
| netdev->name, hdr->code ); |
| DBGC_HDA ( netdev, 0, req, req_len ); |
| return -ENOTSUP; |
| } |
| } |
| |
| /** EAP MS-CHAPv2 method */ |
| struct eap_method eap_mschapv2_method __eap_method = { |
| .type = EAP_TYPE_MSCHAPV2, |
| .rx = eap_rx_mschapv2, |
| }; |
