1 files changed, 116 insertions, 0 deletions
diff --git a/src/net/eap_md5.c b/src/net/eap_md5.c
new file mode 100644
index 000000000..0664174f9
--- /dev/null
+++ b/src/net/eap_md5.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2024 Michael Brown <mbrown@fensystems.co.uk>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ *
+ * You can also choose to distribute this program under the terms of
+ * the Unmodified Binary Distribution Licence (as given in the file
+ * COPYING.UBDL), provided that you have satisfied its requirements.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <ipxe/md5.h>
+#include <ipxe/chap.h>
+#include <ipxe/eap.h>
+
+/** @file
+ *
+ * EAP MD5-Challenge authentication method
+ *
+ */
+
+/**
+ * Handle EAP MD5-Challenge
+ *
+ * @v supplicant	EAP supplicant
+ * @v req		Request type data
+ * @v req_len		Length of request type data
+ * @ret rc		Return status code
+ */
+static int eap_rx_md5 ( struct eap_supplicant *supplicant,
+			const void *req, size_t req_len ) {
+	struct net_device *netdev = supplicant->netdev;
+	const struct eap_md5 *md5req = req;
+	struct {
+		uint8_t len;
+		uint8_t value[MD5_DIGEST_SIZE];
+	} __attribute__ (( packed )) md5rsp;
+	struct chap_response chap;
+	void *secret;
+	int secret_len;
+	int rc;
+
+	/* Sanity checks */
+	if ( req_len < sizeof ( *md5req ) ) {
+		DBGC ( netdev, "EAP %s underlength MD5-Challenge:\n",
+		       netdev->name );
+		DBGC_HDA ( netdev, 0, req, req_len );
+		rc = -EINVAL;
+		goto err_sanity;
+	}
+	if ( ( req_len - sizeof ( *md5req ) ) < md5req->len ) {
+		DBGC ( netdev, "EAP %s truncated MD5-Challenge:\n",
+		       netdev->name );
+		DBGC_HDA ( netdev, 0, req, req_len );
+		rc = -EINVAL;
+		goto err_sanity;
+	}
+
+	/* Construct response */
+	if ( ( rc = chap_init ( &chap, &md5_algorithm ) ) != 0 ) {
+		DBGC ( netdev, "EAP %s could not initialise CHAP: %s\n",
+		       netdev->name, strerror ( rc ) );
+		goto err_chap;
+	}
+	chap_set_identifier ( &chap, supplicant->id );
+	secret_len = fetch_raw_setting_copy ( netdev_settings ( netdev ),
+					      &password_setting, &secret );
+	if ( secret_len < 0 ) {
+		rc = secret_len;
+		DBGC ( netdev, "EAP %s has no secret: %s\n",
+		       netdev->name, strerror ( rc ) );
+		goto err_secret;
+	}
+	chap_update ( &chap, secret, secret_len );
+	chap_update ( &chap, md5req->value, md5req->len );
+	chap_respond ( &chap );
+	assert ( chap.response_len == sizeof ( md5rsp.value ) );
+	md5rsp.len = sizeof ( md5rsp.value );
+	memcpy ( md5rsp.value, chap.response, sizeof ( md5rsp.value ) );
+
+	/* Transmit response */
+	if ( ( rc = eap_tx_response ( supplicant, &md5rsp,
+				      sizeof ( md5rsp ) ) ) != 0 )
+		goto err_tx;
+
+ err_tx:
+	free ( secret );
+ err_secret:
+	chap_finish ( &chap );
+ err_chap:
+ err_sanity:
+	return rc;
+}
+
+/** EAP MD5-Challenge method */
+struct eap_method eap_md5_method __eap_method = {
+	.type = EAP_TYPE_MD5,
+	.rx = eap_rx_md5,
+};