[eapol] Add basic support for 802.1X EAP over LANs

EAPOL is a container protocol that can wrap either EAP packets or
802.11 EAPOL-Key frames. For cleanliness' sake, add a stub that strips
the framing and sends packets off to the appropriate handler if it
is compiled in.

Signed-off-by: Marty Connor <mdc@etherboot.org>

src/include/gpxe/eapol.h

@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#ifndef _GPXE_EAPOL_H
+#define _GPXE_EAPOL_H
+
+/** @file
+ *
+ * Definitions for EAPOL (Extensible Authentication Protocol over
+ * LANs) frames. Definitions for the packets usually encapsulated in
+ * them are elsewhere.
+ */
+
+#include <gpxe/tables.h>
+#include <stdint.h>
+
+FILE_LICENCE ( GPL2_OR_LATER );
+
+
+/**
+ * @defgroup eapol_type EAPOL archetype identifiers
+ * @{
+ */
+#define EAPOL_TYPE_EAP		0 /**< EAP authentication handshake packet */
+#define EAPOL_TYPE_START	1 /**< Request by Peer to begin (no data) */
+#define EAPOL_TYPE_LOGOFF	2 /**< Request by Peer to terminate (no data) */
+#define EAPOL_TYPE_KEY		3 /**< EAPOL-Key packet */
+/** @} */
+
+/** Expected EAPOL version field value
+ *
+ * Version 2 is often seen and has no format differences from version 1;
+ * however, many older APs will completely drop version-2 packets, so
+ * we advertise ourselves as version 1.
+ */
+#define EAPOL_THIS_VERSION	1
+
+/** Length of an EAPOL frame header */
+#define EAPOL_HDR_LEN		4
+
+/** An EAPOL frame
+ *
+ * This may encapsulate an eap_pkt, an eapol_key_pkt, or a Start or
+ * Logoff request with no data attached. It is transmitted directly in
+ * an Ethernet frame, with no IP packet header.
+ */
+struct eapol_frame
+{
+	/** EAPOL version identifier, always 1 */
+	u8 version;
+
+	/** EAPOL archetype identifier indicating format of payload */
+	u8 type;
+
+	/** Length of payload, in network byte order */
+	u16 length;
+
+	/** Payload, if @a type is EAP or EAPOL-Key */
+	u8 data[0];
+} __attribute__ (( packed ));
+
+
+/** An EAPOL frame type handler
+ *
+ * Normally there will be at most two of these, one for EAP and one
+ * for EAPOL-Key frames. The EAPOL interface code handles Start and
+ * Logoff directly.
+ */
+struct eapol_handler
+{
+	/** EAPOL archetype identifier for payload this handler will handle */
+	u8 type;
+
+	/** Receive EAPOL-encapsulated packet of specified type
+	 *
+	 * @v iob	I/O buffer containing packet payload
+	 * @v netdev	Network device from which packet was received
+	 * @v ll_source	Source link-layer address from which packet was received
+	 * @ret rc	Return status code
+	 *
+	 * The I/O buffer will have the EAPOL header pulled off it, so
+	 * @c iob->data points to the first byte of the payload.
+	 *
+	 * This function takes ownership of the I/O buffer passed to it.
+	 */
+	int ( * rx ) ( struct io_buffer *iob, struct net_device *netdev,
+		       const void *ll_source );
+};
+
+#define EAPOL_HANDLERS	__table ( struct eapol_handler, "eapol_handlers" )
+#define __eapol_handler	__table_entry ( EAPOL_HANDLERS, 01 )
+
+
+extern struct net_protocol eapol_protocol __net_protocol;
+
+
+#endif /* _GPXE_EAPOL_H */

src/include/gpxe/errfile.h

@@ -160,6 +160,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #define ERRFILE_ib_srp			( ERRFILE_NET | 0x00220000 )
 #define ERRFILE_sec80211		( ERRFILE_NET | 0x00230000 )
 #define ERRFILE_wep			( ERRFILE_NET | 0x00240000 )
+#define ERRFILE_eapol			( ERRFILE_NET | 0x00250000 )
 
 #define ERRFILE_image		      ( ERRFILE_IMAGE | 0x00000000 )
 #define ERRFILE_elf		      ( ERRFILE_IMAGE | 0x00010000 )

src/include/gpxe/if_ether.h

@@ -20,6 +20,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #define ETH_P_RARP	0x8035	/* Reverse Address resolution Protocol */
 #define ETH_P_IPV6	0x86DD	/* IPv6 over blueblook */
 #define ETH_P_SLOW	0x8809	/* Ethernet slow protocols */
+#define ETH_P_EAPOL	0x888E	/* 802.1X EAP over LANs */
 #define ETH_P_AOE	0x88A2	/* ATA over Ethernet */
 
 /** An Ethernet link-layer header */

src/net/eapol.c

@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 2009 Joshua Oreman <oremanj@rwcr.net>.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER );
+
+/** @file
+ *
+ * 802.1X Extensible Authentication Protocol over LANs demultiplexer
+ *
+ */
+
+#include <gpxe/netdevice.h>
+#include <gpxe/iobuf.h>
+#include <gpxe/if_ether.h>
+#include <gpxe/eapol.h>
+#include <errno.h>
+#include <byteswap.h>
+
+/**
+ * Receive EAPOL network-layer packet
+ *
+ * @v iob	I/O buffer
+ * @v netdev	Network device
+ * @v ll_source	Link-layer source address
+ *
+ * This function takes ownership of the I/O buffer passed to it.
+ */
+static int eapol_rx ( struct io_buffer *iob, struct net_device *netdev,
+		      const void *ll_source )
+{
+	struct eapol_frame *eapol = iob->data;
+	struct eapol_handler *handler;
+
+	if ( iob_len ( iob ) < EAPOL_HDR_LEN ) {
+		free_iob ( iob );
+		return -EINVAL;
+	}
+
+	for_each_table_entry ( handler, EAPOL_HANDLERS ) {
+		if ( handler->type == eapol->type ) {
+			iob_pull ( iob, EAPOL_HDR_LEN );
+			return handler->rx ( iob, netdev, ll_source );
+		}
+	}
+
+	free_iob ( iob );
+	return -( ENOTSUP | ( ( eapol->type & 0x1f ) << 8 ) );
+}
+
+/**
+ * Transcribe EAPOL network-layer address
+ *
+ * @v net_addr	Network-layer address
+ * @ret str	String representation of network-layer address
+ *
+ * EAPOL doesn't have network-layer addresses, so we just return the
+ * string @c "<EAPOL>".
+ */
+static const char * eapol_ntoa ( const void *net_addr __unused )
+{
+	return "<EAPOL>";
+}
+
+/** EAPOL network protocol */
+struct net_protocol eapol_protocol __net_protocol = {
+	.name = "EAPOL",
+	.rx = eapol_rx,
+	.ntoa = eapol_ntoa,
+	.net_proto = htons ( ETH_P_EAPOL ),
+};