* Rest of data is MAC. */
switch (protocol) {
case AUTH_PROTO_TOKEN:
- secretid = 0;
+ secretid = auth->token_rcv_secretid;
break;
case AUTH_PROTO_DELAYED:
if (dlen < sizeof(secretid) + sizeof(hmac_code)) {
return NULL;
}
memcpy(&secretid, d, sizeof(secretid));
+ secretid = ntohl(secretid);
d += sizeof(secretid);
dlen -= sizeof(secretid);
break;
dlen -= realm_len;
}
memcpy(&secretid, d, sizeof(secretid));
+ secretid = ntohl(secretid);
d += sizeof(secretid);
dlen -= sizeof(secretid);
break;
}
/* Find a token for the realm and secret */
- secretid = ntohl(secretid);
TAILQ_FOREACH(t, &auth->tokens, next) {
if (t->secretid == secretid &&
t->realm_len == realm_len &&
uint32_t giaddr, secretid;
bool auth_info;
- if (auth->protocol == 0 && t == NULL) {
+ /* Ignore the token argument given to us - always send using the
+ * configured token. */
+ if (auth->protocol == AUTH_PROTO_TOKEN) {
TAILQ_FOREACH(t, &auth->tokens, next) {
- if (t->secretid == 0 &&
- t->realm_len == 0)
- break;
+ if (t->secretid == auth->token_snd_secretid)
+ break;
}
if (t == NULL) {
errno = EINVAL;
uint64_t last_replay;
uint8_t last_replay_set;
struct token_head tokens;
+ uint32_t token_snd_secretid;
+ uint32_t token_rcv_secretid;
#endif
};
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd February 2, 2018
+.Dd April 29, 2018
.Dt DHCPCD.CONF 5
.Os
.Sh NAME
.D1 # A generic 192.168.0.1 network
.D1 profile 192.168.0.1
.D1 static ip_address=192.168.0.98/24
-.It Ic authprotocol Ar protocol Ar algorithm Ar rdm
+.It Ic authprotocol Ar protocol Op Ar algorithm Op Ar rdm
Authenticate DHCP messages.
See the Supported Authentication Protocols section.
+If
+.Ar protocol
+is
+.Ar token
+then
+.Ar algorithm is
+snd_secretid/rcv_secretid so you can send and recieve different tokens.
.It Ic authtoken Ar secretid Ar realm Ar expire Ar key
Define a shared key for use in authentication.
.Ar realm
.Ss Supported Authentication Protocols
.Bl -tag -width -indent
.It Ic token
-Sends and expects the token with the secretid 0 and realm of "" in each message.
+Sends a plain text token the server expects and matches a token sent by
+the server.
+The tokens to not have to be the same.
+If unspecified, the token with secretid of 0 will be used in sending messages
+and validating received messages.
.It Ic delayedrealm
Delayed Authentication.
.Nm dhcpcd
}
if (fp)
*fp++ = '\0';
- if (strcasecmp(arg, "hmacmd5") == 0 ||
- strcasecmp(arg, "hmac-md5") == 0)
- ifo->auth.algorithm = AUTH_ALG_HMAC_MD5;
- else {
- logerrx("%s: unsupported algorithm", arg);
- return 1;
+ if (ifo->auth.protocol == AUTH_PROTO_TOKEN) {
+ np = strchr(arg, '/');
+ if (np) {
+ if (fp == NULL || np < fp)
+ *np++ = '\0';
+ else
+ np = NULL;
+ }
+ if (parse_uint32(&ifo->auth.token_snd_secretid,
+ arg) == -1)
+ logerrx("%s: not a number", arg);
+ else
+ ifo->auth.token_rcv_secretid =
+ ifo->auth.token_snd_secretid;
+ if (np &&
+ parse_uint32(&ifo->auth.token_rcv_secretid,
+ np) == -1)
+ logerrx("%s: not a number", arg);
+ } else {
+ if (strcasecmp(arg, "hmacmd5") == 0 ||
+ strcasecmp(arg, "hmac-md5") == 0)
+ ifo->auth.algorithm = AUTH_ALG_HMAC_MD5;
+ else {
+ logerrx("%s: unsupported algorithm", arg);
+ return 1;
+ }
}
arg = fp;
if (arg == NULL) {
projects / thirdparty / dhcpcd.git / commitdiff
