]> git.ipfire.org Git - thirdparty/freeradius-server.git/commitdiff
Move checkcode calculations from state machine to module
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Thu, 1 Apr 2021 16:32:15 +0000 (17:32 +0100)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Thu, 1 Apr 2021 16:32:15 +0000 (17:32 +0100)
src/lib/eap_aka_sim/base.h
src/lib/eap_aka_sim/crypto.c
src/lib/eap_aka_sim/module.c
src/lib/eap_aka_sim/module.h
src/lib/eap_aka_sim/state_machine.c
src/lib/eap_aka_sim/state_machine.h
src/modules/rlm_eap/types/rlm_eap_aka/eap_aka.h

index 64e8b5608b6f6e6bcf4d36b5b9cd942f1f474a81..4e59dfc2e8bbc88c747ce630ee237eab8b90a4d9 100644 (file)
@@ -285,7 +285,7 @@ int         fr_aka_sim_crypto_init_checkcode(TALLOC_CTX *ctx, fr_aka_sim_checkcode_t **
 
 int            fr_aka_sim_crypto_update_checkcode(fr_aka_sim_checkcode_t *checkcode, eap_packet_t *eap_packet);
 
-ssize_t                fr_aka_sim_crypto_finalise_checkcode(uint8_t *out, fr_aka_sim_checkcode_t **checkcode);
+ssize_t        fr_aka_sim_crypto_finalise_checkcode(TALLOC_CTX *ctx, uint8_t **out, fr_aka_sim_checkcode_t *checkcode);
 
 ssize_t                fr_aka_sim_crypto_sign_packet(uint8_t out[static AKA_SIM_MAC_DIGEST_SIZE],
                                              eap_packet_t *eap_packet, bool zero_mac,
index 4a283b3872c295ab7ac7de601d3f32c752c1ac55..2b5512e6621187a8446ca2c0ce8c50bf135594f7 100644 (file)
@@ -179,26 +179,28 @@ int fr_aka_sim_crypto_update_checkcode(fr_aka_sim_checkcode_t *checkcode, eap_pa
 
 /** Write out the final checkcode value
  *
- * @param[out] out             Where to write the checkcode value.  Must be at least 20
+ * @param[in] ctx              ctx to allocate buffer containing the checkcode.
+ * @param[out] out             talloced buffer containing the checkcode.
  *                             bytes if MD was SHA1, or 32 bytes if MD was SHA256.
  * @param[in,out] checkcode    structure to get final digest from and to tree.
  * @return
  *     - <= 0 on failure.
  *     - > 0 the number of bytes written to out.
  */
-ssize_t fr_aka_sim_crypto_finalise_checkcode(uint8_t *out, fr_aka_sim_checkcode_t **checkcode)
+ssize_t fr_aka_sim_crypto_finalise_checkcode(TALLOC_CTX *ctx, uint8_t **out, fr_aka_sim_checkcode_t *checkcode)
 {
-       unsigned int len;
+       size_t  len;
+       uint8_t *buff;
 
-       if (EVP_DigestFinal_ex((*checkcode)->md_ctx, out, &len) != 1) {
+       len = (size_t)EVP_MD_CTX_size((*checkcode).md_ctx);
+       MEM(buff = talloc_array(ctx, uint8_t, len));
+       if (EVP_DigestFinal_ex((*checkcode).md_ctx, buff, NULL) != 1) {
                tls_strerror_printf("Failed finalising checkcode digest");
-               TALLOC_FREE(*checkcode);
                return -1;
        }
+       *out = buff;
 
-       TALLOC_FREE(*checkcode);
-
-       return len;
+       return (size_t)len;
 }
 
 /** Locate the start of the AT_MAC value in the buffer
index 091e376414eba0fd4bd645b0aeff64080af3e8d6..7e2230c1693421007f9e6a10cdbeaa8cff199e3e 100644 (file)
@@ -64,6 +64,7 @@ static unlang_action_t mod_encode(rlm_rcode_t *p_result, module_ctx_t const *mct
        fr_aka_sim_ctx_t                encode_ctx;
        uint8_t const                   *request_hmac_extra = NULL;
        size_t                          request_hmac_extra_len = 0;
+       fr_pair_t                       *vp;
        int                             ret;
 
        /*
@@ -105,9 +106,6 @@ static unlang_action_t mod_encode(rlm_rcode_t *p_result, module_ctx_t const *mct
                return UNLANG_ACTION_CALCULATE_RESULT;
        }
 
-       RDEBUG2("Encoding attributes");
-       log_request_pair_list(L_DBG_LVL_2, request, NULL, &request->reply_pairs, NULL);
-
        /*
         *      It's not an EAP-Success or an EAP-Failure
         *      it's a real EAP-SIM/AKA/AKA' response.
@@ -132,25 +130,21 @@ static unlang_action_t mod_encode(rlm_rcode_t *p_result, module_ctx_t const *mct
         *      of request we're sending.
         */
        switch (subtype_vp->vp_uint16) {
-       case FR_SUBTYPE_VALUE_SIM_START:
        case FR_SUBTYPE_VALUE_AKA_IDENTITY:
-       {
-               fr_pair_t       *id_vp;
-
+       case FR_SUBTYPE_VALUE_SIM_START:
                if (RDEBUG_ENABLED2) break;
 
                /*
                 *      Figure out if the state machine is
                 *      requesting an ID.
                 */
-               if ((id_vp = fr_pair_find_by_da(&request->reply_pairs, attr_eap_aka_sim_any_id_req)) ||
-                   (id_vp = fr_pair_find_by_da(&request->reply_pairs, attr_eap_aka_sim_fullauth_id_req)) ||
-                   (id_vp = fr_pair_find_by_da(&request->reply_pairs, attr_eap_aka_sim_permanent_id_req))) {
-                       RDEBUG2("Sending EAP-Request/%pV (%s)", &subtype_vp->data, id_vp->da->name);
+               if ((vp = fr_pair_find_by_da(&request->reply_pairs, attr_eap_aka_sim_any_id_req)) ||
+                   (vp = fr_pair_find_by_da(&request->reply_pairs, attr_eap_aka_sim_fullauth_id_req)) ||
+                   (vp = fr_pair_find_by_da(&request->reply_pairs, attr_eap_aka_sim_permanent_id_req))) {
+                       RDEBUG2("Sending EAP-Request/%pV (%s)", &subtype_vp->data, vp->da->name);
                } else {
                        RDEBUG2("Sending EAP-Request/%pV", &subtype_vp->data);
                }
-       }
                break;
 
        /*
@@ -164,29 +158,39 @@ static unlang_action_t mod_encode(rlm_rcode_t *p_result, module_ctx_t const *mct
         *      it should have used that.
         */
        case FR_SUBTYPE_VALUE_AKA_CHALLENGE:
-       {
-               fr_pair_t *bidding_vp = fr_pair_find_by_da(&request->reply_pairs, attr_eap_aka_sim_bidding);
+               vp = fr_pair_find_by_da(&request->reply_pairs, attr_eap_aka_sim_bidding);
 
                /*
                 *      Explicit NO
                 */
                if (inst->aka.send_at_bidding_prefer_prime_is_set &&
                    !inst->aka.send_at_bidding_prefer_prime) {
-                       if (bidding_vp) pair_delete_reply(attr_eap_aka_sim_bidding);
+                       if (vp) pair_delete_reply(attr_eap_aka_sim_bidding);
                /*
                 *      Implicit or explicit YES
                 */
                } else if (inst->aka.send_at_bidding_prefer_prime) {
-                       MEM(pair_append_reply(&bidding_vp, attr_eap_aka_sim_bidding) >= 0);
-                       bidding_vp->vp_uint16 = FR_BIDDING_VALUE_PREFER_AKA_PRIME;
+                       MEM(pair_append_reply(&vp, attr_eap_aka_sim_bidding) >= 0);
+                       vp->vp_uint16 = FR_BIDDING_VALUE_PREFER_AKA_PRIME;
                }
-       }
                FALL_THROUGH;
 
        case FR_SUBTYPE_VALUE_SIM_CHALLENGE:
        case FR_SUBTYPE_VALUE_AKA_SIM_REAUTHENTICATION:
-       {
-               fr_pair_t       *vp;
+               /*
+                *      Include our copy of the checkcode if we've been
+                *      calculating it.
+                */
+               if (mod_session->checkcode_state) {
+                       uint8_t *checkcode;
+
+                       MEM(pair_update_reply(&vp, attr_eap_aka_sim_checkcode) >= 0);
+                       if (fr_aka_sim_crypto_finalise_checkcode(vp, &checkcode, mod_session->checkcode_state) < 0) {
+                               RPWDEBUG("Failed calculating checkcode");
+                               pair_delete_reply(vp);
+                       }
+                       fr_pair_value_memdup_buffer_shallow(vp, checkcode, false);      /* Buffer already in the correct ctx */
+               }
 
                /*
                 *      Extra data to append to the packet when signing.
@@ -228,7 +232,6 @@ static unlang_action_t mod_encode(rlm_rcode_t *p_result, module_ctx_t const *mct
                }
 
                fr_assert(mod_session->ctx.k_encr && mod_session->ctx.k_aut);
-       }
                FALL_THROUGH;
 
        default:
@@ -241,10 +244,34 @@ static unlang_action_t mod_encode(rlm_rcode_t *p_result, module_ctx_t const *mct
        encode_ctx.hmac_extra = request_hmac_extra;
        encode_ctx.hmac_extra_len = request_hmac_extra_len;
 
+       RDEBUG2("Encoding attributes");
+       log_request_pair_list(L_DBG_LVL_2, request, NULL, &request->reply_pairs, NULL);
        ret = fr_aka_sim_encode(request, &request->reply_pairs, &encode_ctx);
-       if (ret <= 0) { /* No valid packets have length 0 */
-               RPEDEBUG("Failed encoding response");
-               RETURN_MODULE_FAIL;
+       if (ret <= 0) RETURN_MODULE_FAIL;
+
+       switch (subtype_vp->vp_uint16) {
+       case FR_SUBTYPE_VALUE_AKA_IDENTITY:
+               /*
+                *      Ingest the identity message into the checkcode
+                */
+               if (mod_session->ctx.checkcode_md) {
+                       RDEBUG2("Updating checkcode");
+                       if (!mod_session->checkcode_state &&
+                           (fr_aka_sim_crypto_init_checkcode(mod_session, &mod_session->checkcode_state,
+                                                             mod_session->ctx.checkcode_md) < 0)) {
+                               RPWDEBUG("Failed initialising checkcode");
+                               break;
+                       }
+
+                       if (fr_aka_sim_crypto_update_checkcode(mod_session->checkcode_state,
+                                                              eap_session->this_round->request) < 0) {
+                               RPWDEBUG("Failed updating checkcode");
+                       }
+               }
+               break;
+
+       default:
+               break;
        }
 
        return UNLANG_ACTION_CALCULATE_RESULT;  /* rcode is already correct */
@@ -312,10 +339,53 @@ unlang_action_t eap_aka_sim_process(rlm_rcode_t *p_result, module_ctx_t const *m
                }
 
                subtype_vp = fr_pair_find_by_da(&request->request_pairs, attr_eap_aka_sim_subtype);
-               if (subtype_vp) {
-                       RDEBUG2("Received EAP-Response/%pV", &(subtype_vp)->data);
-               } else {
-                       REDEBUG2("Missing Sub-Type");
+               if (!subtype_vp) {
+                       REDEBUG2("Missing Sub-Type");   /* Let the state machine enter the right state */
+                       break;
+               }
+
+               RDEBUG2("Received EAP-Response/%pV", &(subtype_vp)->data);
+
+               switch (subtype_vp->vp_uint16) {
+               /*
+                *      Ingest the identity message into the checkcode
+                */
+               case FR_SUBTYPE_VALUE_AKA_IDENTITY:
+                       if (mod_session->checkcode_state) {
+                               RDEBUG2("Updating checkcode");
+                               if (fr_aka_sim_crypto_update_checkcode(mod_session->checkcode_state,
+                                                                      eap_session->this_round->response) < 0) {
+                                       RPWDEBUG("Failed updating checkcode");
+                               }
+                       }
+                       break;
+
+               case FR_SUBTYPE_VALUE_AKA_CHALLENGE:
+               case FR_SUBTYPE_VALUE_AKA_SIM_REAUTHENTICATION:
+                       /*
+                        *      Include our copy of the checkcode if we've been
+                        *      calculating it.  This is put in the control list
+                        *      so the state machine can check they're identical.
+                        *
+                        *      This lets us simulate checkcode failures easily
+                        *      when testing the state machine.
+                        */
+                       if (mod_session->checkcode_state) {
+                               uint8_t         *checkcode;
+                               fr_pair_t       *vp;
+
+                               MEM(pair_update_control(&vp, attr_eap_aka_sim_checkcode) >= 0);
+                               if (fr_aka_sim_crypto_finalise_checkcode(vp, &checkcode, mod_session->checkcode_state) < 0) {
+                                       RPWDEBUG("Failed calculating checkcode");
+                                       pair_delete_control(vp);
+                               }
+                               fr_pair_value_memdup_buffer_shallow(vp, checkcode, false);      /* Buffer already in the correct ctx */
+
+                       }
+                       break;
+
+               default:
+                       break;
                }
                break;
        }
index 0e99061430917addb88e0c5a9efddd680f941c98..a900ea38eb025f80600dfb444aa8c91a4cc3dce7 100644 (file)
@@ -73,6 +73,7 @@ typedef struct {
                                                        ///< before validating.
        size_t                  response_hmac_extra_len;
 
+       fr_aka_sim_checkcode_t  *checkcode_state;       //!< Digest of all identity packets we've seen.
        fr_aka_sim_ctx_t        ctx;
 } eap_aka_sim_mod_session_t;
 
index e5b148a3a53b32353ccb8011014f5424628671e8..c4179a6483a999e5a51591b7d09cafef32948147 100644 (file)
@@ -501,6 +501,52 @@ static int identity_to_permanent_identity(request_t *request, fr_pair_t *in, eap
        return 0;
 }
 
+/** Check &control.checkcode matches &reply.checkcode
+ *
+ * @param[in] request  The current request.
+ * @return
+ *     - 1 if the check was skipped.
+ *     - 0 if the check was successful.
+ *     - -1 if the check failed.
+ */
+static int checkcode_validate(request_t *request)
+{
+       fr_pair_t               *peer_checkcode, *our_checkcode;
+       /*
+        *      Checkcode validation
+        *
+        *      The actual cryptographic calculations are
+        *      done by the calling module, we just check
+        *      the result.
+        */
+       our_checkcode = fr_pair_find_by_da(&request->control_pairs, attr_eap_aka_sim_checkcode);
+       if (our_checkcode) {
+               /*
+                *      If the peer doesn't include a checkcode then that
+                *      means they don't support it, and we can't validate
+                *      their view of the identity packets.
+                */
+               peer_checkcode = fr_pair_find_by_da(&request->request_pairs, attr_eap_aka_sim_checkcode);
+               if (peer_checkcode) {
+                       if (fr_pair_cmp(peer_checkcode, our_checkcode) == 0) {
+                               RDEBUG2("Received checkcode matches calculated checkcode");
+                               return 0;
+                       } else {
+                               REDEBUG("Received checkcode does not match calculated checkcode");
+                               RHEXDUMP_INLINE2(peer_checkcode->vp_octets, peer_checkcode->vp_length, "Received");
+                               RHEXDUMP_INLINE2(our_checkcode->vp_octets, our_checkcode->vp_length, "Expected");
+                               return -1;
+                       }
+               /*
+                *      Only print something if we calculated a checkcode
+                */
+               } else {
+                       RDEBUG2("Peer didn't include AT_CHECKCODE, skipping checkcode validation");
+               }
+       }
+       return 1;
+}
+
 /** Set the crypto identity from a received identity
  *
  */
@@ -1551,10 +1597,6 @@ RESUME(recv_common_reauthentication_response)
        ssize_t                 slen;
        fr_pair_t               *mac;
 
-#if 0
-       *checkcode;
-#endif
-
        SECTION_RCODE_PROCESS;
 
        mac = fr_pair_find_by_da(&request->request_pairs, attr_eap_aka_sim_mac);
@@ -1592,37 +1634,10 @@ RESUME(recv_common_reauthentication_response)
                goto failure;
        }
 
-#if 0
-       /*
-        *      If the peer doesn't include a checkcode then that
-        *      means they don't support it, and we can't validate
-        *      their view of the identity packets.
-        */
-       checkcode = fr_pair_find_by_da(&request->request_pairs, attr_eap_aka_sim_checkcode);
-       if (checkcode) {
-               if (checkcode->vp_length != eap_aka_sim_session->checkcode_len) {
-                       REDEBUG("Received checkcode's length (%zu) does not match calculated checkcode's length (%zu)",
-                               checkcode->vp_length, eap_aka_sim_session->checkcode_len);
-                       goto failure;
-               }
-
-               if (memcmp(checkcode->vp_octets, eap_aka_sim_session->checkcode,
-                          eap_aka_sim_session->checkcode_len) == 0) {
-                       RDEBUG2("Received checkcode matches calculated checkcode");
-               } else {
-                       REDEBUG("Received checkcode does not match calculated checkcode");
-                       RHEXDUMP_INLINE2(checkcode->vp_octets, checkcode->vp_length, "Received");
-                       RHEXDUMP_INLINE2(eap_aka_sim_session->checkcode,
-                                        eap_aka_sim_session->checkcode_len, "Expected");
-                       goto failure;
-               }
        /*
-        *      Only print something if we calculated a checkcode
+        *      Validate the checkcode
         */
-       } else if (eap_aka_sim_session->checkcode_len > 0){
-               RDEBUG2("Peer didn't include AT_CHECKCODE, skipping checkcode validation");
-       }
-#endif
+       if (checkcode_validate(request) < 0) goto failure;
 
        /*
         *      Check to see if the supplicant sent
@@ -1841,41 +1856,6 @@ static unlang_action_t common_reauthentication_request_compose(rlm_rcode_t *p_re
        MEM(pair_update_reply(&vp, attr_eap_aka_sim_mac) >= 0);
        fr_pair_value_memdup(vp, NULL, 0, false);
 
-#if 0
-       /*
-        *      If there's no checkcode_md we're not doing
-        *      checkcodes.
-        */
-       if (eap_aka_sim_session->checkcode_md) {
-               /*
-                *      If we have checkcode data, send that to the peer
-                *      in AT_CHECKCODE for validation.
-                */
-               if (eap_aka_sim_session->checkcode_state) {
-                       ssize_t slen;
-
-                       slen = fr_aka_sim_crypto_finalise_checkcode(eap_aka_sim_session->checkcode,
-                                                                   &eap_aka_sim_session->checkcode_state);
-                       if (slen < 0) {
-                               RPEDEBUG("Failed calculating checkcode");
-                               goto failure;
-                       }
-                       eap_aka_sim_session->checkcode_len = slen;
-
-                       MEM(pair_update_reply(&vp, attr_eap_aka_sim_checkcode) >= 0);
-                       fr_pair_value_memdup(vp, eap_aka_sim_session->checkcode, slen, false);
-               /*
-                *      If we don't have checkcode data, then we exchanged
-                *      no identity packets, so checkcode is zero.
-                */
-               } else {
-                       MEM(pair_update_reply(&vp, attr_eap_aka_sim_checkcode) >= 0);
-                       fr_pair_value_memdup(vp, NULL, 0, false);
-                       eap_aka_sim_session->checkcode_len = 0;
-               }
-       }
-#endif
-
        /*
         *      We've sent the challenge so the peer should now be able
         *      to accept encrypted attributes.
@@ -2172,9 +2152,7 @@ RESUME(recv_aka_challenge_response)
        uint8_t                 calc_mac[AKA_SIM_MAC_DIGEST_SIZE];
        ssize_t                 slen;
        fr_pair_t               *vp = NULL, *mac;
-#if 0
-       *checkcode;
-#endif
+
        SECTION_RCODE_PROCESS;
 
 
@@ -2213,39 +2191,9 @@ RESUME(recv_aka_challenge_response)
        }
 
        /*
-        *      If the peer doesn't include a checkcode then that
-        *      means they don't support it, and we can't validate
-        *      their view of the identity packets.
+        *      Validate the checkcode
         */
-#if 0
-       if (eap_aka_sim_session->checkcode_md) {
-               checkcode = fr_pair_find_by_da(&request->request_pairs, attr_eap_aka_sim_checkcode);
-               if (checkcode) {
-                       if (checkcode->vp_length != eap_aka_sim_session->checkcode_len) {
-                               REDEBUG("Received checkcode's length (%zu) does not match "
-                                       "calculated checkcode's length (%zu)",
-                                       checkcode->vp_length, eap_aka_sim_session->checkcode_len);
-                               goto failure;
-                       }
-
-                       if (memcmp(checkcode->vp_octets,
-                                  eap_aka_sim_session->checkcode, eap_aka_sim_session->checkcode_len) == 0) {
-                               RDEBUG2("Received checkcode matches calculated checkcode");
-                       } else {
-                               REDEBUG("Received checkcode does not match calculated checkcode");
-                               RHEXDUMP_INLINE2(checkcode->vp_octets, checkcode->vp_length, "Received");
-                               RHEXDUMP_INLINE2(eap_aka_sim_session->checkcode,
-                                                eap_aka_sim_session->checkcode_len, "Expected");
-                               goto failure;
-                       }
-               /*
-                *      Only print something if we calculated a checkcode
-                */
-               } else if (eap_aka_sim_session->checkcode_len > 0){
-                       RDEBUG2("Peer didn't include AT_CHECKCODE, skipping checkcode validation");
-               }
-       }
-#endif
+       if (checkcode_validate(request) < 0) goto failure;
 
        vp = fr_pair_find_by_da(&request->request_pairs, attr_eap_aka_sim_res);
        if (!vp) {
@@ -2525,35 +2473,6 @@ RESUME(send_aka_challenge_request)
        MEM(pair_update_reply(&vp, attr_eap_aka_sim_mac) >= 0);
        fr_pair_value_memdup(vp, NULL, 0, false);
 
-#if 0
-       /*
-        *      If we have checkcode data, send that to the peer
-        *      in AT_CHECKCODE for validation.
-        */
-       if (eap_aka_sim_session->checkcode_state) {
-               ssize_t slen;
-
-               slen = fr_aka_sim_crypto_finalise_checkcode(eap_aka_sim_session->checkcode,
-                                                           &eap_aka_sim_session->checkcode_state);
-               if (slen < 0) {
-                       RPEDEBUG("Failed calculating checkcode");
-                       goto failure;
-               }
-               eap_aka_sim_session->checkcode_len = slen;
-
-               MEM(pair_update_reply(&vp, attr_eap_aka_sim_checkcode) >= 0);
-               fr_pair_value_memdup(vp, eap_aka_sim_session->checkcode, slen, false);
-       /*
-        *      If we don't have checkcode data, then we exchanged
-        *      no identity packets, so AT_CHECKCODE is zero.
-        */
-       } else {
-               MEM(pair_update_reply(&vp, attr_eap_aka_sim_checkcode) >= 0);
-               fr_pair_value_memdup(vp, NULL, 0, false);
-               eap_aka_sim_session->checkcode_len = 0;
-       }
-#endif
-
        /*
         *      We've sent the challenge so the peer should now be able
         *      to accept encrypted attributes.
@@ -2913,21 +2832,6 @@ RESUME(recv_aka_identity_response)
 
        SECTION_RCODE_PROCESS;
 
-#if 0
-       /*
-        *      Digest the identity response
-        */
-       if (eap_aka_sim_session->checkcode_md) {
-               // TODO: Need another way of doing this
-               if (fr_aka_sim_crypto_update_checkcode(eap_aka_sim_session->checkcode_state,
-                                                      eap_session->this_round->response) < 0) {
-                       RPEDEBUG("Failed updating checkcode");
-               failure:
-                       return STATE_TRANSITION(common_failure_notification);
-               }
-       }
-#endif
-
        /*
         *      See if the user wants us to request another
         *      identity.
@@ -3140,26 +3044,6 @@ RESUME(send_aka_identity_request)
         */
        common_reply(request, eap_aka_sim_session, FR_SUBTYPE_VALUE_AKA_IDENTITY);
 
-#if 0
-       /*
-        *      Digest the packet contents, updating our checkcode.
-        */
-       if (eap_aka_sim_session->checkcode_md) {
-               if (!eap_aka_sim_session->checkcode_state &&
-                   fr_aka_sim_crypto_init_checkcode(eap_aka_sim_session, &eap_aka_sim_session->checkcode_state,
-                                                    eap_aka_sim_session->checkcode_md) < 0) {
-                       RPEDEBUG("Failed initialising checkcode");
-                       goto failure;
-               }
-               // TODO: Need another way of doing this
-               if (fr_aka_sim_crypto_update_checkcode(eap_aka_sim_session->checkcode_state,
-                                                      eap_session->this_round->request) < 0) {
-                       RPEDEBUG("Failed updating checkcode");
-                       goto failure;
-               }
-       }
-#endif
-
        RETURN_MODULE_HANDLED;
 }
 
@@ -3582,7 +3466,7 @@ RESUME(recv_common_identity_response)
                running = AKA_SIM_METHOD_HINT_SIM;
 
                eap_aka_sim_session->type = FR_EAP_METHOD_SIM;
-               eap_aka_sim_session->mac_md = EVP_sha1();       /* no checkcode support, so no checkcode_md */
+               eap_aka_sim_session->mac_md = EVP_sha1();
                break;
 
        case FR_EAP_METHOD_AKA:
@@ -3591,7 +3475,7 @@ RESUME(recv_common_identity_response)
                running = AKA_SIM_METHOD_HINT_AKA;
 
                eap_aka_sim_session->type = FR_EAP_METHOD_AKA;
-               eap_aka_sim_session->checkcode_md = eap_aka_sim_session->mac_md = EVP_sha1();
+               eap_aka_sim_session->mac_md = EVP_sha1();
                break;
 
        case FR_EAP_METHOD_AKA_PRIME:
@@ -3601,7 +3485,7 @@ RESUME(recv_common_identity_response)
 
                eap_aka_sim_session->type = FR_EAP_METHOD_AKA_PRIME;
                eap_aka_sim_session->kdf = FR_KDF_VALUE_PRIME_WITH_CK_PRIME_IK_PRIME;
-               eap_aka_sim_session->checkcode_md = eap_aka_sim_session->mac_md = EVP_sha256();
+               eap_aka_sim_session->mac_md = EVP_sha256();
                break;
 
        default:
index cd5a46025251b9f731425078db15bcf88da1d1ec..de5140baea09bc6c52f1f675b5800d24c49604d2 100644 (file)
@@ -97,13 +97,6 @@ struct eap_aka_sim_session_s {
 
        fr_aka_sim_keys_t               keys;                           //!< Various EAP-AKA/AKA'/SIMkeys.
 
-       EVP_MD const                    *checkcode_md;                  //!< Message digest we use to generate the
-                                                                       ///< checkcode. EVP_sha1() for EAP-AKA/SIM,
-                                                                       ///< EVP_sha256() for EAP-AKA'.
-       fr_aka_sim_checkcode_t          *checkcode_state;               //!< Digest of all identity packets we've seen.
-       uint8_t                         checkcode[32];                  //!< Checkcode we calculated.
-       size_t                          checkcode_len;                  //!< 0, 20 or 32 bytes.
-
 
        uint16_t                        kdf;                            //!< The key derivation function used to derive
                                                                        ///< session keys.
@@ -225,9 +218,6 @@ typedef struct {
                                                                        ///< EVP_sha1() for EAP-AKA, EVP_sha256()
                                                                        ///< for EAP-AKA'.
 
-       EVP_MD const                    *checkcode_md;                  //!< The hmac used for validating packets
-                                                                       ///< checkcodes.
-
        eap_aka_sim_actions_t           actions;                        //!< Pre-compiled virtual server sections.
 } eap_aka_sim_process_conf_t;
 
index 4a46d40d18a318d3c687f01ecde878f5fc9812ef..f405dad5ad202d8d7ae67a7f268775d63b554796 100644 (file)
@@ -123,13 +123,6 @@ typedef struct {
        bool                            send_at_bidding;                //!< Indicate that we prefer EAP-AKA' and
                                                                        ///< include an AT_BIDDING attribute.
 
-       EVP_MD const                    *checkcode_md;                  //!< Message digest we use to generate the
-                                                                       ///< checkcode. EVP_sha1() for EAP-AKA,
-                                                                       ///< EVP_sha256() for EAP-AKA'.
-       fr_sim_checkcode_t              *checkcode_state;               //!< Digest of all identity packets we've seen.
-       uint8_t                         checkcode[32];                  //!< Checkcode we calculated.
-       size_t                          checkcode_len;                  //!< 0, 20 or 32 bytes.
-
        EVP_MD const                    *mac_md;                        //!< HMAC-MD we use to generate the MAC.
                                                                        ///< EVP_sha1() for EAP-AKA, EVP_sha256()
                                                                        ///< for EAP-AKA'.