/* number of triplets for one authentication */
#define TRIPLET_COUNT 3
-/** length of the AT_NONCE_MT/AT_NONCE_S nonce value */
+/** length of the AT_NONCE_MT nonce value */
#define NONCE_LEN 16
typedef struct private_eap_sim_peer_t private_eap_sim_peer_t;
*/
identification_t *pseudonym;
+ /**
+ * Reauthentication identity the peer uses
+ */
+ identification_t *reauth;
+
/**
* EAP-SIM crypto helper
*/
* MSK, used for EAP-SIM based IKEv2 authentication
*/
chunk_t msk;
+
+ /**
+ * Master key, if reauthentication is used
+ */
+ char mk[HASH_SIZE_SHA1];
+
+ /**
+ * Counter value if reauthentication is used
+ */
+ u_int16_t counter;
};
/* version of SIM protocol we speak */
return success;
}
+/**
+ * Find a stored reauthentication identity on a SIM card
+ */
+static identification_t *get_reauth(private_eap_sim_peer_t *this)
+{
+ enumerator_t *enumerator;
+ sim_card_t *card;
+ identification_t *reauth = NULL;
+
+ enumerator = charon->sim->create_card_enumerator(charon->sim);
+ while (enumerator->enumerate(enumerator, &card))
+ {
+ reauth = card->get_reauth(card, this->permanent,
+ this->mk, &this->counter);
+ if (reauth)
+ {
+ DBG1(DBG_IKE, "using stored reauthentication identity '%Y' "
+ "instead of '%Y'", reauth, this->permanent);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return reauth;
+}
+
+/**
+ * Store received next fast reauthentication identity, along with mk/counter
+ */
+static void set_reauth(private_eap_sim_peer_t *this, chunk_t data)
+{
+ enumerator_t *enumerator;
+ sim_card_t *card;
+ identification_t *reauth;
+ char buf[data.len + 1];
+
+ snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr);
+ reauth = identification_create_from_string(buf);
+ DBG1(DBG_IKE, "received next reauthentication identity '%Y'", reauth);
+
+ enumerator = charon->sim->create_card_enumerator(charon->sim);
+ while (enumerator->enumerate(enumerator, &card))
+ {
+ card->set_reauth(card, this->permanent, reauth, this->mk, this->counter);
+ }
+ enumerator->destroy(enumerator);
+ reauth->destroy(reauth);
+}
+
/**
* Find a stored pseudonym on a SIM card
*/
bool supported = FALSE;
simaka_attribute_t id_req = 0;
- /* if this is the second invocation, server did not accept our pseudonym */
+ /* reset previously uses reauthentication/pseudonym data */
+ this->crypto->clear_keys(this->crypto);
DESTROY_IF(this->pseudonym);
this->pseudonym = NULL;
+ DESTROY_IF(this->reauth);
+ this->reauth = NULL;
enumerator = in->create_attribute_enumerator(in);
while (enumerator->enumerate(enumerator, &type, &data))
switch (id_req)
{
case AT_ANY_ID_REQ:
- /* TODO: reauth handling */
+ this->reauth = get_reauth(this);
+ if (this->reauth)
+ {
+ id = this->reauth->get_encoding(this->reauth);
+ break;
+ }
+ /* FALL */
case AT_FULLAUTH_ID_REQ:
this->pseudonym = get_pseudonym(this);
if (this->pseudonym)
message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
SIM_START, this->crypto);
- message->add_attribute(message, AT_SELECTED_VERSION, version);
- message->add_attribute(message, AT_NONCE_MT, this->nonce);
+ if (!this->reauth)
+ {
+ message->add_attribute(message, AT_SELECTED_VERSION, version);
+ message->add_attribute(message, AT_NONCE_MT, this->nonce);
+ }
if (id.len)
{
message->add_attribute(message, AT_IDENTITY, id);
simaka_message_t *message;
enumerator_t *enumerator;
simaka_attribute_t type;
- chunk_t data, rands = chunk_empty, kcs, kc, sreses, sres;
+ chunk_t data, rands = chunk_empty, kcs, kc, sreses, sres, mk;
identification_t *peer;
if (this->tries-- <= 0)
}
data = chunk_cata("cccc", kcs, this->nonce, this->version_list, version);
free(this->msk.ptr);
- this->msk = this->crypto->derive_keys_full(this->crypto, peer, data);
+ this->msk = this->crypto->derive_keys_full(this->crypto, peer, data, &mk);
+ memcpy(this->mk, mk.ptr, mk.len);
+ free(mk.ptr);
/* Verify AT_MAC attribute, signature is over "EAP packet | NONCE_MT", and
* parse() again after key derivation, reading encrypted attributes */
{
switch (type)
{
+ case AT_NEXT_REAUTH_ID:
+ this->counter = 0;
+ set_reauth(this, data);
+ break;
case AT_NEXT_PSEUDONYM:
set_pseudonym(this, data);
break;
return NEED_MORE;
}
+/**
+ * Check if a received counter value is acceptable
+ */
+static bool counter_too_small(private_eap_sim_peer_t *this, chunk_t chunk)
+{
+ u_int16_t counter;
+
+ memcpy(&counter, chunk.ptr, sizeof(counter));
+ counter = htons(counter);
+ return counter < this->counter;
+}
+
+/**
+ * process an EAP-SIM/Request/Re-Authentication message
+ */
+static status_t process_reauthentication(private_eap_sim_peer_t *this,
+ simaka_message_t *in, eap_payload_t **out)
+{
+ simaka_message_t *message;
+ enumerator_t *enumerator;
+ simaka_attribute_t type;
+ chunk_t data, counter = chunk_empty, nonce = chunk_empty, id = chunk_empty;
+
+ if (!this->reauth)
+ {
+ DBG1(DBG_IKE, "received %N, but not expected",
+ simaka_subtype_names, SIM_REAUTHENTICATION);
+ *out = create_client_error(this, in->get_identifier(in),
+ SIM_UNABLE_TO_PROCESS);
+ return NEED_MORE;
+ }
+
+ this->crypto->derive_keys_reauth(this->crypto,
+ chunk_create(this->mk, HASH_SIZE_SHA1));
+
+ /* parse again with decryption key */
+ if (!in->parse(in))
+ {
+ *out = create_client_error(this, in->get_identifier(in),
+ SIM_UNABLE_TO_PROCESS);
+ return NEED_MORE;
+ }
+
+ enumerator = in->create_attribute_enumerator(in);
+ while (enumerator->enumerate(enumerator, &type, &data))
+ {
+ switch (type)
+ {
+ case AT_COUNTER:
+ counter = data;
+ break;
+ case AT_NONCE_S:
+ nonce = data;
+ break;
+ case AT_NEXT_REAUTH_ID:
+ id = data;
+ break;
+ default:
+ if (!simaka_attribute_skippable(type))
+ {
+ *out = create_client_error(this, in->get_identifier(in),
+ SIM_UNABLE_TO_PROCESS);
+ enumerator->destroy(enumerator);
+ return NEED_MORE;
+ }
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (!nonce.len || !counter.len)
+ {
+ DBG1(DBG_IKE, "EAP-SIM/Request/Re-Authentication message incomplete");
+ *out = create_client_error(this, in->get_identifier(in),
+ SIM_UNABLE_TO_PROCESS);
+ return NEED_MORE;
+ }
+ if (!in->verify(in, nonce))
+ {
+ *out = create_client_error(this, in->get_identifier(in),
+ SIM_UNABLE_TO_PROCESS);
+ return NEED_MORE;
+ }
+
+ message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
+ SIM_REAUTHENTICATION, this->crypto);
+ if (counter_too_small(this, counter))
+ {
+ DBG1(DBG_IKE, "reauthentication counter too small");
+ message->add_attribute(message, AT_COUNTER_TOO_SMALL, chunk_empty);
+ }
+ else
+ {
+ free(this->msk.ptr);
+ this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
+ this->reauth, counter, nonce,
+ chunk_create(this->mk, HASH_SIZE_SHA1));
+ if (id.len)
+ {
+ set_reauth(this, id);
+ }
+ }
+ message->add_attribute(message, AT_COUNTER, counter);
+ *out = message->generate(message, nonce);
+ message->destroy(message);
+ return NEED_MORE;
+}
+
/**
* process an EAP-SIM/Request/Notification message
*/
case SIM_CHALLENGE:
status = process_challenge(this, message, out);
break;
+ case SIM_REAUTHENTICATION:
+ status = process_reauthentication(this, message, out);
+ break;
case SIM_NOTIFICATION:
status = process_notification(this, message, out);
break;
{
this->permanent->destroy(this->permanent);
DESTROY_IF(this->pseudonym);
+ DESTROY_IF(this->reauth);
this->crypto->destroy(this->crypto);
free(this->version_list.ptr);
free(this->nonce.ptr);
}
this->permanent = peer->clone(peer);
this->pseudonym = NULL;
+ this->reauth = NULL;
this->tries = MAX_TRIES;
this->version_list = chunk_empty;
this->nonce = chunk_empty;
/* number of triplets for one authentication */
#define TRIPLET_COUNT 3
+/** length of the AT_NONCE_S value */
+#define NONCE_LEN 16
+
typedef struct private_eap_sim_server_t private_eap_sim_server_t;
/**
*/
identification_t *pseudonym;
+ /**
+ * reauthentication ID of peer
+ */
+ identification_t *reauth;
+
/**
* EAP-SIM/AKA crypto helper
*/
*/
chunk_t sreses;
+ /**
+ * Nonce value used in AT_NONCE_S
+ */
+ chunk_t nonce;
+
+ /**
+ * Counter value negotiated, network order
+ */
+ chunk_t counter;
+
/**
* MSK, used for EAP-SIM based IKEv2 authentication
*/
return FALSE;
}
+/**
+ * Generate a new reauthentication identity for next fast reauthentication
+ */
+static identification_t* gen_reauth(private_eap_sim_server_t *this,
+ char mk[HASH_SIZE_SHA1])
+{
+ enumerator_t *enumerator;
+ sim_provider_t *provider;
+ identification_t *reauth = NULL;
+
+ enumerator = charon->sim->create_provider_enumerator(charon->sim);
+ while (enumerator->enumerate(enumerator, &provider))
+ {
+ reauth = provider->gen_reauth(provider, this->permanent, mk);
+ if (reauth)
+ {
+ DBG1(DBG_IKE, "proposing new reauthentication identity '%Y'", reauth);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return reauth;
+}
+
+/**
+ * Check if an identity is a known reauthentication identity
+ */
+static identification_t* is_reauth(private_eap_sim_server_t *this,
+ identification_t *id, char mk[HASH_SIZE_SHA1],
+ u_int16_t *counter)
+{
+ enumerator_t *enumerator;
+ sim_provider_t *provider;
+ identification_t *permanent = NULL;
+
+ enumerator = charon->sim->create_provider_enumerator(charon->sim);
+ while (enumerator->enumerate(enumerator, &provider))
+ {
+ permanent = provider->is_reauth(provider, id, mk, counter);
+ if (permanent)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return permanent;
+}
+
/**
* Generate a new pseudonym for next authentication
*/
pseudonym = provider->gen_pseudonym(provider, this->permanent);
if (pseudonym)
{
+ DBG1(DBG_IKE, "proposing new pseudonym '%Y'", pseudonym);
break;
}
}
return NEED_MORE;
}
+/**
+ * Initiate EAP-SIM/Request/Re-authentication message
+ */
+static status_t reauthenticate(private_eap_sim_server_t *this,
+ char mk[HASH_SIZE_SHA1], u_int16_t counter,
+ eap_payload_t **out)
+{
+ simaka_message_t *message;
+ identification_t *next;
+ chunk_t mkc;
+ rng_t *rng;
+
+ DBG1(DBG_IKE, "initiating EAP-SIM reauthentication");
+
+ rng = this->crypto->get_rng(this->crypto);
+ rng->allocate_bytes(rng, NONCE_LEN, &this->nonce);
+
+ mkc = chunk_create(mk, HASH_SIZE_SHA1);
+ counter = htons(counter);
+ this->counter = chunk_clone(chunk_create((char*)&counter, sizeof(counter)));
+
+ this->crypto->derive_keys_reauth(this->crypto, mkc);
+ this->msk = this->crypto->derive_keys_reauth_msk(this->crypto,
+ this->reauth, this->counter, this->nonce, mkc);
+
+ message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
+ SIM_REAUTHENTICATION, this->crypto);
+ message->add_attribute(message, AT_COUNTER, this->counter);
+ message->add_attribute(message, AT_NONCE_S, this->nonce);
+ next = gen_reauth(this, mk);
+ if (next)
+ {
+ message->add_attribute(message, AT_NEXT_REAUTH_ID,
+ next->get_encoding(next));
+ next->destroy(next);
+ }
+ /* create AT_MAC over EAP-Message|NONCE_S */
+ *out = message->generate(message, this->nonce);
+ message->destroy(message);
+
+ this->pending = SIM_REAUTHENTICATION;
+ return NEED_MORE;
+}
+
+/**
+ * process an EAP-SIM/Response/Reauthentication message
+ */
+static status_t process_reauthentication(private_eap_sim_server_t *this,
+ simaka_message_t *in, eap_payload_t **out)
+{
+ enumerator_t *enumerator;
+ simaka_attribute_t type;
+ chunk_t data, counter = chunk_empty;
+ bool too_small = FALSE;
+
+ if (this->pending != SIM_REAUTHENTICATION)
+ {
+ DBG1(DBG_IKE, "received %N, but not expected",
+ simaka_subtype_names, SIM_REAUTHENTICATION);
+ return FAILED;
+ }
+
+ enumerator = in->create_attribute_enumerator(in);
+ while (enumerator->enumerate(enumerator, &type, &data))
+ {
+ switch (type)
+ {
+ case AT_COUNTER:
+ counter = data;
+ break;
+ case AT_COUNTER_TOO_SMALL:
+ too_small = TRUE;
+ break;
+ default:
+ if (!simaka_attribute_skippable(type))
+ {
+ enumerator->destroy(enumerator);
+ return FAILED;
+ }
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* verify AT_MAC attribute, signature is over "EAP packet | NONCE_S" */
+ if (!in->verify(in, this->nonce))
+ {
+ return FAILED;
+ }
+ if (too_small)
+ {
+ DBG1(DBG_IKE, "received %N, initiating full authentication",
+ simaka_attribute_names, AT_COUNTER_TOO_SMALL);
+ this->use_reauth = FALSE;
+ this->crypto->clear_keys(this->crypto);
+ return initiate(this, out);
+ }
+ if (!chunk_equals(counter, this->counter))
+ {
+ DBG1(DBG_IKE, "received counter does not match");
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
/**
* process an EAP-SIM/Response/Start message
*/
simaka_message_t *message;
enumerator_t *enumerator;
simaka_attribute_t type;
- chunk_t data, identity = chunk_empty, nonce = chunk_empty;
+ chunk_t data, identity = chunk_empty, nonce = chunk_empty, mk;
chunk_t rands, rand, kcs, kc, sreses, sres;
bool supported = FALSE;
identification_t *id;
}
enumerator->destroy(enumerator);
- if (!supported || !nonce.len)
- {
- DBG1(DBG_IKE, "received incomplete EAP-SIM/Response/Start");
- return FAILED;
- }
-
if (identity.len)
{
+ identification_t *permanent;
char buf[identity.len + 1];
snprintf(buf, sizeof(buf), "%.*s", identity.len, identity.ptr);
id = identification_create_from_string(buf);
- if (this->use_pseudonym)
+ if (this->use_reauth)
{
- identification_t *permanent;
+ char mk[HASH_SIZE_SHA1];
+ u_int16_t counter;
+ permanent = is_reauth(this, id, mk, &counter);
+ if (permanent)
+ {
+ DBG1(DBG_IKE, "received reauthentication identity '%Y' "
+ "mapping to '%Y'", id, permanent);
+ this->permanent->destroy(this->permanent);
+ this->permanent = permanent;
+ this->reauth = id;
+ return reauthenticate(this, mk, counter, out);
+ }
+ }
+ if (this->use_pseudonym)
+ {
permanent = is_pseudonym(this, id);
if (permanent)
{
- DBG1(DBG_IKE, "received pseudonym identity '%Y' mapping to '%Y'",
- id, permanent);
+ DBG1(DBG_IKE, "received pseudonym identity '%Y' "
+ "mapping to '%Y'", id, permanent);
this->permanent->destroy(this->permanent);
this->permanent = permanent;
this->pseudonym = id->clone(id);
+ this->use_permanent = FALSE;
}
}
if (!this->pseudonym && this->use_permanent)
id->destroy(id);
}
+ if (!supported || !nonce.len)
+ {
+ DBG1(DBG_IKE, "received incomplete EAP-SIM/Response/Start");
+ return FAILED;
+ }
+
/* read triplets from provider */
rand = rands = chunk_alloca(SIM_RAND_LEN * TRIPLET_COUNT);
kc = kcs = chunk_alloca(SIM_KC_LEN * TRIPLET_COUNT);
{
id = this->pseudonym;
}
- this->msk = this->crypto->derive_keys_full(this->crypto, id, data);
+ this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk);
/* build response with AT_MAC, built over "EAP packet | NONCE_MT" */
message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
SIM_CHALLENGE, this->crypto);
message->add_attribute(message, AT_RAND, rands);
- if (this->use_pseudonym)
+ if (this->use_reauth && (id = gen_reauth(this, mk.ptr)))
{
- /* generate new pseudonym for next authentication */
- id = gen_pseudonym(this);
- if (id)
- {
- DBG1(DBG_IKE, "proposing new pseudonym '%Y'", id);
- message->add_attribute(message, AT_NEXT_PSEUDONYM,
- id->get_encoding(id));
- id->destroy(id);
- }
+ message->add_attribute(message, AT_NEXT_REAUTH_ID,
+ id->get_encoding(id));
+ id->destroy(id);
+ }
+ else if (this->use_pseudonym && (id = gen_pseudonym(this)))
+ {
+ message->add_attribute(message, AT_NEXT_PSEUDONYM,
+ id->get_encoding(id));
+ id->destroy(id);
}
*out = message->generate(message, nonce);
message->destroy(message);
+ free(mk.ptr);
this->pending = SIM_CHALLENGE;
return NEED_MORE;
}
/* verify AT_MAC attribute, signature is over "EAP packet | n*SRES" */
if (!in->verify(in, this->sreses))
{
- DBG1(DBG_IKE, "AT_MAC verification failed");
return FAILED;
}
return SUCCESS;
case SIM_CHALLENGE:
status = process_challenge(this, message, out);
break;
+ case SIM_REAUTHENTICATION:
+ status = process_reauthentication(this, message, out);
+ break;
case SIM_CLIENT_ERROR:
status = process_client_error(this, message);
break;
this->crypto->destroy(this->crypto);
this->permanent->destroy(this->permanent);
DESTROY_IF(this->pseudonym);
+ DESTROY_IF(this->reauth);
free(this->sreses.ptr);
+ free(this->nonce.ptr);
free(this->msk.ptr);
+ free(this->counter.ptr);
free(this);
}
}
this->permanent = peer->clone(peer);
this->pseudonym = NULL;
+ this->reauth = NULL;
this->sreses = chunk_empty;
+ this->nonce = chunk_empty;
this->msk = chunk_empty;
+ this->counter = chunk_empty;
this->pending = 0;
this->use_reauth = lib->settings->get_bool(lib->settings,
- "charon.plugins.eap-sim.use_reauth", FALSE);
+ "charon.plugins.eap-sim.use_reauth", TRUE);
this->use_pseudonym = lib->settings->get_bool(lib->settings,
"charon.plugins.eap-sim.use_pseudonym", TRUE);
this->use_permanent = lib->settings->get_bool(lib->settings,
projects / thirdparty / strongswan.git / commitdiff
