bool supported = FALSE;
simaka_attribute_t id_req = 0;
+ /* if this is the second invocation, server did not accept our pseudonym */
+ DESTROY_IF(this->pseudonym);
+ this->pseudonym = NULL;
+
enumerator = in->create_attribute_enumerator(in);
while (enumerator->enumerate(enumerator, &type, &data))
{
case AT_ANY_ID_REQ:
/* TODO: reauth handling */
case AT_FULLAUTH_ID_REQ:
- DESTROY_IF(this->pseudonym);
this->pseudonym = get_pseudonym(this);
if (this->pseudonym)
{
}
enumerator->destroy(enumerator);
- peer = this->permanent;
- if (this->pseudonym)
- {
- peer = this->pseudonym;
- }
-
/* excepting two or three RAND, each 16 bytes. We require two valid
* and different RANDs */
if ((rands.len != 2 * SIM_RAND_LEN && rands.len != 3 * SIM_RAND_LEN) ||
sreses = sres = chunk_alloca(rands.len / 4);
while (rands.len >= SIM_RAND_LEN)
{
- if (!get_triplet(this, peer, rands.ptr, sres.ptr, kc.ptr))
+ if (!get_triplet(this, this->permanent, rands.ptr, sres.ptr, kc.ptr))
{
DBG1(DBG_IKE, "unable to get EAP-SIM triplet");
*out = create_client_error(this, in->get_identifier(in),
rands = chunk_skip(rands, SIM_RAND_LEN);
}
+ peer = this->permanent;
+ if (this->pseudonym)
+ {
+ peer = this->pseudonym;
+ }
data = chunk_cata("cccc", kcs, this->nonce, this->version_list, version);
free(this->msk.ptr);
this->msk = this->crypto->derive_keys_full(this->crypto, peer, data);
*/
identification_t *permanent;
+ /**
+ * pseudonym ID of peer
+ */
+ identification_t *pseudonym;
+
/**
* EAP-SIM/AKA crypto helper
*/
return pseudonym;
}
+/**
+ * Check if an identity is a known pseudonym
+ */
+static identification_t* is_pseudonym(private_eap_sim_server_t *this,
+ identification_t *pseudonym)
+{
+ enumerator_t *enumerator;
+ sim_provider_t *provider;
+ identification_t *permanent = NULL;
+
+ enumerator = charon->sim->create_provider_enumerator(charon->sim);
+ while (enumerator->enumerate(enumerator, &provider))
+ {
+ permanent = provider->is_pseudonym(provider, pseudonym);
+ if (permanent)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return permanent;
+}
+
+/**
+ * Implementation of eap_method_t.initiate
+ */
+static status_t initiate(private_eap_sim_server_t *this, eap_payload_t **out)
+{
+ simaka_message_t *message;
+
+ message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
+ SIM_START, this->crypto);
+ message->add_attribute(message, AT_VERSION_LIST, version);
+ if (this->use_reauth)
+ {
+ message->add_attribute(message, AT_ANY_ID_REQ, chunk_empty);
+ }
+ else if (this->use_pseudonym)
+ {
+ message->add_attribute(message, AT_FULLAUTH_ID_REQ, chunk_empty);
+ }
+ else if (this->use_permanent)
+ {
+ message->add_attribute(message, AT_PERMANENT_ID_REQ, chunk_empty);
+ }
+ *out = message->generate(message, chunk_empty);
+ message->destroy(message);
+
+ this->pending = SIM_START;
+ return NEED_MORE;
+}
+
/**
* process an EAP-SIM/Response/Start message
*/
simaka_message_t *message;
enumerator_t *enumerator;
simaka_attribute_t type;
- chunk_t data, id = chunk_empty, nonce = chunk_empty;
+ chunk_t data, identity = chunk_empty, nonce = chunk_empty;
chunk_t rands, rand, kcs, kc, sreses, sres;
bool supported = FALSE;
- identification_t *peer = NULL, *pseudonym;
+ identification_t *id;
int i;
if (this->pending != SIM_START)
}
break;
case AT_IDENTITY:
- id = data;
+ identity = data;
break;
default:
if (!simaka_attribute_skippable(type))
return FAILED;
}
- if (id.len)
+ if (identity.len)
{
- if (this->use_reauth)
+ char buf[identity.len + 1];
+
+ snprintf(buf, sizeof(buf), "%.*s", identity.len, identity.ptr);
+ id = identification_create_from_string(buf);
+
+ if (this->use_pseudonym)
{
- /* TODO: handle reauthentication identity */
+ identification_t *permanent;
+
+ permanent = is_pseudonym(this, id);
+ if (permanent)
+ {
+ DBG1(DBG_IKE, "received pseudonym identity '%Y' mapping to '%Y'",
+ id, permanent);
+ this->permanent->destroy(this->permanent);
+ this->permanent = permanent;
+ this->pseudonym = id->clone(id);
+ }
}
- if (this->use_pseudonym || this->use_permanent)
+ if (!this->pseudonym && this->use_permanent)
{
- char buf[id.len + 1];
-
- snprintf(buf, sizeof(buf), "%.*s", id.len, id.ptr);
- peer = identification_create_from_string(buf);
- DBG1(DBG_CFG, "received (pseudonym) identity '%Y'", peer);
+ DBG1(DBG_IKE, "received %spermanent identity '%Y'",
+ this->use_pseudonym ? "pseudonym or " : "", id);
+ this->permanent->destroy(this->permanent);
+ this->permanent = id->clone(id);
}
- }
- if (!peer)
- {
- peer = this->permanent->clone(this->permanent);
+ id->destroy(id);
}
/* read triplets from provider */
rands.len = kcs.len = sreses.len = 0;
for (i = 0; i < TRIPLET_COUNT; i++)
{
- if (!get_triplet(this, peer, rand.ptr, sres.ptr, kc.ptr))
+ if (!get_triplet(this, this->permanent, rand.ptr, sres.ptr, kc.ptr))
{
- peer->destroy(peer);
+ if (this->use_pseudonym)
+ {
+ /* probably received a pseudonym we couldn't map */
+ DBG1(DBG_IKE, "failed to map pseudonym identity '%Y', "
+ "fallback to fullauth identity request", this->permanent);
+ this->use_pseudonym = FALSE;
+ DESTROY_IF(this->pseudonym);
+ this->pseudonym = NULL;
+ return initiate(this, out);
+ }
return FAILED;
}
rands.len += SIM_RAND_LEN;
data = chunk_cata("cccc", kcs, nonce, version, version);
free(this->msk.ptr);
- this->msk = this->crypto->derive_keys_full(this->crypto, peer, data);
- peer->destroy(peer);
+ id = this->permanent;
+ if (this->pseudonym)
+ {
+ id = this->pseudonym;
+ }
+ this->msk = this->crypto->derive_keys_full(this->crypto, id, data);
/* build response with AT_MAC, built over "EAP packet | NONCE_MT" */
message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
if (this->use_pseudonym)
{
/* generate new pseudonym for next authentication */
- pseudonym = gen_pseudonym(this);
- if (peer)
+ id = gen_pseudonym(this);
+ if (id)
{
- DBG1(DBG_IKE, "proposing new pseudonym '%Y'", pseudonym);
+ DBG1(DBG_IKE, "proposing new pseudonym '%Y'", id);
message->add_attribute(message, AT_NEXT_PSEUDONYM,
- pseudonym->get_encoding(pseudonym));
- pseudonym->destroy(pseudonym);
+ id->get_encoding(id));
+ id->destroy(id);
}
}
*out = message->generate(message, nonce);
return status;
}
-/**
- * Implementation of eap_method_t.initiate
- */
-static status_t initiate(private_eap_sim_server_t *this, eap_payload_t **out)
-{
- simaka_message_t *message;
-
- message = simaka_message_create(TRUE, this->identifier++, EAP_SIM,
- SIM_START, this->crypto);
- message->add_attribute(message, AT_VERSION_LIST, version);
- if (this->use_reauth)
- {
- message->add_attribute(message, AT_ANY_ID_REQ, chunk_empty);
- }
- else if (this->use_pseudonym)
- {
- message->add_attribute(message, AT_FULLAUTH_ID_REQ, chunk_empty);
- }
- else if (this->use_permanent)
- {
- message->add_attribute(message, AT_PERMANENT_ID_REQ, chunk_empty);
- }
- *out = message->generate(message, chunk_empty);
- message->destroy(message);
-
- this->pending = SIM_START;
- return NEED_MORE;
-}
-
/**
* Implementation of eap_method_t.get_type.
*/
{
this->crypto->destroy(this->crypto);
this->permanent->destroy(this->permanent);
+ DESTROY_IF(this->pseudonym);
free(this->sreses.ptr);
free(this->msk.ptr);
free(this);
return NULL;
}
this->permanent = peer->clone(peer);
+ this->pseudonym = NULL;
this->sreses = chunk_empty;
this->msk = chunk_empty;
this->pending = 0;
this->use_reauth = lib->settings->get_bool(lib->settings,
- "charon.plugins.eap-sim.use_reauth", TRUE);
+ "charon.plugins.eap-sim.use_reauth", FALSE);
this->use_pseudonym = lib->settings->get_bool(lib->settings,
"charon.plugins.eap-sim.use_pseudonym", TRUE);
this->use_permanent = lib->settings->get_bool(lib->settings,
projects / thirdparty / strongswan.git / commitdiff
