From: Martin Willi Date: Wed, 21 Oct 2009 12:21:00 +0000 (+0200) Subject: Use the EAP-SIM/AKA crypto helper in EAP-SIM X-Git-Tag: 4.3.6~237 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e9c03f524326e04a1d2feffce3747e311a5a5d78;p=thirdparty%2Fstrongswan.git Use the EAP-SIM/AKA crypto helper in EAP-SIM --- diff --git a/src/charon/plugins/eap_sim/eap_sim_peer.c b/src/charon/plugins/eap_sim/eap_sim_peer.c index 78b7c9ce61..43abfdab05 100644 --- a/src/charon/plugins/eap_sim/eap_sim_peer.c +++ b/src/charon/plugins/eap_sim/eap_sim_peer.c @@ -35,14 +35,6 @@ #define KC_LEN 8 /** length of SRES */ #define SRES_LEN 4 -/** length of the k_encr key */ -#define KENCR_LEN 16 -/** length of the k_auth key */ -#define KAUTH_LEN 16 -/** length of the MSK */ -#define MSK_LEN 64 -/** length of the EMSK */ -#define EMSK_LEN 64 typedef struct private_eap_sim_peer_t private_eap_sim_peer_t; @@ -62,29 +54,9 @@ struct private_eap_sim_peer_t { identification_t *peer; /** - * RNG to create nonces, IVs + * EAP-SIM crypto helper */ - rng_t *rng; - - /** - * hashing function - */ - hasher_t *hasher; - - /** - * prf - */ - prf_t *prf; - - /** - * MAC function - */ - signer_t *signer; - - /** - * encryption function - */ - crypter_t *crypter; + simaka_crypto_t *crypto; /** * how many times we try to authenticate @@ -141,43 +113,6 @@ static bool get_card_triplet(private_eap_sim_peer_t *this, return success; } -/** - * Derive EAP keys from kc when using full authentication - */ -static void derive_keys_full(private_eap_sim_peer_t *this, chunk_t kcs) -{ - char mk[HASH_SIZE_SHA1], k_encr[KENCR_LEN], k_auth[KAUTH_LEN]; - chunk_t tmp; - int i; - - /* MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version) */ - tmp = chunk_cata("ccccc", this->peer->get_encoding(this->peer), - kcs, this->nonce, this->version_list, version); - this->hasher->get_hash(this->hasher, tmp, mk); - DBG3(DBG_IKE, "MK = SHA1(%B\n) = %b", &tmp, mk, HASH_SIZE_SHA1); - - /* K_encr | K_auth | MSK | EMSK = prf() | prf() | prf() | prf() - * We currently don't need EMSK, so three prf() are sufficient */ - this->prf->set_key(this->prf, chunk_create(mk, HASH_SIZE_SHA1)); - tmp = chunk_alloca(this->prf->get_block_size(this->prf) * 3); - for (i = 0; i < 3; i++) - { - this->prf->get_bytes(this->prf, chunk_empty, tmp.ptr + tmp.len / 3 * i); - } - memcpy(k_encr, tmp.ptr, KENCR_LEN); - tmp = chunk_skip(tmp, KENCR_LEN); - memcpy(k_auth, tmp.ptr, KAUTH_LEN); - tmp = chunk_skip(tmp, KAUTH_LEN); - free(this->msk.ptr); - this->msk = chunk_alloc(MSK_LEN); - memcpy(this->msk.ptr, tmp.ptr, MSK_LEN); - DBG3(DBG_IKE, "K_encr %b\nK_auth %b\nMSK %B", - k_encr, KENCR_LEN, k_auth, KAUTH_LEN, &this->msk); - - this->signer->set_key(this->signer, chunk_create(k_auth, KAUTH_LEN)); - this->crypter->set_key(this->crypter, chunk_create(k_encr, KENCR_LEN)); -} - /** * Send a SIM_CLIENT_ERROR */ @@ -190,7 +125,7 @@ static eap_payload_t* create_client_error(private_eap_sim_peer_t *this, message = simaka_message_create(FALSE, identifier, EAP_SIM, SIM_CLIENT_ERROR); message->add_attribute(message, AT_CLIENT_ERROR_CODE, code); - out = message->generate(message, NULL, NULL, NULL, chunk_empty); + out = message->generate(message, this->crypto, chunk_empty); message->destroy(message); return out; } @@ -205,6 +140,7 @@ static status_t process_start(private_eap_sim_peer_t *this, enumerator_t *enumerator; simaka_attribute_t type; chunk_t data; + rng_t *rng; bool supported = FALSE; enumerator = in->create_attribute_enumerator(in); @@ -243,14 +179,15 @@ static status_t process_start(private_eap_sim_peer_t *this, } /* generate AT_NONCE_MT value */ + rng = this->crypto->get_rng(this->crypto); free(this->nonce.ptr); - this->rng->allocate_bytes(this->rng, NONCE_LEN, &this->nonce); + rng->allocate_bytes(rng, NONCE_LEN, &this->nonce); message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM, SIM_START); message->add_attribute(message, AT_SELECTED_VERSION, version); message->add_attribute(message, AT_NONCE_MT, this->nonce); - *out = message->generate(message, NULL, NULL, NULL, chunk_empty); + *out = message->generate(message, this->crypto, chunk_empty); message->destroy(message); return NEED_MORE; @@ -321,10 +258,12 @@ static status_t process_challenge(private_eap_sim_peer_t *this, rands = chunk_skip(rands, RAND_LEN); } - derive_keys_full(this, kcs); + data = chunk_cata("cccc", kcs, this->nonce, this->version_list, version); + free(this->msk.ptr); + this->msk = this->crypto->derive_keys_full(this->crypto, this->peer, data); /* verify AT_MAC attribute, signature is over "EAP packet | NONCE_MT" */ - if (!in->verify(in, this->signer, this->nonce)) + if (!in->verify(in, this->crypto, this->nonce)) { DBG1(DBG_IKE, "AT_MAC verification failed"); *out = create_client_error(this, in->get_identifier(in), @@ -335,7 +274,7 @@ static status_t process_challenge(private_eap_sim_peer_t *this, /* build response with AT_MAC, built over "EAP packet | n*SRES" */ message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM, SIM_CHALLENGE); - *out = message->generate(message, NULL, NULL, this->signer, sreses); + *out = message->generate(message, this->crypto, sreses); message->destroy(message); return NEED_MORE; } @@ -375,7 +314,7 @@ static status_t process_notification(private_eap_sim_peer_t *this, { /* empty notification reply */ message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM, SIM_NOTIFICATION); - *out = message->generate(message, NULL, NULL, NULL, chunk_empty); + *out = message->generate(message, this->crypto, chunk_empty); message->destroy(message); } else @@ -402,7 +341,7 @@ static status_t process(private_eap_sim_peer_t *this, client_error_general); return NEED_MORE; } - if (!message->parse(message, this->crypter)) + if (!message->parse(message, this->crypto)) { message->destroy(message); *out = create_client_error(this, in->get_identifier(in), @@ -475,11 +414,7 @@ static bool is_mutual(private_eap_sim_peer_t *this) static void destroy(private_eap_sim_peer_t *this) { this->peer->destroy(this->peer); - DESTROY_IF(this->rng); - DESTROY_IF(this->hasher); - DESTROY_IF(this->prf); - DESTROY_IF(this->signer); - DESTROY_IF(this->crypter); + this->crypto->destroy(this->crypto); free(this->version_list.ptr); free(this->nonce.ptr); free(this->msk.ptr); @@ -494,12 +429,6 @@ eap_sim_peer_t *eap_sim_peer_create(identification_t *server, { private_eap_sim_peer_t *this = malloc_thing(private_eap_sim_peer_t); - this->peer = peer->clone(peer); - this->tries = MAX_TRIES; - this->version_list = chunk_empty; - this->nonce = chunk_empty; - this->msk = chunk_empty; - this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate; this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process; this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type; @@ -507,18 +436,18 @@ eap_sim_peer_t *eap_sim_peer_create(identification_t *server, this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk; this->public.interface.destroy = (void(*)(eap_method_t*))destroy; - this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); - this->prf = lib->crypto->create_prf(lib->crypto, PRF_FIPS_SHA1_160); - this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128); - this->crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16); - if (!this->rng || !this->hasher || !this->prf || - !this->signer || !this->crypter) + this->crypto = simaka_crypto_create(); + if (!this->crypto) { - DBG1(DBG_IKE, "unable to use EAP-SIM, missing algorithms"); - destroy(this); + free(this); return NULL; } + this->peer = peer->clone(peer); + this->tries = MAX_TRIES; + this->version_list = chunk_empty; + this->nonce = chunk_empty; + this->msk = chunk_empty; + return &this->public; } diff --git a/src/charon/plugins/eap_sim/eap_sim_server.c b/src/charon/plugins/eap_sim/eap_sim_server.c index 9b9bc9decb..47726103ba 100644 --- a/src/charon/plugins/eap_sim/eap_sim_server.c +++ b/src/charon/plugins/eap_sim/eap_sim_server.c @@ -18,12 +18,11 @@ #include #include +#include /* number of triplets for one authentication */ #define TRIPLET_COUNT 3 -/** length of the AT_NONCE_MT/AT_NONCE_S nonce value */ -#define NONCE_LEN 16 /** length of the AT_MAC value */ #define MAC_LEN 16 /** length of the AT_RAND value */ @@ -32,14 +31,6 @@ #define KC_LEN 8 /** length of SRES */ #define SRES_LEN 4 -/** length of the k_encr key */ -#define KENCR_LEN 16 -/** length of the k_auth key */ -#define KAUTH_LEN 16 -/** length of the MSK */ -#define MSK_LEN 64 -/** length of the EMSK */ -#define EMSK_LEN 64 typedef struct private_eap_sim_server_t private_eap_sim_server_t; @@ -59,29 +50,9 @@ struct private_eap_sim_server_t { identification_t *peer; /** - * Random number generator for nonce, IVs + * EAP-SIM/AKA crypto helper */ - rng_t *rng; - - /** - * hashing function - */ - hasher_t *hasher; - - /** - * prf - */ - prf_t *prf; - - /** - * MAC function - */ - signer_t *signer; - - /** - * encryption function - */ - crypter_t *crypter; + simaka_crypto_t *crypto; /** * unique EAP identifier @@ -99,6 +70,9 @@ struct private_eap_sim_server_t { chunk_t msk; }; +/* version of SIM protocol we speak */ +static chunk_t version = chunk_from_chars(0x00,0x01); + /** * Fetch a triplet from a provider */ @@ -125,44 +99,6 @@ static bool get_provider_triplet(private_eap_sim_server_t *this, return FALSE; } -/** - * Derive EAP keys from kc when using full authentication - */ -static void derive_keys_full(private_eap_sim_server_t *this, - chunk_t kcs, chunk_t nonce) -{ - char mk[HASH_SIZE_SHA1], k_encr[KENCR_LEN], k_auth[KAUTH_LEN]; - chunk_t tmp; - int i; - - /* MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version) */ - tmp = chunk_cata("ccccc", this->peer->get_encoding(this->peer), - kcs, nonce, version, version); - this->hasher->get_hash(this->hasher, tmp, mk); - DBG3(DBG_IKE, "MK = SHA1(%B\n) = %b", &tmp, mk, HASH_SIZE_SHA1); - - /* K_encr | K_auth | MSK | EMSK = prf() | prf() | prf() | prf() - * We currently don't need EMSK, so three prf() are sufficient */ - this->prf->set_key(this->prf, chunk_create(mk, HASH_SIZE_SHA1)); - tmp = chunk_alloca(this->prf->get_block_size(this->prf) * 3); - for (i = 0; i < 3; i++) - { - this->prf->get_bytes(this->prf, chunk_empty, tmp.ptr + tmp.len / 3 * i); - } - memcpy(k_encr, tmp.ptr, KENCR_LEN); - tmp = chunk_skip(tmp, KENCR_LEN); - memcpy(k_auth, tmp.ptr, KAUTH_LEN); - tmp = chunk_skip(tmp, KAUTH_LEN); - free(this->msk.ptr); - this->msk = chunk_alloc(MSK_LEN); - memcpy(this->msk.ptr, tmp.ptr, MSK_LEN); - DBG3(DBG_IKE, "K_encr %b\nK_auth %b\nMSK %B", - k_encr, KENCR_LEN, k_auth, KAUTH_LEN, &this->msk); - - this->signer->set_key(this->signer, chunk_create(k_auth, KAUTH_LEN)); - this->crypter->set_key(this->crypter, chunk_create(k_encr, KENCR_LEN)); -} - /** * process an EAP-SIM/Response/Start message */ @@ -226,13 +162,15 @@ static status_t process_start(private_eap_sim_server_t *this, free(this->sreses.ptr); this->sreses = chunk_clone(sreses); - derive_keys_full(this, kcs, nonce); + data = chunk_cata("cccc", kcs, nonce, version, version); + free(this->msk.ptr); + this->msk = this->crypto->derive_keys_full(this->crypto, this->peer, data); /* build response with AT_MAC, built over "EAP packet | NONCE_MT" */ message = simaka_message_create(TRUE, this->identifier++, EAP_SIM, SIM_CHALLENGE); message->add_attribute(message, AT_RAND, rands); - *out = message->generate(message, NULL, NULL, this->signer, nonce); + *out = message->generate(message, this->crypto, nonce); message->destroy(message); return NEED_MORE; } @@ -256,7 +194,7 @@ static status_t process_challenge(private_eap_sim_server_t *this, enumerator->destroy(enumerator); /* verify AT_MAC attribute, signature is over "EAP packet | n*SRES" */ - if (!in->verify(in, this->signer, this->sreses)) + if (!in->verify(in, this->crypto, this->sreses)) { DBG1(DBG_IKE, "AT_MAC verification failed"); return FAILED; @@ -305,7 +243,7 @@ static status_t process(private_eap_sim_server_t *this, { return FAILED; } - if (!message->parse(message, this->crypter)) + if (!message->parse(message, this->crypto)) { message->destroy(message); return FAILED; @@ -341,7 +279,7 @@ static status_t initiate(private_eap_sim_server_t *this, eap_payload_t **out) message = simaka_message_create(TRUE, this->identifier++, EAP_SIM, SIM_START); message->add_attribute(message, AT_VERSION_LIST, version); - *out = message->generate(message, NULL, NULL, NULL, chunk_empty); + *out = message->generate(message, this->crypto, chunk_empty); message->destroy(message); return NEED_MORE; } @@ -381,12 +319,8 @@ static bool is_mutual(private_eap_sim_server_t *this) */ static void destroy(private_eap_sim_server_t *this) { + this->crypto->destroy(this->crypto); this->peer->destroy(this->peer); - DESTROY_IF(this->rng); - DESTROY_IF(this->hasher); - DESTROY_IF(this->prf); - DESTROY_IF(this->signer); - DESTROY_IF(this->crypter); free(this->sreses.ptr); free(this->msk.ptr); free(this); @@ -400,14 +334,6 @@ eap_sim_server_t *eap_sim_server_create(identification_t *server, { private_eap_sim_server_t *this = malloc_thing(private_eap_sim_server_t); - this->peer = peer->clone(peer); - this->sreses = chunk_empty; - this->msk = chunk_empty; - /* generate a non-zero identifier */ - do { - this->identifier = random(); - } while (!this->identifier); - this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate; this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process; this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type; @@ -415,18 +341,20 @@ eap_sim_server_t *eap_sim_server_create(identification_t *server, this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk; this->public.interface.destroy = (void(*)(eap_method_t*))destroy; - this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); - this->prf = lib->crypto->create_prf(lib->crypto, PRF_FIPS_SHA1_160); - this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128); - this->crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16); - if (!this->rng || !this->hasher || !this->prf || - !this->signer || !this->crypter) + this->crypto = simaka_crypto_create(); + if (!this->crypto) { - DBG1(DBG_IKE, "unable to use EAP-SIM, missing algorithms"); - destroy(this); + free(this); return NULL; } + this->peer = peer->clone(peer); + this->sreses = chunk_empty; + this->msk = chunk_empty; + /* generate a non-zero identifier */ + do { + this->identifier = random(); + } while (!this->identifier); + return &this->public; } diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c index 84e9ceac10..182ffd1a60 100644 --- a/src/libsimaka/simaka_message.c +++ b/src/libsimaka/simaka_message.c @@ -217,8 +217,8 @@ static void add_attribute(private_simaka_message_t *this, /** * Implementation of simaka_message_t.parse */ -static bool parse(private_simaka_message_t *this, crypter_t *crypter, - signer_t *signer, chunk_t sigdata) +static bool parse(private_simaka_message_t *this, simaka_crypto_t *crypto, + chunk_t sigdata) { chunk_t in, iv = chunk_empty, encr = chunk_empty; @@ -397,6 +397,7 @@ static bool parse(private_simaka_message_t *this, crypter_t *crypter, if (iv.len && encr.len) { bool success; + crypter_t *crypter; if (this->encrypted) { @@ -404,6 +405,7 @@ static bool parse(private_simaka_message_t *this, crypter_t *crypter, eap_type_names, this->hdr->type); return FALSE; } + crypter = crypto->get_crypter(crypto); if (!crypter) { DBG1(DBG_IKE, "%N message contains unexpected encrypted data", @@ -421,7 +423,7 @@ static bool parse(private_simaka_message_t *this, crypter_t *crypter, crypter->decrypt(crypter, encr, iv, NULL); this->encrypted = TRUE; - success = parse(this, NULL, NULL, chunk_empty); + success = parse(this, crypto, chunk_empty); this->encrypted = FALSE; return success; } @@ -432,9 +434,12 @@ static bool parse(private_simaka_message_t *this, crypter_t *crypter, * Implementation of simaka_message_t.verify */ static bool verify(private_simaka_message_t *this, - signer_t *signer, chunk_t sigdata) + simaka_crypto_t *crypto, chunk_t sigdata) { chunk_t data, backup; + signer_t *signer; + + signer = crypto->get_signer(crypto); switch (this->hdr->subtype) { @@ -502,8 +507,7 @@ static bool verify(private_simaka_message_t *this, * Implementation of simaka_message_t.generate */ static eap_payload_t* generate(private_simaka_message_t *this, - crypter_t *crypter, rng_t *rng, - signer_t *signer, chunk_t sigdata) + simaka_crypto_t *crypto, chunk_t sigdata) { /* buffers large enough for messages we generate */ char out_buf[1024], encr_buf[512]; @@ -512,6 +516,7 @@ static eap_payload_t* generate(private_simaka_message_t *this, simaka_attribute_t type; attr_hdr_t *hdr; u_int16_t len; + signer_t *signer; out = chunk_create(out_buf, sizeof(out_buf)); encr = chunk_create(encr_buf, sizeof(encr_buf)); @@ -640,7 +645,10 @@ static eap_payload_t* generate(private_simaka_message_t *this, { chunk_t iv; size_t bs; + crypter_t *crypter; + rng_t *rng; + crypter = crypto->get_crypter(crypto); encr = chunk_create(encr_buf, sizeof(encr_buf) - encr.len); bs = crypter->get_block_size(crypter); @@ -651,6 +659,7 @@ static eap_payload_t* generate(private_simaka_message_t *this, memset(out.ptr + 2, 0, 2); out = chunk_skip(out, 4); + rng = crypto->get_rng(crypto); rng->get_bytes(rng, bs, out.ptr); iv = chunk_clonea(chunk_create(out.ptr, bs)); @@ -669,6 +678,7 @@ static eap_payload_t* generate(private_simaka_message_t *this, } /* include MAC ? */ + signer = crypto->get_signer(crypto); switch (this->hdr->subtype) { case SIM_CHALLENGE: @@ -750,9 +760,9 @@ static simaka_message_t *simaka_message_create_data(chunk_t data) this->public.get_subtype = (simaka_subtype_t(*)(simaka_message_t*))get_subtype; this->public.create_attribute_enumerator = (enumerator_t*(*)(simaka_message_t*))create_attribute_enumerator; this->public.add_attribute = (void(*)(simaka_message_t*, simaka_attribute_t type, chunk_t data))add_attribute; - this->public.parse = (bool(*)(simaka_message_t*, crypter_t *crypter))parse; - this->public.verify = (bool(*)(simaka_message_t*, signer_t *signer, chunk_t sigdata))verify; - this->public.generate = (eap_payload_t*(*)(simaka_message_t*, crypter_t *crypter, rng_t *rng, signer_t *signer, chunk_t sigdata))generate; + this->public.parse = (bool(*)(simaka_message_t*, simaka_crypto_t* crypto))parse; + this->public.verify = (bool(*)(simaka_message_t*, simaka_crypto_t* crypto, chunk_t sigdata))verify; + this->public.generate = (eap_payload_t*(*)(simaka_message_t*, simaka_crypto_t* crypto, chunk_t sigdata))generate; this->public.destroy = (void(*)(simaka_message_t*))destroy; this->attributes = linked_list_create(); diff --git a/src/libsimaka/simaka_message.h b/src/libsimaka/simaka_message.h index b7014e92d2..a09d72fa45 100644 --- a/src/libsimaka/simaka_message.h +++ b/src/libsimaka/simaka_message.h @@ -21,8 +21,10 @@ #ifndef SIMAKA_MESSAGE_H_ #define SIMAKA_MESSAGE_H_ -#include #include +#include + +#include "simaka_crypto.h" typedef struct simaka_message_t simaka_message_t; typedef enum simaka_attribute_t simaka_attribute_t; @@ -147,31 +149,30 @@ struct simaka_message_t { * This method does not verify message integrity, as the key is available * only after the payload has been parsed. * - * @param crypter crypter to decrypt AT_ENCR_DATA attribute + * @param crypto EAP-SIM/AKA crypto helper * @return TRUE if message parsed successfully */ - bool (*parse)(simaka_message_t *this, crypter_t *crypter); + bool (*parse)(simaka_message_t *this, simaka_crypto_t *crypto); /** * Verify the message integrity of a parsed message. * - * @param signer signer to verify AT_MAC attribute + * @param crypto EAP-SIM/AKA crypto helper * @param sigdata additional data to include in signature, if any * @return TRUE if message integrity check successful */ - bool (*verify)(simaka_message_t *this, signer_t *signer, chunk_t sigdata); + bool (*verify)(simaka_message_t *this, simaka_crypto_t *crypto, + chunk_t sigdata); /** * Generate a message, optionally encrypt attributes and create a MAC. * - * @param crypter crypter to encrypt attributes requiring encryption - * @param rng random number generator for IV - * @param signer signer to create AT_MAC attribute + * @param crypto EAP-SIM/AKA crypto helper * @param sigdata additional data to include in signature, if any * @return generated eap payload, NULL if failed */ - eap_payload_t* (*generate)(simaka_message_t *this, crypter_t *crypter, - rng_t *rng, signer_t *signer, chunk_t sigdata); + eap_payload_t* (*generate)(simaka_message_t *this, simaka_crypto_t *crypto, + chunk_t sigdata); /** * Destroy a simaka_message_t.