| /* |
| * Copyright (C) 2007-2009 Martin Willi |
| * HSR Hochschule fuer Technik Rapperswil |
| * |
| * This program is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License as published by the |
| * Free Software Foundation; either version 2 of the License, or (at your |
| * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. |
| * |
| * This program is distributed in the hope that it will be useful, but |
| * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY |
| * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * for more details. |
| */ |
| |
| #include "eap_sim_peer.h" |
| |
| #include <daemon.h> |
| |
| #include <simaka_message.h> |
| #include <simaka_manager.h> |
| |
| /* number of tries we do authenticate */ |
| #define MAX_TRIES 3 |
| |
| /* number of triplets for one authentication */ |
| #define TRIPLET_COUNT 3 |
| |
| /** length of the AT_NONCE_MT nonce value */ |
| #define NONCE_LEN 16 |
| |
| typedef struct private_eap_sim_peer_t private_eap_sim_peer_t; |
| |
| /** |
| * Private data of an eap_sim_peer_t object. |
| */ |
| struct private_eap_sim_peer_t { |
| |
| /** |
| * Public authenticator_t interface. |
| */ |
| eap_sim_peer_t public; |
| |
| /** |
| * SIM backend manager |
| */ |
| simaka_manager_t *mgr; |
| |
| /** |
| * permanent ID of peer |
| */ |
| identification_t *permanent; |
| |
| /** |
| * Pseudonym identity the peer uses |
| */ |
| identification_t *pseudonym; |
| |
| /** |
| * Reauthentication identity the peer uses |
| */ |
| identification_t *reauth; |
| |
| /** |
| * EAP message identifier |
| */ |
| uint8_t identifier; |
| |
| /** |
| * EAP-SIM crypto helper |
| */ |
| simaka_crypto_t *crypto; |
| |
| /** |
| * how many times we try to authenticate |
| */ |
| int tries; |
| |
| /** |
| * version list received from server |
| */ |
| chunk_t version_list; |
| |
| /** |
| * Nonce value used in AT_NONCE_MT/AT_NONCE_S |
| */ |
| chunk_t nonce; |
| |
| /** |
| * MSK, used for EAP-SIM based IKEv2 authentication |
| */ |
| chunk_t msk; |
| |
| /** |
| * Master key, if reauthentication is used |
| */ |
| char mk[HASH_SIZE_SHA1]; |
| |
| /** |
| * Counter value if reauthentication is used |
| */ |
| uint16_t counter; |
| }; |
| |
| /* version of SIM protocol we speak */ |
| static chunk_t version = chunk_from_chars(0x00,0x01); |
| |
| /** |
| * Generate a payload from a message, destroy message |
| */ |
| static bool generate_payload(simaka_message_t *message, chunk_t data, |
| eap_payload_t **out) |
| { |
| chunk_t chunk; |
| bool ok; |
| |
| ok = message->generate(message, data, &chunk); |
| if (ok) |
| { |
| *out = eap_payload_create_data_own(chunk); |
| } |
| message->destroy(message); |
| return ok; |
| } |
| |
| /** |
| * Create a SIM_CLIENT_ERROR |
| */ |
| static bool create_client_error(private_eap_sim_peer_t *this, |
| simaka_client_error_t code, eap_payload_t **out) |
| { |
| simaka_message_t *message; |
| uint16_t encoded; |
| |
| DBG1(DBG_IKE, "sending client error '%N'", simaka_client_error_names, code); |
| |
| message = simaka_message_create(FALSE, this->identifier, EAP_SIM, |
| SIM_CLIENT_ERROR, this->crypto); |
| encoded = htons(code); |
| message->add_attribute(message, AT_CLIENT_ERROR_CODE, |
| chunk_create((char*)&encoded, sizeof(encoded))); |
| return generate_payload(message, chunk_empty, out); |
| } |
| |
| /** |
| * process an EAP-SIM/Request/Start message |
| */ |
| static status_t process_start(private_eap_sim_peer_t *this, |
| simaka_message_t *in, eap_payload_t **out) |
| { |
| simaka_message_t *message; |
| enumerator_t *enumerator; |
| simaka_attribute_t type; |
| chunk_t data, id = chunk_empty; |
| rng_t *rng; |
| bool supported = FALSE; |
| simaka_attribute_t id_req = 0; |
| |
| /* reset previously uses reauthentication/pseudonym data */ |
| this->crypto->clear_keys(this->crypto); |
| DESTROY_IF(this->pseudonym); |
| this->pseudonym = NULL; |
| DESTROY_IF(this->reauth); |
| this->reauth = NULL; |
| |
| enumerator = in->create_attribute_enumerator(in); |
| while (enumerator->enumerate(enumerator, &type, &data)) |
| { |
| switch (type) |
| { |
| case AT_VERSION_LIST: |
| { |
| free(this->version_list.ptr); |
| this->version_list = chunk_clone(data); |
| while (data.len >= version.len) |
| { |
| if (memeq(data.ptr, version.ptr, version.len)) |
| { |
| supported = TRUE; |
| break; |
| } |
| } |
| break; |
| } |
| case AT_ANY_ID_REQ: |
| case AT_FULLAUTH_ID_REQ: |
| case AT_PERMANENT_ID_REQ: |
| id_req = type; |
| break; |
| default: |
| if (!simaka_attribute_skippable(type)) |
| { |
| enumerator->destroy(enumerator); |
| if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) |
| { |
| return FAILED; |
| } |
| return NEED_MORE; |
| } |
| break; |
| } |
| } |
| enumerator->destroy(enumerator); |
| |
| if (!supported) |
| { |
| DBG1(DBG_IKE, "server does not support EAP-SIM version number 1"); |
| if (!create_client_error(this, SIM_UNSUPPORTED_VERSION, out)) |
| { |
| return FAILED; |
| } |
| return NEED_MORE; |
| } |
| |
| switch (id_req) |
| { |
| case AT_ANY_ID_REQ: |
| this->reauth = this->mgr->card_get_reauth(this->mgr, |
| this->permanent, this->mk, &this->counter); |
| if (this->reauth) |
| { |
| id = this->reauth->get_encoding(this->reauth); |
| break; |
| } |
| /* FALL */ |
| case AT_FULLAUTH_ID_REQ: |
| this->pseudonym = this->mgr->card_get_pseudonym(this->mgr, |
| this->permanent); |
| if (this->pseudonym) |
| { |
| id = this->pseudonym->get_encoding(this->pseudonym); |
| break; |
| } |
| /* FALL */ |
| case AT_PERMANENT_ID_REQ: |
| id = this->permanent->get_encoding(this->permanent); |
| break; |
| default: |
| break; |
| } |
| |
| /* generate AT_NONCE_MT value */ |
| rng = this->crypto->get_rng(this->crypto); |
| free(this->nonce.ptr); |
| if (!rng->allocate_bytes(rng, NONCE_LEN, &this->nonce)) |
| { |
| return FAILED; |
| } |
| |
| message = simaka_message_create(FALSE, this->identifier, EAP_SIM, |
| SIM_START, this->crypto); |
| if (!this->reauth) |
| { |
| message->add_attribute(message, AT_SELECTED_VERSION, version); |
| message->add_attribute(message, AT_NONCE_MT, this->nonce); |
| } |
| if (id.len) |
| { |
| message->add_attribute(message, AT_IDENTITY, id); |
| } |
| if (!generate_payload(message, chunk_empty, out)) |
| { |
| return FAILED; |
| } |
| return NEED_MORE; |
| } |
| |
| /** |
| * process an EAP-SIM/Request/Challenge message |
| */ |
| static status_t process_challenge(private_eap_sim_peer_t *this, |
| simaka_message_t *in, eap_payload_t **out) |
| { |
| simaka_message_t *message; |
| enumerator_t *enumerator; |
| simaka_attribute_t type; |
| chunk_t data, rands = chunk_empty, kcs, kc, sreses, sres, mk; |
| identification_t *id; |
| |
| if (this->tries-- <= 0) |
| { |
| /* give up without notification. This hack is required as some buggy |
| * server implementations won't respect our client-error. */ |
| return FAILED; |
| } |
| |
| enumerator = in->create_attribute_enumerator(in); |
| while (enumerator->enumerate(enumerator, &type, &data)) |
| { |
| switch (type) |
| { |
| case AT_RAND: |
| rands = data; |
| break; |
| default: |
| if (!simaka_attribute_skippable(type)) |
| { |
| enumerator->destroy(enumerator); |
| if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) |
| { |
| return FAILED; |
| } |
| return NEED_MORE; |
| } |
| break; |
| } |
| } |
| enumerator->destroy(enumerator); |
| |
| /* excepting two or three RAND, each 16 bytes. We require two valid |
| * and different RANDs */ |
| if ((rands.len != 2 * SIM_RAND_LEN && rands.len != 3 * SIM_RAND_LEN) || |
| memeq_const(rands.ptr, rands.ptr + SIM_RAND_LEN, SIM_RAND_LEN)) |
| { |
| DBG1(DBG_IKE, "no valid AT_RAND received"); |
| if (!create_client_error(this, SIM_INSUFFICIENT_CHALLENGES, out)) |
| { |
| return FAILED; |
| } |
| return NEED_MORE; |
| } |
| /* get two or three KCs/SRESes from SIM using RANDs */ |
| kcs = kc = chunk_alloca(rands.len / 2); |
| sreses = sres = chunk_alloca(rands.len / 4); |
| while (rands.len >= SIM_RAND_LEN) |
| { |
| if (!this->mgr->card_get_triplet(this->mgr, this->permanent, |
| rands.ptr, sres.ptr, kc.ptr)) |
| { |
| DBG1(DBG_IKE, "unable to get EAP-SIM triplet"); |
| if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) |
| { |
| return FAILED; |
| } |
| return NEED_MORE; |
| } |
| DBG3(DBG_IKE, "got triplet for RAND %b\n Kc %b\n SRES %b", |
| rands.ptr, SIM_RAND_LEN, sres.ptr, SIM_SRES_LEN, kc.ptr, SIM_KC_LEN); |
| kc = chunk_skip(kc, SIM_KC_LEN); |
| sres = chunk_skip(sres, SIM_SRES_LEN); |
| rands = chunk_skip(rands, SIM_RAND_LEN); |
| } |
| |
| id = this->permanent; |
| if (this->pseudonym) |
| { |
| id = this->pseudonym; |
| } |
| data = chunk_cata("cccc", kcs, this->nonce, this->version_list, version); |
| chunk_clear(&this->msk); |
| if (!this->crypto->derive_keys_full(this->crypto, id, data, &mk, &this->msk)) |
| { |
| return FAILED; |
| } |
| memcpy(this->mk, mk.ptr, mk.len); |
| chunk_clear(&mk); |
| |
| /* Verify AT_MAC attribute, signature is over "EAP packet | NONCE_MT", and |
| * parse() again after key derivation, reading encrypted attributes */ |
| if (!in->verify(in, this->nonce) || !in->parse(in)) |
| { |
| if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) |
| { |
| return FAILED; |
| } |
| return NEED_MORE; |
| } |
| |
| enumerator = in->create_attribute_enumerator(in); |
| while (enumerator->enumerate(enumerator, &type, &data)) |
| { |
| switch (type) |
| { |
| case AT_NEXT_REAUTH_ID: |
| this->counter = 0; |
| id = identification_create_from_data(data); |
| this->mgr->card_set_reauth(this->mgr, this->permanent, id, |
| this->mk, this->counter); |
| id->destroy(id); |
| break; |
| case AT_NEXT_PSEUDONYM: |
| id = identification_create_from_data(data); |
| this->mgr->card_set_pseudonym(this->mgr, this->permanent, id); |
| id->destroy(id); |
| break; |
| default: |
| break; |
| } |
| } |
| enumerator->destroy(enumerator); |
| |
| /* build response with AT_MAC, built over "EAP packet | n*SRES" */ |
| message = simaka_message_create(FALSE, this->identifier, EAP_SIM, |
| SIM_CHALLENGE, this->crypto); |
| if (!generate_payload(message, sreses, out)) |
| { |
| return FAILED; |
| } |
| return NEED_MORE; |
| } |
| |
| /** |
| * Check if a received counter value is acceptable |
| */ |
| static bool counter_too_small(private_eap_sim_peer_t *this, chunk_t chunk) |
| { |
| uint16_t counter; |
| |
| memcpy(&counter, chunk.ptr, sizeof(counter)); |
| counter = htons(counter); |
| return counter < this->counter; |
| } |
| |
| /** |
| * process an EAP-SIM/Request/Re-Authentication message |
| */ |
| static status_t process_reauthentication(private_eap_sim_peer_t *this, |
| simaka_message_t *in, eap_payload_t **out) |
| { |
| simaka_message_t *message; |
| enumerator_t *enumerator; |
| simaka_attribute_t type; |
| chunk_t data, counter = chunk_empty, nonce = chunk_empty, id = chunk_empty; |
| |
| if (!this->reauth) |
| { |
| DBG1(DBG_IKE, "received %N, but not expected", |
| simaka_subtype_names, SIM_REAUTHENTICATION); |
| if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) |
| { |
| return FAILED; |
| } |
| return NEED_MORE; |
| } |
| |
| if (!this->crypto->derive_keys_reauth(this->crypto, |
| chunk_create(this->mk, HASH_SIZE_SHA1))) |
| { |
| return FAILED; |
| } |
| |
| /* verify MAC and parse again with decryption key */ |
| if (!in->verify(in, chunk_empty) || !in->parse(in)) |
| { |
| if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) |
| { |
| return FAILED; |
| } |
| return NEED_MORE; |
| } |
| |
| enumerator = in->create_attribute_enumerator(in); |
| while (enumerator->enumerate(enumerator, &type, &data)) |
| { |
| switch (type) |
| { |
| case AT_COUNTER: |
| counter = data; |
| break; |
| case AT_NONCE_S: |
| nonce = data; |
| break; |
| case AT_NEXT_REAUTH_ID: |
| id = data; |
| break; |
| default: |
| if (!simaka_attribute_skippable(type)) |
| { |
| enumerator->destroy(enumerator); |
| if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) |
| { |
| return FAILED; |
| } |
| return NEED_MORE; |
| } |
| break; |
| } |
| } |
| enumerator->destroy(enumerator); |
| |
| if (!nonce.len || !counter.len) |
| { |
| DBG1(DBG_IKE, "EAP-SIM/Request/Re-Authentication message incomplete"); |
| if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) |
| { |
| return FAILED; |
| } |
| return NEED_MORE; |
| } |
| |
| message = simaka_message_create(FALSE, this->identifier, EAP_SIM, |
| SIM_REAUTHENTICATION, this->crypto); |
| if (counter_too_small(this, counter)) |
| { |
| DBG1(DBG_IKE, "reauthentication counter too small"); |
| message->add_attribute(message, AT_COUNTER_TOO_SMALL, chunk_empty); |
| } |
| else |
| { |
| chunk_clear(&this->msk); |
| if (!this->crypto->derive_keys_reauth_msk(this->crypto, |
| this->reauth, counter, nonce, |
| chunk_create(this->mk, HASH_SIZE_SHA1), &this->msk)) |
| { |
| message->destroy(message); |
| return FAILED; |
| } |
| if (id.len) |
| { |
| identification_t *reauth; |
| |
| reauth = identification_create_from_data(data); |
| this->mgr->card_set_reauth(this->mgr, this->permanent, reauth, |
| this->mk, this->counter); |
| reauth->destroy(reauth); |
| } |
| } |
| message->add_attribute(message, AT_COUNTER, counter); |
| if (!generate_payload(message, nonce, out)) |
| { |
| return FAILED; |
| } |
| return NEED_MORE; |
| } |
| |
| /** |
| * process an EAP-SIM/Request/Notification message |
| */ |
| static status_t process_notification(private_eap_sim_peer_t *this, |
| simaka_message_t *in, eap_payload_t **out) |
| { |
| simaka_message_t *message; |
| enumerator_t *enumerator; |
| simaka_attribute_t type; |
| chunk_t data; |
| bool success = TRUE; |
| |
| enumerator = in->create_attribute_enumerator(in); |
| while (enumerator->enumerate(enumerator, &type, &data)) |
| { |
| if (type == AT_NOTIFICATION) |
| { |
| uint16_t code; |
| |
| memcpy(&code, data.ptr, sizeof(code)); |
| code = ntohs(code); |
| |
| /* test success bit */ |
| if (!(data.ptr[0] & 0x80)) |
| { |
| DBG1(DBG_IKE, "received EAP-SIM notification error '%N'", |
| simaka_notification_names, code); |
| } |
| else |
| { |
| DBG1(DBG_IKE, "received EAP-SIM notification '%N'", |
| simaka_notification_names, code); |
| } |
| } |
| else if (!simaka_attribute_skippable(type)) |
| { |
| success = FALSE; |
| break; |
| } |
| } |
| enumerator->destroy(enumerator); |
| |
| if (success) |
| { /* empty notification reply */ |
| message = simaka_message_create(FALSE, this->identifier, EAP_SIM, |
| SIM_NOTIFICATION, this->crypto); |
| if (!generate_payload(message, chunk_empty, out)) |
| { |
| return FAILED; |
| } |
| } |
| else |
| { |
| if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) |
| { |
| return FAILED; |
| } |
| } |
| return NEED_MORE; |
| } |
| |
| METHOD(eap_method_t, process, status_t, |
| private_eap_sim_peer_t *this, eap_payload_t *in, eap_payload_t **out) |
| { |
| simaka_message_t *message; |
| status_t status; |
| |
| /* store received EAP message identifier */ |
| this->identifier = in->get_identifier(in); |
| |
| message = simaka_message_create_from_payload(in->get_data(in), this->crypto); |
| if (!message) |
| { |
| if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) |
| { |
| return FAILED; |
| } |
| return NEED_MORE; |
| } |
| if (!message->parse(message)) |
| { |
| message->destroy(message); |
| if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) |
| { |
| return FAILED; |
| } |
| return NEED_MORE; |
| } |
| switch (message->get_subtype(message)) |
| { |
| case SIM_START: |
| status = process_start(this, message, out); |
| break; |
| case SIM_CHALLENGE: |
| status = process_challenge(this, message, out); |
| break; |
| case SIM_REAUTHENTICATION: |
| status = process_reauthentication(this, message, out); |
| break; |
| case SIM_NOTIFICATION: |
| status = process_notification(this, message, out); |
| break; |
| default: |
| DBG1(DBG_IKE, "unable to process EAP-SIM subtype %N", |
| simaka_subtype_names, message->get_subtype(message)); |
| if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) |
| { |
| status = FAILED; |
| } |
| else |
| { |
| status = NEED_MORE; |
| } |
| break; |
| } |
| message->destroy(message); |
| return status; |
| } |
| |
| METHOD(eap_method_t, initiate, status_t, |
| private_eap_sim_peer_t *this, eap_payload_t **out) |
| { |
| /* peer never initiates */ |
| return FAILED; |
| } |
| |
| METHOD(eap_method_t, get_type, eap_type_t, |
| private_eap_sim_peer_t *this, uint32_t *vendor) |
| { |
| *vendor = 0; |
| return EAP_SIM; |
| } |
| |
| METHOD(eap_method_t, get_msk, status_t, |
| private_eap_sim_peer_t *this, chunk_t *msk) |
| { |
| if (this->msk.ptr) |
| { |
| *msk = this->msk; |
| return SUCCESS; |
| } |
| return FAILED; |
| } |
| |
| METHOD(eap_method_t, get_identifier, uint8_t, |
| private_eap_sim_peer_t *this) |
| { |
| return this->identifier; |
| } |
| |
| METHOD(eap_method_t, set_identifier, void, |
| private_eap_sim_peer_t *this, uint8_t identifier) |
| { |
| this->identifier = identifier; |
| } |
| |
| METHOD(eap_method_t, is_mutual, bool, |
| private_eap_sim_peer_t *this) |
| { |
| return TRUE; |
| } |
| |
| METHOD(eap_method_t, destroy, void, |
| private_eap_sim_peer_t *this) |
| { |
| this->permanent->destroy(this->permanent); |
| DESTROY_IF(this->pseudonym); |
| DESTROY_IF(this->reauth); |
| this->crypto->destroy(this->crypto); |
| free(this->version_list.ptr); |
| free(this->nonce.ptr); |
| free(this->msk.ptr); |
| free(this); |
| } |
| |
| /* |
| * Described in header. |
| */ |
| eap_sim_peer_t *eap_sim_peer_create(identification_t *server, |
| identification_t *peer) |
| { |
| private_eap_sim_peer_t *this; |
| |
| INIT(this, |
| .public = { |
| .interface = { |
| .initiate = _initiate, |
| .process = _process, |
| .get_type = _get_type, |
| .is_mutual = _is_mutual, |
| .get_msk = _get_msk, |
| .get_identifier = _get_identifier, |
| .set_identifier = _set_identifier, |
| .destroy = _destroy, |
| }, |
| }, |
| .crypto = simaka_crypto_create(EAP_SIM), |
| .mgr = lib->get(lib, "sim-manager"), |
| ); |
| |
| if (!this->crypto) |
| { |
| free(this); |
| return NULL; |
| } |
| |
| this->permanent = peer->clone(peer); |
| this->tries = MAX_TRIES; |
| |
| return &this->public; |
| } |