diff options
| author | Yves-Alexis Perez <corsac@debian.org> | 2013-01-02 14:18:20 +0100 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@debian.org> | 2013-01-02 14:18:20 +0100 |
| commit | c1343b3278cdf99533b7902744d15969f9d6fdc1 (patch) | |
| tree | d5ed3dc5677a59260ec41cd39bb284d3e94c91b3 /src/libcharon/plugins/eap_sim | |
| parent | b34738ed08c2227300d554b139e2495ca5da97d6 (diff) | |
| download | vyos-strongswan-c1343b3278cdf99533b7902744d15969f9d6fdc1.tar.gz vyos-strongswan-c1343b3278cdf99533b7902744d15969f9d6fdc1.zip | |
Imported Upstream version 5.0.1
Diffstat (limited to 'src/libcharon/plugins/eap_sim')
| -rw-r--r-- | src/libcharon/plugins/eap_sim/Makefile.in | 14 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_sim/eap_sim_peer.c | 161 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_sim/eap_sim_peer.h | 2 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_sim/eap_sim_server.c | 63 | ||||
| -rw-r--r-- | src/libcharon/plugins/eap_sim/eap_sim_server.h | 2 |
5 files changed, 179 insertions, 63 deletions
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in index d06929522..99a5c1cc5 100644 --- a/src/libcharon/plugins/eap_sim/Makefile.in +++ b/src/libcharon/plugins/eap_sim/Makefile.in @@ -49,6 +49,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; @@ -86,7 +87,7 @@ libstrongswan_eap_sim_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @MONOLITHIC_FALSE@am_libstrongswan_eap_sim_la_rpath = -rpath \ @MONOLITHIC_FALSE@ $(plugindir) @MONOLITHIC_TRUE@am_libstrongswan_eap_sim_la_rpath = -DEFAULT_INCLUDES = -I.@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f @@ -112,6 +113,7 @@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BFDLIB = @BFDLIB@ BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ @@ -206,11 +208,14 @@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ clearsilver_LIBS = @clearsilver_LIBS@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ -default_pkcs11 = @default_pkcs11@ +dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ @@ -227,11 +232,12 @@ imcvdir = @imcvdir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ ipsecdir = @ipsecdir@ ipsecgroup = @ipsecgroup@ ipseclibdir = @ipseclibdir@ ipsecuser = @ipsecuser@ -libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ @@ -247,6 +253,7 @@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ p_plugins = @p_plugins@ @@ -256,7 +263,6 @@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ plugindir = @plugindir@ -pluto_plugins = @pluto_plugins@ pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ diff --git a/src/libcharon/plugins/eap_sim/eap_sim_peer.c b/src/libcharon/plugins/eap_sim/eap_sim_peer.c index 1d1ab99e0..ff96e9279 100644 --- a/src/libcharon/plugins/eap_sim/eap_sim_peer.c +++ b/src/libcharon/plugins/eap_sim/eap_sim_peer.c @@ -106,13 +106,30 @@ struct private_eap_sim_peer_t { static chunk_t version = chunk_from_chars(0x00,0x01); /** + * Generate a payload from a message, destroy message + */ +static bool generate_payload(simaka_message_t *message, chunk_t data, + eap_payload_t **out) +{ + chunk_t chunk; + bool ok; + + ok = message->generate(message, data, &chunk); + if (ok) + { + *out = eap_payload_create_data_own(chunk); + } + message->destroy(message); + return ok; +} + +/** * Create a SIM_CLIENT_ERROR */ -static eap_payload_t* create_client_error(private_eap_sim_peer_t *this, - simaka_client_error_t code) +static bool create_client_error(private_eap_sim_peer_t *this, + simaka_client_error_t code, eap_payload_t **out) { simaka_message_t *message; - eap_payload_t *out; u_int16_t encoded; DBG1(DBG_IKE, "sending client error '%N'", simaka_client_error_names, code); @@ -122,9 +139,7 @@ static eap_payload_t* create_client_error(private_eap_sim_peer_t *this, encoded = htons(code); message->add_attribute(message, AT_CLIENT_ERROR_CODE, chunk_create((char*)&encoded, sizeof(encoded))); - out = eap_payload_create_data_own(message->generate(message, chunk_empty)); - message->destroy(message); - return out; + return generate_payload(message, chunk_empty, out); } /** @@ -175,8 +190,11 @@ static status_t process_start(private_eap_sim_peer_t *this, default: if (!simaka_attribute_skippable(type)) { - *out = create_client_error(this, SIM_UNABLE_TO_PROCESS); enumerator->destroy(enumerator); + if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) + { + return FAILED; + } return NEED_MORE; } break; @@ -187,7 +205,10 @@ static status_t process_start(private_eap_sim_peer_t *this, if (!supported) { DBG1(DBG_IKE, "server does not support EAP-SIM version number 1"); - *out = create_client_error(this, SIM_UNSUPPORTED_VERSION); + if (!create_client_error(this, SIM_UNSUPPORTED_VERSION, out)) + { + return FAILED; + } return NEED_MORE; } @@ -221,7 +242,10 @@ static status_t process_start(private_eap_sim_peer_t *this, /* generate AT_NONCE_MT value */ rng = this->crypto->get_rng(this->crypto); free(this->nonce.ptr); - rng->allocate_bytes(rng, NONCE_LEN, &this->nonce); + if (!rng->allocate_bytes(rng, NONCE_LEN, &this->nonce)) + { + return FAILED; + } message = simaka_message_create(FALSE, this->identifier, EAP_SIM, SIM_START, this->crypto); @@ -234,9 +258,10 @@ static status_t process_start(private_eap_sim_peer_t *this, { message->add_attribute(message, AT_IDENTITY, id); } - *out = eap_payload_create_data_own(message->generate(message, chunk_empty)); - message->destroy(message); - + if (!generate_payload(message, chunk_empty, out)) + { + return FAILED; + } return NEED_MORE; } @@ -270,8 +295,11 @@ static status_t process_challenge(private_eap_sim_peer_t *this, default: if (!simaka_attribute_skippable(type)) { - *out = create_client_error(this, SIM_UNABLE_TO_PROCESS); enumerator->destroy(enumerator); + if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) + { + return FAILED; + } return NEED_MORE; } break; @@ -285,7 +313,10 @@ static status_t process_challenge(private_eap_sim_peer_t *this, memeq(rands.ptr, rands.ptr + SIM_RAND_LEN, SIM_RAND_LEN)) { DBG1(DBG_IKE, "no valid AT_RAND received"); - *out = create_client_error(this, SIM_INSUFFICIENT_CHALLENGES); + if (!create_client_error(this, SIM_INSUFFICIENT_CHALLENGES, out)) + { + return FAILED; + } return NEED_MORE; } /* get two or three KCs/SRESes from SIM using RANDs */ @@ -297,7 +328,10 @@ static status_t process_challenge(private_eap_sim_peer_t *this, rands.ptr, sres.ptr, kc.ptr)) { DBG1(DBG_IKE, "unable to get EAP-SIM triplet"); - *out = create_client_error(this, SIM_UNABLE_TO_PROCESS); + if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) + { + return FAILED; + } return NEED_MORE; } DBG3(DBG_IKE, "got triplet for RAND %b\n Kc %b\n SRES %b", @@ -313,16 +347,22 @@ static status_t process_challenge(private_eap_sim_peer_t *this, id = this->pseudonym; } data = chunk_cata("cccc", kcs, this->nonce, this->version_list, version); - free(this->msk.ptr); - this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk); + chunk_clear(&this->msk); + if (!this->crypto->derive_keys_full(this->crypto, id, data, &mk, &this->msk)) + { + return FAILED; + } memcpy(this->mk, mk.ptr, mk.len); - free(mk.ptr); + chunk_clear(&mk); /* Verify AT_MAC attribute, signature is over "EAP packet | NONCE_MT", and * parse() again after key derivation, reading encrypted attributes */ if (!in->verify(in, this->nonce) || !in->parse(in)) { - *out = create_client_error(this, SIM_UNABLE_TO_PROCESS); + if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) + { + return FAILED; + } return NEED_MORE; } @@ -352,8 +392,10 @@ static status_t process_challenge(private_eap_sim_peer_t *this, /* build response with AT_MAC, built over "EAP packet | n*SRES" */ message = simaka_message_create(FALSE, this->identifier, EAP_SIM, SIM_CHALLENGE, this->crypto); - *out = eap_payload_create_data_own(message->generate(message, sreses)); - message->destroy(message); + if (!generate_payload(message, sreses, out)) + { + return FAILED; + } return NEED_MORE; } @@ -384,17 +426,26 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this, { DBG1(DBG_IKE, "received %N, but not expected", simaka_subtype_names, SIM_REAUTHENTICATION); - *out = create_client_error(this, SIM_UNABLE_TO_PROCESS); + if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) + { + return FAILED; + } return NEED_MORE; } - this->crypto->derive_keys_reauth(this->crypto, - chunk_create(this->mk, HASH_SIZE_SHA1)); + if (!this->crypto->derive_keys_reauth(this->crypto, + chunk_create(this->mk, HASH_SIZE_SHA1))) + { + return FAILED; + } /* verify MAC and parse again with decryption key */ if (!in->verify(in, chunk_empty) || !in->parse(in)) { - *out = create_client_error(this, SIM_UNABLE_TO_PROCESS); + if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) + { + return FAILED; + } return NEED_MORE; } @@ -415,8 +466,11 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this, default: if (!simaka_attribute_skippable(type)) { - *out = create_client_error(this, SIM_UNABLE_TO_PROCESS); enumerator->destroy(enumerator); + if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) + { + return FAILED; + } return NEED_MORE; } break; @@ -427,7 +481,10 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this, if (!nonce.len || !counter.len) { DBG1(DBG_IKE, "EAP-SIM/Request/Re-Authentication message incomplete"); - *out = create_client_error(this, SIM_UNABLE_TO_PROCESS); + if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) + { + return FAILED; + } return NEED_MORE; } @@ -440,10 +497,14 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this, } else { - free(this->msk.ptr); - this->msk = this->crypto->derive_keys_reauth_msk(this->crypto, - this->reauth, counter, nonce, - chunk_create(this->mk, HASH_SIZE_SHA1)); + chunk_clear(&this->msk); + if (!this->crypto->derive_keys_reauth_msk(this->crypto, + this->reauth, counter, nonce, + chunk_create(this->mk, HASH_SIZE_SHA1), &this->msk)) + { + message->destroy(message); + return FAILED; + } if (id.len) { identification_t *reauth; @@ -455,8 +516,10 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this, } } message->add_attribute(message, AT_COUNTER, counter); - *out = eap_payload_create_data_own(message->generate(message, nonce)); - message->destroy(message); + if (!generate_payload(message, nonce, out)) + { + return FAILED; + } return NEED_MORE; } @@ -506,13 +569,17 @@ static status_t process_notification(private_eap_sim_peer_t *this, { /* empty notification reply */ message = simaka_message_create(FALSE, this->identifier, EAP_SIM, SIM_NOTIFICATION, this->crypto); - *out = eap_payload_create_data_own(message->generate(message, - chunk_empty)); - message->destroy(message); + if (!generate_payload(message, chunk_empty, out)) + { + return FAILED; + } } else { - *out = create_client_error(this, SIM_UNABLE_TO_PROCESS); + if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) + { + return FAILED; + } } return NEED_MORE; } @@ -529,13 +596,19 @@ METHOD(eap_method_t, process, status_t, message = simaka_message_create_from_payload(in->get_data(in), this->crypto); if (!message) { - *out = create_client_error(this, SIM_UNABLE_TO_PROCESS); + if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) + { + return FAILED; + } return NEED_MORE; } if (!message->parse(message)) { message->destroy(message); - *out = create_client_error(this, SIM_UNABLE_TO_PROCESS); + if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) + { + return FAILED; + } return NEED_MORE; } switch (message->get_subtype(message)) @@ -555,8 +628,14 @@ METHOD(eap_method_t, process, status_t, default: DBG1(DBG_IKE, "unable to process EAP-SIM subtype %N", simaka_subtype_names, message->get_subtype(message)); - *out = create_client_error(this, SIM_UNABLE_TO_PROCESS); - status = NEED_MORE; + if (!create_client_error(this, SIM_UNABLE_TO_PROCESS, out)) + { + status = FAILED; + } + else + { + status = NEED_MORE; + } break; } message->destroy(message); diff --git a/src/libcharon/plugins/eap_sim/eap_sim_peer.h b/src/libcharon/plugins/eap_sim/eap_sim_peer.h index ba72ce484..38315b75a 100644 --- a/src/libcharon/plugins/eap_sim/eap_sim_peer.h +++ b/src/libcharon/plugins/eap_sim/eap_sim_peer.h @@ -21,7 +21,7 @@ #ifndef EAP_SIM_PEER_H_ #define EAP_SIM_PEER_H_ -#include <sa/authenticators/eap/eap_method.h> +#include <sa/eap/eap_method.h> typedef struct eap_sim_peer_t eap_sim_peer_t; diff --git a/src/libcharon/plugins/eap_sim/eap_sim_server.c b/src/libcharon/plugins/eap_sim/eap_sim_server.c index e0f7e92ad..334e2df1d 100644 --- a/src/libcharon/plugins/eap_sim/eap_sim_server.c +++ b/src/libcharon/plugins/eap_sim/eap_sim_server.c @@ -113,6 +113,24 @@ struct private_eap_sim_server_t { /* version of SIM protocol we speak */ static chunk_t version = chunk_from_chars(0x00,0x01); +/** + * Generate a payload from a message, destroy message + */ +static bool generate_payload(simaka_message_t *message, chunk_t data, + eap_payload_t **out) +{ + chunk_t chunk; + bool ok; + + ok = message->generate(message, data, &chunk); + if (ok) + { + *out = eap_payload_create_data_own(chunk); + } + message->destroy(message); + return ok; +} + METHOD(eap_method_t, initiate, status_t, private_eap_sim_server_t *this, eap_payload_t **out) { @@ -133,9 +151,10 @@ METHOD(eap_method_t, initiate, status_t, { message->add_attribute(message, AT_PERMANENT_ID_REQ, chunk_empty); } - *out = eap_payload_create_data_own(message->generate(message, chunk_empty)); - message->destroy(message); - + if (!generate_payload(message, chunk_empty, out)) + { + return FAILED; + } this->pending = SIM_START; return NEED_MORE; } @@ -155,15 +174,21 @@ static status_t reauthenticate(private_eap_sim_server_t *this, DBG1(DBG_IKE, "initiating EAP-SIM reauthentication"); rng = this->crypto->get_rng(this->crypto); - rng->allocate_bytes(rng, NONCE_LEN, &this->nonce); + if (!rng->allocate_bytes(rng, NONCE_LEN, &this->nonce)) + { + return FAILED; + } mkc = chunk_create(mk, HASH_SIZE_SHA1); counter = htons(counter); this->counter = chunk_clone(chunk_create((char*)&counter, sizeof(counter))); - this->crypto->derive_keys_reauth(this->crypto, mkc); - this->msk = this->crypto->derive_keys_reauth_msk(this->crypto, - this->reauth, this->counter, this->nonce, mkc); + if (!this->crypto->derive_keys_reauth(this->crypto, mkc) || + !this->crypto->derive_keys_reauth_msk(this->crypto, + this->reauth, this->counter, this->nonce, mkc, &this->msk)) + { + return FAILED; + } message = simaka_message_create(TRUE, this->identifier++, EAP_SIM, SIM_REAUTHENTICATION, this->crypto); @@ -176,9 +201,10 @@ static status_t reauthenticate(private_eap_sim_server_t *this, next->get_encoding(next)); next->destroy(next); } - *out = eap_payload_create_data_own(message->generate(message, chunk_empty)); - message->destroy(message); - + if (!generate_payload(message, chunk_empty, out)) + { + return FAILED; + } this->pending = SIM_REAUTHENTICATION; return NEED_MORE; } @@ -386,13 +412,17 @@ static status_t process_start(private_eap_sim_server_t *this, { id = this->pseudonym; } - this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk); + if (!this->crypto->derive_keys_full(this->crypto, id, data, &mk, &this->msk)) + { + return FAILED; + } /* build response with AT_MAC, built over "EAP packet | NONCE_MT" */ message = simaka_message_create(TRUE, this->identifier++, EAP_SIM, SIM_CHALLENGE, this->crypto); message->add_attribute(message, AT_RAND, rands); id = this->mgr->provider_gen_reauth(this->mgr, this->permanent, mk.ptr); + free(mk.ptr); if (id) { message->add_attribute(message, AT_NEXT_REAUTH_ID, @@ -406,10 +436,10 @@ static status_t process_start(private_eap_sim_server_t *this, id->get_encoding(id)); id->destroy(id); } - *out = eap_payload_create_data_own(message->generate(message, nonce)); - message->destroy(message); - - free(mk.ptr); + if (!generate_payload(message, nonce, out)) + { + return FAILED; + } this->pending = SIM_CHALLENGE; return NEED_MORE; } @@ -604,7 +634,8 @@ eap_sim_server_t *eap_sim_server_create(identification_t *server, this->permanent = peer->clone(peer); this->use_reauth = this->use_pseudonym = this->use_permanent = lib->settings->get_bool(lib->settings, - "charon.plugins.eap-sim.request_identity", TRUE); + "%s.plugins.eap-sim.request_identity", TRUE, + charon->name); /* generate a non-zero identifier */ do { diff --git a/src/libcharon/plugins/eap_sim/eap_sim_server.h b/src/libcharon/plugins/eap_sim/eap_sim_server.h index c0ed64ff2..84408c43c 100644 --- a/src/libcharon/plugins/eap_sim/eap_sim_server.h +++ b/src/libcharon/plugins/eap_sim/eap_sim_server.h @@ -21,7 +21,7 @@ #ifndef EAP_SIM_SERVER_H_ #define EAP_SIM_SERVER_H_ -#include <sa/authenticators/eap/eap_method.h> +#include <sa/eap/eap_method.h> typedef struct eap_sim_server_t eap_sim_server_t; |