diff options
Diffstat (limited to 'src/charon/plugins/eap_sim/eap_sim_peer.c')
| -rw-r--r-- | src/charon/plugins/eap_sim/eap_sim_peer.c | 654 |
1 files changed, 654 insertions, 0 deletions
diff --git a/src/charon/plugins/eap_sim/eap_sim_peer.c b/src/charon/plugins/eap_sim/eap_sim_peer.c new file mode 100644 index 000000000..961cfd30d --- /dev/null +++ b/src/charon/plugins/eap_sim/eap_sim_peer.c @@ -0,0 +1,654 @@ +/* + * Copyright (C) 2007-2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_sim_peer.h" + +#include <daemon.h> + +#include <simaka_message.h> + +/* number of tries we do authenticate */ +#define MAX_TRIES 3 + +/* number of triplets for one authentication */ +#define TRIPLET_COUNT 3 + +/** length of the AT_NONCE_MT nonce value */ +#define NONCE_LEN 16 + +typedef struct private_eap_sim_peer_t private_eap_sim_peer_t; + +/** + * Private data of an eap_sim_peer_t object. + */ +struct private_eap_sim_peer_t { + + /** + * Public authenticator_t interface. + */ + eap_sim_peer_t public; + + /** + * permanent ID of peer + */ + identification_t *permanent; + + /** + * Pseudonym identity the peer uses + */ + identification_t *pseudonym; + + /** + * Reauthentication identity the peer uses + */ + identification_t *reauth; + + /** + * EAP-SIM crypto helper + */ + simaka_crypto_t *crypto; + + /** + * how many times we try to authenticate + */ + int tries; + + /** + * version list received from server + */ + chunk_t version_list; + + /** + * Nonce value used in AT_NONCE_MT/AT_NONCE_S + */ + chunk_t nonce; + + /** + * MSK, used for EAP-SIM based IKEv2 authentication + */ + chunk_t msk; + + /** + * Master key, if reauthentication is used + */ + char mk[HASH_SIZE_SHA1]; + + /** + * Counter value if reauthentication is used + */ + u_int16_t counter; +}; + +/* version of SIM protocol we speak */ +static chunk_t version = chunk_from_chars(0x00,0x01); + +/** + * Create a SIM_CLIENT_ERROR + */ +static eap_payload_t* create_client_error(private_eap_sim_peer_t *this, + u_int8_t identifier, simaka_client_error_t code) +{ + simaka_message_t *message; + eap_payload_t *out; + u_int16_t encoded; + + DBG1(DBG_IKE, "sending client error '%N'", simaka_client_error_names, code); + + message = simaka_message_create(FALSE, identifier, EAP_SIM, + SIM_CLIENT_ERROR, this->crypto); + encoded = htons(code); + message->add_attribute(message, AT_CLIENT_ERROR_CODE, + chunk_create((char*)&encoded, sizeof(encoded))); + out = message->generate(message, chunk_empty); + message->destroy(message); + return out; +} + +/** + * process an EAP-SIM/Request/Start message + */ +static status_t process_start(private_eap_sim_peer_t *this, + simaka_message_t *in, eap_payload_t **out) +{ + simaka_message_t *message; + enumerator_t *enumerator; + simaka_attribute_t type; + chunk_t data, id = chunk_empty; + rng_t *rng; + bool supported = FALSE; + simaka_attribute_t id_req = 0; + + /* reset previously uses reauthentication/pseudonym data */ + this->crypto->clear_keys(this->crypto); + DESTROY_IF(this->pseudonym); + this->pseudonym = NULL; + DESTROY_IF(this->reauth); + this->reauth = NULL; + + enumerator = in->create_attribute_enumerator(in); + while (enumerator->enumerate(enumerator, &type, &data)) + { + switch (type) + { + case AT_VERSION_LIST: + { + free(this->version_list.ptr); + this->version_list = chunk_clone(data); + while (data.len >= version.len) + { + if (memeq(data.ptr, version.ptr, version.len)) + { + supported = TRUE; + break; + } + } + break; + } + case AT_ANY_ID_REQ: + case AT_FULLAUTH_ID_REQ: + case AT_PERMANENT_ID_REQ: + id_req = type; + break; + default: + if (!simaka_attribute_skippable(type)) + { + *out = create_client_error(this, in->get_identifier(in), + SIM_UNABLE_TO_PROCESS); + enumerator->destroy(enumerator); + return NEED_MORE; + } + break; + } + } + enumerator->destroy(enumerator); + + if (!supported) + { + DBG1(DBG_IKE, "server does not support EAP-SIM version number 1"); + *out = create_client_error(this, in->get_identifier(in), + SIM_UNSUPPORTED_VERSION); + return NEED_MORE; + } + + switch (id_req) + { + case AT_ANY_ID_REQ: + this->reauth = charon->sim->card_get_reauth(charon->sim, + this->permanent, this->mk, &this->counter); + if (this->reauth) + { + id = this->reauth->get_encoding(this->reauth); + break; + } + /* FALL */ + case AT_FULLAUTH_ID_REQ: + this->pseudonym = charon->sim->card_get_pseudonym(charon->sim, + this->permanent); + if (this->pseudonym) + { + id = this->pseudonym->get_encoding(this->pseudonym); + break; + } + /* FALL */ + case AT_PERMANENT_ID_REQ: + id = this->permanent->get_encoding(this->permanent); + break; + default: + break; + } + + /* generate AT_NONCE_MT value */ + rng = this->crypto->get_rng(this->crypto); + free(this->nonce.ptr); + rng->allocate_bytes(rng, NONCE_LEN, &this->nonce); + + message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM, + SIM_START, this->crypto); + if (!this->reauth) + { + message->add_attribute(message, AT_SELECTED_VERSION, version); + message->add_attribute(message, AT_NONCE_MT, this->nonce); + } + if (id.len) + { + message->add_attribute(message, AT_IDENTITY, id); + } + *out = message->generate(message, chunk_empty); + message->destroy(message); + + return NEED_MORE; +} + +/** + * process an EAP-SIM/Request/Challenge message + */ +static status_t process_challenge(private_eap_sim_peer_t *this, + simaka_message_t *in, eap_payload_t **out) +{ + simaka_message_t *message; + enumerator_t *enumerator; + simaka_attribute_t type; + chunk_t data, rands = chunk_empty, kcs, kc, sreses, sres, mk; + identification_t *id; + + if (this->tries-- <= 0) + { + /* give up without notification. This hack is required as some buggy + * server implementations won't respect our client-error. */ + return FAILED; + } + + enumerator = in->create_attribute_enumerator(in); + while (enumerator->enumerate(enumerator, &type, &data)) + { + switch (type) + { + case AT_RAND: + rands = data; + break; + default: + if (!simaka_attribute_skippable(type)) + { + *out = create_client_error(this, in->get_identifier(in), + SIM_UNABLE_TO_PROCESS); + enumerator->destroy(enumerator); + return NEED_MORE; + } + break; + } + } + enumerator->destroy(enumerator); + + /* excepting two or three RAND, each 16 bytes. We require two valid + * and different RANDs */ + if ((rands.len != 2 * SIM_RAND_LEN && rands.len != 3 * SIM_RAND_LEN) || + memeq(rands.ptr, rands.ptr + SIM_RAND_LEN, SIM_RAND_LEN)) + { + DBG1(DBG_IKE, "no valid AT_RAND received"); + *out = create_client_error(this, in->get_identifier(in), + SIM_INSUFFICIENT_CHALLENGES); + return NEED_MORE; + } + /* get two or three KCs/SRESes from SIM using RANDs */ + kcs = kc = chunk_alloca(rands.len / 2); + sreses = sres = chunk_alloca(rands.len / 4); + while (rands.len >= SIM_RAND_LEN) + { + if (!charon->sim->card_get_triplet(charon->sim, this->permanent, + rands.ptr, sres.ptr, kc.ptr)) + { + DBG1(DBG_IKE, "unable to get EAP-SIM triplet"); + *out = create_client_error(this, in->get_identifier(in), + SIM_UNABLE_TO_PROCESS); + return NEED_MORE; + } + DBG3(DBG_IKE, "got triplet for RAND %b\n Kc %b\n SRES %b", + rands.ptr, SIM_RAND_LEN, sres.ptr, SIM_SRES_LEN, kc.ptr, SIM_KC_LEN); + kc = chunk_skip(kc, SIM_KC_LEN); + sres = chunk_skip(sres, SIM_SRES_LEN); + rands = chunk_skip(rands, SIM_RAND_LEN); + } + + id = this->permanent; + if (this->pseudonym) + { + id = this->pseudonym; + } + data = chunk_cata("cccc", kcs, this->nonce, this->version_list, version); + free(this->msk.ptr); + this->msk = this->crypto->derive_keys_full(this->crypto, id, data, &mk); + memcpy(this->mk, mk.ptr, mk.len); + free(mk.ptr); + + /* Verify AT_MAC attribute, signature is over "EAP packet | NONCE_MT", and + * parse() again after key derivation, reading encrypted attributes */ + if (!in->verify(in, this->nonce) || !in->parse(in)) + { + *out = create_client_error(this, in->get_identifier(in), + SIM_UNABLE_TO_PROCESS); + return NEED_MORE; + } + + enumerator = in->create_attribute_enumerator(in); + while (enumerator->enumerate(enumerator, &type, &data)) + { + switch (type) + { + case AT_NEXT_REAUTH_ID: + this->counter = 0; + id = identification_create_from_data(data); + charon->sim->card_set_reauth(charon->sim, this->permanent, id, + this->mk, this->counter); + id->destroy(id); + break; + case AT_NEXT_PSEUDONYM: + id = identification_create_from_data(data); + charon->sim->card_set_pseudonym(charon->sim, this->permanent, id); + id->destroy(id); + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + /* build response with AT_MAC, built over "EAP packet | n*SRES" */ + message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM, + SIM_CHALLENGE, this->crypto); + *out = message->generate(message, sreses); + message->destroy(message); + return NEED_MORE; +} + +/** + * Check if a received counter value is acceptable + */ +static bool counter_too_small(private_eap_sim_peer_t *this, chunk_t chunk) +{ + u_int16_t counter; + + memcpy(&counter, chunk.ptr, sizeof(counter)); + counter = htons(counter); + return counter < this->counter; +} + +/** + * process an EAP-SIM/Request/Re-Authentication message + */ +static status_t process_reauthentication(private_eap_sim_peer_t *this, + simaka_message_t *in, eap_payload_t **out) +{ + simaka_message_t *message; + enumerator_t *enumerator; + simaka_attribute_t type; + chunk_t data, counter = chunk_empty, nonce = chunk_empty, id = chunk_empty; + + if (!this->reauth) + { + DBG1(DBG_IKE, "received %N, but not expected", + simaka_subtype_names, SIM_REAUTHENTICATION); + *out = create_client_error(this, in->get_identifier(in), + SIM_UNABLE_TO_PROCESS); + return NEED_MORE; + } + + this->crypto->derive_keys_reauth(this->crypto, + chunk_create(this->mk, HASH_SIZE_SHA1)); + + /* verify MAC and parse again with decryption key */ + if (!in->verify(in, chunk_empty) || !in->parse(in)) + { + *out = create_client_error(this, in->get_identifier(in), + SIM_UNABLE_TO_PROCESS); + return NEED_MORE; + } + + enumerator = in->create_attribute_enumerator(in); + while (enumerator->enumerate(enumerator, &type, &data)) + { + switch (type) + { + case AT_COUNTER: + counter = data; + break; + case AT_NONCE_S: + nonce = data; + break; + case AT_NEXT_REAUTH_ID: + id = data; + break; + default: + if (!simaka_attribute_skippable(type)) + { + *out = create_client_error(this, in->get_identifier(in), + SIM_UNABLE_TO_PROCESS); + enumerator->destroy(enumerator); + return NEED_MORE; + } + break; + } + } + enumerator->destroy(enumerator); + + if (!nonce.len || !counter.len) + { + DBG1(DBG_IKE, "EAP-SIM/Request/Re-Authentication message incomplete"); + *out = create_client_error(this, in->get_identifier(in), + SIM_UNABLE_TO_PROCESS); + return NEED_MORE; + } + + message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM, + SIM_REAUTHENTICATION, this->crypto); + if (counter_too_small(this, counter)) + { + DBG1(DBG_IKE, "reauthentication counter too small"); + message->add_attribute(message, AT_COUNTER_TOO_SMALL, chunk_empty); + } + else + { + free(this->msk.ptr); + this->msk = this->crypto->derive_keys_reauth_msk(this->crypto, + this->reauth, counter, nonce, + chunk_create(this->mk, HASH_SIZE_SHA1)); + if (id.len) + { + identification_t *reauth; + + reauth = identification_create_from_data(data); + charon->sim->card_set_reauth(charon->sim, this->permanent, reauth, + this->mk, this->counter); + reauth->destroy(reauth); + } + } + message->add_attribute(message, AT_COUNTER, counter); + *out = message->generate(message, nonce); + message->destroy(message); + return NEED_MORE; +} + +/** + * process an EAP-SIM/Request/Notification message + */ +static status_t process_notification(private_eap_sim_peer_t *this, + simaka_message_t *in, eap_payload_t **out) +{ + simaka_message_t *message; + enumerator_t *enumerator; + simaka_attribute_t type; + chunk_t data; + bool success = TRUE; + + enumerator = in->create_attribute_enumerator(in); + while (enumerator->enumerate(enumerator, &type, &data)) + { + if (type == AT_NOTIFICATION) + { + u_int16_t code; + + memcpy(&code, data.ptr, sizeof(code)); + code = ntohs(code); + + /* test success bit */ + if (!(data.ptr[0] & 0x80)) + { + success = FALSE; + DBG1(DBG_IKE, "received EAP-SIM notification error '%N'", + simaka_notification_names, code); + } + else + { + DBG1(DBG_IKE, "received EAP-SIM notification '%N'", + simaka_notification_names, code); + } + } + else if (!simaka_attribute_skippable(type)) + { + success = FALSE; + break; + } + } + enumerator->destroy(enumerator); + + if (success) + { /* empty notification reply */ + message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM, + SIM_NOTIFICATION, this->crypto); + *out = message->generate(message, chunk_empty); + message->destroy(message); + } + else + { + *out = create_client_error(this, in->get_identifier(in), + SIM_UNABLE_TO_PROCESS); + } + return NEED_MORE; +} + +/** + * Implementation of eap_method_t.process + */ +static status_t process(private_eap_sim_peer_t *this, + eap_payload_t *in, eap_payload_t **out) +{ + simaka_message_t *message; + status_t status; + + message = simaka_message_create_from_payload(in, this->crypto); + if (!message) + { + *out = create_client_error(this, in->get_identifier(in), + SIM_UNABLE_TO_PROCESS); + return NEED_MORE; + } + if (!message->parse(message)) + { + message->destroy(message); + *out = create_client_error(this, in->get_identifier(in), + SIM_UNABLE_TO_PROCESS); + return NEED_MORE; + } + switch (message->get_subtype(message)) + { + case SIM_START: + status = process_start(this, message, out); + break; + case SIM_CHALLENGE: + status = process_challenge(this, message, out); + break; + case SIM_REAUTHENTICATION: + status = process_reauthentication(this, message, out); + break; + case SIM_NOTIFICATION: + status = process_notification(this, message, out); + break; + default: + DBG1(DBG_IKE, "unable to process EAP-SIM subtype %N", + simaka_subtype_names, message->get_subtype(message)); + *out = create_client_error(this, in->get_identifier(in), + SIM_UNABLE_TO_PROCESS); + status = NEED_MORE; + break; + } + message->destroy(message); + return status; +} + +/** + * Implementation of eap_method_t.initiate + */ +static status_t initiate(private_eap_sim_peer_t *this, eap_payload_t **out) +{ + /* peer never initiates */ + return FAILED; +} + +/** + * Implementation of eap_method_t.get_type. + */ +static eap_type_t get_type(private_eap_sim_peer_t *this, u_int32_t *vendor) +{ + *vendor = 0; + return EAP_SIM; +} + +/** + * Implementation of eap_method_t.get_msk. + */ +static status_t get_msk(private_eap_sim_peer_t *this, chunk_t *msk) +{ + if (this->msk.ptr) + { + *msk = this->msk; + return SUCCESS; + } + return FAILED; +} + +/** + * Implementation of eap_method_t.is_mutual. + */ +static bool is_mutual(private_eap_sim_peer_t *this) +{ + return TRUE; +} + +/** + * Implementation of eap_method_t.destroy. + */ +static void destroy(private_eap_sim_peer_t *this) +{ + this->permanent->destroy(this->permanent); + DESTROY_IF(this->pseudonym); + DESTROY_IF(this->reauth); + this->crypto->destroy(this->crypto); + free(this->version_list.ptr); + free(this->nonce.ptr); + free(this->msk.ptr); + free(this); +} + +/* + * Described in header. + */ +eap_sim_peer_t *eap_sim_peer_create(identification_t *server, + identification_t *peer) +{ + private_eap_sim_peer_t *this = malloc_thing(private_eap_sim_peer_t); + + this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate; + this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process; + this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type; + this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual; + this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk; + this->public.interface.destroy = (void(*)(eap_method_t*))destroy; + + this->crypto = simaka_crypto_create(); + if (!this->crypto) + { + free(this); + return NULL; + } + this->permanent = peer->clone(peer); + this->pseudonym = NULL; + this->reauth = NULL; + this->tries = MAX_TRIES; + this->version_list = chunk_empty; + this->nonce = chunk_empty; + this->msk = chunk_empty; + + return &this->public; +} + |