summaryrefslogtreecommitdiff
path: root/src/libcharon/sa/authenticators/eap/sim_manager.h
diff options
context:
space:
mode:
Diffstat (limited to 'src/libcharon/sa/authenticators/eap/sim_manager.h')
-rw-r--r--src/libcharon/sa/authenticators/eap/sim_manager.h229
1 files changed, 3 insertions, 226 deletions
diff --git a/src/libcharon/sa/authenticators/eap/sim_manager.h b/src/libcharon/sa/authenticators/eap/sim_manager.h
index 9aa661ac8..db4a65011 100644
--- a/src/libcharon/sa/authenticators/eap/sim_manager.h
+++ b/src/libcharon/sa/authenticators/eap/sim_manager.h
@@ -27,9 +27,6 @@
#include <sa/authenticators/eap/eap_method.h>
typedef struct sim_manager_t sim_manager_t;
-typedef struct sim_card_t sim_card_t;
-typedef struct sim_provider_t sim_provider_t;
-typedef struct sim_hooks_t sim_hooks_t;
/** implemented in libsimaka, but we need it for the message hook */
typedef struct simaka_message_t simaka_message_t;
@@ -45,229 +42,9 @@ typedef struct simaka_message_t simaka_message_t;
#define AKA_AUTN_LEN 16
#define AKA_AUTS_LEN 14
-/**
- * Interface for a (U)SIM card (used as EAP client).
- *
- * The SIM card completes triplets/quintuplets requested in a challenge
- * received from the server.
- * An implementation supporting only one of SIM/AKA authentication may
- * implement the other methods with return_false()/return NOT_SUPPORTED/NULL.
- */
-struct sim_card_t {
-
- /**
- * Calculate SRES/KC from a RAND for SIM authentication.
- *
- * @param id permanent identity to get a triplet for
- * @param rand RAND input buffer, fixed size 16 bytes
- * @param sres SRES output buffer, fixed size 4 byte
- * @param kc KC output buffer, fixed size 8 bytes
- * @return TRUE if SRES/KC calculated, FALSE on error/wrong identity
- */
- bool (*get_triplet)(sim_card_t *this, identification_t *id,
- char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
- char kc[SIM_KC_LEN]);
-
- /**
- * Calculate CK/IK/RES from RAND/AUTN for AKA authentication.
- *
- * If the received sequence number (in autn) is out of sync, INVALID_STATE
- * is returned.
- * The RES value is the only one with variable length. Pass a buffer
- * of at least AKA_RES_MAX, the actual number of bytes is written to the
- * res_len value. While the standard would allow any bit length between
- * 32 and 128 bits, we support only full bytes for now.
- *
- * @param id permanent identity to request quintuplet for
- * @param rand random value rand
- * @param autn authentication token autn
- * @param ck buffer receiving encryption key ck
- * @param ik buffer receiving integrity key ik
- * @param res buffer receiving authentication result res
- * @param res_len nubmer of bytes written to res buffer
- * @return SUCCESS, FAILED, or INVALID_STATE if out of sync
- */
- status_t (*get_quintuplet)(sim_card_t *this, identification_t *id,
- char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN],
- char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
- char res[AKA_RES_MAX], int *res_len);
-
- /**
- * Calculate AUTS from RAND for AKA resynchronization.
- *
- * @param id permanent identity to request quintuplet for
- * @param rand random value rand
- * @param auts resynchronization parameter auts
- * @return TRUE if parameter generated successfully
- */
- bool (*resync)(sim_card_t *this, identification_t *id,
- char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
-
- /**
- * Set the pseudonym to use for next authentication.
- *
- * @param id permanent identity of the peer
- * @param pseudonym pseudonym identity received from the server
- */
- void (*set_pseudonym)(sim_card_t *this, identification_t *id,
- identification_t *pseudonym);
-
- /**
- * Get the pseudonym previously stored via set_pseudonym().
- *
- * @param id permanent identity of the peer
- * @return associated pseudonym identity, NULL if none stored
- */
- identification_t* (*get_pseudonym)(sim_card_t *this, identification_t *id);
-
- /**
- * Store parameters to use for the next fast reauthentication.
- *
- * @param id permanent identity of the peer
- * @param next next fast reauthentication identity to use
- * @param mk master key MK to store for reauthentication
- * @param counter counter value to store, host order
- */
- void (*set_reauth)(sim_card_t *this, identification_t *id,
- identification_t *next, char mk[HASH_SIZE_SHA1],
- u_int16_t counter);
-
- /**
- * Retrieve parameters for fast reauthentication stored via set_reauth().
- *
- * @param id permanent identity of the peer
- * @param mk buffer receiving master key MK
- * @param counter pointer receiving counter value, in host order
- * @return fast reauthentication identity, NULL if not found
- */
- identification_t* (*get_reauth)(sim_card_t *this, identification_t *id,
- char mk[HASH_SIZE_SHA1], u_int16_t *counter);
-};
-
-/**
- * Interface for a triplet/quintuplet provider (used as EAP server).
- *
- * A SIM provider hands out triplets for SIM authentication and quintuplets
- * for AKA authentication. Multiple SIM provider instances can serve as
- * authentication backend to authenticate clients using SIM/AKA.
- * An implementation supporting only one of SIM/AKA authentication may
- * implement the other methods with return_false().
- */
-struct sim_provider_t {
-
- /**
- * Create a challenge for SIM authentication.
- *
- * @param id permanent identity of peer to gen triplet for
- * @param rand RAND output buffer, fixed size 16 bytes
- * @param sres SRES output buffer, fixed size 4 byte
- * @param kc KC output buffer, fixed size 8 bytes
- * @return TRUE if triplet received, FALSE otherwise
- */
- bool (*get_triplet)(sim_provider_t *this, identification_t *id,
- char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
- char kc[SIM_KC_LEN]);
-
- /**
- * Create a challenge for AKA authentication.
- *
- * The XRES value is the only one with variable length. Pass a buffer
- * of at least AKA_RES_MAX, the actual number of bytes is written to the
- * xres_len value. While the standard would allow any bit length between
- * 32 and 128 bits, we support only full bytes for now.
- *
- * @param id permanent identity of peer to create challenge for
- * @param rand buffer receiving random value rand
- * @param xres buffer receiving expected authentication result xres
- * @param xres_len nubmer of bytes written to xres buffer
- * @param ck buffer receiving encryption key ck
- * @param ik buffer receiving integrity key ik
- * @param autn authentication token autn
- * @return TRUE if quintuplet generated successfully
- */
- bool (*get_quintuplet)(sim_provider_t *this, identification_t *id,
- char rand[AKA_RAND_LEN],
- char xres[AKA_RES_MAX], int *xres_len,
- char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
- char autn[AKA_AUTN_LEN]);
-
- /**
- * Process AKA resynchroniusation request of a peer.
- *
- * @param id permanent identity of peer requesting resynchronisation
- * @param rand random value rand
- * @param auts synchronization parameter auts
- * @return TRUE if resynchronized successfully
- */
- bool (*resync)(sim_provider_t *this, identification_t *id,
- char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
-
- /**
- * Check if peer uses a pseudonym, get permanent identity.
- *
- * @param id pseudonym identity candidate
- * @return permanent identity, NULL if id not a pseudonym
- */
- identification_t* (*is_pseudonym)(sim_provider_t *this,
- identification_t *id);
-
- /**
- * Generate a pseudonym identitiy for a given peer identity.
- *
- * @param id permanent identity to generate a pseudonym for
- * @return generated pseudonym, NULL to not use a pseudonym identity
- */
- identification_t* (*gen_pseudonym)(sim_provider_t *this,
- identification_t *id);
-
- /**
- * Check if peer uses reauthentication, retrieve reauth parameters.
- *
- * @param id reauthentication identity (candidate)
- * @param mk buffer receiving master key MK
- * @param counter pointer receiving current counter value, host order
- * @return permanent identity, NULL if id not a reauth identity
- */
- identification_t* (*is_reauth)(sim_provider_t *this, identification_t *id,
- char mk[HASH_SIZE_SHA1], u_int16_t *counter);
-
- /**
- * Generate a fast reauthentication identity, associated to a master key.
- *
- * @param id permanent peer identity
- * @param mk master key to store along with generated identity
- * @return fast reauthentication identity, NULL to not use reauth
- */
- identification_t* (*gen_reauth)(sim_provider_t *this, identification_t *id,
- char mk[HASH_SIZE_SHA1]);
-};
-
-/**
- * Additional hooks invoked during EAP-SIM/AKA message processing.
- */
-struct sim_hooks_t {
-
- /**
- * SIM/AKA message parsing.
- *
- * As a SIM/AKA optionally contains encrypted attributes, the hook
- * might get invoked twice, once before and once after decryption.
- *
- * @param message SIM/AKA message
- * @param inbound TRUE for incoming messages, FALSE for outgoing
- * @param decrypted TRUE if AT_ENCR_DATA has been decrypted
- */
- void (*message)(sim_hooks_t *this, simaka_message_t *message,
- bool inbound, bool decrypted);
-
- /**
- * SIM/AKA encryption/authentication key hooks.
- *
- * @param k_encr derived SIM/AKA encryption key k_encr
- * @param k_auth derived SIM/AKA authentication key k_auth
- */
- void (*keys)(sim_hooks_t *this, chunk_t k_encr, chunk_t k_auth);
-};
+#include <sa/authenticators/eap/sim_card.h>
+#include <sa/authenticators/eap/sim_provider.h>
+#include <sa/authenticators/eap/sim_hooks.h>
/**
* The SIM manager handles multiple (U)SIM cards/providers and hooks.
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-20 08:32:03 +0000