Annotation of embedaddon/strongswan/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (C) 2008-2009 Martin Willi
! 3: * HSR Hochschule fuer Technik Rapperswil
! 4: *
! 5: * This program is free software; you can redistribute it and/or modify it
! 6: * under the terms of the GNU General Public License as published by the
! 7: * Free Software Foundation; either version 2 of the License, or (at your
! 8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 9: *
! 10: * This program is distributed in the hope that it will be useful, but
! 11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 13: * for more details.
! 14: */
! 15:
! 16: #include "eap_aka_3gpp2_card.h"
! 17:
! 18: #include <daemon.h>
! 19:
! 20: typedef struct private_eap_aka_3gpp2_card_t private_eap_aka_3gpp2_card_t;
! 21:
! 22: /**
! 23: * Private data of an eap_aka_3gpp2_card_t object.
! 24: */
! 25: struct private_eap_aka_3gpp2_card_t {
! 26:
! 27: /**
! 28: * Public eap_aka_3gpp2_card_t interface.
! 29: */
! 30: eap_aka_3gpp2_card_t public;
! 31:
! 32: /**
! 33: * AKA functions
! 34: */
! 35: eap_aka_3gpp2_functions_t *f;
! 36:
! 37: /**
! 38: * do sequence number checking?
! 39: */
! 40: bool seq_check;
! 41:
! 42: /**
! 43: * SQN stored in this pseudo-USIM
! 44: */
! 45: char sqn[AKA_SQN_LEN];
! 46: };
! 47:
! 48: /**
! 49: * Functions from eap_aka_3gpp2_provider.c
! 50: */
! 51: bool eap_aka_3gpp2_get_k(identification_t *id, char k[AKA_K_LEN]);
! 52: void eap_aka_3gpp2_get_sqn(char sqn[AKA_SQN_LEN], int offset);
! 53:
! 54: METHOD(simaka_card_t, get_quintuplet, status_t,
! 55: private_eap_aka_3gpp2_card_t *this, identification_t *id,
! 56: char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN],
! 57: char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len)
! 58: {
! 59: char *amf, *mac;
! 60: char k[AKA_K_LEN], ak[AKA_AK_LEN], sqn[AKA_SQN_LEN], xmac[AKA_MAC_LEN];
! 61:
! 62: if (!eap_aka_3gpp2_get_k(id, k))
! 63: {
! 64: DBG1(DBG_IKE, "no EAP key found for %Y to authenticate with AKA", id);
! 65: return FAILED;
! 66: }
! 67:
! 68: /* AUTN = SQN xor AK | AMF | MAC */
! 69: DBG3(DBG_IKE, "received autn %b", autn, AKA_AUTN_LEN);
! 70: DBG3(DBG_IKE, "using K %b", k, AKA_K_LEN);
! 71: DBG3(DBG_IKE, "using rand %b", rand, AKA_RAND_LEN);
! 72: memcpy(sqn, autn, AKA_SQN_LEN);
! 73: amf = autn + AKA_SQN_LEN;
! 74: mac = autn + AKA_SQN_LEN + AKA_AMF_LEN;
! 75:
! 76: /* XOR anonymity key AK into SQN to decrypt it */
! 77: if (!this->f->f5(this->f, k, rand, ak))
! 78: {
! 79: return FAILED;
! 80: }
! 81: DBG3(DBG_IKE, "using ak %b", ak, AKA_AK_LEN);
! 82: memxor(sqn, ak, AKA_SQN_LEN);
! 83: DBG3(DBG_IKE, "using sqn %b", sqn, AKA_SQN_LEN);
! 84:
! 85: /* calculate expected MAC and compare against received one */
! 86: if (!this->f->f1(this->f, k, rand, sqn, amf, xmac))
! 87: {
! 88: return FAILED;
! 89: }
! 90: if (!memeq_const(mac, xmac, AKA_MAC_LEN))
! 91: {
! 92: DBG1(DBG_IKE, "received MAC does not match XMAC");
! 93: DBG3(DBG_IKE, "MAC %b\nXMAC %b", mac, AKA_MAC_LEN, xmac, AKA_MAC_LEN);
! 94: return FAILED;
! 95: }
! 96:
! 97: if (this->seq_check && memcmp(this->sqn, sqn, AKA_SQN_LEN) >= 0)
! 98: {
! 99: DBG3(DBG_IKE, "received SQN %b\ncurrent SQN %b",
! 100: sqn, AKA_SQN_LEN, this->sqn, AKA_SQN_LEN);
! 101: return INVALID_STATE;
! 102: }
! 103:
! 104: /* update stored SQN to the received one */
! 105: memcpy(this->sqn, sqn, AKA_SQN_LEN);
! 106:
! 107: /* CK/IK, calculate RES */
! 108: if (!this->f->f3(this->f, k, rand, ck) ||
! 109: !this->f->f4(this->f, k, rand, ik) ||
! 110: !this->f->f2(this->f, k, rand, res))
! 111: {
! 112: return FAILED;
! 113: }
! 114: *res_len = AKA_RES_MAX;
! 115:
! 116: return SUCCESS;
! 117: }
! 118:
! 119: METHOD(simaka_card_t, resync, bool,
! 120: private_eap_aka_3gpp2_card_t *this, identification_t *id,
! 121: char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN])
! 122: {
! 123: char amf[AKA_AMF_LEN], k[AKA_K_LEN], aks[AKA_AK_LEN], macs[AKA_MAC_LEN];
! 124:
! 125: if (!eap_aka_3gpp2_get_k(id, k))
! 126: {
! 127: DBG1(DBG_IKE, "no EAP key found for %Y to resync AKA", id);
! 128: return FALSE;
! 129: }
! 130:
! 131: /* AMF is set to zero in resync */
! 132: memset(amf, 0, AKA_AMF_LEN);
! 133: if (!this->f->f5star(this->f, k, rand, aks) ||
! 134: !this->f->f1star(this->f, k, rand, this->sqn, amf, macs))
! 135: {
! 136: return FALSE;
! 137: }
! 138: /* AUTS = SQN xor AKS | MACS */
! 139: memcpy(auts, this->sqn, AKA_SQN_LEN);
! 140: memxor(auts, aks, AKA_AK_LEN);
! 141: memcpy(auts + AKA_AK_LEN, macs, AKA_MAC_LEN);
! 142:
! 143: return TRUE;
! 144: }
! 145:
! 146: METHOD(eap_aka_3gpp2_card_t, destroy, void,
! 147: private_eap_aka_3gpp2_card_t *this)
! 148: {
! 149: free(this);
! 150: }
! 151:
! 152: /**
! 153: * See header
! 154: */
! 155: eap_aka_3gpp2_card_t *eap_aka_3gpp2_card_create(eap_aka_3gpp2_functions_t *f)
! 156: {
! 157: private_eap_aka_3gpp2_card_t *this;
! 158:
! 159: INIT(this,
! 160: .public = {
! 161: .card = {
! 162: .get_triplet = (void*)return_false,
! 163: .get_quintuplet = _get_quintuplet,
! 164: .resync = _resync,
! 165: .get_pseudonym = (void*)return_null,
! 166: .set_pseudonym = (void*)nop,
! 167: .get_reauth = (void*)return_null,
! 168: .set_reauth = (void*)nop,
! 169: },
! 170: .destroy = _destroy,
! 171: },
! 172: .f = f,
! 173: .seq_check = lib->settings->get_bool(lib->settings,
! 174: "%s.plugins.eap-aka-3gpp2.seq_check",
! 175: #ifdef SEQ_CHECK /* handle legacy compile time configuration as default */
! 176: TRUE,
! 177: #else /* !SEQ_CHECK */
! 178: FALSE,
! 179: #endif /* SEQ_CHECK */
! 180: lib->ns),
! 181: );
! 182:
! 183: eap_aka_3gpp2_get_sqn(this->sqn, 0);
! 184:
! 185: return &this->public;
! 186: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>