Migrated EAP-SIM to libsimaka, separated server/peer implementations
[strongswan.git] / src / charon / plugins / eap_sim / eap_sim_server.c
1 /*
2 * Copyright (C) 2007-2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "eap_sim_server.h"
17
18 #include <daemon.h>
19
20 #include <simaka_message.h>
21
22 /* number of triplets for one authentication */
23 #define TRIPLET_COUNT 3
24
25 /** length of the AT_NONCE_MT/AT_NONCE_S nonce value */
26 #define NONCE_LEN 16
27 /** length of the AT_MAC value */
28 #define MAC_LEN 16
29 /** length of the AT_RAND value */
30 #define RAND_LEN 16
31 /** length of Kc */
32 #define KC_LEN 8
33 /** length of SRES */
34 #define SRES_LEN 4
35 /** length of the k_encr key */
36 #define KENCR_LEN 16
37 /** length of the k_auth key */
38 #define KAUTH_LEN 16
39 /** length of the MSK */
40 #define MSK_LEN 64
41 /** length of the EMSK */
42 #define EMSK_LEN 64
43
44 typedef struct private_eap_sim_server_t private_eap_sim_server_t;
45
46 /**
47 * Private data of an eap_sim_server_t object.
48 */
49 struct private_eap_sim_server_t {
50
51 /**
52 * Public authenticator_t interface.
53 */
54 eap_sim_server_t public;
55
56 /**
57 * permanent ID of peer
58 */
59 identification_t *peer;
60
61 /**
62 * Random number generator for nonce, IVs
63 */
64 rng_t *rng;
65
66 /**
67 * hashing function
68 */
69 hasher_t *hasher;
70
71 /**
72 * prf
73 */
74 prf_t *prf;
75
76 /**
77 * MAC function
78 */
79 signer_t *signer;
80
81 /**
82 * encryption function
83 */
84 crypter_t *crypter;
85
86 /**
87 * unique EAP identifier
88 */
89 u_int8_t identifier;
90
91 /**
92 * concatenated SRES values
93 */
94 chunk_t sreses;
95
96 /**
97 * MSK, used for EAP-SIM based IKEv2 authentication
98 */
99 chunk_t msk;
100 };
101
102 /**
103 * Fetch a triplet from a provider
104 */
105 static bool get_provider_triplet(private_eap_sim_server_t *this,
106 char *rand, char *sres, char *kc)
107 {
108 enumerator_t *enumerator;
109 sim_provider_t *provider;
110 int tried = 0;
111
112 enumerator = charon->sim->create_provider_enumerator(charon->sim);
113 while (enumerator->enumerate(enumerator, &provider))
114 {
115 if (provider->get_triplet(provider, this->peer, rand, sres, kc))
116 {
117 enumerator->destroy(enumerator);
118 return TRUE;
119 }
120 tried++;
121 }
122 enumerator->destroy(enumerator);
123 DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%Y'",
124 tried, this->peer);
125 return FALSE;
126 }
127
128 /**
129 * Derive EAP keys from kc when using full authentication
130 */
131 static void derive_keys_full(private_eap_sim_server_t *this,
132 chunk_t kcs, chunk_t nonce)
133 {
134 char mk[HASH_SIZE_SHA1], k_encr[KENCR_LEN], k_auth[KAUTH_LEN];
135 chunk_t tmp;
136 int i;
137
138 /* MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version) */
139 tmp = chunk_cata("ccccc", this->peer->get_encoding(this->peer),
140 kcs, nonce, version, version);
141 this->hasher->get_hash(this->hasher, tmp, mk);
142 DBG3(DBG_IKE, "MK = SHA1(%B\n) = %b", &tmp, mk, HASH_SIZE_SHA1);
143
144 /* K_encr | K_auth | MSK | EMSK = prf() | prf() | prf() | prf()
145 * We currently don't need EMSK, so three prf() are sufficient */
146 this->prf->set_key(this->prf, chunk_create(mk, HASH_SIZE_SHA1));
147 tmp = chunk_alloca(this->prf->get_block_size(this->prf) * 3);
148 for (i = 0; i < 3; i++)
149 {
150 this->prf->get_bytes(this->prf, chunk_empty, tmp.ptr + tmp.len / 3 * i);
151 }
152 memcpy(k_encr, tmp.ptr, KENCR_LEN);
153 tmp = chunk_skip(tmp, KENCR_LEN);
154 memcpy(k_auth, tmp.ptr, KAUTH_LEN);
155 tmp = chunk_skip(tmp, KAUTH_LEN);
156 free(this->msk.ptr);
157 this->msk = chunk_alloc(MSK_LEN);
158 memcpy(this->msk.ptr, tmp.ptr, MSK_LEN);
159 DBG3(DBG_IKE, "K_encr %b\nK_auth %b\nMSK %B",
160 k_encr, KENCR_LEN, k_auth, KAUTH_LEN, &this->msk);
161
162 this->signer->set_key(this->signer, chunk_create(k_auth, KAUTH_LEN));
163 this->crypter->set_key(this->crypter, chunk_create(k_encr, KENCR_LEN));
164 }
165
166 /**
167 * process an EAP-SIM/Response/Start message
168 */
169 static status_t process_start(private_eap_sim_server_t *this,
170 simaka_message_t *in, eap_payload_t **out)
171 {
172 simaka_message_t *message;
173 enumerator_t *enumerator;
174 simaka_attribute_t type;
175 chunk_t data, rands, rand, kcs, kc, sreses, sres, nonce = chunk_empty;
176 bool supported = FALSE;
177 int i;
178
179 enumerator = in->create_attribute_enumerator(in);
180 while (enumerator->enumerate(enumerator, &type, &data))
181 {
182 switch (type)
183 {
184 case AT_NONCE_MT:
185 nonce = data;
186 break;
187 case AT_SELECTED_VERSION:
188 if (chunk_equals(data, version))
189 {
190 supported = TRUE;
191 }
192 break;
193 default:
194 DBG1(DBG_IKE, "ignoring EAP-SIM attribute %N",
195 simaka_attribute_names, type);
196 break;
197 }
198 }
199 enumerator->destroy(enumerator);
200
201 if (!supported || !nonce.len)
202 {
203 DBG1(DBG_IKE, "received incomplete EAP-SIM/Response/Start");
204 return FAILED;
205 }
206
207 /* read triplets from provider */
208 rand = rands = chunk_alloca(RAND_LEN * TRIPLET_COUNT);
209 kc = kcs = chunk_alloca(KC_LEN * TRIPLET_COUNT);
210 sres = sreses = chunk_alloca(SRES_LEN * TRIPLET_COUNT);
211 rands.len = kcs.len = sreses.len = 0;
212 for (i = 0; i < TRIPLET_COUNT; i++)
213 {
214 if (!get_provider_triplet(this, rand.ptr, sres.ptr, kc.ptr))
215 {
216 DBG1(DBG_IKE, "getting EAP-SIM triplet %d failed", i);
217 return FAILED;
218 }
219 rands.len += RAND_LEN;
220 sreses.len += SRES_LEN;
221 kcs.len += KC_LEN;
222 rand = chunk_skip(rand, RAND_LEN);
223 sres = chunk_skip(sres, SRES_LEN);
224 kc = chunk_skip(kc, KC_LEN);
225 }
226 free(this->sreses.ptr);
227 this->sreses = chunk_clone(sreses);
228
229 derive_keys_full(this, kcs, nonce);
230
231 /* build response with AT_MAC, built over "EAP packet | NONCE_MT" */
232 message = simaka_message_create(TRUE, this->identifier++,
233 EAP_SIM, SIM_CHALLENGE);
234 message->add_attribute(message, AT_RAND, rands);
235 *out = message->generate(message, NULL, NULL, this->signer, nonce);
236 message->destroy(message);
237 return NEED_MORE;
238 }
239
240 /**
241 * process an EAP-SIM/Response/Challenge message
242 */
243 static status_t process_challenge(private_eap_sim_server_t *this,
244 simaka_message_t *in, eap_payload_t **out)
245 {
246 enumerator_t *enumerator;
247 simaka_attribute_t type;
248 chunk_t data;
249
250 enumerator = in->create_attribute_enumerator(in);
251 while (enumerator->enumerate(enumerator, &type, &data))
252 {
253 DBG1(DBG_IKE, "ignoring EAP-SIM attribute %N",
254 simaka_attribute_names, type);
255 }
256 enumerator->destroy(enumerator);
257
258 /* verify AT_MAC attribute, signature is over "EAP packet | n*SRES" */
259 if (!in->verify(in, this->signer, this->sreses))
260 {
261 DBG1(DBG_IKE, "AT_MAC verification failed");
262 return FAILED;
263 }
264 return SUCCESS;
265 }
266
267 /**
268 * EAP-SIM/Response/ClientErrorCode message
269 */
270 static status_t process_client_error(private_eap_sim_server_t *this,
271 simaka_message_t *in, eap_payload_t **out)
272 {
273 enumerator_t *enumerator;
274 simaka_attribute_t type;
275 chunk_t data;
276
277 enumerator = in->create_attribute_enumerator(in);
278 while (enumerator->enumerate(enumerator, &type, &data))
279 {
280 if (type == AT_CLIENT_ERROR_CODE)
281 {
282 DBG1(DBG_IKE, "received EAP-SIM client error code %#B", &data);
283 }
284 else
285 {
286 DBG1(DBG_IKE, "ignoring EAP-SIM attribute %N",
287 simaka_attribute_names, type);
288 }
289 }
290 enumerator->destroy(enumerator);
291 return FAILED;
292 }
293
294 /**
295 * Implementation of eap_method_t.process
296 */
297 static status_t process(private_eap_sim_server_t *this,
298 eap_payload_t *in, eap_payload_t **out)
299 {
300 simaka_message_t *message;
301 status_t status;
302
303 message = simaka_message_create_from_payload(in);
304 if (!message)
305 {
306 return FAILED;
307 }
308 if (!message->parse(message, this->crypter))
309 {
310 message->destroy(message);
311 return FAILED;
312 }
313 switch (message->get_subtype(message))
314 {
315 case SIM_START:
316 status = process_start(this, message, out);
317 break;
318 case SIM_CHALLENGE:
319 status = process_challenge(this, message, out);
320 break;
321 case SIM_CLIENT_ERROR:
322 status = process_client_error(this, message, out);
323 break;
324 default:
325 DBG1(DBG_IKE, "unable to process EAP-SIM subtype %N",
326 simaka_subtype_names, message->get_subtype(message));
327 status = FAILED;
328 break;
329 }
330 message->destroy(message);
331 return status;
332 }
333
334 /**
335 * Implementation of eap_method_t.initiate
336 */
337 static status_t initiate(private_eap_sim_server_t *this, eap_payload_t **out)
338 {
339 simaka_message_t *message;
340
341 message = simaka_message_create(TRUE, this->identifier++,
342 EAP_SIM, SIM_START);
343 message->add_attribute(message, AT_VERSION_LIST, version);
344 *out = message->generate(message, NULL, NULL, NULL, chunk_empty);
345 message->destroy(message);
346 return NEED_MORE;
347 }
348
349 /**
350 * Implementation of eap_method_t.get_type.
351 */
352 static eap_type_t get_type(private_eap_sim_server_t *this, u_int32_t *vendor)
353 {
354 *vendor = 0;
355 return EAP_SIM;
356 }
357
358 /**
359 * Implementation of eap_method_t.get_msk.
360 */
361 static status_t get_msk(private_eap_sim_server_t *this, chunk_t *msk)
362 {
363 if (this->msk.ptr)
364 {
365 *msk = this->msk;
366 return SUCCESS;
367 }
368 return FAILED;
369 }
370
371 /**
372 * Implementation of eap_method_t.is_mutual.
373 */
374 static bool is_mutual(private_eap_sim_server_t *this)
375 {
376 return TRUE;
377 }
378
379 /**
380 * Implementation of eap_method_t.destroy.
381 */
382 static void destroy(private_eap_sim_server_t *this)
383 {
384 this->peer->destroy(this->peer);
385 DESTROY_IF(this->rng);
386 DESTROY_IF(this->hasher);
387 DESTROY_IF(this->prf);
388 DESTROY_IF(this->signer);
389 DESTROY_IF(this->crypter);
390 free(this->sreses.ptr);
391 free(this->msk.ptr);
392 free(this);
393 }
394
395 /*
396 * Described in header.
397 */
398 eap_sim_server_t *eap_sim_server_create(identification_t *server,
399 identification_t *peer)
400 {
401 private_eap_sim_server_t *this = malloc_thing(private_eap_sim_server_t);
402
403 this->peer = peer->clone(peer);
404 this->sreses = chunk_empty;
405 this->msk = chunk_empty;
406 /* generate a non-zero identifier */
407 do {
408 this->identifier = random();
409 } while (!this->identifier);
410
411 this->public.interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
412 this->public.interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
413 this->public.interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type;
414 this->public.interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
415 this->public.interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
416 this->public.interface.destroy = (void(*)(eap_method_t*))destroy;
417
418 this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
419 this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
420 this->prf = lib->crypto->create_prf(lib->crypto, PRF_FIPS_SHA1_160);
421 this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128);
422 this->crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16);
423 if (!this->rng || !this->hasher || !this->prf ||
424 !this->signer || !this->crypter)
425 {
426 DBG1(DBG_IKE, "unable to use EAP-SIM, missing algorithms");
427 destroy(this);
428 return NULL;
429 }
430 return &this->public;
431 }
432