ported EAP-AKA branch into trunk
authorMartin Willi <martin@strongswan.org>
Thu, 13 Dec 2007 10:54:29 +0000 (10:54 -0000)
committerMartin Willi <martin@strongswan.org>
Thu, 13 Dec 2007 10:54:29 +0000 (10:54 -0000)
14 files changed:
configure.in
src/Makefile.am
src/charon/Makefile.am
src/charon/sa/authenticators/eap/eap_aka.c [new file with mode: 0644]
src/charon/sa/authenticators/eap/eap_aka.h [new file with mode: 0644]
testing/tests/ikev2/rw-eapaka-rsa/description.txt [new file with mode: 0644]
testing/tests/ikev2/rw-eapaka-rsa/evaltest.dat [new file with mode: 0644]
testing/tests/ikev2/rw-eapaka-rsa/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/rw-eapaka-rsa/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev2/rw-eapaka-rsa/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/ikev2/rw-eapaka-rsa/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/ikev2/rw-eapaka-rsa/posttest.dat [new file with mode: 0644]
testing/tests/ikev2/rw-eapaka-rsa/pretest.dat [new file with mode: 0644]
testing/tests/ikev2/rw-eapaka-rsa/test.conf [new file with mode: 0644]

index 308d6c6..4b0b0ed 100644 (file)
@@ -250,7 +250,16 @@ AC_ARG_ENABLE(
         eap_md5=true
     fi]
 )
-AM_CONDITIONAL(BUILD_EAP_MD5, test x$eap_md5 = xtrue)
+AM_CONDITIONAL(USE_EAP_MD5, test x$eap_md5 = xtrue)
+
+AC_ARG_ENABLE(
+    [eap-aka],
+    AS_HELP_STRING([--enable-eap-aka],[build AKA authentication module for EAP (default is NO).]),
+    [if test x$enableval = xyes; then
+        eap_aka=true
+    fi]
+)
+AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue)
 
 AC_ARG_ENABLE(
     [nat-transport],
index da498fe..e01ad84 100644 (file)
@@ -4,14 +4,13 @@ if USE_FILE_CONFIG
   SUBDIRS += libfreeswan starter ipsec _copyright
 endif
 
-if USE_PLUTO
-  SUBDIRS += libcrypto pluto whack
-endif
-
 if USE_LIBSTRONGSWAN
   SUBDIRS += libstrongswan
 endif
 
+if USE_PLUTO
+  SUBDIRS += libcrypto pluto whack
+endif
 if USE_CHARON
   SUBDIRS += charon
 endif
index 2a6bc20..9111191 100644 (file)
@@ -128,10 +128,16 @@ if USE_EAP_SIM
   libcharon_eapsim_la_LDFLAGS = -module
 endif
 
-if BUILD_EAP_MD5
-  eap_LTLIBRARIES += libeapmd5.la
-  libeapmd5_la_SOURCES = sa/authenticators/eap/eap_md5.h sa/authenticators/eap/eap_md5.c
-  libeapmd5_la_LDFLAGS = -module
+if USE_EAP_MD5
+  eap_LTLIBRARIES += libcharon-eapmd5.la
+  libcharon_eapmd5_la_SOURCES = sa/authenticators/eap/eap_md5.h sa/authenticators/eap/eap_md5.c
+  libcharon_eapmd5_la_LDFLAGS = -module
+endif
+
+if USE_EAP_AKA
+  eap_LTLIBRARIES += libcharon-eapaka.la
+  libcharon_eapaka_la_SOURCES = sa/authenticators/eap/eap_aka.h sa/authenticators/eap/eap_aka.c
+  libcharon_eapaka_la_LDFLAGS = -module
 endif
 
 # build backends
diff --git a/src/charon/sa/authenticators/eap/eap_aka.c b/src/charon/sa/authenticators/eap/eap_aka.c
new file mode 100644 (file)
index 0000000..fc2ffcd
--- /dev/null
@@ -0,0 +1,1437 @@
+/**
+ * @file eap_aka.c
+ *
+ * @brief Implementation of eap_aka_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+/* The EAP-AKA method uses it's own simple parser for processing EAP-AKA
+ * payloads, as the IKEv2 parser is not suitable for that job. There are
+ * two simple methods for parsing payloads, read_header() and read_attribute().
+ * Every EAP-AKA payload consists of a header and a list of attributes. Those
+ * functions mentioned read the data and return the type of the found
+ * attribute/EAP-AKA-type. For generating a EAP-AKA message, we have a
+ * build_aka_payload(), which builds the whole message from a variable
+ * argument list containing its attributes.
+ * The processing of messages is split up in various functions:
+ * - peer_process() - General processing multiplexer for the peer
+ *   - peer_process_challenge() - Specific AKA-Challenge processor
+ *   - peer_process_notification() - Processing of AKA-Notification
+ * - server_process() - General processing multiplexer for the server
+ *   - peer_process_challenge() - Processing of a received Challenge response
+ *   - peer_process_synchronize() - Process a sequence number synchronization
+ * - server_initiate() - Initiation method for the server, calls
+ *   - server_initiate_challenge() - Initiation of AKA-Challenge
+ */
+
+#include <string.h>
+#include <unistd.h>
+
+#include "eap_aka.h"
+
+#include <daemon.h>
+#include <library.h>
+#include <utils/randomizer.h>
+#include <crypto/hashers/hasher.h>
+#include <crypto/prfs/fips_prf.h>
+
+/* Use test vectors specified in S.S0055
+#define TEST_VECTORS */
+
+#define RAND_LENGTH            16
+#define RES_LENGTH             16
+#define SQN_LENGTH              6
+#define K_LENGTH               16
+#define MAC_LENGTH              8
+#define CK_LENGTH              16
+#define IK_LENGTH              16
+#define AK_LENGTH               6
+#define AMF_LENGTH              2
+#define FMK_LENGTH              4
+#define AUTN_LENGTH    (SQN_LENGTH + AMF_LENGTH + MAC_LENGTH)
+#define AUTS_LENGTH    (SQN_LENGTH + MAC_LENGTH)
+#define PAYLOAD_LENGTH 64
+#define MK_LENGTH              20
+#define MSK_LENGTH             64
+#define EMSK_LENGTH            64
+#define KAUTH_LENGTH   16
+#define KENCR_LENGTH   16
+#define AT_MAC_LENGTH  16
+
+#define F1                       0x42
+#define F1STAR           0x43
+#define F2                       0x44
+#define F3                       0x45
+#define F4                       0x46
+#define F5                       0x47
+#define F5STAR           0x48
+
+ENUM_BEGIN(aka_subtype_names, AKA_CHALLENGE, AKA_IDENTITY,
+       "AKA_CHALLENGE",
+       "AKA_AUTHENTICATION_REJECT",
+       "AKA_3",
+       "AKA_SYNCHRONIZATION_FAILURE",
+       "AKA_IDENTITY");
+ENUM_NEXT(aka_subtype_names, AKA_NOTIFICATION, AKA_CLIENT_ERROR, AKA_IDENTITY,
+       "AKA_NOTIFICATION",
+       "AKA_REAUTHENTICATION",
+       "AKA_CLIENT_ERROR");
+ENUM_END(aka_subtype_names, AKA_CLIENT_ERROR);
+
+
+ENUM_BEGIN(aka_attribute_names, AT_END, AT_CLIENT_ERROR_CODE,
+       "AT_END",
+       "AT_0",
+       "AT_RAND",
+       "AT_AUTN",
+       "AT_RES",
+       "AT_AUTS",
+       "AT_5",
+       "AT_PADDING",
+       "AT_NONCE_MT",
+       "AT_8",
+       "AT_9",
+       "AT_PERMANENT_ID_REQ",
+       "AT_MAC",
+       "AT_NOTIFICATION",
+       "AT_ANY_ID_REQ",
+       "AT_IDENTITY",
+       "AT_VERSION_LIST",
+       "AT_SELECTED_VERSION",
+       "AT_FULLAUTH_ID_REQ",
+       "AT_18",
+       "AT_COUNTER",
+       "AT_COUNTER_TOO_SMALL",
+       "AT_NONCE_S",
+       "AT_CLIENT_ERROR_CODE");
+ENUM_NEXT(aka_attribute_names, AT_IV, AT_RESULT_IND, AT_CLIENT_ERROR_CODE,
+       "AT_IV",
+       "AT_ENCR_DATA",
+       "AT_131",
+       "AT_NEXT_PSEUDONYM",
+       "AT_NEXT_REAUTH_ID",
+       "AT_CHECKCODE",
+       "AT_RESULT_IND");
+ENUM_END(aka_attribute_names, AT_RESULT_IND);
+
+
+typedef struct private_eap_aka_t private_eap_aka_t;
+
+/**
+ * Private data of an eap_aka_t object.
+ */
+struct private_eap_aka_t {
+       
+       /**
+        * Public authenticator_t interface.
+        */
+       eap_aka_t public;
+       
+       /**
+        * ID of the server
+        */
+       identification_t *server;
+       
+       /**
+        * ID of the peer
+        */
+       identification_t *peer;
+       
+       /**
+        * Key for EAP MAC
+        */
+       chunk_t k_auth;
+       
+       /**
+        * Key for EAP encryption
+        */
+       chunk_t k_encr;
+       
+       /**
+        * MSK
+        */
+       chunk_t msk;
+       
+       /**
+        * Extendend MSK
+        */
+       chunk_t emsk;
+       
+       /**
+        * Expected result from client XRES
+        */
+       chunk_t xres;
+       
+       /**
+        * Shared secret K from ipsec.conf (padded)
+        */
+       chunk_t k;
+       
+       /**
+        * random value RAND generated by server
+        */
+        chunk_t rand;
+};
+
+/** Family key, as proposed in S.S0055 */
+static u_int8_t fmk_buf[] = {0x41, 0x48, 0x41, 0x47};
+static chunk_t fmk = chunk_from_buf(fmk_buf);
+
+/** Authentication management field */
+static u_int8_t amf_buf[] = {0x00, 0x01};
+static chunk_t amf = chunk_from_buf(amf_buf);
+
+/** AT_CLIENT_ERROR_CODE AKA attribute */
+static u_int8_t client_error_code_buf[] = {0, 0};
+static chunk_t client_error_code = chunk_from_buf(client_error_code_buf);
+
+/** previously used sqn by peer, next one must be greater */
+static u_int8_t peer_sqn_buf[6];
+static chunk_t peer_sqn = chunk_from_buf(peer_sqn_buf);
+
+/** set SQN to the current time */
+static void update_sqn(u_int8_t *sqn, time_t offset)
+{
+       timeval_t time;
+       gettimeofday(&time, NULL);
+       /* set sqb_sqn to an integer containing seconds followed by most
+        * significant useconds */
+       time.tv_sec = htonl(time.tv_sec + offset);
+       /* usec's are never larger than 0x000f423f, so we shift the 12 first bits */
+       time.tv_usec <<= 12;
+       time.tv_usec = htonl(time.tv_usec);
+       memcpy(sqn, &time.tv_sec, 4);
+       memcpy(sqn + 4, &time.tv_usec, 2);
+}
+
+/** initialize peers SQN to the current system time at startup */
+static void __attribute__ ((constructor))init_sqn(void)
+{
+       update_sqn(peer_sqn_buf, 0);
+}
+
+/**
+ * Binary represnation of the polynom T^160 + T^5 + T^3 + T^2 + 1
+ */
+static u_int8_t g[] = {
+       0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+       0x00, 0x00, 0x00, 0x00, 0x2d
+};
+
+/**
+ * Predefined random bits from the RAND Corporation book
+ */
+static u_int8_t a[] = {
+       0x9d, 0xe9, 0xc9, 0xc8, 0xef, 0xd5, 0x78, 0x11,
+       0x48, 0x23, 0x14, 0x01, 0x90, 0x1f, 0x2d, 0x49,
+       0x3f, 0x4c, 0x63, 0x65
+};
+
+/**
+ * Predefined random bits from the RAND Corporation book
+ */
+static u_int8_t b[] = {
+       0x75, 0xef, 0xd1, 0x5c, 0x4b, 0x8f, 0x8f, 0x51,
+       0x4e, 0xf3, 0xbc, 0xc3, 0x79, 0x4a, 0x76, 0x5e,
+       0x7e, 0xec, 0x45, 0xe0
+};
+
+/**
+ * Multiplicate two mpz_t with bits interpreted as polynoms.
+ */
+static void mpz_mul_poly(mpz_t r, mpz_t a, mpz_t b)
+{
+       mpz_t bm, rm;
+       int current = 0, shifted = 0, shift;
+       
+       mpz_init_set(bm, b);
+       mpz_init_set_ui(rm, 0);
+       /* scan through a, for each found bit: */
+       while ((current = mpz_scan1(a, current)) != ULONG_MAX)
+       {
+               /* XOR shifted b into r */
+               shift = current - shifted;
+               mpz_mul_2exp(bm, bm, shift);
+               shifted += shift;
+               mpz_xor(rm, rm, bm);
+               current++;
+       }
+       
+       mpz_swap(r, rm);
+       mpz_clear(rm);
+       mpz_clear(bm);
+}
+
+/**
+ * Calculate the sum of a + b interpreted as polynoms.
+ */
+static void mpz_add_poly(mpz_t res, mpz_t a, mpz_t b)
+{
+       /* addition of polynominals is just the XOR */
+       mpz_xor(res, a, b);
+}
+
+/**
+ * Calculate the remainder of a/b interpreted as polynoms.
+ */
+static void mpz_mod_poly(mpz_t r, mpz_t a, mpz_t b)
+{
+       /* Example:
+        * a = 10001010
+        * b = 00000101
+        */
+       int a_bit, b_bit, diff;
+       mpz_t bm, am;
+       
+       mpz_init_set(am, a);
+       mpz_init(bm);
+       
+       a_bit = mpz_sizeinbase(a, 2);
+       b_bit = mpz_sizeinbase(b, 2);
+       
+       /* don't do anything if b > a */
+       if (a_bit >= b_bit)
+       {
+               /* shift b left to align up most signaficant "1" to a:
+                * a = 10001010
+                * b = 10100000
+                */
+               mpz_mul_2exp(bm, b, a_bit - b_bit);
+               do
+               {
+                       /* XOR b into a, this kills the most significant "1":
+                        * a = 00101010
+                        */
+                       mpz_xor(am, am, bm);
+                       /* find the next most significant "1" in a, and align up b:
+                        * a = 00101010
+                        * b = 00101000
+                        */
+                       diff = a_bit - mpz_sizeinbase(am, 2);
+                       mpz_div_2exp(bm, bm, diff);
+                       a_bit -= diff;
+               }
+               while (b_bit <= mpz_sizeinbase(bm, 2));
+               /* While b is not shifted to its original value */
+       }
+       /* after another iteration:
+        * a = 00000010
+        * which is the polynomial modulo
+        */
+       
+       mpz_swap(r, am);
+       mpz_clear(am);
+       mpz_clear(bm);
+}
+
+/**
+ * Step 4 of the various fx() functions:
+ * Polynomial whiten calculations
+ */
+static void step4(u_int8_t x[])
+{
+       mpz_t xm, am, bm, gm;
+       
+       mpz_init(xm);
+       mpz_init(am);
+       mpz_init(bm);
+       mpz_init(gm);
+       
+       mpz_import(xm, HASH_SIZE_SHA1, 1, 1, 1, 0, x);
+       mpz_import(am, sizeof(a), 1, 1, 1, 0, a);
+       mpz_import(bm, sizeof(b), 1, 1, 1, 0, b);
+       mpz_import(gm, sizeof(g), 1, 1, 1, 0, g);
+
+       mpz_mul_poly(xm, am, xm);
+       mpz_add_poly(xm, bm, xm);
+       mpz_mod_poly(xm, xm, gm);
+       
+       mpz_export(x, NULL, 1, HASH_SIZE_SHA1, 1, 0, xm);
+       
+       mpz_clear(xm);
+       mpz_clear(am);
+       mpz_clear(bm);
+       mpz_clear(gm);
+}
+
+/**
+ * Step 3 of the various fx() functions:
+ * XOR the key into the SHA1 IV
+ */
+static void step3(chunk_t k, chunk_t payload, u_int8_t h[])
+{
+       u_int8_t iv[] = {
+               0x67,0x45,0x23,0x01,0xEF,0xCD,0xAB,0x89,0x98,0xBA,
+               0xDC,0xFE,0x10,0x32,0x54,0x76,0xC3,0xD2,0xE1,0xF0,
+       };
+       
+       /* XOR key into IV */
+       memxor(iv, k.ptr, k.len);
+       
+       /* hash it with the G() function defined in FIPS 186-2 from fips_prf.h */
+       g_sha1(iv, payload, h);
+}
+
+/**
+ * Calculation function for f2(), f3(), f4()
+ */
+static void fx(u_int8_t f, chunk_t k, chunk_t rand, u_int8_t out[])
+{
+       chunk_t payload = chunk_alloca(PAYLOAD_LENGTH);
+       u_int8_t h[HASH_SIZE_SHA1];
+       u_int8_t i;
+       
+       for (i = 0; i < 2; i++)
+       {
+               memset(payload.ptr, 0x5c, payload.len);
+               payload.ptr[11] ^= f;
+               memxor(payload.ptr + 12, fmk.ptr, fmk.len);
+               memxor(payload.ptr + 24, rand.ptr, rand.len);
+               
+               payload.ptr[3]  ^= i;
+               payload.ptr[19] ^= i;
+               payload.ptr[35] ^= i;
+               payload.ptr[51] ^= i;
+               
+               step3(k, payload, h);
+               step4(h);
+               memcpy(out + i * 8, h, 8);
+       }
+}
+
+/**
+ * Calculation function of f1() and f1star()
+ */
+static void f1x(u_int8_t f, chunk_t k, chunk_t rand, chunk_t sqn,
+                               chunk_t amf, u_int8_t mac[])
+{
+       /* generate MAC = f1(FMK, SQN, RAND, AMF)
+        * K is loaded into hashers IV; FMK, RAND, SQN, AMF are XORed in a 512-bit
+        * payload which gets hashed
+        */
+       chunk_t payload = chunk_alloca(PAYLOAD_LENGTH);
+       u_int8_t h[HASH_SIZE_SHA1];
+       
+       memset(payload.ptr, 0x5c, PAYLOAD_LENGTH);
+       payload.ptr[11] ^= f;
+       memxor(payload.ptr + 12, fmk.ptr, fmk.len);
+       memxor(payload.ptr + 16, rand.ptr, rand.len);
+       memxor(payload.ptr + 34, sqn.ptr, sqn.len);
+       memxor(payload.ptr + 42, amf.ptr, amf.len);
+       
+       step3(k, payload, h);
+       step4(h);
+       memcpy(mac, h, MAC_LENGTH);
+}
+
+/**
+ * Calculation function of f5() and f5star()
+ */
+static void f5x(u_int8_t f, chunk_t k, chunk_t rand, u_int8_t ak[])
+{
+       chunk_t payload = chunk_alloca(PAYLOAD_LENGTH);
+       u_int8_t h[HASH_SIZE_SHA1];
+       
+       memset(payload.ptr, 0x5c, payload.len);
+       payload.ptr[11] ^= f;
+       memxor(payload.ptr + 12, fmk.ptr, fmk.len);
+       memxor(payload.ptr + 16, rand.ptr, rand.len);
+       
+       step3(k, payload, h);
+       step4(h);
+       memcpy(ak, h, AK_LENGTH);
+}
+
+/**
+ * Calculate the MAC from a RAND, SQN, AMF value using K
+ */
+static void f1(chunk_t k, chunk_t rand, chunk_t sqn, chunk_t amf, u_int8_t mac[])
+{
+       f1x(F1, k, rand, sqn, amf, mac);
+       DBG3(DBG_IKE, "MAC %b", mac, MAC_LENGTH);
+}
+
+/**
+ * Calculate the MACS from a RAND, SQN, AMF value using K
+ */
+static void f1star(chunk_t k, chunk_t rand, chunk_t sqn, chunk_t amf, u_int8_t macs[])
+{
+       f1x(F1STAR, k, rand, sqn, amf, macs);
+       DBG3(DBG_IKE, "MACS %b", macs, MAC_LENGTH);
+}
+
+/**
+ * Calculate RES from RAND using K
+ */
+static void f2(chunk_t k, chunk_t rand, u_int8_t res[])
+{
+       fx(F2, k, rand, res);
+       DBG3(DBG_IKE, "RES %b", res, RES_LENGTH);
+}
+
+/**
+ * Calculate CK from RAND using K
+ */
+static void f3(chunk_t k, chunk_t rand, u_int8_t ck[])
+{
+       fx(F3, k, rand, ck);
+       DBG3(DBG_IKE, "CK %b", ck, CK_LENGTH);
+}
+
+/**
+ * Calculate IK from RAND using K
+ */
+static void f4(chunk_t k, chunk_t rand, u_int8_t ik[])
+{
+       fx(F4, k, rand, ik);
+       DBG3(DBG_IKE, "IK %b", ik, IK_LENGTH);
+}
+
+/**
+ * Calculate AK from a RAND using K
+ */
+static void f5(chunk_t k, chunk_t rand, u_int8_t ak[])
+{
+       f5x(F5, k, rand, ak);
+       DBG3(DBG_IKE, "AK %b", ak, AK_LENGTH);
+}
+
+/**
+ * Calculate AKS from a RAND using K
+ */
+static void f5star(chunk_t k, chunk_t rand, u_int8_t aks[])
+{
+       f5x(F5STAR, k, rand, aks);
+       DBG3(DBG_IKE, "AKS %b", aks, AK_LENGTH);
+}
+
+/**
+ * derive the keys needed for EAP_AKA
+ */
+static void derive_keys(private_eap_aka_t *this, identification_t *id)
+{
+       hasher_t *hasher;
+       prf_t *prf;
+       chunk_t ck, ik, mk, identity, tmp;
+       
+       ck = chunk_alloca(CK_LENGTH);
+       ik = chunk_alloca(IK_LENGTH);
+       mk = chunk_alloca(MK_LENGTH);
+       identity = id->get_encoding(id);
+       
+       /* MK = SHA1( Identity | IK | CK ) */
+       f3(this->k, this->rand, ck.ptr);
+       f4(this->k, this->rand, ik.ptr);
+       DBG3(DBG_IKE, "Identity %B", &identity);
+       tmp = chunk_cata("ccc", identity, ik, ck);
+       DBG3(DBG_IKE, "Identity|IK|CK %B", &tmp);
+       hasher = hasher_create(HASH_SHA1);
+       hasher->get_hash(hasher, tmp, mk.ptr);
+       hasher->destroy(hasher);
+       
+       /* K_encr | K_auth | MSK | EMSK = prf(0) | prf(0)
+        * FIPS PRF has 320 bit block size, we need 160 byte for keys
+        *  => run prf four times */
+       prf = prf_create(PRF_FIPS_SHA1_160);
+       prf->set_key(prf, mk);
+       tmp = chunk_alloca(prf->get_block_size(prf) * 4);
+       prf->get_bytes(prf, chunk_empty, tmp.ptr);
+       prf->get_bytes(prf, chunk_empty, tmp.ptr + tmp.len / 4 * 1);
+       prf->get_bytes(prf, chunk_empty, tmp.ptr + tmp.len / 4 * 2);
+       prf->get_bytes(prf, chunk_empty, tmp.ptr + tmp.len / 4 * 3);
+       prf->destroy(prf);
+       chunk_free(&this->k_encr);
+       chunk_free(&this->k_auth);
+       chunk_free(&this->msk);
+       chunk_free(&this->emsk);
+       chunk_split(tmp, "aaaa", 16, &this->k_encr, 16, &this->k_auth,
+                               64, &this->msk, 64, &this->emsk);
+       DBG3(DBG_IKE, "MK %B", &mk);
+       DBG3(DBG_IKE, "PRF res %B", &tmp);
+       DBG3(DBG_IKE, "K_encr %B", &this->k_encr);
+       DBG3(DBG_IKE, "K_auth %B", &this->k_auth);
+       DBG3(DBG_IKE, "MSK %B", &this->msk);
+       DBG3(DBG_IKE, "EMSK %B", &this->emsk);
+}
+
+/*
+ * Get a shared key from ipsec.secrets.
+ * We use the standard keys as used in preshared key authentication. As
+ * these keys have an undefined length, we:
+ * - strip them if they are longer
+ * - fill them up with '\0' if they are shorter
+ */
+static status_t load_key(identification_t *me, identification_t *other, chunk_t *k)
+{
+       chunk_t shared_key;
+
+       if (charon->credentials->get_shared_key(charon->credentials, me,
+                                                                                       other, &shared_key) != SUCCESS)
+       {
+               return NOT_FOUND;
+       }
+       chunk_free(k);
+       *k = chunk_alloc(K_LENGTH);
+       memset(k->ptr, '\0', k->len);
+       memcpy(k->ptr, shared_key.ptr, min(shared_key.len, k->len));
+       chunk_free(&shared_key);
+       return SUCCESS;
+}
+
+/**
+ * skip EAP_AKA header in message and returns its AKA subtype
+ */
+static aka_subtype_t read_header(chunk_t *message)
+{
+       aka_subtype_t type;
+
+       if (message->len < 8)
+       {
+               *message = chunk_empty;
+               return 0;
+       }
+       type = *(message->ptr + 5);
+       *message = chunk_skip(*message, 8);
+       return type;
+}
+
+/**
+ * read the next attribute from the chunk data
+ */
+static aka_attribute_t read_attribute(chunk_t *data, chunk_t *attr_data)
+{
+       aka_attribute_t attribute;
+       size_t length;
+       
+       DBG3(DBG_IKE, "reading attribute from %B", data);
+       
+       if (data->len < 2)
+       {
+               return AT_END;
+       }
+       /* read attribute and length */
+       attribute = *data->ptr++;
+       length = *data->ptr++ * 4 - 2;
+       data->len -= 2;
+       DBG3(DBG_IKE, "found attribute %N with length %d",
+                aka_attribute_names, attribute, length);
+       if (length > data->len)
+       {
+               return AT_END;
+       }
+       /* apply attribute value to attr_data */
+       attr_data->len = length;
+       attr_data->ptr = data->ptr;
+       /* update data to point to next attribute */
+       *data = chunk_skip(*data, length);
+       return attribute;
+}
+
+/**
+ * Build an AKA payload from different attributes.
+ * The variable argument takes an aka_attribute_t
+ * followed by its data in a chunk.
+ */
+static eap_payload_t *build_aka_payload(private_eap_aka_t *this, eap_code_t code,
+                                                                               u_int8_t identifier, aka_subtype_t type, ...)
+{
+       chunk_t message = chunk_alloca(512); /* is enought for all current messages */
+       chunk_t pos = message;
+       eap_payload_t *payload;
+       va_list args;
+       aka_attribute_t attr;
+       u_int8_t *mac_pos = NULL;
+       
+       /* write EAP header, skip length bytes */
+       *pos.ptr++ = code;
+       *pos.ptr++ = identifier;
+       pos.ptr += 2;
+       pos.len -= 4;
+       /* write AKA header with type and subtype, null reserved bytes */
+       *pos.ptr++ = EAP_AKA;
+       *pos.ptr++ = type;
+       *pos.ptr++ = 0;
+       *pos.ptr++ = 0;
+       pos.len -= 4;
+       
+       va_start(args, type);
+       while ((attr = va_arg(args, aka_attribute_t)) != AT_END)
+       {
+               chunk_t data = va_arg(args, chunk_t);
+               
+               DBG3(DBG_IKE, "building %N %B", aka_attribute_names, attr, &data);
+               
+               /* write attribute header */
+               *pos.ptr++ = attr;
+               pos.len--;
+               
+               switch (attr)
+               {
+                       case AT_RES:
+                       {
+                               /* attribute length in 4byte words */
+                               *pos.ptr = data.len/4 + 1;
+                               pos = chunk_skip(pos, 1);
+                               /* RES length in bits */
+                               *(u_int16_t*)pos.ptr = htons(data.len * 8);
+                               pos = chunk_skip(pos, sizeof(u_int16_t));
+                               memcpy(pos.ptr, data.ptr, data.len);
+                               pos = chunk_skip(pos, data.len);
+                               break;
+                       }
+                       case AT_AUTN:
+                       case AT_RAND:
+                       {
+                               *pos.ptr++ = data.len/4 + 1; pos.len--;
+                               *pos.ptr++ = 0; pos.len--;
+                               *pos.ptr++ = 0; pos.len--;
+                               memcpy(pos.ptr, data.ptr, data.len);
+                               pos = chunk_skip(pos, data.len);
+                               break;
+                       }
+                       case AT_MAC:
+                       {
+                               *pos.ptr++ = 5; pos.len--;
+                               *pos.ptr++ = 0; pos.len--;
+                               *pos.ptr++ = 0; pos.len--;
+                               mac_pos = pos.ptr;
+                               /* MAC is calculated over message including zeroed AT_MAC attribute */
+                               memset(mac_pos, 0, AT_MAC_LENGTH);
+                               pos.ptr += AT_MAC_LENGTH;
+                               pos.len -= AT_MAC_LENGTH;
+                               break;
+                       }
+                       default:
+                       {
+                               /* length is data length in 4-bytes + 1 for header */
+                               *pos.ptr = data.len/4 + 1;
+                               pos = chunk_skip(pos, 1);
+                               memcpy(pos.ptr, data.ptr, data.len);
+                               pos = chunk_skip(pos, data.len);
+                       }
+               }
+       }
+       va_end(args);
+       
+       /* calculate message length, write into header */
+       message.len = pos.ptr - message.ptr;
+       *(u_int16_t*)(message.ptr + 2) = htons(message.len);
+       
+       /* create MAC if AT_MAC attribte was included */
+       if (mac_pos)
+       {
+               signer_t *signer = signer_create(AUTH_HMAC_SHA1_128);
+               signer->set_key(signer, this->k_auth);
+               DBG3(DBG_IKE, "AT_MAC signature of %B", &message);
+               DBG3(DBG_IKE, "using key %B", &this->k_auth);
+               signer->get_signature(signer, message, mac_pos);
+               DBG3(DBG_IKE, "is %b", mac_pos, AT_MAC_LENGTH);
+               signer->destroy(signer);
+       }
+       
+       /* payload constructor takes data with some bytes skipped */
+       payload = eap_payload_create_data(message);
+       
+       DBG3(DBG_IKE, "created EAP message %B", &message);
+       return payload;
+}
+
+/**
+ * Initiate a AKA-Challenge using SQN
+ */
+static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn, eap_payload_t **out)
+{
+       randomizer_t *randomizer;
+       status_t status;
+       chunk_t mac, ak, autn;
+       
+       mac = chunk_alloca(MAC_LENGTH);
+       ak = chunk_alloca(AK_LENGTH);
+       chunk_free(&this->rand);
+       chunk_free(&this->xres);
+       
+       /* generate RAND:
+        * we use our standard randomizer, not f0() proposed in S.S0055
+        */
+       randomizer = randomizer_create();
+       status = randomizer->allocate_pseudo_random_bytes(randomizer, RAND_LENGTH, &this->rand);
+       randomizer->destroy(randomizer);
+       if (status != SUCCESS)
+       {
+               DBG1(DBG_IKE, "generating RAND for EAP-AKA authentication failed");
+               return FAILED;
+       }
+       
+#      ifdef TEST_VECTORS
+       /* Test vector for RAND */
+       u_int8_t test_rand[] = {
+               0x4b,0x05,0x2b,0x20,0xe2,0xa0,0x6c,0x8f,
+               0xf7,0x00,0xda,0x51,0x2b,0x4e,0x11,0x1e,
+       };
+       memcpy(this->rand.ptr, test_rand, this->rand.len); 
+#      endif /* TEST_VECTORS */
+       
+       /* Get the shared key K: */
+       if (load_key(this->server, this->peer, &this->k) != SUCCESS)
+       {
+               DBG1(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate "
+                               "with EAP-AKA", this->server, this->peer);
+               return FAILED;
+       }
+       
+#      ifdef TEST_VECTORS
+       /* Test vector for K */
+       u_int8_t test_k[] = {
+               0xad,0x1b,0x5a,0x15,0x9b,0xe8,0x6b,0x2c,
+               0xa6,0x6c,0x7a,0xe4,0x0b,0xba,0x9b,0x9d,
+       };
+       memcpy(this->k.ptr, test_k, this->k.len);
+#      endif /* TEST_VECTORS */
+       
+       /* generate MAC */
+       f1(this->k, this->rand, sqn, amf, mac.ptr);
+       
+       /* generate AK */
+       f5(this->k, this->rand, ak.ptr);
+       
+       /* precalculate XRES as expected from client */
+       this->xres = chunk_alloc(RES_LENGTH);
+       f2(this->k, this->rand, this->xres.ptr);
+       
+       /* calculate AUTN = (SQN xor AK) || AMF || MAC */
+       autn = chunk_cata("ccc", sqn, amf, mac);
+       memxor(autn.ptr, ak.ptr, ak.len);
+       DBG3(DBG_IKE, "AUTN %B", &autn);
+       
+       
+       /* derive K_encr, K_auth, MSK, EMSK  */
+       derive_keys(this, this->peer);
+       
+       /* build payload */
+       *out = build_aka_payload(this, EAP_REQUEST, 0, AKA_CHALLENGE,
+                                                        AT_RAND, this->rand, AT_AUTN, autn, AT_MAC,
+                                                        chunk_empty, AT_END);
+       return NEED_MORE;
+}
+
+/**
+ * Implementation of eap_method_t.initiate for an EAP_AKA server
+ */
+static status_t server_initiate(private_eap_aka_t *this, eap_payload_t **out)
+{
+       chunk_t sqn = chunk_alloca(SQN_LENGTH);
+       
+       /* we use an offset of 3 minutes to tolerate clock inaccuracy
+        * without the need to synchronize sequence numbers */
+       update_sqn(sqn.ptr, 180);
+       
+#      ifdef TEST_VECTORS
+       /* Test vector for SQN */
+       u_int8_t test_sqn[] = {0x00,0x00,0x00,0x00,0x00,0x01};
+       memcpy(sqn.ptr, test_sqn, sqn.len); 
+#      endif /* TEST_VECTORS */
+       
+       return server_initiate_challenge(this, sqn, out);
+}
+
+static status_t server_process_synchronize(private_eap_aka_t *this,
+                                                                                  eap_payload_t *in, eap_payload_t **out)
+{
+       chunk_t attr, auts = chunk_empty, pos, message, macs, xmacs, sqn, aks, amf;
+       u_int i;
+       
+       message = in->get_data(in);
+       pos = message;
+       read_header(&pos);
+       
+       /* iterate over attributes */
+       while (TRUE)
+       {
+               aka_attribute_t attribute = read_attribute(&pos, &attr);
+               switch (attribute)
+               {
+                       case AT_END:
+                               break;
+                       case AT_AUTS:
+                               auts = attr;
+                               continue;
+                       default:
+                               if (attribute >= 0 && attribute <= 127)
+                               {
+                                       DBG1(DBG_IKE, "found non skippable attribute %N",
+                                                aka_attribute_names, attribute);
+                                       return FAILED;
+                               }
+                               DBG1(DBG_IKE, "ignoring skippable attribute %N",
+                                        aka_attribute_names, attribute);
+                               continue;
+               }
+               break;
+       }
+       
+       if (auts.len != AUTS_LENGTH)
+       {
+               DBG1(DBG_IKE, "synchronization request didn't contain useable AUTS");
+               return FAILED;
+       }
+       
+       chunk_split(auts, "mm", SQN_LENGTH, &sqn, MAC_LENGTH, &macs);
+       aks = chunk_alloca(AK_LENGTH);
+       f5star(this->k, this->rand, aks.ptr);
+       /* decrypt serial number by XORing AKS */
+       memxor(sqn.ptr, aks.ptr, aks.len);
+       
+       /* verify MACS */
+       xmacs = chunk_alloca(MAC_LENGTH);
+       amf = chunk_alloca(AMF_LENGTH);
+       /* an AMF of zero is used for MACS calculation */
+       memset(amf.ptr, 0, amf.len);
+       f1star(this->k, this->rand, sqn, amf, xmacs.ptr);
+       if (!chunk_equals(macs, xmacs))
+       {
+               DBG1(DBG_IKE, "received MACS does not match XMACS");
+               DBG3(DBG_IKE, "MACS %B XMACS %B", &macs, &xmacs);
+               return FAILED;
+       }
+       
+       /* retry the challenge with the received SQN + 1*/
+       for (i = SQN_LENGTH - 1; i >= 0; i--)
+       {
+               if (++sqn.ptr[i] != 0)
+               {
+                       break;
+               }
+       }
+       return server_initiate_challenge(this, sqn, out);
+}
+
+/**
+ * process an AKA_Challenge response
+ */
+static status_t server_process_challenge(private_eap_aka_t *this, eap_payload_t *in)
+{
+       chunk_t attr, res = chunk_empty, at_mac = chunk_empty, pos, message;
+       
+       message = in->get_data(in);
+       pos = message;
+       read_header(&pos);
+       
+       /* iterate over attributes */
+       while (TRUE)
+       {
+               aka_attribute_t attribute = read_attribute(&pos, &attr);
+               switch (attribute)
+               {
+                       case AT_END:
+                               break;
+                       case AT_RES:
+                               res = attr;
+                               if (attr.len == 2 + RES_LENGTH &&
+                                       *(u_int16_t*)attr.ptr == htons(RES_LENGTH * 8))
+                               {
+                                       res = chunk_skip(attr, 2);
+                               }
+                               continue;
+
+                       case AT_MAC:
+                               attr = chunk_skip(attr, 2);
+                               at_mac = chunk_clonea(attr);
+                               /* zero MAC in message for MAC verification */
+                               memset(attr.ptr, 0, attr.len);
+                               continue;
+                       default:
+                               if (attribute >= 0 && attribute <= 127)
+                               {
+                                       DBG1(DBG_IKE, "found non skippable attribute %N",
+                                                aka_attribute_names, attribute);
+                                       return FAILED;
+                               }
+                               DBG1(DBG_IKE, "ignoring skippable attribute %N",
+                                        aka_attribute_names, attribute);
+                               continue;
+               }
+               break;
+       }
+       
+       /* verify EAP message MAC AT_MAC */
+       {
+               bool valid;
+               signer_t *signer = signer_create(AUTH_HMAC_SHA1_128);
+               signer->set_key(signer, this->k_auth);
+               DBG3(DBG_IKE, "verifying AT_MAC signature of %B", &message);
+               DBG3(DBG_IKE, "using key %B", &this->k_auth);
+               valid = signer->verify_signature(signer, message, at_mac);
+               signer->destroy(signer);
+               if (!valid)
+               {
+                       DBG1(DBG_IKE, "MAC in AT_MAC attribute verification failed");
+                       return FAILED;
+               }
+       }
+       
+       /* compare received RES against stored precalculated XRES */
+       if (!chunk_equals(res, this->xres))
+       {
+               DBG1(DBG_IKE, "received RES does not match XRES");
+               DBG3(DBG_IKE, "RES %Bb XRES %B", &res, &this->xres);
+               return FAILED;
+       }
+       return SUCCESS;
+}
+
+/**
+ * Implementation of eap_method_t.process for EAP_AKA servers
+ */
+static status_t server_process(private_eap_aka_t *this,
+                                                          eap_payload_t *in, eap_payload_t **out)
+{
+       chunk_t message;
+       aka_subtype_t type;
+       
+       message = in->get_data(in);
+       type = read_header(&message);
+       
+       DBG3(DBG_IKE, "received EAP message %B",  &message);
+       
+       switch (type)
+       {
+               case AKA_CHALLENGE:
+               {
+                       return server_process_challenge(this, in);
+               }
+               case AKA_AUTHENTICATION_REJECT:
+               case AKA_CLIENT_ERROR:
+               {
+                       DBG1(DBG_IKE, "received %N, authentication failed",
+                                aka_subtype_names, type);
+                       return FAILED;
+               }
+               case AKA_SYNCHRONIZATION_FAILURE:
+               {
+                       DBG1(DBG_IKE, "received %N, retrying with received SQN",
+                                aka_subtype_names, type);
+                       return server_process_synchronize(this, in, out);
+               }
+               default:
+                       DBG1(DBG_IKE, "received unknown AKA subtype %N, authentication failed",
+                                aka_subtype_names, type);
+                       return FAILED;
+       }
+}
+
+/**
+ * Process an incoming AKA-Challenge client side
+ */
+static status_t peer_process_challenge(private_eap_aka_t *this,
+                                                                          eap_payload_t *in, eap_payload_t **out)
+{
+       chunk_t attr = chunk_empty;
+       chunk_t autn = chunk_empty, at_mac = chunk_empty;
+       chunk_t ak, sqn, sqn_ak, mac, xmac, res, amf, message, pos;
+       u_int8_t identifier;
+       
+       ak = chunk_alloca(AK_LENGTH);
+       xmac = chunk_alloca(MAC_LENGTH);
+       res = chunk_alloca(RES_LENGTH);
+       chunk_free(&this->rand);
+       
+       message = in->get_data(in);
+       pos = message;
+       read_header(&pos);
+       identifier = in->get_identifier(in);
+       
+       DBG3(DBG_IKE, "reading attributes from %B", &pos);
+       
+       /* iterate over attributes */
+       while (TRUE)
+       {
+               aka_attribute_t attribute = read_attribute(&pos, &attr);
+               switch (attribute)
+               {
+                       case AT_END:
+                               break;
+                       case AT_RAND:
+                               this->rand = chunk_clone(chunk_skip(attr, 2));
+                               continue;
+                       case AT_AUTN:
+                               autn = chunk_skip(attr, 2);
+                               continue;
+                       case AT_MAC:
+                               attr = chunk_skip(attr, 2);
+                               at_mac = chunk_clonea(attr);
+                               /* set MAC in message to zero for own MAC verification */
+                               memset(attr.ptr, 0, attr.len);
+                               continue;
+                       default:
+                               if (attribute >= 0 && attribute <= 127)
+                               {
+                                       /* non skippable attribute, abort */
+                                       *out = build_aka_payload(this, EAP_RESPONSE, identifier, AKA_CLIENT_ERROR,
+                                                               AT_CLIENT_ERROR_CODE, client_error_code, AT_END);
+                                       DBG1(DBG_IKE, "found non skippable attribute %N, sending %N %d",
+                                                aka_attribute_names, attribute,
+                                                aka_attribute_names, AT_CLIENT_ERROR_CODE, 0);
+                                       return NEED_MORE;
+                               }
+                               DBG1(DBG_IKE, "ignoring skippable attribute %N",
+                                        aka_attribute_names, attribute);
+                               continue;
+               }
+               break;
+       }
+       
+       if (this->rand.len != RAND_LENGTH || autn.len != AUTN_LENGTH)
+       {
+               /* required attributes wrong/not found, abort */
+               *out = build_aka_payload(this, EAP_RESPONSE, identifier, AKA_CLIENT_ERROR,
+                                       AT_CLIENT_ERROR_CODE, client_error_code, AT_END);
+               DBG1(DBG_IKE, "could not find valid RAND/AUTN attribute, sending %N %d",
+                        aka_attribute_names, AT_CLIENT_ERROR_CODE, 0);
+               return NEED_MORE;
+       }
+       
+       DBG3(DBG_IKE, "using autn %B", &autn);
+       /* split up AUTN = SQN xor AK | AMF | MAC */
+       chunk_split(autn, "mmm", SQN_LENGTH, &sqn_ak, AMF_LENGTH, &amf, MAC_LENGTH, &mac);
+       
+       /* Get the shared key K: */
+       chunk_free(&this->k);
+       if (load_key(this->peer, this->server, &this->k) != SUCCESS)
+       {
+               *out = build_aka_payload(this, EAP_RESPONSE, identifier,
+                                                                AKA_AUTHENTICATION_REJECT, AT_END);
+               DBG3(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate "
+                        "with EAP-AKA, sending %N", this->peer, this->server,
+                        aka_subtype_names, AKA_AUTHENTICATION_REJECT);
+               return NEED_MORE;
+       }
+       DBG3(DBG_IKE, "using K %B", &this->k);
+#      ifdef TEST_VECTORS
+       /* Test vector for K */
+       u_int8_t test_k[] = {
+               0xad,0x1b,0x5a,0x15,0x9b,0xe8,0x6b,0x2c,
+               0xa6,0x6c,0x7a,0xe4,0x0b,0xba,0x9b,0x9d,
+       };
+       memcpy(this->k.ptr, test_k, this->k.len);
+#      endif /* TEST_VECTORS */
+       
+       /* calculate anonymity key AK */
+       f5(this->k, this->rand, ak.ptr);
+       DBG3(DBG_IKE, "using rand %B", &this->rand);
+       DBG3(DBG_IKE, "using ak %B", &ak);
+       /* XOR AK into SQN to decrypt it */
+       
+       sqn = chunk_clonea(sqn_ak);
+       
+       DBG3(DBG_IKE, "using ak xor sqn %B", &sqn_ak);
+       memxor(sqn.ptr, ak.ptr, sqn.len);
+       DBG3(DBG_IKE, "using sqn %B", &sqn);
+       
+       /* calculate expected MAC and compare against received one */
+       f1(this->k, this->rand, sqn, amf, xmac.ptr);
+       if (!chunk_equals(mac, xmac))
+       {
+               *out = build_aka_payload(this, EAP_RESPONSE, identifier,
+                                                                AKA_AUTHENTICATION_REJECT, AT_END);
+               DBG1(DBG_IKE, "received MAC does not match XMAC, sending %N",
+                        aka_subtype_names, AKA_AUTHENTICATION_REJECT);
+               DBG3(DBG_IKE, "MAC %B\nXMAC %B", &mac, &xmac);
+               return NEED_MORE;
+       }
+
+#if SEQ_CHECK
+       if (memcmp(peer_sqn.ptr, sqn.ptr, sqn.len) >= 0)
+       {
+               /* sequence number invalid. send AUTS */
+               chunk_t auts, macs, aks, amf;
+               
+               macs = chunk_alloca(MAC_LENGTH);
+               aks = chunk_alloca(AK_LENGTH);
+               amf = chunk_alloca(AMF_LENGTH);
+               
+               /* AMF is set to zero in AKA_SYNCHRONIZATION_FAILURE */
+               memset(amf.ptr, 0, amf.len);            
+               /* AKS = f5*(RAND) */
+               f5star(this->k, this->rand, aks.ptr);
+               /* MACS = f1*(RAND) */
+               f1star(this->k, this->rand, peer_sqn, amf, macs.ptr);
+               /* AUTS = SQN xor AKS | MACS */
+               memxor(aks.ptr, peer_sqn.ptr, aks.len);
+               auts = chunk_cata("cc", aks, macs);
+               
+               *out = build_aka_payload(this, EAP_RESPONSE, identifier,
+                                                                AKA_SYNCHRONIZATION_FAILURE,
+                                                                AT_AUTS, auts, AT_END);
+               DBG1(DBG_IKE, "received SQN invalid, sending %N",
+                        aka_subtype_names, AKA_SYNCHRONIZATION_FAILURE);
+               DBG3(DBG_IKE, "received SQN %B\ncurrent SQN %B", &sqn, &peer_sqn);
+               return NEED_MORE;
+       }
+#endif /* SEQ_CHECK */
+
+       /* derive K_encr, K_auth, MSK, EMSK  */
+       derive_keys(this, this->peer);
+                               
+       /* verify EAP message MAC AT_MAC */
+       {
+               bool valid;
+               signer_t *signer = signer_create(AUTH_HMAC_SHA1_128);
+               signer->set_key(signer, this->k_auth);
+               
+               DBG3(DBG_IKE, "verifying AT_MAC signature of %B", &message);
+               DBG3(DBG_IKE, "using key %B", &this->k_auth);
+               valid = signer->verify_signature(signer, message, at_mac);
+               signer->destroy(signer);
+               if (!valid)
+               {
+                       *out = build_aka_payload(this, EAP_RESPONSE, identifier, AKA_CLIENT_ERROR,
+                                                       AT_CLIENT_ERROR_CODE, client_error_code, AT_END);
+                       DBG1(DBG_IKE, "MAC in AT_MAC attribute verification "
+                                "failed, sending %N %d", aka_attribute_names,
+                                AT_CLIENT_ERROR_CODE, 0);
+                       return NEED_MORE;
+               }
+       }
+       
+       /* update stored SQN to the received one */
+       memcpy(peer_sqn.ptr, sqn.ptr, sqn.len);
+       
+       /* calculate RES */
+       f2(this->k, this->rand, res.ptr);
+       
+       /* build response */
+       *out = build_aka_payload(this, EAP_RESPONSE, identifier, AKA_CHALLENGE,
+                                                        AT_RES, res, AT_MAC, chunk_empty, AT_END);
+       return NEED_MORE;
+}
+
+/**
+ * Process an incoming AKA-Notification as client
+ */
+static status_t peer_process_notification(private_eap_aka_t *this,
+                                                                                 eap_payload_t *in, eap_payload_t **out)
+{
+       chunk_t message, pos, attr;
+       u_int8_t identifier;
+       
+       message = in->get_data(in);
+       pos = message;
+       read_header(&pos);
+       identifier = in->get_identifier(in);
+       
+       DBG3(DBG_IKE, "reading attributes from %B", &pos);
+       
+       /* iterate over attributes */
+       while (TRUE)
+       {
+               aka_attribute_t attribute = read_attribute(&pos, &attr);
+               switch (attribute)
+               {
+                       case AT_END:
+                               break;
+                       case AT_NOTIFICATION:
+                       {
+                               u_int16_t code;
+                       
+                               if (attr.len != 2)
+                               {
+                                       DBG1(DBG_IKE, "received invalid AKA notification, ignored");
+                                       continue;
+                               }
+                               code = ntohs(*(u_int16_t*)attr.ptr);
+                               switch (code)
+                               {
+                                       case 0: 
+                                               DBG1(DBG_IKE, "received AKA notification 'general "
+                                                        "failure after authentication' (%d)", code);
+                                               return FAILED;
+                                       case 16384:
+                                               DBG1(DBG_IKE, "received AKA notification 'general "
+                                                        "failure' (%d)", code);
+                                               return FAILED;
+                                       case 32768:
+                                               DBG1(DBG_IKE, "received AKA notification 'successfully "
+                                                        "authenticated' (%d)", code);
+                                               continue;
+                                       case 1026:
+                                               DBG1(DBG_IKE, "received AKA notification 'access "
+                                                        "temporarily denied' (%d)", code);
+                                               return FAILED;
+                                       case 1031:
+                                               DBG1(DBG_IKE, "received AKA notification 'not "
+                                                        "subscribed to service' (%d)", code);
+                                               return FAILED;
+                                       default:
+                                               DBG1(DBG_IKE, "received AKA notification code %d, "
+                                                        "ignored", code);
+                                       continue;
+                               }
+                       }
+                       default:
+                               if (attribute >= 0 && attribute <= 127)
+                               {
+                                       DBG1(DBG_IKE, "ignoring non-skippable attribute %N in %N",
+                                               aka_attribute_names, attribute, aka_subtype_names,
+                                               AKA_NOTIFICATION);
+                               }
+                               else
+                               {
+                                       DBG1(DBG_IKE, "ignoring skippable attribute %N",
+                                                aka_attribute_names, attribute);
+                               }
+                               continue;
+               }
+               break;
+       }
+       return NEED_MORE;
+}
+
+/**
+ * Implementation of eap_method_t.process for an EAP_AKA peer
+ */
+static status_t peer_process(private_eap_aka_t *this,
+                                                        eap_payload_t *in, eap_payload_t **out)
+{
+       aka_subtype_t type;
+       chunk_t message;
+       u_int8_t identifier;
+       
+       message = in->get_data(in);
+       type = read_header(&message);
+       identifier = in->get_identifier(in);
+       
+       DBG3(DBG_IKE, "received EAP message %B",  &message);
+       
+       switch (type)
+       {
+               case AKA_CHALLENGE:
+               {
+                       return peer_process_challenge(this, in, out);
+               }
+               case AKA_NOTIFICATION:
+               {
+                       return peer_process_notification(this, in, out);
+               }
+               default:
+               {
+                       *out = build_aka_payload(this, EAP_RESPONSE, identifier, AKA_CLIENT_ERROR,
+                                               AT_CLIENT_ERROR_CODE, client_error_code, AT_END);
+                       DBG1(DBG_IKE, "received unsupported %N request, sending %N %d",
+                                aka_subtype_names, type,
+                                aka_attribute_names, AT_CLIENT_ERROR_CODE, 0);
+                       return NEED_MORE;
+               }
+       }
+}
+
+/**
+ * Implementation of eap_method_t.initiate for an EAP AKA peer
+ */
+static status_t peer_initiate(private_eap_aka_t *this, eap_payload_t **out)
+{
+       /* peer never initiates */
+       return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_aka_t *this)
+{
+       return EAP_AKA;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_aka_t *this, chunk_t *msk)
+{
+       if (this->msk.ptr)
+       {
+               *msk = this->msk;
+               return SUCCESS;
+       }
+       return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_aka_t *this)
+{
+       return TRUE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_aka_t *this)
+{
+       chunk_free(&this->k_encr);
+       chunk_free(&this->k_auth);
+       chunk_free(&this->msk);
+       chunk_free(&this->emsk);
+       chunk_free(&this->xres);
+       chunk_free(&this->k);
+       chunk_free(&this->rand);
+       free(this);
+}
+
+/*
+ * Described in header.
+ */
+eap_aka_t *eap_create(eap_role_t role,
+                                         identification_t *server, identification_t *peer)
+{
+       private_eap_aka_t *this = malloc_thing(private_eap_aka_t);
+       
+       /* public functions */
+       switch (role)
+       {
+               case EAP_SERVER:
+                       this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))server_initiate;
+                       this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))server_process;
+                       break;
+               case EAP_PEER:
+                       this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))peer_initiate;
+                       this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))peer_process;
+                       break;
+               default:
+                       free(this);
+                       return NULL;
+       }
+       this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*))get_type;
+       this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+       this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+       this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
+       
+       /* private data */
+       this->server = server;
+       this->peer = peer;
+       this->k_encr = chunk_empty;
+       this->k_auth = chunk_empty;
+       this->msk = chunk_empty;
+       this->emsk = chunk_empty;
+       this->xres = chunk_empty;
+       this->k = chunk_empty;
+       this->rand = chunk_empty;
+       
+       return &this->public;
+}
diff --git a/src/charon/sa/authenticators/eap/eap_aka.h b/src/charon/sa/authenticators/eap/eap_aka.h
new file mode 100644 (file)
index 0000000..a886863
--- /dev/null
@@ -0,0 +1,141 @@
+/**
+ * @file eap_aka.h
+ *
+ * @brief Interface of eap_aka_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef EAP_AKA_H_
+#define EAP_AKA_H_
+
+typedef struct eap_aka_t eap_aka_t;
+typedef enum aka_subtype_t aka_subtype_t;
+typedef enum aka_attribute_t aka_attribute_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+
+/**
+ * Subtypes of AKA messages
+ */
+enum aka_subtype_t {
+       AKA_CHALLENGE = 1,
+       AKA_AUTHENTICATION_REJECT = 2,
+       AKA_SYNCHRONIZATION_FAILURE = 4,
+       AKA_IDENTITY = 5,
+       AKA_NOTIFICATION = 12,
+       AKA_REAUTHENTICATION = 13,
+       AKA_CLIENT_ERROR = 14,
+};
+
+/**
+ * enum names for aka_subtype_t
+ */
+extern enum_name_t *aka_subtype_names;
+
+/**
+ * Attribute types in AKA messages
+ */
+enum aka_attribute_t {
+       /** defines the end of attribute list */
+       AT_END = -1,
+       AT_RAND = 1,
+       AT_AUTN = 2,
+       AT_RES = 3,
+       AT_AUTS = 4,
+       AT_PADDING = 6,
+       AT_NONCE_MT = 7,
+       AT_PERMANENT_ID_REQ = 10,
+       AT_MAC = 11,
+       AT_NOTIFICATION = 12,
+       AT_ANY_ID_REQ = 13,
+       AT_IDENTITY = 14,
+       AT_VERSION_LIST = 15,
+       AT_SELECTED_VERSION = 16,
+       AT_FULLAUTH_ID_REQ = 17,
+       AT_COUNTER = 19,
+       AT_COUNTER_TOO_SMALL = 20,
+       AT_NONCE_S = 21,
+       AT_CLIENT_ERROR_CODE = 22,
+       AT_IV = 129,
+       AT_ENCR_DATA = 130,
+       AT_NEXT_PSEUDONYM = 132,
+       AT_NEXT_REAUTH_ID = 133,
+       AT_CHECKCODE = 134,
+       AT_RESULT_IND = 135,
+};
+
+/**
+ * enum names for aka_attribute_t
+ */
+extern enum_name_t *aka_attribute_names;
+
+/**  check SEQ values as client for validity, disabled by default */
+#ifndef SEQ_CHECK
+# define SEQ_CHECK 0
+#endif
+
+/**
+ * @brief Implementation of the eap_method_t interface using EAP-AKA.
+ *
+ * EAP-AKA uses 3rd generation mobile phone standard authentication
+ * mechanism for authentication. It is a mutual authentication
+ * mechanism which establishs a shared key and therefore supports EAP_ONLY
+ * authentication. This implementation follows the standard of the
+ * 3GPP2 (S.S0055) and not the one of 3GGP.
+ * The shared key used for authentication is from ipsec.secrets. The
+ * peers ID is used to query it.
+ * The AKA mechanism uses sequence numbers to detect replay attacks. The
+ * peer stores the sequence number normally in a USIM and accepts
+ * incremental sequence numbers (incremental for lifetime of the USIM). To
+ * prevent a complex sequence number management, this implementation uses
+ * a sequence number derived from time. It is initialized to the startup
+ * time of the daemon. As long as the (UTC) time of the system is not
+ * turned back while the daemon is not running, this method is secure.
+ * To enable time based SEQs, #define SEQ_CHECK as 1. Default is to accept
+ * any SEQ numbers. This allows an attacker to do replay attacks. But since
+ * the server has proven his identity via IKE, such an attack is only
+ * possible between server and AAA (if any).
+ *
+ * @b Constructors:
+ *  - eap_aka_create()
+ *  - eap_client_create() using eap_method EAP_AKA
+ *
+ * @ingroup eap
+ */
+struct eap_aka_t {
+
+       /**
+        * Implemented eap_method_t interface.
+        */
+       eap_method_t eap_method_interface;
+};
+
+/**
+ * @brief Creates the EAP method EAP-AKA.
+ *
+ * @param server       ID of the EAP server
+ * @param peer         ID of the EAP client
+ * @return                     eap_aka_t object
+ *
+ * @ingroup eap
+ */
+eap_aka_t *eap_create(eap_role_t role,
+                                         identification_t *server, identification_t *peer);
+
+#endif /* EAP_AKA_H_ */
diff --git a/testing/tests/ikev2/rw-eapaka-rsa/description.txt b/testing/tests/ikev2/rw-eapaka-rsa/description.txt
new file mode 100644 (file)
index 0000000..af3e53f
--- /dev/null
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
+in association with the <i>Authentication and Key Agreement</i> protocol
+(<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
+in UMTS, but here a secret from ipsec.secrets is used instead of a USIM/(R)UIM.
+Gateway <b>moon</b> additionaly uses an RSA signature to authenticate itself
+against <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eapaka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eapaka-rsa/evaltest.dat
new file mode 100644 (file)
index 0000000..4ab5fd7
--- /dev/null
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of '@moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of '@moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eapaka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eapaka-rsa/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..c2fe026
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       plutostart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+       authby=eap
+
+conn home
+       left=PH_IP_CAROL
+       leftnexthop=%direct
+       leftid=carol@strongswan.org
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       rightsubnet=10.1.0.0/16
+       rightsendcert=never
+       auto=add
diff --git a/testing/tests/ikev2/rw-eapaka-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eapaka-rsa/hosts/carol/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..ea73220
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : PSK "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eapaka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eapaka-rsa/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..dbf3816
--- /dev/null
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       strictcrlpolicy=no
+       plutostart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn rw-eapaka
+       authby=rsasig
+       eap=aka
+       left=PH_IP_MOON
+       leftsubnet=10.1.0.0/16
+       leftid=@moon.strongswan.org
+       leftcert=moonCert.pem
+       leftfirewall=yes
+       rightid=*@strongswan.org
+       right=%any
+       auto=add
diff --git a/testing/tests/ikev2/rw-eapaka-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eapaka-rsa/hosts/moon/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..64de708
--- /dev/null
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : PSK "Ar3etTnp01qlpOgb"
diff --git a/testing/tests/ikev2/rw-eapaka-rsa/posttest.dat b/testing/tests/ikev2/rw-eapaka-rsa/posttest.dat
new file mode 100644 (file)
index 0000000..c6d6235
--- /dev/null
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev2/rw-eapaka-rsa/pretest.dat b/testing/tests/ikev2/rw-eapaka-rsa/pretest.dat
new file mode 100644 (file)
index 0000000..5e36462
--- /dev/null
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/rw-eapaka-rsa/test.conf b/testing/tests/ikev2/rw-eapaka-rsa/test.conf
new file mode 100644 (file)
index 0000000..2bd2149
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"