Splitted sim_manager.h header to sim_{card,provider,hooks}.h
authorMartin Willi <martin@revosec.ch>
Tue, 8 Mar 2011 13:17:53 +0000 (14:17 +0100)
committerMartin Willi <martin@revosec.ch>
Tue, 8 Mar 2011 15:42:27 +0000 (16:42 +0100)
src/libcharon/Makefile.am
src/libcharon/sa/authenticators/eap/sim_card.h [new file with mode: 0644]
src/libcharon/sa/authenticators/eap/sim_hooks.h [new file with mode: 0644]
src/libcharon/sa/authenticators/eap/sim_manager.h
src/libcharon/sa/authenticators/eap/sim_provider.h [new file with mode: 0644]

index a995cae..bfddb80 100644 (file)
@@ -62,6 +62,8 @@ sa/authenticators/eap_authenticator.c sa/authenticators/eap_authenticator.h \
 sa/authenticators/eap/eap_method.c sa/authenticators/eap/eap_method.h \
 sa/authenticators/eap/eap_manager.c sa/authenticators/eap/eap_manager.h \
 sa/authenticators/eap/sim_manager.c sa/authenticators/eap/sim_manager.h \
+sa/authenticators/eap/sim_card.h sa/authenticators/eap/sim_provider.h \
+sa/authenticators/eap/sim_hooks.h \
 sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
 sa/authenticators/pubkey_authenticator.c sa/authenticators/pubkey_authenticator.h \
 sa/child_sa.c sa/child_sa.h \
diff --git a/src/libcharon/sa/authenticators/eap/sim_card.h b/src/libcharon/sa/authenticators/eap/sim_card.h
new file mode 100644 (file)
index 0000000..5f5dc58
--- /dev/null
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sim_card sim_card
+ * @{ @ingroup eap
+ */
+
+#ifndef SIM_CARD_H_
+#define SIM_CARD_H_
+
+typedef struct sim_card_t sim_card_t;
+
+/**
+ * Interface for a (U)SIM card (used as EAP client).
+ *
+ * The SIM card completes triplets/quintuplets requested in a challenge
+ * received from the server.
+ * An implementation supporting only one of SIM/AKA authentication may
+ * implement the other methods with return_false()/return NOT_SUPPORTED/NULL.
+ */
+struct sim_card_t {
+
+       /**
+        * Calculate SRES/KC from a RAND for SIM authentication.
+        *
+        * @param id            permanent identity to get a triplet for
+        * @param rand          RAND input buffer, fixed size 16 bytes
+        * @param sres          SRES output buffer, fixed size 4 byte
+        * @param kc            KC output buffer, fixed size 8 bytes
+        * @return                      TRUE if SRES/KC calculated, FALSE on error/wrong identity
+        */
+       bool (*get_triplet)(sim_card_t *this, identification_t *id,
+                                               char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
+                                               char kc[SIM_KC_LEN]);
+
+       /**
+        * Calculate CK/IK/RES from RAND/AUTN for AKA authentication.
+        *
+        * If the received sequence number (in autn) is out of sync, INVALID_STATE
+        * is returned.
+        * The RES value is the only one with variable length. Pass a buffer
+        * of at least AKA_RES_MAX, the actual number of bytes is written to the
+        * res_len value. While the standard would allow any bit length between
+        * 32 and 128 bits, we support only full bytes for now.
+        *
+        * @param id            permanent identity to request quintuplet for
+        * @param rand          random value rand
+        * @param autn          authentication token autn
+        * @param ck            buffer receiving encryption key ck
+        * @param ik            buffer receiving integrity key ik
+        * @param res           buffer receiving authentication result res
+        * @param res_len       nubmer of bytes written to res buffer
+        * @return                      SUCCESS, FAILED, or INVALID_STATE if out of sync
+        */
+       status_t (*get_quintuplet)(sim_card_t *this, identification_t *id,
+                                                          char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN],
+                                                          char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+                                                          char res[AKA_RES_MAX], int *res_len);
+
+       /**
+        * Calculate AUTS from RAND for AKA resynchronization.
+        *
+        * @param id            permanent identity to request quintuplet for
+        * @param rand          random value rand
+        * @param auts          resynchronization parameter auts
+        * @return                      TRUE if parameter generated successfully
+        */
+       bool (*resync)(sim_card_t *this, identification_t *id,
+                                  char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
+
+       /**
+        * Set the pseudonym to use for next authentication.
+        *
+        * @param id            permanent identity of the peer
+        * @param pseudonym     pseudonym identity received from the server
+        */
+       void (*set_pseudonym)(sim_card_t *this, identification_t *id,
+                                                 identification_t *pseudonym);
+
+       /**
+        * Get the pseudonym previously stored via set_pseudonym().
+        *
+        * @param id            permanent identity of the peer
+        * @return                      associated pseudonym identity, NULL if none stored
+        */
+       identification_t* (*get_pseudonym)(sim_card_t *this, identification_t *id);
+
+       /**
+        * Store parameters to use for the next fast reauthentication.
+        *
+        * @param id            permanent identity of the peer
+        * @param next          next fast reauthentication identity to use
+        * @param mk            master key MK to store for reauthentication
+        * @param counter       counter value to store, host order
+        */
+       void (*set_reauth)(sim_card_t *this, identification_t *id,
+                                          identification_t *next, char mk[HASH_SIZE_SHA1],
+                                          u_int16_t counter);
+
+       /**
+        * Retrieve parameters for fast reauthentication stored via set_reauth().
+        *
+        * @param id            permanent identity of the peer
+        * @param mk            buffer receiving master key MK
+        * @param counter       pointer receiving counter value, in host order
+        * @return                      fast reauthentication identity, NULL if not found
+        */
+       identification_t* (*get_reauth)(sim_card_t *this, identification_t *id,
+                                                                       char mk[HASH_SIZE_SHA1], u_int16_t *counter);
+};
+
+#endif /** SIM_CARD_H_ @}*/
diff --git a/src/libcharon/sa/authenticators/eap/sim_hooks.h b/src/libcharon/sa/authenticators/eap/sim_hooks.h
new file mode 100644 (file)
index 0000000..0a675e4
--- /dev/null
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sim_hooks sim_hooks
+ * @{ @ingroup eap
+ */
+
+#ifndef SIM_HOOKS_H_
+#define SIM_HOOKS_H_
+
+typedef struct sim_hooks_t sim_hooks_t;
+
+/**
+ * Additional hooks invoked during EAP-SIM/AKA message processing.
+ */
+struct sim_hooks_t {
+
+       /**
+        * SIM/AKA message parsing.
+        *
+        * As a SIM/AKA optionally contains encrypted attributes, the hook
+        * might get invoked twice, once before and once after decryption.
+        *
+        * @param message       SIM/AKA message
+        * @param inbound       TRUE for incoming messages, FALSE for outgoing
+        * @param decrypted     TRUE if AT_ENCR_DATA has been decrypted
+        */
+       void (*message)(sim_hooks_t *this, simaka_message_t *message,
+                                       bool inbound, bool decrypted);
+
+       /**
+        * SIM/AKA encryption/authentication key hooks.
+        *
+        * @param k_encr        derived SIM/AKA encryption key k_encr
+        * @param k_auth        derived SIM/AKA authentication key k_auth
+        */
+       void (*keys)(sim_hooks_t *this, chunk_t k_encr, chunk_t k_auth);
+};
+
+#endif /** SIM_HOOKS_H_ @}*/
index 9aa661a..db4a650 100644 (file)
@@ -27,9 +27,6 @@
 #include <sa/authenticators/eap/eap_method.h>
 
 typedef struct sim_manager_t sim_manager_t;
-typedef struct sim_card_t sim_card_t;
-typedef struct sim_provider_t sim_provider_t;
-typedef struct sim_hooks_t sim_hooks_t;
 
 /** implemented in libsimaka, but we need it for the message hook */
 typedef struct simaka_message_t simaka_message_t;
@@ -45,229 +42,9 @@ typedef struct simaka_message_t simaka_message_t;
 #define AKA_AUTN_LEN   16
 #define AKA_AUTS_LEN   14
 
-/**
- * Interface for a (U)SIM card (used as EAP client).
- *
- * The SIM card completes triplets/quintuplets requested in a challenge
- * received from the server.
- * An implementation supporting only one of SIM/AKA authentication may
- * implement the other methods with return_false()/return NOT_SUPPORTED/NULL.
- */
-struct sim_card_t {
-
-       /**
-        * Calculate SRES/KC from a RAND for SIM authentication.
-        *
-        * @param id            permanent identity to get a triplet for
-        * @param rand          RAND input buffer, fixed size 16 bytes
-        * @param sres          SRES output buffer, fixed size 4 byte
-        * @param kc            KC output buffer, fixed size 8 bytes
-        * @return                      TRUE if SRES/KC calculated, FALSE on error/wrong identity
-        */
-       bool (*get_triplet)(sim_card_t *this, identification_t *id,
-                                               char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
-                                               char kc[SIM_KC_LEN]);
-
-       /**
-        * Calculate CK/IK/RES from RAND/AUTN for AKA authentication.
-        *
-        * If the received sequence number (in autn) is out of sync, INVALID_STATE
-        * is returned.
-        * The RES value is the only one with variable length. Pass a buffer
-        * of at least AKA_RES_MAX, the actual number of bytes is written to the
-        * res_len value. While the standard would allow any bit length between
-        * 32 and 128 bits, we support only full bytes for now.
-        *
-        * @param id            permanent identity to request quintuplet for
-        * @param rand          random value rand
-        * @param autn          authentication token autn
-        * @param ck            buffer receiving encryption key ck
-        * @param ik            buffer receiving integrity key ik
-        * @param res           buffer receiving authentication result res
-        * @param res_len       nubmer of bytes written to res buffer
-        * @return                      SUCCESS, FAILED, or INVALID_STATE if out of sync
-        */
-       status_t (*get_quintuplet)(sim_card_t *this, identification_t *id,
-                                                          char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN],
-                                                          char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
-                                                          char res[AKA_RES_MAX], int *res_len);
-
-       /**
-        * Calculate AUTS from RAND for AKA resynchronization.
-        *
-        * @param id            permanent identity to request quintuplet for
-        * @param rand          random value rand
-        * @param auts          resynchronization parameter auts
-        * @return                      TRUE if parameter generated successfully
-        */
-       bool (*resync)(sim_card_t *this, identification_t *id,
-                                  char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
-
-       /**
-        * Set the pseudonym to use for next authentication.
-        *
-        * @param id            permanent identity of the peer
-        * @param pseudonym     pseudonym identity received from the server
-        */
-       void (*set_pseudonym)(sim_card_t *this, identification_t *id,
-                                                 identification_t *pseudonym);
-
-       /**
-        * Get the pseudonym previously stored via set_pseudonym().
-        *
-        * @param id            permanent identity of the peer
-        * @return                      associated pseudonym identity, NULL if none stored
-        */
-       identification_t* (*get_pseudonym)(sim_card_t *this, identification_t *id);
-
-       /**
-        * Store parameters to use for the next fast reauthentication.
-        *
-        * @param id            permanent identity of the peer
-        * @param next          next fast reauthentication identity to use
-        * @param mk            master key MK to store for reauthentication
-        * @param counter       counter value to store, host order
-        */
-       void (*set_reauth)(sim_card_t *this, identification_t *id,
-                                          identification_t *next, char mk[HASH_SIZE_SHA1],
-                                          u_int16_t counter);
-
-       /**
-        * Retrieve parameters for fast reauthentication stored via set_reauth().
-        *
-        * @param id            permanent identity of the peer
-        * @param mk            buffer receiving master key MK
-        * @param counter       pointer receiving counter value, in host order
-        * @return                      fast reauthentication identity, NULL if not found
-        */
-       identification_t* (*get_reauth)(sim_card_t *this, identification_t *id,
-                                                                       char mk[HASH_SIZE_SHA1], u_int16_t *counter);
-};
-
-/**
- * Interface for a triplet/quintuplet provider (used as EAP server).
- *
- * A SIM provider hands out triplets for SIM authentication and quintuplets
- * for AKA authentication. Multiple SIM provider instances can serve as
- * authentication backend to authenticate clients using SIM/AKA.
- * An implementation supporting only one of SIM/AKA authentication may
- * implement the other methods with return_false().
- */
-struct sim_provider_t {
-
-       /**
-        * Create a challenge for SIM authentication.
-        *
-        * @param id            permanent identity of peer to gen triplet for
-        * @param rand          RAND output buffer, fixed size 16 bytes
-        * @param sres          SRES output buffer, fixed size 4 byte
-        * @param kc            KC output buffer, fixed size 8 bytes
-        * @return                      TRUE if triplet received, FALSE otherwise
-        */
-       bool (*get_triplet)(sim_provider_t *this, identification_t *id,
-                                               char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
-                                               char kc[SIM_KC_LEN]);
-
-       /**
-        * Create a challenge for AKA authentication.
-        *
-        * The XRES value is the only one with variable length. Pass a buffer
-        * of at least AKA_RES_MAX, the actual number of bytes is written to the
-        * xres_len value. While the standard would allow any bit length between
-        * 32 and 128 bits, we support only full bytes for now.
-        *
-        * @param id            permanent identity of peer to create challenge for
-        * @param rand          buffer receiving random value rand
-        * @param xres          buffer receiving expected authentication result xres
-        * @param xres_len      nubmer of bytes written to xres buffer
-        * @param ck            buffer receiving encryption key ck
-        * @param ik            buffer receiving integrity key ik
-        * @param autn          authentication token autn
-        * @return                      TRUE if quintuplet generated successfully
-        */
-       bool (*get_quintuplet)(sim_provider_t *this, identification_t *id,
-                                                  char rand[AKA_RAND_LEN],
-                                                  char xres[AKA_RES_MAX], int *xres_len,
-                                                  char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
-                                                  char autn[AKA_AUTN_LEN]);
-
-       /**
-        * Process AKA resynchroniusation request of a peer.
-        *
-        * @param id            permanent identity of peer requesting resynchronisation
-        * @param rand          random value rand
-        * @param auts          synchronization parameter auts
-        * @return                      TRUE if resynchronized successfully
-        */
-       bool (*resync)(sim_provider_t *this, identification_t *id,
-                                  char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
-
-       /**
-        * Check if peer uses a pseudonym, get permanent identity.
-        *
-        * @param id            pseudonym identity candidate
-        * @return                      permanent identity, NULL if id not a pseudonym
-        */
-       identification_t* (*is_pseudonym)(sim_provider_t *this,
-                                                                         identification_t *id);
-
-       /**
-        * Generate a pseudonym identitiy for a given peer identity.
-        *
-        * @param id            permanent identity to generate a pseudonym for
-        * @return                      generated pseudonym, NULL to not use a pseudonym identity
-        */
-       identification_t* (*gen_pseudonym)(sim_provider_t *this,
-                                                                          identification_t *id);
-
-       /**
-        * Check if peer uses reauthentication, retrieve reauth parameters.
-        *
-        * @param id            reauthentication identity (candidate)
-        * @param mk            buffer receiving master key MK
-        * @param counter       pointer receiving current counter value, host order
-        * @return                      permanent identity, NULL if id not a reauth identity
-        */
-       identification_t* (*is_reauth)(sim_provider_t *this, identification_t *id,
-                                                                  char mk[HASH_SIZE_SHA1], u_int16_t *counter);
-
-       /**
-        * Generate a fast reauthentication identity, associated to a master key.
-        *
-        * @param id            permanent peer identity
-        * @param mk            master key to store along with generated identity
-        * @return                      fast reauthentication identity, NULL to not use reauth
-        */
-       identification_t* (*gen_reauth)(sim_provider_t *this, identification_t *id,
-                                                                       char mk[HASH_SIZE_SHA1]);
-};
-
-/**
- * Additional hooks invoked during EAP-SIM/AKA message processing.
- */
-struct sim_hooks_t {
-
-       /**
-        * SIM/AKA message parsing.
-        *
-        * As a SIM/AKA optionally contains encrypted attributes, the hook
-        * might get invoked twice, once before and once after decryption.
-        *
-        * @param message       SIM/AKA message
-        * @param inbound       TRUE for incoming messages, FALSE for outgoing
-        * @param decrypted     TRUE if AT_ENCR_DATA has been decrypted
-        */
-       void (*message)(sim_hooks_t *this, simaka_message_t *message,
-                                       bool inbound, bool decrypted);
-
-       /**
-        * SIM/AKA encryption/authentication key hooks.
-        *
-        * @param k_encr        derived SIM/AKA encryption key k_encr
-        * @param k_auth        derived SIM/AKA authentication key k_auth
-        */
-       void (*keys)(sim_hooks_t *this, chunk_t k_encr, chunk_t k_auth);
-};
+#include <sa/authenticators/eap/sim_card.h>
+#include <sa/authenticators/eap/sim_provider.h>
+#include <sa/authenticators/eap/sim_hooks.h>
 
 /**
  * The SIM manager handles multiple (U)SIM cards/providers and hooks.
diff --git a/src/libcharon/sa/authenticators/eap/sim_provider.h b/src/libcharon/sa/authenticators/eap/sim_provider.h
new file mode 100644 (file)
index 0000000..191e094
--- /dev/null
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sim_provider sim_provider
+ * @{ @ingroup eap
+ */
+
+#ifndef SIM_PROVIDER_H_
+#define SIM_PROVIDER_H_
+
+typedef struct sim_provider_t sim_provider_t;
+
+/**
+ * Interface for a triplet/quintuplet provider (used as EAP server).
+ *
+ * A SIM provider hands out triplets for SIM authentication and quintuplets
+ * for AKA authentication. Multiple SIM provider instances can serve as
+ * authentication backend to authenticate clients using SIM/AKA.
+ * An implementation supporting only one of SIM/AKA authentication may
+ * implement the other methods with return_false().
+ */
+struct sim_provider_t {
+
+       /**
+        * Create a challenge for SIM authentication.
+        *
+        * @param id            permanent identity of peer to gen triplet for
+        * @param rand          RAND output buffer, fixed size 16 bytes
+        * @param sres          SRES output buffer, fixed size 4 byte
+        * @param kc            KC output buffer, fixed size 8 bytes
+        * @return                      TRUE if triplet received, FALSE otherwise
+        */
+       bool (*get_triplet)(sim_provider_t *this, identification_t *id,
+                                               char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
+                                               char kc[SIM_KC_LEN]);
+
+       /**
+        * Create a challenge for AKA authentication.
+        *
+        * The XRES value is the only one with variable length. Pass a buffer
+        * of at least AKA_RES_MAX, the actual number of bytes is written to the
+        * xres_len value. While the standard would allow any bit length between
+        * 32 and 128 bits, we support only full bytes for now.
+        *
+        * @param id            permanent identity of peer to create challenge for
+        * @param rand          buffer receiving random value rand
+        * @param xres          buffer receiving expected authentication result xres
+        * @param xres_len      nubmer of bytes written to xres buffer
+        * @param ck            buffer receiving encryption key ck
+        * @param ik            buffer receiving integrity key ik
+        * @param autn          authentication token autn
+        * @return                      TRUE if quintuplet generated successfully
+        */
+       bool (*get_quintuplet)(sim_provider_t *this, identification_t *id,
+                                                  char rand[AKA_RAND_LEN],
+                                                  char xres[AKA_RES_MAX], int *xres_len,
+                                                  char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
+                                                  char autn[AKA_AUTN_LEN]);
+
+       /**
+        * Process AKA resynchroniusation request of a peer.
+        *
+        * @param id            permanent identity of peer requesting resynchronisation
+        * @param rand          random value rand
+        * @param auts          synchronization parameter auts
+        * @return                      TRUE if resynchronized successfully
+        */
+       bool (*resync)(sim_provider_t *this, identification_t *id,
+                                  char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
+
+       /**
+        * Check if peer uses a pseudonym, get permanent identity.
+        *
+        * @param id            pseudonym identity candidate
+        * @return                      permanent identity, NULL if id not a pseudonym
+        */
+       identification_t* (*is_pseudonym)(sim_provider_t *this,
+                                                                         identification_t *id);
+
+       /**
+        * Generate a pseudonym identitiy for a given peer identity.
+        *
+        * @param id            permanent identity to generate a pseudonym for
+        * @return                      generated pseudonym, NULL to not use a pseudonym identity
+        */
+       identification_t* (*gen_pseudonym)(sim_provider_t *this,
+                                                                          identification_t *id);
+
+       /**
+        * Check if peer uses reauthentication, retrieve reauth parameters.
+        *
+        * @param id            reauthentication identity (candidate)
+        * @param mk            buffer receiving master key MK
+        * @param counter       pointer receiving current counter value, host order
+        * @return                      permanent identity, NULL if id not a reauth identity
+        */
+       identification_t* (*is_reauth)(sim_provider_t *this, identification_t *id,
+                                                                  char mk[HASH_SIZE_SHA1], u_int16_t *counter);
+
+       /**
+        * Generate a fast reauthentication identity, associated to a master key.
+        *
+        * @param id            permanent peer identity
+        * @param mk            master key to store along with generated identity
+        * @return                      fast reauthentication identity, NULL to not use reauth
+        */
+       identification_t* (*gen_reauth)(sim_provider_t *this, identification_t *id,
+                                                                       char mk[HASH_SIZE_SHA1]);
+};
+
+#endif /** SIM_CARD_H_ @}*/