Added a stub for the EAP-AKA backend implementing the 3GPP2 functions in software

configure.in

@@ -105,6 +105,7 @@ ARG_ENABL_SET([eap-identity],   [enable EAP module providing EAP-Identity helper
 ARG_ENABL_SET([eap-md5],        [enable EAP MD5 (CHAP) authenication module.])
 ARG_ENABL_SET([eap-gtc],        [enable PAM based EAP GTC authenication module.])
 ARG_ENABL_SET([eap-aka],        [enable EAP AKA authentication module.])
+ARG_ENABL_SET([eap-aka-3gpp2],  [enable EAP AKA backend implementing 3GPP2 algorithms in software. Requires libgmp.])
 ARG_ENABL_SET([eap-mschapv2],   [enable EAP MS-CHAPv2 authenication module.])
 ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authenication module.])
 ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
@@ -193,8 +194,11 @@ dnl =========================
 dnl  dependency calculation
 dnl =========================
 
-if test x$eap_aka = xtrue; then
+if test x$eap_aka_3gpp2 = xtrue; then
 	gmp=true;
+fi
+
+if test x$eap_aka = xtrue; then
 	fips_prf=true;
 	sha1=true;
 fi
@@ -697,6 +701,7 @@ AM_CONDITIONAL(USE_EAP_IDENTITY, test x$eap_identity = xtrue)
 AM_CONDITIONAL(USE_EAP_MD5, test x$eap_md5 = xtrue)
 AM_CONDITIONAL(USE_EAP_GTC, test x$eap_gtc = xtrue)
 AM_CONDITIONAL(USE_EAP_AKA, test x$eap_aka = xtrue)
+AM_CONDITIONAL(USE_EAP_AKA_3GPP2, test x$eap_aka_3gpp2 = xtrue)
 AM_CONDITIONAL(USE_EAP_MSCHAPV2, test x$eap_mschapv2 = xtrue)
 AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
 AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
@@ -780,6 +785,7 @@ AC_OUTPUT(
 	src/whack/Makefile
 	src/charon/Makefile
 	src/charon/plugins/eap_aka/Makefile
+	src/charon/plugins/eap_aka_3gpp2/Makefile
 	src/charon/plugins/eap_identity/Makefile
 	src/charon/plugins/eap_md5/Makefile
 	src/charon/plugins/eap_gtc/Makefile

src/charon/Makefile.am

@@ -219,6 +219,11 @@ if USE_EAP_AKA
   PLUGINS += eapaka
 endif
 
+if USE_EAP_AKA_3GPP2
+  SUBDIRS += plugins/eap_aka_3gpp2
+  PLUGINS += eapaka-3gpp2
+endif
+
 if USE_EAP_MSCHAPV2
   SUBDIRS += plugins/eap_mschapv2
   PLUGINS += eapmschapv2

src/charon/plugins/eap_aka_3gpp2/Makefile.am

@@ -0,0 +1,14 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-eapaka-3gpp2.la
+
+libstrongswan_eapaka_3gpp2_la_SOURCES = \
+  eap_aka_3gpp2_plugin.h eap_aka_3gpp2_plugin.c \
+  eap_aka_3gpp2_card.h eap_aka_3gpp2_card.c \
+  eap_aka_3gpp2_provider.h eap_aka_3gpp2_provider.c \
+  eap_aka_3gpp2_functions.h eap_aka_3gpp2_functions.c
+libstrongswan_eapaka_3gpp2_la_LDFLAGS = -module -avoid-version
+

src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.c

@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_3gpp2_card.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_aka_3gpp2_card_t private_eap_aka_3gpp2_card_t;
+
+/**
+ * Private data of an eap_aka_3gpp2_card_t object.
+ */
+struct private_eap_aka_3gpp2_card_t {
+
+	/**
+	 * Public eap_aka_3gpp2_card_t interface.
+	 */
+	eap_aka_3gpp2_card_t public;
+
+	/**
+	 * IMSI, is ID_ANY for this software implementation
+	 */
+	identification_t *imsi;
+
+	/**
+	 * AKA functions
+	 */
+	eap_aka_3gpp2_functions_t *f;
+};
+
+/**
+ * Implementation of usim_card_t.get_imsi
+ */
+static identification_t* get_imsi(private_eap_aka_3gpp2_card_t *this)
+{
+	return this->imsi;
+}
+
+/**
+ * Implementation of usim_card_t.get_quintuplet
+ */
+static status_t get_quintuplet(private_eap_aka_3gpp2_card_t *this,
+								char rand[16], char autn[16],
+								char ck[16], char ik[16], char res[16])
+{
+	return FAILED;
+}
+
+/**
+ * Implementation of usim_card_t.resync
+ */
+static bool resync(private_eap_aka_3gpp2_card_t *this,
+								char rand[16], char auts[16])
+{
+	return FALSE;
+}
+
+/**
+ * Implementation of eap_aka_3gpp2_card_t.destroy.
+ */
+static void destroy(private_eap_aka_3gpp2_card_t *this)
+{
+	this->imsi->destroy(this->imsi);
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_aka_3gpp2_card_t *eap_aka_3gpp2_card_create(eap_aka_3gpp2_functions_t *f)
+{
+	private_eap_aka_3gpp2_card_t *this = malloc_thing(private_eap_aka_3gpp2_card_t);
+
+	this->public.card.get_imsi = (identification_t*(*)(usim_card_t*))get_imsi;
+	this->public.card.get_quintuplet = (status_t(*)(usim_card_t*, char rand[16], char autn[16], char ck[16], char ik[16], char res[16]))get_quintuplet;
+	this->public.card.resync = (bool(*)(usim_card_t*, char rand[16], char auts[16]))resync;
+	this->public.destroy = (void(*)(eap_aka_3gpp2_card_t*))destroy;
+
+	/* this software USIM can act with all identities */
+	this->imsi = identification_create_from_encoding(ID_ANY, chunk_empty);
+	this->f = f;
+
+	return &this->public;
+}
+

src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_card.h

@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_3gpp2_card eap_aka_3gpp2_card
+ * @{ @ingroup eap_aka_3gpp2
+ */
+
+#ifndef EAP_AKA_3GPP2_CARD_H_
+#define EAP_AKA_3GPP2_CARD_H_
+
+#include "eap_aka_3gpp2_functions.h"
+
+#include <sa/authenticators/eap/usim_manager.h>
+
+typedef struct eap_aka_3gpp2_card_t eap_aka_3gpp2_card_t;
+
+/**
+ * USIM card implementation using a set of AKA functions.
+ */
+struct eap_aka_3gpp2_card_t {
+
+	/**
+	 * Implements usim_card_t interface
+	 */
+	usim_card_t card;
+
+	/**
+	 * Destroy a eap_aka_3gpp2_card_t.
+	 */
+	void (*destroy)(eap_aka_3gpp2_card_t *this);
+};
+
+/**
+ * Create a eap_aka_3gpp2_card instance.
+ *
+ * @param f		AKA functions
+ */
+eap_aka_3gpp2_card_t *eap_aka_3gpp2_card_create(eap_aka_3gpp2_functions_t *f);
+
+#endif /** EAP_AKA_3GPP2_CARD_ @}*/

src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.c

@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_3gpp2_functions.h"
+
+typedef struct private_eap_aka_3gpp2_functions_t private_eap_aka_3gpp2_functions_t;
+
+/**
+ * Private data of an eap_aka_3gpp2_functions_t object.
+ */
+struct private_eap_aka_3gpp2_functions_t {
+
+	/**
+	 * Public eap_aka_3gpp2_functions_t interface.
+	 */
+	eap_aka_3gpp2_functions_t public;
+};
+
+/**
+ * Implementation of eap_aka_3gpp2_functions_t.destroy.
+ */
+static void destroy(private_eap_aka_3gpp2_functions_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_aka_3gpp2_functions_t *eap_aka_3gpp2_functions_create()
+{
+	private_eap_aka_3gpp2_functions_t *this = malloc_thing(private_eap_aka_3gpp2_functions_t);
+
+	this->public.destroy = (void(*)(eap_aka_3gpp2_functions_t*))destroy;
+
+	return &this->public;
+}
+

src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_functions.h

@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_3gpp2_functions eap_aka_3gpp2_functions
+ * @{ @ingroup eap_aka_3gpp2
+ */
+
+#ifndef EAP_AKA_3GPP2_FUNCTIONS_H_
+#define EAP_AKA_3GPP2_FUNCTIONS_H_
+
+#include <utils/enumerator.h>
+#include <utils/identification.h>
+
+typedef struct eap_aka_3gpp2_functions_t eap_aka_3gpp2_functions_t;
+
+/**
+ * f1-f5(), f1*() and f5*() functions from the 3GPP2 (S.S0055) standard.
+ */
+struct eap_aka_3gpp2_functions_t {
+
+	/**
+	 * Destroy a eap_aka_3gpp2_functions_t.
+	 */
+	void (*destroy)(eap_aka_3gpp2_functions_t *this);
+};
+
+/**
+ * Create a eap_aka_3gpp2_functions instance.
+ */
+eap_aka_3gpp2_functions_t *eap_aka_3gpp2_functions_create();
+
+#endif /** EAP_AKA_3GPP2_FUNCTIONS_ @}*/

src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.c

@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_3gpp2_plugin.h"
+#include "eap_aka_3gpp2_card.h"
+#include "eap_aka_3gpp2_provider.h"
+#include "eap_aka_3gpp2_functions.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_aka_3gpp2_t private_eap_aka_3gpp2_t;
+
+/**
+ * Private data of an eap_aka_3gpp2_t object.
+ */
+struct private_eap_aka_3gpp2_t {
+
+	/**
+	 * Public eap_aka_3gpp2_plugin_t interface.
+	 */
+	eap_aka_3gpp2_plugin_t public;
+
+	/**
+	 * USIM card
+	 */
+	eap_aka_3gpp2_card_t *card;
+
+	/**
+	 * USIM provider
+	 */
+	eap_aka_3gpp2_provider_t *provider;
+
+	/**
+	 * AKA functions
+	 */
+	eap_aka_3gpp2_functions_t *functions;
+};
+
+/**
+ * Implementation of eap_aka_3gpp2_t.destroy.
+ */
+static void destroy(private_eap_aka_3gpp2_t *this)
+{
+	charon->usim->remove_card(charon->usim, &this->card->card);
+	charon->usim->remove_provider(charon->usim, &this->provider->provider);
+	this->card->destroy(this->card);
+	this->provider->destroy(this->provider);
+	this->functions->destroy(this->functions);
+	free(this);
+}
+
+/**
+ * See header
+ */
+plugin_t *plugin_create()
+{
+	private_eap_aka_3gpp2_t *this = malloc_thing(private_eap_aka_3gpp2_t);
+
+	this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+	this->functions = eap_aka_3gpp2_functions_create();
+	this->card = eap_aka_3gpp2_card_create(this->functions);
+	this->provider = eap_aka_3gpp2_provider_create(this->functions);
+
+	charon->usim->add_card(charon->usim, &this->card->card);
+	charon->usim->add_provider(charon->usim, &this->provider->provider);
+
+	return &this->public.plugin;
+}
+

src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_plugin.h

@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_3gpp2 eap_aka_3gpp2
+ * @ingroup cplugins
+ *
+ * @defgroup eap_aka_3gpp2_plugin eap_aka_3gpp2_plugin
+ * @{ @ingroup eap_aka_3gpp2
+ */
+
+#ifndef EAP_AKA_3GPP2_PLUGIN_H_
+#define EAP_AKA_3GPP2_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct eap_aka_3gpp2_plugin_t eap_aka_3gpp2_plugin_t;
+
+/**
+ * Plugin to provide a USIM card/provider using the 3GPP2 (S.S0055) standard.
+ *
+ * This plugin implements the standard of the 3GPP2 (S.S0055) and not the one
+ * of 3GGP, completely in software using the libgmp library..
+ * The shared key used for authentication is from ipsec.secrets. The
+ * peers ID is used to query it.
+ * The AKA mechanism uses sequence numbers to detect replay attacks. The
+ * peer stores the sequence number normally in a USIM and accepts
+ * incremental sequence numbers (incremental for lifetime of the USIM). To
+ * prevent a complex sequence number management, this implementation uses
+ * a sequence number derived from time. It is initialized to the startup
+ * time of the daemon.
+ * To enable time based SEQs, define SEQ_CHECK as 1. Default is to accept
+ * any SEQ numbers. This allows an attacker to do replay attacks. But since
+ * the server has proven his identity via IKE, such an attack is only
+ * possible between server and AAA (if any).
+ */
+struct eap_aka_3gpp2_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+/**
+ * Create a eap_aka_3gpp2_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** EAP_AKA_3GPP2_PLUGIN_H_ @}*/

src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c

@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_aka_3gpp2_provider.h"
+
+typedef struct private_eap_aka_3gpp2_provider_t private_eap_aka_3gpp2_provider_t;
+
+/**
+ * Private data of an eap_aka_3gpp2_provider_t object.
+ */
+struct private_eap_aka_3gpp2_provider_t {
+
+	/**
+	 * Public eap_aka_3gpp2_provider_t interface.
+	 */
+	eap_aka_3gpp2_provider_t public;
+
+	/**
+	 * AKA functions
+	 */
+	eap_aka_3gpp2_functions_t *f;
+};
+
+/**
+ * Implementation of usim_provider_t.get_quintuplet
+ */
+static bool get_quintuplet(private_eap_aka_3gpp2_provider_t *this,
+					identification_t *imsi, char rand[16], char xres[16],
+					char ck[16], char ik[16], char autn[16])
+{
+	return FALSE;
+}
+
+/**
+ * Implementation of usim_provider_t.resync
+ */
+static bool resync(private_eap_aka_3gpp2_provider_t *this,
+					identification_t *imsi, char rand[16], char auts[16])
+{
+	return FALSE;
+}
+
+/**
+ * Implementation of eap_aka_3gpp2_provider_t.destroy.
+ */
+static void destroy(private_eap_aka_3gpp2_provider_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+eap_aka_3gpp2_provider_t *eap_aka_3gpp2_provider_create(
+												eap_aka_3gpp2_functions_t *f)
+{
+	private_eap_aka_3gpp2_provider_t *this = malloc_thing(private_eap_aka_3gpp2_provider_t);
+
+	this->public.provider.get_quintuplet = (bool(*)(usim_provider_t*, identification_t *imsi, char rand[16], char xres[16], char ck[16], char ik[16], char autn[16]))get_quintuplet;
+	this->public.provider.resync = (bool(*)(usim_provider_t*, identification_t *imsi, char rand[16], char auts[16]))resync;
+	this->public.destroy = (void(*)(eap_aka_3gpp2_provider_t*))destroy;
+
+	this->f = f;
+
+	return &this->public;
+}
+

src/charon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.h

@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2008-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_aka_3gpp2_provider eap_aka_3gpp2_provider
+ * @{ @ingroup eap_aka_3gpp2
+ */
+
+#ifndef EAP_AKA_3GPP2_PROVIDER_H_
+#define EAP_AKA_3GPP2_PROVIDER_H_
+
+#include "eap_aka_3gpp2_functions.h"
+
+#include <sa/authenticators/eap/usim_manager.h>
+
+typedef struct eap_aka_3gpp2_provider_t eap_aka_3gpp2_provider_t;
+
+/**
+ * USIM provider implementation using a set of AKA functions.
+ */
+struct eap_aka_3gpp2_provider_t {
+
+	/**
+	 * Implements usim_provider_t interface.
+	 */
+	usim_provider_t provider;
+
+	/**
+	 * Destroy a eap_aka_3gpp2_provider_t.
+	 */
+	void (*destroy)(eap_aka_3gpp2_provider_t *this);
+};
+
+/**
+ * Create a eap_aka_3gpp2_provider instance.
+ */
+eap_aka_3gpp2_provider_t *eap_aka_3gpp2_provider_create(
+												eap_aka_3gpp2_functions_t *f);
+
+#endif /** EAP_AKA_3GPP2_PROVIDER_ @}*/