The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
state_machine.h
Go to the documentation of this file.
1 /*
2  * This program is is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or (at
5  * your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: 3a0e241a1ad2ebbeffbd682f8c8eca4f076585a7 $
19  * @file lib/eap_aka_sim/state_machine.h
20  * @brief Declarations for EAP-AKA
21  *
22  * @author Arran Cudbard-Bell (a.cudbardb@freeradius.org)
23  *
24  * @copyright 2016-2019 The FreeRADIUS server project
25  * @copyright 2016-2019 Network RADIUS SAS <legal.com>
26  */
27 RCSIDH(lib_eap_aka_sim_state_machine_h, "$Id: 3a0e241a1ad2ebbeffbd682f8c8eca4f076585a7 $")
28 
29 #include <freeradius-devel/eap_aka_sim/base.h>
30 
31 #ifdef __cplusplus
32 extern "C" {
33 #endif
34 
35 typedef struct eap_aka_sim_session_s eap_aka_sim_session_t;
36 
37 struct eap_aka_sim_session_s {
38  /*
39  * State machine management
40  */
41  module_method_t state; //!< The process function to run when we
42  ///< receive the next round of EAP-SIM/AKA/AKA'.
43 
44  module_method_t next; //!< Resumption function to call after
45  ///< executing common code.
46 
47  eap_type_t type; //!< Either FR_TYPE_AKA, or FR_TYPE_AKA_PRIME.
48 
49  bool challenge_success; //!< Whether we received the correct
50  ///< challenge response.
51  bool reauthentication_success; //!< Whether we got a valid reauthentication
52  ///< response.
53 
54  bool allow_encrypted; //!< Whether we can send encrypted
55  ///< attributes at this phase of the attempt.
56 
57  uint16_t failure_type; //!< One of the following values:
58  ///< - FR_NOTIFICATION_VALUE_GENERAL_FAILURE_AFTER_AUTHENTICATION
59  ///< - FR_NOTIFICATION_VALUE_TEMPORARILY_DENIED
60  ///< - FR_NOTIFICATION_VALUE_NOT_SUBSCRIBED
61  ///< - FR_NOTIFICATION_VALUE_GENERAL_FAILURE
62 
63  /*
64  * Identity management
65  */
66  char *pseudonym_sent; //!< Pseudonym value we sent.
67  char *fastauth_sent; //!< Fastauth value we sent.
68 
69  fr_aka_sim_id_req_type_t id_req; //!< The type of identity we're requesting
70  fr_aka_sim_id_req_type_t last_id_req; //!< The last identity request we sent.
71 
72  /*
73  * Per-session configuration
74  */
75 
76  bool send_result_ind; //!< Say that we would like to use protected
77  ///< result indications
78  ///< (AKA-Notification-Success).
79 
80  bool prev_recv_sync_failure; //!< We only allow one sync failure per
81  ///< session for sanity.
82 
83 
84  fr_aka_sim_keys_t keys; //!< Various EAP-AKA/AKA'/SIMkeys.
85 
86 
87  uint16_t kdf; //!< The key derivation function used to derive
88  ///< session keys.
89 
90  EVP_MD const *mac_md; //!< HMAC-MD we use to generate the MAC.
91  ///< EVP_sha1() for EAP-AKA, EVP_sha256()
92  ///< for EAP-AKA'.
93 };
94 
95 /** Cache sections to call on various protocol events
96  *
97  */
98 typedef struct {
99  union {
100  /** @name EAP-AKA specific sections
101  *
102  * @{
103  */
104  struct {
105  CONF_SECTION *send_aka_identity_request; //!< Called when we're about to request a
106  ///< different identity.
107  CONF_SECTION *recv_aka_identity_response; //!< Called when we receive a new identity.
108 
109  CONF_SECTION *recv_aka_authentication_reject;//!< Called if the supplicant rejects the
110  ///< authentication attempt.
111  CONF_SECTION *recv_aka_synchronization_failure;//!< Called if the supplicant determines
112  ///< the AUTN value is invalid.
113  ///< Usually used for resyncing with the HLR.
114 
115  CONF_SECTION *send_aka_challenge_request; //!< Called when we're about to send a
116  ///< a challenge.
117  CONF_SECTION *recv_aka_challenge_response; //!< Called when we receive a response
118  ///< to a previous challenge.
119  };
120  /** @} */
121 
122  /** @name EAP-SIM specific sections
123  *
124  * @{
125  */
126  struct {
127  CONF_SECTION *send_sim_challenge_request; //!< Called when we're about to send a
128  ///< a challenge.
129  CONF_SECTION *recv_sim_challenge_response; //!< Called when we receive a response
130  ///< to a previous challenge.
131 
132  CONF_SECTION *send_sim_start_request; //!< Called when we're about to request a
133  ///< different identity.
134  CONF_SECTION *recv_sim_start_response; //!< Called when we receive a new identity.
135  };
136  /** @} */
137  };
138 
139  /** @name Common protocol sections for all methods
140  *
141  * @{
142  */
143  CONF_SECTION *send_common_identity_request; //!< Called when we're about to request a
144  ///< different identity.
145  CONF_SECTION *recv_common_identity_response; //!< Called when we receive a new identity.
146 
147  CONF_SECTION *recv_common_client_error; //!< Called if the supplicant experiences
148  ///< an error of some kind.
149 
150  CONF_SECTION *send_common_reauthentication_request; //!< Challenge the supplicant with an MK
151  ///< from an existing session.
152 
153  CONF_SECTION *recv_common_reauthentication_response; //!< Process the reauthentication response
154  ///< from the supplicant.
155 
156  CONF_SECTION *recv_common_failure_notification_ack; //!< Called when the supplicant ACKs our
157  ///< failure notification.
158 
159  CONF_SECTION *send_common_failure_notification; //!< Called when we're about to send a
160  ///< failure notification.
161 
162  CONF_SECTION *recv_common_success_notification_ack; //!< Called when the supplicant ACKs our
163  ///< success notification.
164 
165  CONF_SECTION *send_common_success_notification; //!< Called when we're about to send a
166  ///< success notification.
167 
168 
169  CONF_SECTION *send_eap_success; //!< Called when we send an EAP-Success message.
170  CONF_SECTION *send_eap_failure; //!< Called when we send an EAP-Failure message.
171  /** @} */
172 
173  /** @name Internal sections for caching
174  *
175  * @{
176  */
177  CONF_SECTION *load_pseudonym; //!< Resolve a pseudonym to a permanent ID.
178  CONF_SECTION *store_pseudonym; //!< Store a permanent ID to pseudonym mapping.
179  CONF_SECTION *clear_pseudonym; //!< Clear pseudonym to permanent ID mapping.
180 
181  CONF_SECTION *load_session; //!< Load cached authentication vectors.
182  CONF_SECTION *store_session; //!< Store authentication vectors.
183  CONF_SECTION *clear_session; //!< Clear authentication vectors.
184  /** @} */
185 } eap_aka_sim_actions_t;
186 
187 typedef struct {
188  eap_type_t type; //!< The preferred EAP-Type of this instance
189  ///< of the EAP-SIM/AKA/AKA' state machine.
190 
191  char const *network_name; //!< Network ID as described by RFC 5448.
192  fr_aka_sim_id_req_type_t request_identity; //!< Whether we always request the identity of
193  ///< the subscriber.
194  size_t ephemeral_id_length; //!< The length of any identities we're
195  ///< generating.
196 
197  bool protected_success; //!< Send a success notification as well as
198  ///< and EAP-Success packet.
199 
200  bool strip_permanent_identity_hint; //!< Control whether the hint byte is stripped
201  ///< when populating Permanent-Identity.
202 
203  EVP_MD const *hmac_md; //!< The hmac used for validating packets.
204  ///< EVP_sha1() for EAP-AKA, EVP_sha256()
205  ///< for EAP-AKA'.
206 
207  eap_aka_sim_actions_t actions; //!< Pre-compiled virtual server sections.
208 } eap_aka_sim_process_conf_t;
209 
210 unlang_action_t eap_aka_sim_state_machine_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request);
211 
212 #ifdef __cplusplus
213 }
214 #endif
215 
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition: action.h:35
RCSIDH
#define RCSIDH(h, id)
Definition: build.h:445
cf_section
A section grouping multiple CONF_PAIR.
Definition: cf_priv.h:89
eap_type_t
enum eap_type eap_type_t
fr_aka_sim_keys_t
Master key state struct for all SIMlike EAP protocols.
Definition: base.h:148
fr_aka_sim_id_req_type_t
fr_aka_sim_id_req_type_t
Identity request types.
Definition: id.h:77
uint16_t
unsigned short uint16_t
Definition: merged_model.c:31
request_t
Definition: merged_model.c:210
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition: module_ctx.h:41
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition: rcode.h:40
module_method_t
unlang_action_t(* module_method_t)(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Module section callback.
Definition: module.h:69
eap_aka_sim_actions_t::recv_common_identity_response
CONF_SECTION * recv_common_identity_response
Called when we receive a new identity.
Definition: state_machine.h:145
eap_aka_sim_process_conf_t::protected_success
bool protected_success
Send a success notification as well as and EAP-Success packet.
Definition: state_machine.h:197
eap_aka_sim_session_s::mac_md
EVP_MD const * mac_md
HMAC-MD we use to generate the MAC.
Definition: state_machine.h:90
eap_aka_sim_actions_t::recv_common_client_error
CONF_SECTION * recv_common_client_error
Called if the supplicant experiences an error of some kind.
Definition: state_machine.h:147
eap_aka_sim_process_conf_t::hmac_md
EVP_MD const * hmac_md
The hmac used for validating packets.
Definition: state_machine.h:203
eap_aka_sim_process_conf_t::actions
eap_aka_sim_actions_t actions
Pre-compiled virtual server sections.
Definition: state_machine.h:207
eap_aka_sim_session_s::id_req
fr_aka_sim_id_req_type_t id_req
The type of identity we're requesting.
Definition: state_machine.h:69
eap_aka_sim_actions_t::load_session
CONF_SECTION * load_session
Load cached authentication vectors.
Definition: state_machine.h:181
eap_aka_sim_actions_t::clear_session
CONF_SECTION * clear_session
Clear authentication vectors.
Definition: state_machine.h:183
eap_aka_sim_session_s::challenge_success
bool challenge_success
Whether we received the correct challenge response.
Definition: state_machine.h:49
eap_aka_sim_actions_t::clear_pseudonym
CONF_SECTION * clear_pseudonym
Clear pseudonym to permanent ID mapping.
Definition: state_machine.h:179
eap_aka_sim_process_conf_t::ephemeral_id_length
size_t ephemeral_id_length
The length of any identities we're generating.
Definition: state_machine.h:194
eap_aka_sim_process_conf_t::type
eap_type_t type
The preferred EAP-Type of this instance of the EAP-SIM/AKA/AKA' state machine.
Definition: state_machine.h:188
eap_aka_sim_session_s::keys
fr_aka_sim_keys_t keys
Various EAP-AKA/AKA'/SIMkeys.
Definition: state_machine.h:84
eap_aka_sim_session_s::last_id_req
fr_aka_sim_id_req_type_t last_id_req
The last identity request we sent.
Definition: state_machine.h:70
eap_aka_sim_actions_t::send_common_failure_notification
CONF_SECTION * send_common_failure_notification
Called when we're about to send a failure notification.
Definition: state_machine.h:159
eap_aka_sim_session_s::state
module_method_t state
The process function to run when we receive the next round of EAP-SIM/AKA/AKA'.
Definition: state_machine.h:41
eap_aka_sim_actions_t::send_eap_failure
CONF_SECTION * send_eap_failure
Called when we send an EAP-Failure message.
Definition: state_machine.h:170
eap_aka_sim_actions_t::store_pseudonym
CONF_SECTION * store_pseudonym
Store a permanent ID to pseudonym mapping.
Definition: state_machine.h:178
eap_aka_sim_session_s::next
module_method_t next
Resumption function to call after executing common code.
Definition: state_machine.h:44
eap_aka_sim_actions_t::recv_common_failure_notification_ack
CONF_SECTION * recv_common_failure_notification_ack
Called when the supplicant ACKs our failure notification.
Definition: state_machine.h:156
eap_aka_sim_session_s::failure_type
uint16_t failure_type
One of the following values:
Definition: state_machine.h:57
eap_aka_sim_process_conf_t::network_name
char const * network_name
Network ID as described by RFC 5448.
Definition: state_machine.h:191
eap_aka_sim_actions_t::send_common_reauthentication_request
CONF_SECTION * send_common_reauthentication_request
Challenge the supplicant with an MK from an existing session.
Definition: state_machine.h:150
eap_aka_sim_session_s::allow_encrypted
bool allow_encrypted
Whether we can send encrypted attributes at this phase of the attempt.
Definition: state_machine.h:54
eap_aka_sim_session_s::send_result_ind
bool send_result_ind
Say that we would like to use protected result indications (AKA-Notification-Success).
Definition: state_machine.h:76
eap_aka_sim_session_s::pseudonym_sent
char * pseudonym_sent
Pseudonym value we sent.
Definition: state_machine.h:66
eap_aka_sim_actions_t::recv_common_reauthentication_response
CONF_SECTION * recv_common_reauthentication_response
Process the reauthentication response from the supplicant.
Definition: state_machine.h:153
eap_aka_sim_actions_t::recv_common_success_notification_ack
CONF_SECTION * recv_common_success_notification_ack
Called when the supplicant ACKs our success notification.
Definition: state_machine.h:162
eap_aka_sim_process_conf_t::strip_permanent_identity_hint
bool strip_permanent_identity_hint
Control whether the hint byte is stripped when populating Permanent-Identity.
Definition: state_machine.h:200
eap_aka_sim_actions_t::store_session
CONF_SECTION * store_session
Store authentication vectors.
Definition: state_machine.h:182
eap_aka_sim_session_s::reauthentication_success
bool reauthentication_success
Whether we got a valid reauthentication response.
Definition: state_machine.h:51
eap_aka_sim_session_s::fastauth_sent
char * fastauth_sent
Fastauth value we sent.
Definition: state_machine.h:67
eap_aka_sim_session_s::prev_recv_sync_failure
bool prev_recv_sync_failure
We only allow one sync failure per session for sanity.
Definition: state_machine.h:80
eap_aka_sim_session_s::type
eap_type_t type
Either FR_TYPE_AKA, or FR_TYPE_AKA_PRIME.
Definition: state_machine.h:47
eap_aka_sim_actions_t::send_eap_success
CONF_SECTION * send_eap_success
Called when we send an EAP-Success message.
Definition: state_machine.h:169
eap_aka_sim_actions_t::send_common_success_notification
CONF_SECTION * send_common_success_notification
Called when we're about to send a success notification.
Definition: state_machine.h:165
eap_aka_sim_state_machine_process
unlang_action_t eap_aka_sim_state_machine_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Resumes the state machine when receiving a new response packet.
Definition: state_machine.c:3690
eap_aka_sim_session_s::kdf
uint16_t kdf
The key derivation function used to derive session keys.
Definition: state_machine.h:87
eap_aka_sim_process_conf_t::request_identity
fr_aka_sim_id_req_type_t request_identity
Whether we always request the identity of the subscriber.
Definition: state_machine.h:192
eap_aka_sim_actions_t::load_pseudonym
CONF_SECTION * load_pseudonym
Resolve a pseudonym to a permanent ID.
Definition: state_machine.h:177
eap_aka_sim_actions_t::send_common_identity_request
CONF_SECTION * send_common_identity_request
Called when we're about to request a different identity.
Definition: state_machine.h:143
eap_aka_sim_actions_t
Cache sections to call on various protocol events.
Definition: state_machine.h:98
eap_aka_sim_process_conf_t
Definition: state_machine.h:187
eap_aka_sim_session_s
Definition: state_machine.h:37
Generated by   doxygen 1.9.1