Implement a common state machine for EAP-SIM, EAP-AKA, EAP-AKA'. More...

#include <freeradius-devel/eap/base.h>
#include <freeradius-devel/eap/types.h>
#include <freeradius-devel/server/pair.h>
#include <freeradius-devel/unlang/interpret.h>
#include <freeradius-devel/unlang/module.h>
#include <freeradius-devel/util/table.h>
#include <freeradius-devel/util/rand.h>
#include "base.h"
#include "state_machine.h"
#include "attrs.h"

Include dependency graph for state_machine.c:

Go to the source code of this file.

Macros
#define	CALL_SECTION(_x)

#define	EAP_TLS_MPPE_KEY_LEN 32

#define	RESUME(_x)

#define	RESUME_NO_RESULT(_x)

#define	SECTION_RCODE_IGNORED
	Warn the user that the rcode they provided is being ignored in this section.

#define	SECTION_RCODE_PROCESS
	Trigger a state transition to FAILURE-NOTIFICATION if the section returned a failure code.

#define	STATE(_x)

#define	STATE_GUARD(_x)

#define	STATE_GUARD_NO_RESULT(_x)

#define	STATE_NO_RESULT(_x)

#define	STATE_SET(_new_state) state_set(request, talloc_get_type_abort(mctx->rctx, eap_aka_sim_session_t), state_ ## _new_state)

#define	STATE_TRANSITION(_x) guard_ ## _x(p_result, mctx, request)

Functions
static int	_eap_aka_sim_session_free (eap_aka_sim_session_t *eap_aka_sim_session)
	Zero out the eap_aka_sim_session when we free it to clear knowledge of secret keys.

static bool	after_authentication (eap_aka_sim_session_t *eap_aka_sim_session)
	Determine if we're after authentication.

static unlang_action_t	aka_challenge_request_send (unlang_result_t p_result, module_ctx_t const mctx, request_t *request)
	Called after 'store session { ... }' and 'store pseudonym { ... }'.

return	CALL_SECTION (recv_common_identity_response)

static int	checkcode_validate (request_t *request)
	Check &control.checkcode matches &reply.checkcode.

static void	client_error_debug (request_t *request)
	Print out the error the client returned.

static void	common_crypto_export (request_t request, eap_aka_sim_session_t eap_aka_sim_session, uint8_t const hmac_extra_request, size_t hmac_extra_request_len, uint8_t const hmac_extra_response, size_t hmac_extra_response_len)

static unlang_action_t	common_reauthentication_request_compose (unlang_result_t p_result, module_ctx_t const mctx, request_t request, eap_aka_sim_session_t eap_aka_sim_session)
	Send a EAP-Request/(AKA\|SIM)-Reauthenticate message to the supplicant.

static unlang_action_t	common_reauthentication_request_send (unlang_result_t p_result, module_ctx_t const mctx, request_t *request)
	Called after 'store session { ... }' and 'store pseudonym { ... }'.

static void	common_reply (request_t request, eap_aka_sim_session_t eap_aka_sim_session, uint16_t subtype)
	Export EAP-SIM/AKA['] attributes.

	crypto_identity_set (request, eap_aka_sim_session,(uint8_t const *) eap_session->identity, talloc_array_length(eap_session->identity) - 1)

static void	crypto_identity_set (request_t request, eap_aka_sim_session_t eap_aka_sim_session, uint8_t const *identity, size_t len)
	Set the crypto identity from a received identity.

unlang_action_t	eap_aka_sim_state_machine_process (unlang_result_t p_result, module_ctx_t const mctx, request_t *request)
	Resumes the state machine when receiving a new response packet.

	fr_assert (0)

	fr_pair_value_bstrdup_buffer (vp, eap_session->identity, true)

static void	identity_hint_pairs_add (fr_aka_sim_id_type_t type_p, fr_aka_sim_method_hint_t method_p, request_t request, char const identity)
	Based on the hint byte in the identity, add &Identity-Type and &Method-Hint attributes.

static int	identity_req_pairs_add (request_t request, eap_aka_sim_session_t eap_aka_sim_session)
	Add an Identity Request attribute to the reply.

static bool	identity_req_set_by_user (request_t request, eap_aka_sim_session_t eap_aka_sim_session)
	Sync up what identity we're requesting with attributes in the reply.

static int	identity_to_permanent_identity (request_t request, fr_pair_t in, eap_type_t eap_type, bool strip_hint)
	Copy the incoming identity to the permanent identity attribute.

	if (!eap_session->identity)

	if (!fr_cond_assert(request &&mctx &&eap_aka_sim_session)) RETURN_UNLANG_FAIL

	if (!subtype_vp) goto fail

	if (type==AKA_SIM_ID_TYPE_PERMANENT)

static int	mac_validate (request_t *request)
	Check &control.mac matches &reply.mac.

	MEM (pair_append_request(&vp, attr_eap_aka_sim_identity) >=0)

static void	mod_signal (module_ctx_t const mctx, request_t request, UNUSED fr_signal_t action)
	Cancel a call to a submodule.

	RESUME (clear_pseudonym)
	Resume after 'clear pseudonym { ... }'.

	RESUME (clear_session)
	Resume after 'clear session { ... }'.

	RESUME (load_pseudonym)
	Resume after 'load pseudonym { ... }'.

	RESUME (load_session)
	Resume after 'load session { ... }'.

	RESUME (recv_aka_authentication_reject)
	Resume after 'recv Authentication-Reject { ... }'.

	RESUME (recv_aka_challenge_response)
	Resume after 'recv Challenge-Response { ... }'.

	RESUME (recv_aka_identity_response)
	Resume after 'recv Identity-Response { ... }' or 'recv AKA-Identity { ... }'.

	RESUME (recv_aka_synchronization_failure)
	Resume after 'recv Synchronization-Failure { ... }'.

	RESUME (recv_common_client_error)
	Resume after 'recv Client-Error { ... }'.

	RESUME (recv_common_failure_notification_ack)
	Resume after 'recv Failure-Notification-Ack { ... }'.

	RESUME (recv_common_identity_response)
	Resume after 'recv Identity-Response { ... }'.

	RESUME (recv_common_reauthentication_response)
	Resume after 'recv Reauthentication-Response { ... }'.

	RESUME (recv_common_success_notification_ack)
	Resume after 'recv Success-Notification-Ack { ... }'.

	RESUME (recv_sim_challenge_response)
	Resume after 'recv Challenge-Response { ... }'.

	RESUME (recv_sim_start_response)
	Resume after 'recv Identity-Response { ... }' or 'recv SIM-Start { ... }'.

	RESUME (send_aka_challenge_request)
	Resume after 'send Challenge-Request { ... }'.

	RESUME (send_aka_identity_request)
	Resume after 'send Identity-Request { ... }'.

	RESUME (send_common_failure_notification)
	Resume after 'send Failure-Notification { ... }'.

	RESUME (send_common_reauthentication_request)
	Resume after 'send Reauthentication-Request { ... }'.

	RESUME (send_common_success_notification)
	Resume after 'send Success-Notification { ... }'.

	RESUME (send_eap_failure)
	Resume after 'send EAP-Failure { ... }'.

	RESUME (send_eap_success)
	Resume after 'send EAP-Success { ... }'.

	RESUME (send_sim_challenge_request)
	Resume after 'send Challenge-Request { ... }'.

	RESUME (send_sim_start)
	Resume after 'send Start { ... }'.

	RESUME (store_pseudonym)
	Resume after 'store pseudonym { ... }'.

	RESUME (store_session)
	Resume after 'store session { ... }'.

static unlang_action_t	session_and_pseudonym_clear (unlang_result_t p_result, module_ctx_t const mctx, request_t request, eap_aka_sim_session_t eap_aka_sim_session, module_method_t next)
	Implements a set of states for clearing out pseudonym and fastauth identities.

static unlang_action_t	session_and_pseudonym_store (unlang_result_t p_result, module_ctx_t const mctx, request_t request, eap_aka_sim_session_t eap_aka_sim_session, module_method_t next)
	Implements a set of states for storing pseudonym and fastauth identities.

static unlang_action_t	sim_challenge_request_send (unlang_result_t p_result, module_ctx_t const mctx, request_t *request)
	Called after 'store session { ... }' and 'store pseudonym { ... }'.

static int	sim_start_nonce_mt_check (request_t request, eap_aka_sim_session_t eap_aka_sim_session)
	Helper function to check for the presence and length of AT_NONCE_MT and copy its value into the keys structure.

static int	sim_start_selected_version_check (request_t request, eap_aka_sim_session_t eap_aka_sim_session)
	Helper function to check for the presence and length of AT_SELECTED_VERSION and copy its value into the keys structure.

	STATE_GUARD (aka_challenge)
	Enter the AKA-CHALLENGE state.

	STATE_GUARD (aka_identity)

	STATE_GUARD (common_challenge)
	Enter the SIM-CHALLENGE or AKA-CHALLENGE state.

	STATE_GUARD (common_failure_notification)
	Enter the FAILURE-NOTIFICATION state.

	STATE_GUARD (common_identity)
	Enter the SIM-START or AKA-IDENTITY state.

	STATE_GUARD (common_reauthentication)

	STATE_GUARD (common_success_notification)

	STATE_GUARD (eap_failure)
	Enter EAP-FAILURE state.

	STATE_GUARD (eap_success)

	STATE_GUARD (sim_challenge)
	Enter the SIM-CHALLENGE state.

	STATE_GUARD (sim_start)

	STATE_GUARD_NO_RESULT (aka_identity)
	Enter the AKA-IDENTITY state.

	STATE_GUARD_NO_RESULT (common_reauthentication)
	Enter the REAUTHENTICATION state.

	STATE_GUARD_NO_RESULT (common_success_notification)
	Enter the SUCCESS-NOTIFICATION state.

	STATE_GUARD_NO_RESULT (eap_success)
	Enter EAP-SUCCESS state.

	STATE_GUARD_NO_RESULT (sim_start)
	Enter the SIM-START state.

	STATE_NO_RESULT (common_success_notification)
	SUCCESS-NOTIFICATION state - Continue the state machine after receiving a response to our EAP-Request/(AKA\|SIM)-Notification.

static void	state_set (request_t request, eap_aka_sim_session_t eap_aka_sim_session, module_method_t new_state)
	Print debugging information, and write new state to eap_aka_sim_session->state.

	switch (subtype_vp->vp_uint16)

Variables
	aka_challenge
	AKA-CHALLENGE state - Continue the state machine after receiving a response to our EAP-Request/SIM-Challenge.

	aka_identity
	AKA-IDENTITY state - Continue the state machine after receiving a response to our EAP-Request/AKA-Identity.

static fr_table_ptr_ordered_t const	aka_sim_state_table []

static size_t	aka_sim_state_table_len = NUM_ELEMENTS(aka_sim_state_table)

	common_failure_notification
	FAILURE-NOTIFICATION state - Continue the state machine after receiving a response to our EAP-Request/(AKA\|SIM)-Notification.

	common_reauthentication
	REAUTHENTICATION state - Continue the state machine after receiving a response to our EAP-Request/SIM-Start.

	common_success_notification

eap_aka_sim_session_t *	eap_aka_sim_session = talloc_get_type_abort(mctx->rctx, eap_aka_sim_session_t)

	eap_failure
	FAILURE state - State machine exit point after sending EAP-Failure.

	eap_success
	SUCCESS state - State machine exit point after sending EAP-Success.

	init
	Enter the EAP-IDENTITY state.

eap_aka_sim_process_conf_t *	inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t)

	RETURN_UNLANG_FAIL

	sim_challenge
	SIM-CHALLENGE state - Continue the state machine after receiving a response to our EAP-Request/SIM-Challenge.

	sim_start
	SIM-START state - Continue the state machine after receiving a response to our EAP-Request/SIM-Start.

fr_pair_t *	subtype_vp = NULL

fr_aka_sim_id_type_t	type

fr_pair_t *	vp

Detailed Description

Implement a common state machine for EAP-SIM, EAP-AKA, EAP-AKA'.

Author: Arran Cudbard-Bell (a.cud.nosp@m.bard.nosp@m.b@fre.nosp@m.erad.nosp@m.ius.o.nosp@m.rg)

Copyright: 2021 Arran Cudbard-Bell (a.cud.nosp@m.bard.nosp@m.b@fre.nosp@m.erad.nosp@m.ius.o.nosp@m.rg); 2019 The FreeRADIUS server project; 2019 Network RADIUS (legal.nosp@m.@net.nosp@m.workr.nosp@m.adiu.nosp@m.s.com)

Definition in file state_machine.c.

Macro Definition Documentation

◆ CALL_SECTION

#define CALL_SECTION ( _x )

Value:

                                                               unlang_module_yield_to_section(&eap_aka_sim_session->result, \
                                                               request, \
                                                               inst->actions._x, \
                                                               RLM_MODULE_NOOP, \
                                                               resume_ ## _x, \
                                                               mod_signal, \
                                                               ~FR_SIGNAL_CANCEL, \
                                                               talloc_get_type_abort(mctx->rctx, eap_aka_sim_session_t))

Definition at line 74 of file state_machine.c.

◆ EAP_TLS_MPPE_KEY_LEN

#define EAP_TLS_MPPE_KEY_LEN 32

Definition at line 41 of file state_machine.c.

◆ RESUME

#define RESUME ( _x )

Value:

                                                               static inline unlang_action_t resume_ ## _x(unlang_result_t *p_result, \
                                                               module_ctx_t const *mctx, \
                                                               request_t *request)

Definition at line 52 of file state_machine.c.

◆ RESUME_NO_RESULT

#define RESUME_NO_RESULT ( _x )

Value:

        static inline unlang_action_t resume_ ## _x(UNUSED unlang_result_t *p_result, \
                                                    module_ctx_t const *mctx, \
                                                    request_t *request)

Definition at line 66 of file state_machine.c.

◆ SECTION_RCODE_IGNORED

#define SECTION_RCODE_IGNORED

Value:

do { \
        switch (eap_aka_sim_session->result.rcode) { \
        case RLM_MODULE_USER_SECTION_REJECT: \
                RWDEBUG("Ignoring rcode (%s)", \
                        fr_table_str_by_value(rcode_table, eap_aka_sim_session->result.rcode, "<invalid>")); \
                break; \
        default: \
                break; \
        } \
} while(0)

Warn the user that the rcode they provided is being ignored in this section.

Definition at line 151 of file state_machine.c.

◆ SECTION_RCODE_PROCESS

#define SECTION_RCODE_PROCESS

Value:

do { \
        if (after_authentication(eap_aka_sim_session)) { \
                switch (eap_aka_sim_session->result.rcode) { \
                case RLM_MODULE_REJECT:  \
                case RLM_MODULE_DISALLOW: \
                        eap_aka_sim_session->failure_type = FR_NOTIFICATION_VALUE_TEMPORARILY_DENIED; \
                        return STATE_TRANSITION(common_failure_notification); \
                case RLM_MODULE_NOTFOUND: \
                        eap_aka_sim_session->failure_type = FR_NOTIFICATION_VALUE_NOT_SUBSCRIBED; \
                        return STATE_TRANSITION(common_failure_notification); \
                case RLM_MODULE_INVALID: \
                case RLM_MODULE_FAIL: \
                        eap_aka_sim_session->failure_type = FR_NOTIFICATION_VALUE_GENERAL_FAILURE_AFTER_AUTHENTICATION;\
                        return STATE_TRANSITION(common_failure_notification); \
                default: \
                        break; \
                } \
        } else { \
                switch (eap_aka_sim_session->result.rcode) { \
                case RLM_MODULE_USER_SECTION_REJECT: \
                        REDEBUG("Section rcode (%s) indicates we should reject the user", \
                                fr_table_str_by_value(rcode_table, eap_aka_sim_session->result.rcode, "<INVALID>")); \
                        return STATE_TRANSITION(common_failure_notification); \
                default: \
                        break; \
                } \
        } \
} while(0)

Trigger a state transition to FAILURE-NOTIFICATION if the section returned a failure code.

Definition at line 166 of file state_machine.c.

◆ STATE

#define STATE ( _x )

Value:

                                                             static inline unlang_action_t state_ ## _x(unlang_result_t *p_result, \
                                                             module_ctx_t const *mctx, \
                                                             request_t *request)

Definition at line 44 of file state_machine.c.

◆ STATE_GUARD

#define STATE_GUARD ( _x )

Value:

                                                            static unlang_action_t guard_ ## _x(unlang_result_t *p_result, \
                                                            module_ctx_t const *mctx, \
                                                            request_t *request)

Definition at line 48 of file state_machine.c.

◆ STATE_GUARD_NO_RESULT

#define STATE_GUARD_NO_RESULT ( _x )

Value:

        static unlang_action_t guard_ ## _x(UNUSED unlang_result_t *p_result, \
                                            module_ctx_t const *mctx, \
                                            request_t *request)

Definition at line 61 of file state_machine.c.

◆ STATE_NO_RESULT

#define STATE_NO_RESULT ( _x )

Value:

        static inline unlang_action_t state_ ## _x(UNUSED unlang_result_t *p_result, \
                                                   module_ctx_t const *mctx, \
                                                   request_t *request)

Definition at line 56 of file state_machine.c.

◆ STATE_SET

#define STATE_SET ( _new_state ) state_set(request, talloc_get_type_abort(mctx->rctx, eap_aka_sim_session_t), state_ ## _new_state)

Definition at line 216 of file state_machine.c.

◆ STATE_TRANSITION

#define STATE_TRANSITION ( _x ) guard_ ## _x(p_result, mctx, request)

Definition at line 72 of file state_machine.c.

Function Documentation

◆ _eap_aka_sim_session_free()

static int _eap_aka_sim_session_free ( eap_aka_sim_session_t * eap_aka_sim_session )

static

Zero out the eap_aka_sim_session when we free it to clear knowledge of secret keys.

Parameters

[in] eap_aka_sim_session to free.

Returns: 0

Definition at line 3699 of file state_machine.c.

Here is the caller graph for this function:

◆ after_authentication()

static bool after_authentication ( eap_aka_sim_session_t * eap_aka_sim_session )

inlinestatic

Determine if we're after authentication.

Definition at line 221 of file state_machine.c.

Here is the caller graph for this function:

◆ aka_challenge_request_send()

static unlang_action_t aka_challenge_request_send	(	unlang_result_t *	p_result,
		module_ctx_t const *	mctx,
		request_t *	request
	)

static

Called after 'store session { ... }' and 'store pseudonym { ... }'.

Definition at line 1070 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ CALL_SECTION()

return CALL_SECTION ( recv_common_identity_response )

◆ checkcode_validate()

static int checkcode_validate ( request_t * request )

static

Check &control.checkcode matches &reply.checkcode.

Parameters

[in] request The current request.

Returns

1 if the check was skipped.
0 if the check was successful.
-1 if the check failed.

Definition at line 546 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ client_error_debug()

static void client_error_debug ( request_t * request )

inlinestatic

Print out the error the client returned.

Definition at line 229 of file state_machine.c.

Here is the call graph for this function:

◆ common_crypto_export()

static void common_crypto_export	(	request_t *	request,
		eap_aka_sim_session_t *	eap_aka_sim_session,
		uint8_t const *	hmac_extra_request,
		size_t	hmac_extra_request_len,
		uint8_t const *	hmac_extra_response,
		size_t	hmac_extra_response_len
	)

static

Definition at line 989 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ common_reauthentication_request_compose()

static unlang_action_t common_reauthentication_request_compose	(	unlang_result_t *	p_result,
		module_ctx_t const *	mctx,
		request_t *	request,
		eap_aka_sim_session_t *	eap_aka_sim_session
	)

static

Send a EAP-Request/(AKA|SIM)-Reauthenticate message to the supplicant.

Definition at line 1803 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ common_reauthentication_request_send()

static unlang_action_t common_reauthentication_request_send	(	unlang_result_t *	p_result,
		module_ctx_t const *	mctx,
		request_t *	request
	)

static

Called after 'store session { ... }' and 'store pseudonym { ... }'.

Definition at line 1026 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ common_reply()

static void common_reply	(	request_t *	request,
		eap_aka_sim_session_t *	eap_aka_sim_session,
		uint16_t	subtype
	)

static

Export EAP-SIM/AKA['] attributes.

Makes any internal data available as attributes in the response. This allows test frameworks and the encoder to access any data they need without needing to look at the eap_aka_session_t.

Definition at line 967 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ crypto_identity_set() [1/2]

crypto_identity_set	(	request	,
		eap_aka_sim_session	,
		(uint8_t const *) eap_session->	identity,
		talloc_array_length(eap_session->identity) -	1
	)

◆ crypto_identity_set() [2/2]

static void crypto_identity_set	(	request_t *	request,
		eap_aka_sim_session_t *	eap_aka_sim_session,
		uint8_t const *	identity,
		size_t	len
	)

static

Set the crypto identity from a received identity.

Definition at line 633 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ eap_aka_sim_state_machine_process()

unlang_action_t eap_aka_sim_state_machine_process	(	unlang_result_t *	p_result,
		module_ctx_t const *	mctx,
		request_t *	request
	)

Resumes the state machine when receiving a new response packet.

Definition at line 3708 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ fr_assert()

fr_assert ( 0 )

◆ fr_pair_value_bstrdup_buffer()

fr_pair_value_bstrdup_buffer	(	vp	,
		eap_session->	identity,
		true
	)

Here is the caller graph for this function:

◆ identity_hint_pairs_add()

static void identity_hint_pairs_add	(	fr_aka_sim_id_type_t *	type_p,
		fr_aka_sim_method_hint_t *	method_p,
		request_t *	request,
		char const *	identity
	)

static

Based on the hint byte in the identity, add &Identity-Type and &Method-Hint attributes.

Definition at line 279 of file state_machine.c.

Here is the call graph for this function:

◆ identity_req_pairs_add()

static int identity_req_pairs_add	(	request_t *	request,
		eap_aka_sim_session_t *	eap_aka_sim_session
	)

static

Add an Identity Request attribute to the reply.

Verify the progression of identity requests is valid.

Parameters

[in]	request	The current request.
[in]	eap_aka_sim_session	The current eap_aka_sim_session.

Returns

0 on success.
-1 on failure (progression of identities was not valid).

Definition at line 361 of file state_machine.c.

Here is the caller graph for this function:

◆ identity_req_set_by_user()

static bool identity_req_set_by_user	(	request_t *	request,
		eap_aka_sim_session_t *	eap_aka_sim_session
	)

static

Sync up what identity we're requesting with attributes in the reply.

Definition at line 244 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ identity_to_permanent_identity()

static int identity_to_permanent_identity	(	request_t *	request,
		fr_pair_t *	in,
		eap_type_t	eap_type,
		bool	strip_hint
	)

static

Copy the incoming identity to the permanent identity attribute.

If the incoming ID really looks like a permanent ID, and we were told it was a permanent ID, then (optionally) trim the first byte to form the real permanent ID.

Otherwise copy the entire incoming Identity to the &session-state.Permanent-Identity attribute.

Parameters

[in]	request	The current request.
[in]	in	current identity.
[in]	eap_type	The current eap_type.
[in]	strip_hint	Whether to strip the hint byte off the permanent identity

Definition at line 456 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ if() [1/4]

if ( !eap_session-> identity )

Definition at line 3661 of file state_machine.c.

◆ if() [2/4]

if ( ! fr_cond_assertrequest &&mctx &&eap_aka_sim_session )

◆ if() [3/4]

if ( ! subtype_vp )

Definition at line 1758 of file state_machine.c.

◆ if() [4/4]

if ( type = = AKA_SIM_ID_TYPE_PERMANENT )

Definition at line 3678 of file state_machine.c.

Here is the call graph for this function:

◆ mac_validate()

static int mac_validate ( request_t * request )

static

Check &control.mac matches &reply.mac.

Parameters

[in] request The current request.

Returns

0 if the check was successful.
-1 if the check failed.

Definition at line 591 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ MEM()

MEM ( pair_append_request &, attr_eap_aka_sim_identity >= 0 )

◆ mod_signal()

static void mod_signal	(	module_ctx_t const *	mctx,
		request_t *	request,
		UNUSED fr_signal_t	action
	)

static

Cancel a call to a submodule.

Parameters

[in]	mctx	UNUSED.
[in]	request	The current request.
[in]	action	to perform.

Definition at line 135 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ RESUME() [1/26]

RESUME ( clear_pseudonym )

Resume after 'clear pseudonym { ... }'.

Definition at line 893 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [2/26]

RESUME ( clear_session )

Resume after 'clear session { ... }'.

Definition at line 881 of file state_machine.c.

◆ RESUME() [3/26]

RESUME ( load_pseudonym )

Resume after 'load pseudonym { ... }'.

Definition at line 1990 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [4/26]

RESUME ( load_session )

Resume after 'load session { ... }'.

Definition at line 2052 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [5/26]

RESUME ( recv_aka_authentication_reject )

Resume after 'recv Authentication-Reject { ... }'.

Enter the FAILURE-NOTIFICATION state.

Definition at line 2193 of file state_machine.c.

◆ RESUME() [6/26]

RESUME ( recv_aka_challenge_response )

Resume after 'recv Challenge-Response { ... }'.

If the previous section returned a failure rcode, enter the FAILURE-NOTIFICATION state.
...or call a function to process the contents of the AKA-Challenge message.

Verify that MAC, and RES match what we expect.

Definition at line 2212 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [7/26]

RESUME ( recv_aka_identity_response )

Resume after 'recv Identity-Response { ... }' or 'recv AKA-Identity { ... }'.

If the previous section returned a failure rcode, enter the FAILURE-NOTIFICATION state.
...or call a function to process the contents of the AKA-Identity message, mainly the AT_IDENTITY value.
If the message does not contain AT_IDENTITY, then enter the FAILURE-NOTIFICATION state.
If the user requested another identity, re-enter the AKA-Identity state.
...or continue based on the value of &Identity-Type which was added by aka_identity, and possibly modified by the user.
- Fastauth - Enter the REAUTHENTICATION state.
- Pseudonym - Call 'load pseudonym { ... }'
- Permanent - Enter the CHALLENGE state.

Definition at line 2827 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [8/26]

RESUME ( recv_aka_synchronization_failure )

Resume after 'recv Synchronization-Failure { ... }'.

If 'recv Synchronization-Failure { ... }' returned a failure rcode, enter the FAILURE-NOTIFICATION state.
...or if no 'recv Synchronization-Failure { ... }' section was defined, then enter the FAILURE-NOTIFICATION state.
...or if the user didn't provide a new SQN value in &control.SQN then enter the FAILURE-NOTIFICATION state.
...or enter the AKA-CHALLENGE state.

Definition at line 2147 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [9/26]

RESUME ( recv_common_client_error )

Resume after 'recv Client-Error { ... }'.

Enter the EAP-FAILURE state.

Definition at line 1669 of file state_machine.c.

◆ RESUME() [10/26]

RESUME ( recv_common_failure_notification_ack )

Resume after 'recv Failure-Notification-Ack { ... }'.

Enter the EAP-FAILURE state.

Definition at line 1283 of file state_machine.c.

◆ RESUME() [11/26]

RESUME ( recv_common_identity_response )

Resume after 'recv Identity-Response { ... }'.

Perform the majority of eap_aka_sim_session_t initialisation.
If 'recv Identity-Response { ... }' returned a failure rcode, enter the FAILURE-NOTIFICATION state.
...or continue based on the identity hint byte in the AT_IDENTITY value or EAP-Identity-Response value:
- If identity is a pseudonym, call load pseudonym { ... }.
- If identity is a fastauth identity, enter the REAUTHENTICATE state.
- If identity is a permanent identity, enter the CHALLENGE state.

Definition at line 3481 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [12/26]

RESUME ( recv_common_reauthentication_response )

Resume after 'recv Reauthentication-Response { ... }'.

If 'recv Reauthentication-Response { ... }' returned a failure rcode, enter the FAILURE-NOTIFICATION state.
...or call the EAP-Request/Reauthentication-Response function to act on the contents of the response.

Definition at line 1685 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [13/26]

RESUME ( recv_common_success_notification_ack )

Resume after 'recv Success-Notification-Ack { ... }'.

Enter the EAP-SUCCESS state.

Definition at line 1558 of file state_machine.c.

◆ RESUME() [14/26]

RESUME ( recv_sim_challenge_response )

Resume after 'recv Challenge-Response { ... }'.

If the previous section returned a failure rcode, enter the FAILURE-NOTIFICATION state.
...or call a function to process the contents of the SIM-Challenge message.

Verify that MAC, and RES match what we expect.

Definition at line 2589 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [15/26]

RESUME ( recv_sim_start_response )

Resume after 'recv Identity-Response { ... }' or 'recv SIM-Start { ... }'.

If the previous section returned a failure rcode, enter the FAILURE-NOTIFICATION state.
...or call a function to process the contents of the SIM-Start message, mainly the AT_IDENTITY value.
If the message does not contain AT_IDENTITY, then enter the FAILURE-NOTIFICATION state.
If the user requested another identity, re-enter the SIM-START state.
...or continue based on the value of &Identity-Type which was added by sim_start, and possibly modified by the user.
- Fastauth
  - If AT_NONCE_MT or AT_SELECTED_VERSION are present, enter the FAILURE-NOTIFICATION state.
  - ...or enter the REAUTHENTICATION state.
- Pseudonym - Verify selected version and AT_NONCE_MT, then call 'load pseudonym { ... }'
- Permanent - Verify selected version and AT_NONCE_MT, then enter the CHALLENGE state.

Definition at line 3096 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [16/26]

RESUME ( send_aka_challenge_request )

Resume after 'send Challenge-Request { ... }'.

Definition at line 2380 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [17/26]

RESUME ( send_aka_identity_request )

Resume after 'send Identity-Request { ... }'.

There are three types of user identities that can be implemented

Permanent identities such as 01234.nosp@m.5678.nosp@m.90987.nosp@m.65@m.nosp@m.yoper.nosp@m.ator.nosp@m..com Permanent identities can be identified by the leading zero followed by by 15 digits (the IMSI number).
Ephemeral identities (pseudonyms). These are identities assigned for identity privacy so the user can't be tracked. These can identities can either be generated as per the 3GPP 'Security aspects of non-3GPP accesses' document section 14, where a set of up to 16 encryption keys are used to reversibly encrypt the IMSI. Alternatively the pseudonym can be completely randomised and stored in a datastore.
A fast resumption ID which resolves to data used for fast resumption.

In order to perform full authentication the original IMSI is required for forwarding to the HLR. In the case where we can't match/decrypt the pseudonym, or can't perform fast resumption, we need to request the full identity from the supplicant.

Definition at line 3019 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [18/26]

RESUME ( send_common_failure_notification )

Resume after 'send Failure-Notification { ... }'.

Ignores return code from send Failure-Notification { ... } section.

Definition at line 1326 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [19/26]

RESUME ( send_common_reauthentication_request )

Resume after 'send Reauthentication-Request { ... }'.

Definition at line 1932 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [20/26]

RESUME ( send_common_success_notification )

Resume after 'send Success-Notification { ... }'.

Definition at line 1596 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [21/26]

RESUME ( send_eap_failure )

Resume after 'send EAP-Failure { ... }'.

Definition at line 1238 of file state_machine.c.

◆ RESUME() [22/26]

RESUME ( send_eap_success )

Resume after 'send EAP-Success { ... }'.

Add MPPE keys to the request being sent to the supplicant

The only work to be done is the add the appropriate SEND/RECV attributes derived from the MSK.

Definition at line 1492 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [23/26]

RESUME ( send_sim_challenge_request )

Resume after 'send Challenge-Request { ... }'.

Definition at line 2679 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [24/26]

RESUME ( send_sim_start )

Resume after 'send Start { ... }'.

Send a EAP-Request/SIM-Start message to the supplicant

There are three types of user identities that can be implemented

Permanent identities such as 01234.nosp@m.5678.nosp@m.90987.nosp@m.65@m.nosp@m.yoper.nosp@m.ator.nosp@m..com Permanent identities can be identified by the leading zero followed by by 15 digits (the IMSI number).
Ephemeral identities (pseudonyms). These are identities assigned for identity privacy so the user can't be tracked. These can identities can either be generated as per the 3GPP 'Security aspects of non-3GPP accesses' document section 14, where a set of up to 16 encryption keys are used to reversibly encrypt the IMSI. Alternatively the pseudonym can be completely randomised and stored in a datastore.
A fast resumption ID which resolves to data used for fast resumption.

In order to perform full authentication the original IMSI is required for forwarding to the HLR. In the case where we can't match/decrypt the pseudonym, or can't perform fast resumption, we need to request the full identity from the supplicant.

Definition at line 3358 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [25/26]

RESUME ( store_pseudonym )

Resume after 'store pseudonym { ... }'.

Stores session data if required.

Definition at line 672 of file state_machine.c.

Here is the call graph for this function:

◆ RESUME() [26/26]

RESUME ( store_session )

Resume after 'store session { ... }'.

Definition at line 647 of file state_machine.c.

◆ session_and_pseudonym_clear()

static unlang_action_t session_and_pseudonym_clear	(	unlang_result_t *	p_result,
		module_ctx_t const *	mctx,
		request_t *	request,
		eap_aka_sim_session_t *	eap_aka_sim_session,
		module_method_t	next
	)

static

Implements a set of states for clearing out pseudonym and fastauth identities.

If either a Challenge round or Reauthentication round fail, we need to clear any identities that were provided during those rounds, as the supplicant will have discarded them.

Parameters

[out]	p_result	Result of calling the module.
[in]	mctx	module calling ctx.
[in]	request	the current request.
[in]	eap_aka_sim_session	the current EAP session
[in]	next	function to call after clearing sessions and pseudonyms.

Definition at line 932 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ session_and_pseudonym_store()

static unlang_action_t session_and_pseudonym_store	(	unlang_result_t *	p_result,
		module_ctx_t const *	mctx,
		request_t *	request,
		eap_aka_sim_session_t *	eap_aka_sim_session,
		module_method_t	next
	)

static

Implements a set of states for storing pseudonym and fastauth identities.

At the end of challenge or reauthentication rounds, the user may have specified a pseudonym and fastauth identity to return to the supplicant.

Call the appropriate sections to persist those values.

Parameters

[out]	p_result	Result of calling the module.
[in]	mctx	Module calling ctx.
[in]	request	the current request.
[in]	eap_aka_sim_session	the EAP session
[in]	next	function to call after storing sessions and pseudonyms.

Definition at line 816 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ sim_challenge_request_send()

static unlang_action_t sim_challenge_request_send	(	unlang_result_t *	p_result,
		module_ctx_t const *	mctx,
		request_t *	request
	)

static

Called after 'store session { ... }' and 'store pseudonym { ... }'.

Definition at line 1100 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ sim_start_nonce_mt_check()

static int sim_start_nonce_mt_check	(	request_t *	request,
		eap_aka_sim_session_t *	eap_aka_sim_session
	)

static

Helper function to check for the presence and length of AT_NONCE_MT and copy its value into the keys structure.

Does not actually perform cryptographic validation of AT_NONCE_MT, this is done later.

Definition at line 1196 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ sim_start_selected_version_check()

static int sim_start_selected_version_check	(	request_t *	request,
		eap_aka_sim_session_t *	eap_aka_sim_session
	)

static

Helper function to check for the presence and length of AT_SELECTED_VERSION and copy its value into the keys structure.

Also checks the version matches one of the ones we advertised in our version list, which is a bit redundant seeing as there's only one version of EAP-SIM.

Definition at line 1143 of file state_machine.c.

Here is the call graph for this function:

Here is the caller graph for this function:

◆ STATE_GUARD() [1/11]

STATE_GUARD ( aka_challenge )

Enter the AKA-CHALLENGE state.

Definition at line 2519 of file state_machine.c.

Here is the call graph for this function:

◆ STATE_GUARD() [2/11]

STATE_GUARD ( aka_identity )

◆ STATE_GUARD() [3/11]

STATE_GUARD ( common_challenge )

Enter the SIM-CHALLENGE or AKA-CHALLENGE state.

Called by functions which are common to both the EAP-SIM and EAP-AKA state machines to enter the correct challenge state.

Definition at line 2795 of file state_machine.c.

◆ STATE_GUARD() [4/11]

STATE_GUARD ( common_failure_notification )

Enter the FAILURE-NOTIFICATION state.

Definition at line 1436 of file state_machine.c.

Here is the call graph for this function:

◆ STATE_GUARD() [5/11]

STATE_GUARD ( common_identity )

Enter the SIM-START or AKA-IDENTITY state.

Called by functions which are common to both the EAP-SIM and EAP-AKA state machines to enter the correct Identity-Request state.

Definition at line 3452 of file state_machine.c.

◆ STATE_GUARD() [6/11]

STATE_GUARD ( common_reauthentication )

◆ STATE_GUARD() [7/11]

STATE_GUARD ( common_success_notification )

◆ STATE_GUARD() [8/11]

STATE_GUARD ( eap_failure )

Enter EAP-FAILURE state.

Definition at line 1254 of file state_machine.c.

Here is the call graph for this function:

◆ STATE_GUARD() [9/11]

STATE_GUARD ( eap_success )

◆ STATE_GUARD() [10/11]

STATE_GUARD ( sim_challenge )

Enter the SIM-CHALLENGE state.

Definition at line 2759 of file state_machine.c.

Here is the call graph for this function:

◆ STATE_GUARD() [11/11]

STATE_GUARD ( sim_start )

◆ STATE_GUARD_NO_RESULT() [1/5]

STATE_GUARD_NO_RESULT ( aka_identity )

Enter the AKA-IDENTITY state.

Definition at line 3058 of file state_machine.c.

Here is the call graph for this function:

◆ STATE_GUARD_NO_RESULT() [2/5]

STATE_GUARD_NO_RESULT ( common_reauthentication )

Enter the REAUTHENTICATION state.

Definition at line 2118 of file state_machine.c.

Here is the call graph for this function:

◆ STATE_GUARD_NO_RESULT() [3/5]

STATE_GUARD_NO_RESULT ( common_success_notification )

Enter the SUCCESS-NOTIFICATION state.

Definition at line 1655 of file state_machine.c.

◆ STATE_GUARD_NO_RESULT() [4/5]

STATE_GUARD_NO_RESULT ( eap_success )

Enter EAP-SUCCESS state.

Definition at line 1544 of file state_machine.c.

◆ STATE_GUARD_NO_RESULT() [5/5]

STATE_GUARD_NO_RESULT ( sim_start )

Enter the SIM-START state.

Definition at line 3428 of file state_machine.c.

Here is the call graph for this function:

◆ STATE_NO_RESULT()

STATE_NO_RESULT ( common_success_notification )

SUCCESS-NOTIFICATION state - Continue the state machine after receiving a response to our EAP-Request/(AKA|SIM)-Notification.

Call 'recv Success-Notification-Ack { ... }'

Definition at line 1576 of file state_machine.c.

◆ state_set()

static void state_set	(	request_t *	request,
		eap_aka_sim_session_t *	eap_aka_sim_session,
		module_method_t	new_state
	)

inlinestatic

Print debugging information, and write new state to eap_aka_sim_session->state.

Definition at line 199 of file state_machine.c.

◆ switch()

switch ( subtype_vp-> vp_uint16 )

Definition at line 1310 of file state_machine.c.

Variable Documentation

◆ aka_challenge

aka_challenge

Initial value:

{

eap_aka_sim_process_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t)

eap_aka_sim_process_conf_t

Definition state_machine.h:190

AKA-CHALLENGE state - Continue the state machine after receiving a response to our EAP-Request/SIM-Challenge.

Continue based on received AT_SUBTYPE value:
- EAP-Response/AKA-Challenge - call 'recv Challenge-Response { ... }'.
- EAP-Response/AKA-Authentication-Reject - call 'recv Authentication-Reject { ... }' and after that send a EAP-Request/SIM-Notification indicating a General Failure.
- EAP-Response/AKA-Synchronization-Failure - call 'recv Synchronization-Failure { ... }'.
- EAP-Response/AKA-Client-Error - call 'recv Client-Error { ... }' and after that send a EAP-Request/AKA-Notification indicating a General Failure.
- Anything else, enter the FAILURE-NOTIFICATION state.

Definition at line 97 of file state_machine.c.

◆ aka_identity

aka_identity

Initial value:

{

eap_aka_sim_process_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t)

AKA-IDENTITY state - Continue the state machine after receiving a response to our EAP-Request/AKA-Identity.

Continue based on received AT_SUBTYPE value:
- EAP-Response/AKA-Identity - call either 'recv Identity-Response { ... }' or if provided 'recv AKA-Identity-Response { ... }'. The idea here is that the EAP-Identity-Response is really the first round in identity negotiation and there's no real value distinguishing between the first round and subsequent rounds, but if users do want to run different logic, then give them a way of doing that.
- EAP-Response/AKA-Client-Error - call 'recv Client-Error { ... }' and after that send a EAP-Request/SIM-Notification indicating a General Failure.
- Anything else, enter the FAILURE-NOTIFICATION state.

Definition at line 102 of file state_machine.c.

◆ aka_sim_state_table

fr_table_ptr_ordered_t const aka_sim_state_table[]

static

Initial value:

= {
        { L("INIT"),                    NULL                                            },
 
        { L("EAP-IDENTITY"),            (void *)state_init                              },
        { L("SIM-START"),               (void *)state_sim_start                         },
        { L("AKA-IDENTITY"),            (void *)state_aka_identity                      },
 
        { L("SIM-CHALLENGE"),           (void *)state_sim_challenge                     },
        { L("AKA-CHALLENGE"),           (void *)state_aka_challenge                     },
 
        { L("SUCCESS-NOTIFICATION"),    (void *)state_common_success_notification       },
        { L("FAILURE-NOTIFICATION"),    (void *)state_common_failure_notification       },
 
        { L("REAUTHENTICATION"),        (void *)state_common_reauthentication           },
 
        { L("EAP-SUCCESS"),             (void *)state_eap_success                       },
        { L("EAP-FAILURE"),             (void *)state_eap_failure                       }
}

Definition at line 109 of file state_machine.c.

◆ aka_sim_state_table_len

size_t aka_sim_state_table_len = NUM_ELEMENTS(aka_sim_state_table)

static

Definition at line 127 of file state_machine.c.

◆ common_failure_notification

common_failure_notification

Initial value:

{

eap_aka_sim_process_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t)

FAILURE-NOTIFICATION state - Continue the state machine after receiving a response to our EAP-Request/(AKA|SIM)-Notification.

Continue based on received AT_SUBTYPE value:
- EAP-Response/SIM-Client-Error - Call 'recv Failure-Notification-Ack { ... }'
- Anything else, enter the FAILURE-NOTIFICATION state.

Definition at line 89 of file state_machine.c.

◆ common_reauthentication

common_reauthentication

Initial value:

{

eap_aka_sim_process_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t)

REAUTHENTICATION state - Continue the state machine after receiving a response to our EAP-Request/SIM-Start.

Continue based on received AT_SUBTYPE value:
- EAP-Response/(SIM|AKA)-Reauthentication - call 'recv Reauthentication-Response { ... }'
- EAP-Response/(SIM|AKA)-Client-Error - call 'recv Client-Error { ... }' and after that send a EAP-Request/(SIM|AKA)-Notification indicating a General Failure.
- Anything else, enter the FAILURE-NOTIFICATION state.

Definition at line 95 of file state_machine.c.

◆ common_success_notification

common_success_notification

Definition at line 93 of file state_machine.c.

◆ eap_aka_sim_session

eap_aka_sim_session_t * eap_aka_sim_session = talloc_get_type_abort(mctx->rctx, eap_aka_sim_session_t)

Definition at line 1304 of file state_machine.c.

◆ eap_failure

eap_failure

Initial value:

{

if (!fr_cond_assert(request && mctx && mctx->rctx)) RETURN_UNLANG_FAIL

fr_cond_assert

#define fr_cond_assert(_x)

Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.

Definition debug.h:139

RETURN_UNLANG_FAIL

Definition state_machine.c:1232

FAILURE state - State machine exit point after sending EAP-Failure.

Should never actually be called. Is just a placeholder function to represent the FAILURE termination state. Could equally be a NULL pointer, but then on a logic error we'd get a SEGV instead of a more friendly assert/failure rcode.

Definition at line 87 of file state_machine.c.

◆ eap_success

eap_success

Initial value:

{

eap_aka_sim_session_t *eap_aka_sim_session = talloc_get_type_abort(mctx->rctx, eap_aka_sim_session_t)

SUCCESS state - State machine exit point after sending EAP-Success.

Should never actually be called. Is just a placeholder function to represent the SUCCESS termination state. Could equally be a NULL pointer, but then on a logic error we'd get a SEGV instead of a more friendly assert/failure rcode.

Definition at line 91 of file state_machine.c.

◆ init

init

Initial value:

{

eap_session_t *eap_session = eap_session_get(request->parent)

eap_session_get

static eap_session_t * eap_session_get(request_t *request)

Definition session.h:83

eap_session_s

Tracks the progress of a single session of any EAP method.

Definition session.h:41

Enter the EAP-IDENTITY state.

Process the incoming EAP-Identity-Response
Start EAP-SIM/EAP-AKA/EAP-AKA' state machine optionally calling 'recv Identity-Response { ... }'

Definition at line 107 of file state_machine.c.

◆ inst

eap_aka_sim_process_conf_t* inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t)

Definition at line 3651 of file state_machine.c.

◆ RETURN_UNLANG_FAIL

RETURN_UNLANG_FAIL

Definition at line 1232 of file state_machine.c.

◆ sim_challenge

sim_challenge

Initial value:

{

eap_aka_sim_process_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t)

SIM-CHALLENGE state - Continue the state machine after receiving a response to our EAP-Request/SIM-Challenge.

Continue based on received AT_SUBTYPE value:
- EAP-Response/SIM-Challenge - call 'recv Challenge-Response { ... }'.
- EAP-Response/SIM-Client-Error - call 'recv Client-Error { ... }' and after that send a EAP-Request/SIM-Notification indicating a General Failure.
- Anything else, enter the FAILURE-NOTIFICATION state.

Definition at line 99 of file state_machine.c.

◆ sim_start

sim_start

Initial value:

{

eap_aka_sim_process_conf_t *inst = talloc_get_type_abort(mctx->mi->data, eap_aka_sim_process_conf_t)

SIM-START state - Continue the state machine after receiving a response to our EAP-Request/SIM-Start.

Continue based on received AT_SUBTYPE value:
- EAP-Response/SIM-Start - call either 'recv Identity-Response { ... }' or if provided 'recv SIM-Start-Response { ... }'. The idea here is that the EAP-Identity-Response is really the first round in identity negotiation and there's no real value distinguishing between the first round and subsequent rounds, but if users do want to run different logic, then give them a way of doing that.
- EAP-Response/SIM-Client-Error - call 'recv Client-Error { ... }' and after that send a EAP-Request/SIM-Notification indicating a General Failure.
- Anything else, enter the FAILURE-NOTIFICATION state.

Definition at line 104 of file state_machine.c.

◆ subtype_vp

fr_pair_t * subtype_vp = NULL

Definition at line 1305 of file state_machine.c.

◆ type

identity_hint_pairs_add & type

Definition at line 3654 of file state_machine.c.

◆ vp

fr_pair_t * vp

Definition at line 2293 of file state_machine.c.

Macros

Functions

Variables

Detailed Description

Macro Definition Documentation

◆ CALL_SECTION

◆ EAP_TLS_MPPE_KEY_LEN

◆ RESUME

◆ RESUME_NO_RESULT

◆ SECTION_RCODE_IGNORED

◆ SECTION_RCODE_PROCESS

◆ STATE

◆ STATE_GUARD

◆ STATE_GUARD_NO_RESULT

◆ STATE_NO_RESULT

◆ STATE_SET

◆ STATE_TRANSITION

Function Documentation

◆ _eap_aka_sim_session_free()

◆ after_authentication()

◆ aka_challenge_request_send()

◆ CALL_SECTION()

◆ checkcode_validate()

◆ client_error_debug()

◆ common_crypto_export()

◆ common_reauthentication_request_compose()

◆ common_reauthentication_request_send()

◆ common_reply()

◆ crypto_identity_set() [1/2]

◆ crypto_identity_set() [2/2]

◆ eap_aka_sim_state_machine_process()

◆ fr_assert()

◆ fr_pair_value_bstrdup_buffer()

◆ identity_hint_pairs_add()

◆ identity_req_pairs_add()

◆ identity_req_set_by_user()

◆ identity_to_permanent_identity()

◆ if() [1/4]

◆ if() [2/4]

◆ if() [3/4]

◆ if() [4/4]

◆ mac_validate()

◆ MEM()

◆ mod_signal()

◆ RESUME() [1/26]

◆ RESUME() [2/26]

◆ RESUME() [3/26]

◆ RESUME() [4/26]

◆ RESUME() [5/26]

◆ RESUME() [6/26]

◆ RESUME() [7/26]

◆ RESUME() [8/26]

◆ RESUME() [9/26]

◆ RESUME() [10/26]

◆ RESUME() [11/26]

◆ RESUME() [12/26]

◆ RESUME() [13/26]

◆ RESUME() [14/26]

◆ RESUME() [15/26]

◆ RESUME() [16/26]

◆ RESUME() [17/26]

◆ RESUME() [18/26]

◆ RESUME() [19/26]

◆ RESUME() [20/26]

◆ RESUME() [21/26]

◆ RESUME() [22/26]

◆ RESUME() [23/26]

◆ RESUME() [24/26]

◆ RESUME() [25/26]

◆ RESUME() [26/26]

◆ session_and_pseudonym_clear()

◆ session_and_pseudonym_store()

◆ sim_challenge_request_send()

◆ sim_start_nonce_mt_check()

◆ sim_start_selected_version_check()

◆ STATE_GUARD() [1/11]

◆ STATE_GUARD() [2/11]

◆ STATE_GUARD() [3/11]

◆ STATE_GUARD() [4/11]

◆ STATE_GUARD() [5/11]