The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
state_machine.h
Go to the documentation of this file.
1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 3a0e241a1ad2ebbeffbd682f8c8eca4f076585a7 $
19 * @file lib/eap_aka_sim/state_machine.h
20 * @brief Declarations for EAP-AKA
21 *
22 * @author Arran Cudbard-Bell (a.cudbardb@freeradius.org)
23 *
24 * @copyright 2016-2019 The FreeRADIUS server project
25 * @copyright 2016-2019 Network RADIUS SAS <legal.com>
26 */
27RCSIDH(lib_eap_aka_sim_state_machine_h, "$Id: 3a0e241a1ad2ebbeffbd682f8c8eca4f076585a7 $")
28
29#include <freeradius-devel/eap_aka_sim/base.h>
30
31#ifdef __cplusplus
32extern "C" {
33#endif
34
35typedef struct eap_aka_sim_session_s eap_aka_sim_session_t;
36
37struct eap_aka_sim_session_s {
38 /*
39 * State machine management
40 */
41 module_method_t state; //!< The process function to run when we
42 ///< receive the next round of EAP-SIM/AKA/AKA'.
43
44 module_method_t next; //!< Resumption function to call after
45 ///< executing common code.
46
47 eap_type_t type; //!< Either FR_TYPE_AKA, or FR_TYPE_AKA_PRIME.
48
49 bool challenge_success; //!< Whether we received the correct
50 ///< challenge response.
51 bool reauthentication_success; //!< Whether we got a valid reauthentication
52 ///< response.
53
54 bool allow_encrypted; //!< Whether we can send encrypted
55 ///< attributes at this phase of the attempt.
56
57 uint16_t failure_type; //!< One of the following values:
58 ///< - FR_NOTIFICATION_VALUE_GENERAL_FAILURE_AFTER_AUTHENTICATION
59 ///< - FR_NOTIFICATION_VALUE_TEMPORARILY_DENIED
60 ///< - FR_NOTIFICATION_VALUE_NOT_SUBSCRIBED
61 ///< - FR_NOTIFICATION_VALUE_GENERAL_FAILURE
62
63 /*
64 * Identity management
65 */
66 char *pseudonym_sent; //!< Pseudonym value we sent.
67 char *fastauth_sent; //!< Fastauth value we sent.
68
69 fr_aka_sim_id_req_type_t id_req; //!< The type of identity we're requesting
70 fr_aka_sim_id_req_type_t last_id_req; //!< The last identity request we sent.
71
72 /*
73 * Per-session configuration
74 */
75
76 bool send_result_ind; //!< Say that we would like to use protected
77 ///< result indications
78 ///< (AKA-Notification-Success).
79
80 bool prev_recv_sync_failure; //!< We only allow one sync failure per
81 ///< session for sanity.
82
83
84 fr_aka_sim_keys_t keys; //!< Various EAP-AKA/AKA'/SIMkeys.
85
86
87 uint16_t kdf; //!< The key derivation function used to derive
88 ///< session keys.
89
90 EVP_MD const *mac_md; //!< HMAC-MD we use to generate the MAC.
91 ///< EVP_sha1() for EAP-AKA, EVP_sha256()
92 ///< for EAP-AKA'.
93};
94
95/** Cache sections to call on various protocol events
96 *
97 */
98typedef struct {
99 union {
100 /** @name EAP-AKA specific sections
101 *
102 * @{
103 */
104 struct {
105 CONF_SECTION *send_aka_identity_request; //!< Called when we're about to request a
106 ///< different identity.
107 CONF_SECTION *recv_aka_identity_response; //!< Called when we receive a new identity.
108
109 CONF_SECTION *recv_aka_authentication_reject;//!< Called if the supplicant rejects the
110 ///< authentication attempt.
111 CONF_SECTION *recv_aka_synchronization_failure;//!< Called if the supplicant determines
112 ///< the AUTN value is invalid.
113 ///< Usually used for resyncing with the HLR.
114
115 CONF_SECTION *send_aka_challenge_request; //!< Called when we're about to send a
116 ///< a challenge.
117 CONF_SECTION *recv_aka_challenge_response; //!< Called when we receive a response
118 ///< to a previous challenge.
119 };
120 /** @} */
121
122 /** @name EAP-SIM specific sections
123 *
124 * @{
125 */
126 struct {
127 CONF_SECTION *send_sim_challenge_request; //!< Called when we're about to send a
128 ///< a challenge.
129 CONF_SECTION *recv_sim_challenge_response; //!< Called when we receive a response
130 ///< to a previous challenge.
131
132 CONF_SECTION *send_sim_start_request; //!< Called when we're about to request a
133 ///< different identity.
134 CONF_SECTION *recv_sim_start_response; //!< Called when we receive a new identity.
135 };
136 /** @} */
137 };
138
139 /** @name Common protocol sections for all methods
140 *
141 * @{
142 */
143 CONF_SECTION *send_common_identity_request; //!< Called when we're about to request a
144 ///< different identity.
145 CONF_SECTION *recv_common_identity_response; //!< Called when we receive a new identity.
146
147 CONF_SECTION *recv_common_client_error; //!< Called if the supplicant experiences
148 ///< an error of some kind.
149
150 CONF_SECTION *send_common_reauthentication_request; //!< Challenge the supplicant with an MK
151 ///< from an existing session.
152
153 CONF_SECTION *recv_common_reauthentication_response; //!< Process the reauthentication response
154 ///< from the supplicant.
155
156 CONF_SECTION *recv_common_failure_notification_ack; //!< Called when the supplicant ACKs our
157 ///< failure notification.
158
159 CONF_SECTION *send_common_failure_notification; //!< Called when we're about to send a
160 ///< failure notification.
161
162 CONF_SECTION *recv_common_success_notification_ack; //!< Called when the supplicant ACKs our
163 ///< success notification.
164
165 CONF_SECTION *send_common_success_notification; //!< Called when we're about to send a
166 ///< success notification.
167
168
169 CONF_SECTION *send_eap_success; //!< Called when we send an EAP-Success message.
170 CONF_SECTION *send_eap_failure; //!< Called when we send an EAP-Failure message.
171 /** @} */
172
173 /** @name Internal sections for caching
174 *
175 * @{
176 */
177 CONF_SECTION *load_pseudonym; //!< Resolve a pseudonym to a permanent ID.
178 CONF_SECTION *store_pseudonym; //!< Store a permanent ID to pseudonym mapping.
179 CONF_SECTION *clear_pseudonym; //!< Clear pseudonym to permanent ID mapping.
180
181 CONF_SECTION *load_session; //!< Load cached authentication vectors.
182 CONF_SECTION *store_session; //!< Store authentication vectors.
183 CONF_SECTION *clear_session; //!< Clear authentication vectors.
184 /** @} */
185} eap_aka_sim_actions_t;
186
187typedef struct {
188 eap_type_t type; //!< The preferred EAP-Type of this instance
189 ///< of the EAP-SIM/AKA/AKA' state machine.
190
191 char const *network_name; //!< Network ID as described by RFC 5448.
192 fr_aka_sim_id_req_type_t request_identity; //!< Whether we always request the identity of
193 ///< the subscriber.
194 size_t ephemeral_id_length; //!< The length of any identities we're
195 ///< generating.
196
197 bool protected_success; //!< Send a success notification as well as
198 ///< and EAP-Success packet.
199
200 bool strip_permanent_identity_hint; //!< Control whether the hint byte is stripped
201 ///< when populating Permanent-Identity.
202
203 EVP_MD const *hmac_md; //!< The hmac used for validating packets.
204 ///< EVP_sha1() for EAP-AKA, EVP_sha256()
205 ///< for EAP-AKA'.
206
207 eap_aka_sim_actions_t actions; //!< Pre-compiled virtual server sections.
208} eap_aka_sim_process_conf_t;
209
210unlang_action_t eap_aka_sim_state_machine_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request);
211
212#ifdef __cplusplus
213}
214#endif
215
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
RCSIDH
#define RCSIDH(h, id)
Definition build.h:486
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
eap_type_t
enum eap_type eap_type_t
fr_aka_sim_keys_t
Master key state struct for all SIMlike EAP protocols.
Definition base.h:148
fr_aka_sim_id_req_type_t
fr_aka_sim_id_req_type_t
Identity request types.
Definition id.h:77
uint16_t
unsigned short uint16_t
Definition merged_model.c:31
request_t
Definition merged_model.c:210
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40
module_method_t
unlang_action_t(* module_method_t)(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Module section callback.
Definition module.h:68
eap_aka_sim_actions_t::recv_common_identity_response
CONF_SECTION * recv_common_identity_response
Called when we receive a new identity.
Definition state_machine.h:145
eap_aka_sim_process_conf_t::protected_success
bool protected_success
Send a success notification as well as and EAP-Success packet.
Definition state_machine.h:197
eap_aka_sim_session_s::mac_md
EVP_MD const * mac_md
HMAC-MD we use to generate the MAC.
Definition state_machine.h:90
eap_aka_sim_actions_t::recv_common_client_error
CONF_SECTION * recv_common_client_error
Called if the supplicant experiences an error of some kind.
Definition state_machine.h:147
eap_aka_sim_process_conf_t::hmac_md
EVP_MD const * hmac_md
The hmac used for validating packets.
Definition state_machine.h:203
eap_aka_sim_process_conf_t::actions
eap_aka_sim_actions_t actions
Pre-compiled virtual server sections.
Definition state_machine.h:207
eap_aka_sim_session_s::id_req
fr_aka_sim_id_req_type_t id_req
The type of identity we're requesting.
Definition state_machine.h:69
eap_aka_sim_actions_t::load_session
CONF_SECTION * load_session
Load cached authentication vectors.
Definition state_machine.h:181
eap_aka_sim_actions_t::clear_session
CONF_SECTION * clear_session
Clear authentication vectors.
Definition state_machine.h:183
eap_aka_sim_session_s::challenge_success
bool challenge_success
Whether we received the correct challenge response.
Definition state_machine.h:49
eap_aka_sim_actions_t::clear_pseudonym
CONF_SECTION * clear_pseudonym
Clear pseudonym to permanent ID mapping.
Definition state_machine.h:179
eap_aka_sim_process_conf_t::ephemeral_id_length
size_t ephemeral_id_length
The length of any identities we're generating.
Definition state_machine.h:194
eap_aka_sim_process_conf_t::type
eap_type_t type
The preferred EAP-Type of this instance of the EAP-SIM/AKA/AKA' state machine.
Definition state_machine.h:188
eap_aka_sim_session_s::keys
fr_aka_sim_keys_t keys
Various EAP-AKA/AKA'/SIMkeys.
Definition state_machine.h:84
eap_aka_sim_session_s::last_id_req
fr_aka_sim_id_req_type_t last_id_req
The last identity request we sent.
Definition state_machine.h:70
eap_aka_sim_actions_t::send_common_failure_notification
CONF_SECTION * send_common_failure_notification
Called when we're about to send a failure notification.
Definition state_machine.h:159
eap_aka_sim_session_s::state
module_method_t state
The process function to run when we receive the next round of EAP-SIM/AKA/AKA'.
Definition state_machine.h:41
eap_aka_sim_actions_t::send_eap_failure
CONF_SECTION * send_eap_failure
Called when we send an EAP-Failure message.
Definition state_machine.h:170
eap_aka_sim_actions_t::store_pseudonym
CONF_SECTION * store_pseudonym
Store a permanent ID to pseudonym mapping.
Definition state_machine.h:178
eap_aka_sim_session_s::next
module_method_t next
Resumption function to call after executing common code.
Definition state_machine.h:44
eap_aka_sim_actions_t::recv_common_failure_notification_ack
CONF_SECTION * recv_common_failure_notification_ack
Called when the supplicant ACKs our failure notification.
Definition state_machine.h:156
eap_aka_sim_session_s::failure_type
uint16_t failure_type
One of the following values:
Definition state_machine.h:57
eap_aka_sim_process_conf_t::network_name
char const * network_name
Network ID as described by RFC 5448.
Definition state_machine.h:191
eap_aka_sim_actions_t::send_common_reauthentication_request
CONF_SECTION * send_common_reauthentication_request
Challenge the supplicant with an MK from an existing session.
Definition state_machine.h:150
eap_aka_sim_session_s::allow_encrypted
bool allow_encrypted
Whether we can send encrypted attributes at this phase of the attempt.
Definition state_machine.h:54
eap_aka_sim_session_s::send_result_ind
bool send_result_ind
Say that we would like to use protected result indications (AKA-Notification-Success).
Definition state_machine.h:76
eap_aka_sim_session_s::pseudonym_sent
char * pseudonym_sent
Pseudonym value we sent.
Definition state_machine.h:66
eap_aka_sim_actions_t::recv_common_reauthentication_response
CONF_SECTION * recv_common_reauthentication_response
Process the reauthentication response from the supplicant.
Definition state_machine.h:153
eap_aka_sim_actions_t::recv_common_success_notification_ack
CONF_SECTION * recv_common_success_notification_ack
Called when the supplicant ACKs our success notification.
Definition state_machine.h:162
eap_aka_sim_process_conf_t::strip_permanent_identity_hint
bool strip_permanent_identity_hint
Control whether the hint byte is stripped when populating Permanent-Identity.
Definition state_machine.h:200
eap_aka_sim_actions_t::store_session
CONF_SECTION * store_session
Store authentication vectors.
Definition state_machine.h:182
eap_aka_sim_session_s::reauthentication_success
bool reauthentication_success
Whether we got a valid reauthentication response.
Definition state_machine.h:51
eap_aka_sim_session_s::fastauth_sent
char * fastauth_sent
Fastauth value we sent.
Definition state_machine.h:67
eap_aka_sim_session_s::prev_recv_sync_failure
bool prev_recv_sync_failure
We only allow one sync failure per session for sanity.
Definition state_machine.h:80
eap_aka_sim_session_s::type
eap_type_t type
Either FR_TYPE_AKA, or FR_TYPE_AKA_PRIME.
Definition state_machine.h:47
eap_aka_sim_actions_t::send_eap_success
CONF_SECTION * send_eap_success
Called when we send an EAP-Success message.
Definition state_machine.h:169
eap_aka_sim_actions_t::send_common_success_notification
CONF_SECTION * send_common_success_notification
Called when we're about to send a success notification.
Definition state_machine.h:165
eap_aka_sim_state_machine_process
unlang_action_t eap_aka_sim_state_machine_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Resumes the state machine when receiving a new response packet.
Definition state_machine.c:3677
eap_aka_sim_session_s::kdf
uint16_t kdf
The key derivation function used to derive session keys.
Definition state_machine.h:87
eap_aka_sim_process_conf_t::request_identity
fr_aka_sim_id_req_type_t request_identity
Whether we always request the identity of the subscriber.
Definition state_machine.h:192
eap_aka_sim_actions_t::load_pseudonym
CONF_SECTION * load_pseudonym
Resolve a pseudonym to a permanent ID.
Definition state_machine.h:177
eap_aka_sim_actions_t::send_common_identity_request
CONF_SECTION * send_common_identity_request
Called when we're about to request a different identity.
Definition state_machine.h:143
eap_aka_sim_actions_t
Cache sections to call on various protocol events.
Definition state_machine.h:98
eap_aka_sim_process_conf_t
Definition state_machine.h:187
eap_aka_sim_session_s
Definition state_machine.h:37
Generated by   doxygen 1.9.8