1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 8e48990c1c74d102a71ee51ffbb2fbddcb8e6578 $
19 * @file lib/eap_aka_sim/state_machine.h
20 * @brief Declarations for EAP-AKA
21 *
22 * @author Arran Cudbard-Bell (a.cudbardb@freeradius.org)
23 *
24 * @copyright 2016-2019 The FreeRADIUS server project
25 * @copyright 2016-2019 Network RADIUS SAS <legal.com>
26 */
27RCSIDH(lib_eap_aka_sim_state_machine_h, "$Id: 8e48990c1c74d102a71ee51ffbb2fbddcb8e6578 $")
28
29#include <freeradius-devel/eap_aka_sim/base.h>
30#include <freeradius-devel/unlang/interpret.h>
31
32#ifdef __cplusplus
33extern "C" {
34#endif
35
37
39 /*
40 * State machine management
41 */
42 module_method_t state; //!< The process function to run when we
43 ///< receive the next round of EAP-SIM/AKA/AKA'.
44
45 module_method_t next; //!< Resumption function to call after
46 ///< executing common code.
47
48 unlang_result_t result; //!< The result of the last unlang section we evaluted.
49
50 eap_type_t type; //!< Either FR_TYPE_AKA, or FR_TYPE_AKA_PRIME.
51
52 bool challenge_success; //!< Whether we received the correct
53 ///< challenge response.
54 bool reauthentication_success; //!< Whether we got a valid reauthentication
55 ///< response.
56
57 bool allow_encrypted; //!< Whether we can send encrypted
58 ///< attributes at this phase of the attempt.
59
60 uint16_t failure_type; //!< One of the following values:
61 ///< - FR_NOTIFICATION_VALUE_GENERAL_FAILURE_AFTER_AUTHENTICATION
62 ///< - FR_NOTIFICATION_VALUE_TEMPORARILY_DENIED
63 ///< - FR_NOTIFICATION_VALUE_NOT_SUBSCRIBED
64 ///< - FR_NOTIFICATION_VALUE_GENERAL_FAILURE
65
66 /*
67 * Identity management
68 */
69 char *pseudonym_sent; //!< Pseudonym value we sent.
70 char *fastauth_sent; //!< Fastauth value we sent.
71
72 fr_aka_sim_id_req_type_t id_req; //!< The type of identity we're requesting
73 fr_aka_sim_id_req_type_t last_id_req; //!< The last identity request we sent.
74
75 /*
76 * Per-session configuration
77 */
78
79 bool send_result_ind; //!< Say that we would like to use protected
80 ///< result indications
81 ///< (AKA-Notification-Success).
82
83 bool prev_recv_sync_failure; //!< We only allow one sync failure per
84 ///< session for sanity.
85
86
87 fr_aka_sim_keys_t keys; //!< Various EAP-AKA/AKA'/SIMkeys.
88
89
90 uint16_t kdf; //!< The key derivation function used to derive
91 ///< session keys.
92
93 EVP_MD const *mac_md; //!< HMAC-MD we use to generate the MAC.
94 ///< EVP_sha1() for EAP-AKA, EVP_sha256()
95 ///< for EAP-AKA'.
96};
97
98/** Cache sections to call on various protocol events
99 *
100 */
101typedef struct {
102 union {
103 /** @name EAP-AKA specific sections
104 *
105 * @{
106 */
107 struct {
108 CONF_SECTION *send_aka_identity_request; //!< Called when we're about to request a
109 ///< different identity.
110 CONF_SECTION *recv_aka_identity_response; //!< Called when we receive a new identity.
111
112 CONF_SECTION *recv_aka_authentication_reject;//!< Called if the supplicant rejects the
113 ///< authentication attempt.
114 CONF_SECTION *recv_aka_synchronization_failure;//!< Called if the supplicant determines
115 ///< the AUTN value is invalid.
116 ///< Usually used for resyncing with the HLR.
117
118 CONF_SECTION *send_aka_challenge_request; //!< Called when we're about to send a
119 ///< a challenge.
120 CONF_SECTION *recv_aka_challenge_response; //!< Called when we receive a response
121 ///< to a previous challenge.
122 };
123 /** @} */
124
125 /** @name EAP-SIM specific sections
126 *
127 * @{
128 */
129 struct {
130 CONF_SECTION *send_sim_challenge_request; //!< Called when we're about to send a
131 ///< a challenge.
132 CONF_SECTION *recv_sim_challenge_response; //!< Called when we receive a response
133 ///< to a previous challenge.
134
135 CONF_SECTION *send_sim_start_request; //!< Called when we're about to request a
136 ///< different identity.
137 CONF_SECTION *recv_sim_start_response; //!< Called when we receive a new identity.
138 };
139 /** @} */
140 };
141
142 /** @name Common protocol sections for all methods
143 *
144 * @{
145 */
146 CONF_SECTION *send_common_identity_request; //!< Called when we're about to request a
147 ///< different identity.
148 CONF_SECTION *recv_common_identity_response; //!< Called when we receive a new identity.
149
150 CONF_SECTION *recv_common_client_error; //!< Called if the supplicant experiences
151 ///< an error of some kind.
152
153 CONF_SECTION *send_common_reauthentication_request; //!< Challenge the supplicant with an MK
154 ///< from an existing session.
155
156 CONF_SECTION *recv_common_reauthentication_response; //!< Process the reauthentication response
157 ///< from the supplicant.
158
159 CONF_SECTION *recv_common_failure_notification_ack; //!< Called when the supplicant ACKs our
160 ///< failure notification.
161
162 CONF_SECTION *send_common_failure_notification; //!< Called when we're about to send a
163 ///< failure notification.
164
165 CONF_SECTION *recv_common_success_notification_ack; //!< Called when the supplicant ACKs our
166 ///< success notification.
167
168 CONF_SECTION *send_common_success_notification; //!< Called when we're about to send a
169 ///< success notification.
170
171
172 CONF_SECTION *send_eap_success; //!< Called when we send an EAP-Success message.
173 CONF_SECTION *send_eap_failure; //!< Called when we send an EAP-Failure message.
174 /** @} */
175
176 /** @name Internal sections for caching
177 *
178 * @{
179 */
180 CONF_SECTION *load_pseudonym; //!< Resolve a pseudonym to a permanent ID.
181 CONF_SECTION *store_pseudonym; //!< Store a permanent ID to pseudonym mapping.
182 CONF_SECTION *clear_pseudonym; //!< Clear pseudonym to permanent ID mapping.
183
184 CONF_SECTION *load_session; //!< Load cached authentication vectors.
185 CONF_SECTION *store_session; //!< Store authentication vectors.
186 CONF_SECTION *clear_session; //!< Clear authentication vectors.
187 /** @} */
189
190typedef struct {
191 eap_type_t type; //!< The preferred EAP-Type of this instance
192 ///< of the EAP-SIM/AKA/AKA' state machine.
193
194 char const *network_name; //!< Network ID as described by RFC 5448.
195 fr_aka_sim_id_req_type_t request_identity; //!< Whether we always request the identity of
196 ///< the subscriber.
197 size_t ephemeral_id_length; //!< The length of any identities we're
198 ///< generating.
199
200 bool protected_success; //!< Send a success notification as well as
201 ///< and EAP-Success packet.
202
203 bool strip_permanent_identity_hint; //!< Control whether the hint byte is stripped
204 ///< when populating Permanent-Identity.
205
206 EVP_MD const *hmac_md; //!< The hmac used for validating packets.
207 ///< EVP_sha1() for EAP-AKA, EVP_sha256()
208 ///< for EAP-AKA'.
209
210 eap_aka_sim_actions_t actions; //!< Pre-compiled virtual server sections.
212
214
215#ifdef __cplusplus
216}
217#endif