/** Set the filename of a #CONF_ITEM
*
* @param[in] ci to set filename on.
* @param[in] filename to set.
*/
void _cf_filename_set(CONF_ITEM *ci, char const *filename)
{
talloc_const_free(ci->filename);
ci->filename = talloc_typed_strdup(ci, filename);
}
/** Process an EAP-Sim/Response/Start
*
* Verify that client chose a version, and provided a NONCE_MT,
* and if so, then change states to challenge, and send the new
* challenge, else, resend the Request/Start.
*/
static int process_eap_sim_start(eap_session_t *eap_session, VALUE_PAIR *vps)
{
REQUEST *request = eap_session->request;
VALUE_PAIR *nonce_vp, *selected_version_vp;
eap_sim_session_t *eap_sim_session;
uint16_t eap_sim_version;
VALUE_PAIR *id;
fr_sim_id_type_t type = SIM_ID_TYPE_UNKNOWN;
fr_sim_method_hint_t method = SIM_METHOD_HINT_UNKNOWN;
eap_sim_session = talloc_get_type_abort(eap_session->opaque, eap_sim_session_t);
/*
* For fullauth We require both the NONCE_MT
* and SELECTED_VERSION from the peer, else
* the packet is invalid.
*/
nonce_vp = fr_pair_find_by_da(vps, attr_eap_sim_nonce_mt, TAG_ANY);
selected_version_vp = fr_pair_find_by_da(vps, attr_eap_sim_selected_version, TAG_ANY);
if (!nonce_vp || !selected_version_vp) {
REDEBUG2("Client did not select a version and send a NONCE");
return -1;
}
eap_sim_version = selected_version_vp->vp_uint16;
if (eap_sim_version != EAP_SIM_VERSION) {
REDEBUG2("EAP-SIM-Version %i is unknown", eap_sim_version);
return -1;
}
/*
* Record it for later keying
*/
eap_sim_version = htons(eap_sim_version);
memcpy(eap_sim_session->keys.gsm.version_select,
&eap_sim_version, sizeof(eap_sim_session->keys.gsm.version_select));
/*
* Double check the nonce size.
*/
if (nonce_vp->vp_length != 16) {
REDEBUG("EAP-SIM nonce_mt must be 16 bytes, not %zu bytes", nonce_vp->vp_length);
return -1;
}
memcpy(eap_sim_session->keys.gsm.nonce_mt, nonce_vp->vp_octets, 16);
/*
* See if we got an AT_IDENTITY
*/
id = fr_pair_find_by_da(vps, attr_eap_sim_identity, TAG_ANY);
if (id) {
if (fr_sim_id_type(&type, &method,
eap_session->identity, talloc_array_length(eap_session->identity) - 1) < 0) {
RPWDEBUG2("Failed parsing identity");
}
/*
* Update cryptographic identity
*/
talloc_const_free(eap_sim_session->keys.identity);
eap_sim_session->keys.identity_len = id->vp_length;
MEM(eap_sim_session->keys.identity = talloc_memdup(eap_sim_session, id->vp_strvalue, id->vp_length));
}
/*
* @TODO Run a virtual server to see if we can use the
* identity we just acquired, or whether we need to
* negotiate the next permissive ID.
*/
/*
* Negotiate the next permissive form
* if identity, or fail.
*/
switch (eap_sim_session->id_req) {
case SIM_ANY_ID_REQ:
eap_sim_session->id_req = SIM_FULLAUTH_ID_REQ;
eap_sim_state_enter(eap_session, EAP_SIM_SERVER_START);
break;
case SIM_FULLAUTH_ID_REQ:
eap_sim_session->id_req = SIM_PERMANENT_ID_REQ;
eap_sim_state_enter(eap_session, EAP_SIM_SERVER_START);
break;
case SIM_NO_ID_REQ:
case SIM_PERMANENT_ID_REQ:
eap_sim_state_enter(eap_session, EAP_SIM_SERVER_CHALLENGE);
// REDEBUG2("Failed to negotiate a usable identity");
// eap_sim_state_enter(eap_session, eap_sim_session, EAP_SIM_SERVER_FAILURE_NOTIFICATION);
break;
}
return 0;
}
static int process_eap_aka_identity(eap_session_t *eap_session, VALUE_PAIR *vps)
{
REQUEST *request = eap_session->request;
eap_aka_session_t *eap_aka_session = talloc_get_type_abort(eap_session->opaque, eap_aka_session_t);
VALUE_PAIR *id;
fr_sim_id_type_t type = SIM_ID_TYPE_UNKNOWN;
fr_sim_method_hint_t method = SIM_METHOD_HINT_UNKNOWN;
/*
* Digest the identity response
*/
if (fr_sim_crypto_update_checkcode(eap_aka_session->checkcode_state, eap_session->this_round->response) < 0) {
RPEDEBUG("Failed updating checkcode");
return -1;
}
/*
* See if we got an AT_IDENTITY
*/
id = fr_pair_find_by_da(vps, attr_eap_aka_identity, TAG_ANY);
if (id) {
if (fr_sim_id_type(&type, &method,
eap_session->identity, talloc_array_length(eap_session->identity) - 1) < 0) {
RPWDEBUG2("Failed parsing identity");
}
/*
* Update cryptographic identity
*/
talloc_const_free(eap_aka_session->keys.identity);
eap_aka_session->keys.identity_len = id->vp_length;
MEM(eap_aka_session->keys.identity = talloc_memdup(eap_aka_session, id->vp_strvalue, id->vp_length));
}
/*
* @TODO Run a virtual server to see if we can use the
* identity we just acquired, or whether we need to
* negotiate the next permissive ID.
*/
/*
* Negotiate the next permissive form
* if identity, or fail.
*/
switch (eap_aka_session->id_req) {
case SIM_ANY_ID_REQ:
eap_aka_session->id_req = SIM_FULLAUTH_ID_REQ;
eap_aka_state_enter(eap_session, EAP_AKA_SERVER_IDENTITY);
break;
case SIM_FULLAUTH_ID_REQ:
eap_aka_session->id_req = SIM_PERMANENT_ID_REQ;
eap_aka_state_enter(eap_session, EAP_AKA_SERVER_IDENTITY);
break;
case SIM_PERMANENT_ID_REQ:
eap_aka_state_enter(eap_session, EAP_AKA_SERVER_CHALLENGE);
// REDEBUG2("Failed to negotiate a usable identity");
// eap_aka_state_enter(eap_session, eap_aka_session, EAP_AKA_SERVER_FAILURE_NOTIFICATION);
break;
case SIM_NO_ID_REQ:
rad_assert(0);
return -1;
}
return 0;
}