<div class="gmail_extra"><div class="gmail_extra">Hi, Martin</div><div class="gmail_extra"><br></div><div class="gmail_extra"><span class="Apple-tab-span" style="white-space:pre"> </span> After the migration, I used Wireshark to get the packets before the AAA service. I found that the RES (e.g. RES1) in Wireshark is not equal to the RES (e.g. RES2) which is calculated by the milenage function. It means that the RES before being sent out is not the same as the RES after being sent out. The first eight bytes of RES1 are the same as the first eight bytes of RES2, but the later eight bytes of RES1 are absolutely different from the later eight bytes of RES2. Is there a bug in strongSwan? The version of strongSwan I used is strongswan-4.6.1.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Best regards!</div><div class="gmail_extra"> kenxin</div>
<br><div class="gmail_quote">2012/4/24 Martin Willi <span dir="ltr">&lt;<a href="mailto:martin@strongswan.org" target="_blank">martin@strongswan.org</a>&gt;</span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Kenxin,<br>
<div class="im"><br>
> Question 1: Can I add the milenage algorithm by modifying the USIM API<br>
> card_get_quintuplet( ) in the file simaka_manager.c? Would it check<br>
> whether there is one USIM as default?<br>
<br>
</div>Our eap-aka-3gpp2 plugin implements S.S0055 from the 3GPP2 specs.<br>
Milenage from 3GPP has the same purpose, but is a little different in<br>
the implementation.<br>
<br>
If you need a software implementation of Milenage, you can create your<br>
own plugin based on eap-aka-3gpp2 and implement the fx() functions<br>
accordingly.<br>
<br>
If you want to use a real USIM, you might have a look at the<br>
eap-sim-pcsc plugin as starting point. It uses PCSC to get SIM triplets.<br>
<div class="im"><br>
> Question 2: Can I add the milenage algorithm by modifying the<br>
> algorithm function in eap-aka-3gpp2? I have finished the<br>
> migration, but when I tested it as a client with the radius<br>
> service, AAA, it failed to work. The radius service and AAA had sent<br>
> "challenge accept" to the client, but the client reported "unable<br>
> to use EAP-SIM, missing algorithms".<br>
<br>
</div>It just means that you're missing one of the required crypto<br>
algorithms, maybe the fips-prf.<br>
<div class="im"><br>
> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509<br>
> revocation hmac xcbc stroke kernel-netlink socket-default fips-prf<br>
</div>> eap-aka eap-aka-3gpp2 eap-identity updown<br>
<br>
We recommend removing an explicit load statement, unless you know exactly<br>
what you are doing. The ./configure script takes care of load order and<br>
some dependencies; this might solve your issues.<br>
<div class="im"><br>
> Question 3: I will also use a USIM card of 3GPP to achieve<br>
</div>> EAP-AKA. Would I need to modify the code of strongSwan? Or do I just<br>
<div class="im">> use the USIM API card_get_quintuplet( ) in the file<br>
> simaka_manager.c? Is there any API which I must use to connect to the<br>
> USIM driver?<br>
<br>
</div>You'd basically have to map the get_quintuplet() function in your own<br>
plugin to your card's driver, reading quintuplets. We don't have any<br>
supporting API to do this, but the eap-sim-pcsc plugin might give you an<br>
idea how this could work.<br>
<br>
Most eap-sim/aka development has been done as sponsored work. Let me<br>
know if you're interested in our professional development services.<br>
<br>
Kind Regards<br>
<span class="HOEnZb"><font color="#888888">Martin<br>
<br>
<br>
</font></span></blockquote></div><br></div>