eap_aka.c revision f21452aea786ac056eb01f1cbba4f553bd502747
1/* 2 * EAP peer method: EAP-AKA (RFC 4187) and EAP-AKA' (RFC 5448) 3 * Copyright (c) 2004-2012, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "pcsc_funcs.h" 13#include "crypto/crypto.h" 14#include "crypto/sha1.h" 15#include "crypto/sha256.h" 16#include "crypto/milenage.h" 17#include "eap_common/eap_sim_common.h" 18#include "eap_config.h" 19#include "eap_i.h" 20 21 22struct eap_aka_data { 23 u8 ik[EAP_AKA_IK_LEN], ck[EAP_AKA_CK_LEN], res[EAP_AKA_RES_MAX_LEN]; 24 size_t res_len; 25 u8 nonce_s[EAP_SIM_NONCE_S_LEN]; 26 u8 mk[EAP_SIM_MK_LEN]; 27 u8 k_aut[EAP_AKA_PRIME_K_AUT_LEN]; 28 u8 k_encr[EAP_SIM_K_ENCR_LEN]; 29 u8 k_re[EAP_AKA_PRIME_K_RE_LEN]; /* EAP-AKA' only */ 30 u8 msk[EAP_SIM_KEYING_DATA_LEN]; 31 u8 emsk[EAP_EMSK_LEN]; 32 u8 rand[EAP_AKA_RAND_LEN], autn[EAP_AKA_AUTN_LEN]; 33 u8 auts[EAP_AKA_AUTS_LEN]; 34 35 int num_id_req, num_notification; 36 u8 *pseudonym; 37 size_t pseudonym_len; 38 u8 *reauth_id; 39 size_t reauth_id_len; 40 int reauth; 41 unsigned int counter, counter_too_small; 42 u8 *last_eap_identity; 43 size_t last_eap_identity_len; 44 enum { 45 CONTINUE, RESULT_SUCCESS, RESULT_FAILURE, SUCCESS, FAILURE 46 } state; 47 48 struct wpabuf *id_msgs; 49 int prev_id; 50 int result_ind, use_result_ind; 51 u8 eap_method; 52 u8 *network_name; 53 size_t network_name_len; 54 u16 kdf; 55 int kdf_negotiation; 56}; 57 58 59#ifndef CONFIG_NO_STDOUT_DEBUG 60static const char * eap_aka_state_txt(int state) 61{ 62 switch (state) { 63 case CONTINUE: 64 return "CONTINUE"; 65 case RESULT_SUCCESS: 66 return "RESULT_SUCCESS"; 67 case RESULT_FAILURE: 68 return "RESULT_FAILURE"; 69 case SUCCESS: 70 return "SUCCESS"; 71 case FAILURE: 72 return "FAILURE"; 73 default: 74 return "?"; 75 } 76} 77#endif /* CONFIG_NO_STDOUT_DEBUG */ 78 79 80static void eap_aka_state(struct eap_aka_data *data, int state) 81{ 82 wpa_printf(MSG_DEBUG, "EAP-AKA: %s -> %s", 83 eap_aka_state_txt(data->state), 84 eap_aka_state_txt(state)); 85 data->state = state; 86} 87 88 89static void * eap_aka_init(struct eap_sm *sm) 90{ 91 struct eap_aka_data *data; 92 const char *phase1 = eap_get_config_phase1(sm); 93 struct eap_peer_config *config = eap_get_config(sm); 94 95 data = os_zalloc(sizeof(*data)); 96 if (data == NULL) 97 return NULL; 98 99 data->eap_method = EAP_TYPE_AKA; 100 101 eap_aka_state(data, CONTINUE); 102 data->prev_id = -1; 103 104 data->result_ind = phase1 && os_strstr(phase1, "result_ind=1") != NULL; 105 106 if (config && config->anonymous_identity) { 107 data->pseudonym = os_malloc(config->anonymous_identity_len); 108 if (data->pseudonym) { 109 os_memcpy(data->pseudonym, config->anonymous_identity, 110 config->anonymous_identity_len); 111 data->pseudonym_len = config->anonymous_identity_len; 112 } 113 } 114 115 return data; 116} 117 118 119#ifdef EAP_AKA_PRIME 120static void * eap_aka_prime_init(struct eap_sm *sm) 121{ 122 struct eap_aka_data *data = eap_aka_init(sm); 123 if (data == NULL) 124 return NULL; 125 data->eap_method = EAP_TYPE_AKA_PRIME; 126 return data; 127} 128#endif /* EAP_AKA_PRIME */ 129 130 131static void eap_aka_deinit(struct eap_sm *sm, void *priv) 132{ 133 struct eap_aka_data *data = priv; 134 if (data) { 135 os_free(data->pseudonym); 136 os_free(data->reauth_id); 137 os_free(data->last_eap_identity); 138 wpabuf_free(data->id_msgs); 139 os_free(data->network_name); 140 os_free(data); 141 } 142} 143 144 145static int eap_aka_ext_sim_req(struct eap_sm *sm, struct eap_aka_data *data) 146{ 147 char req[200], *pos, *end; 148 149 wpa_printf(MSG_DEBUG, "EAP-AKA: Use external USIM processing"); 150 pos = req; 151 end = pos + sizeof(req); 152 pos += os_snprintf(pos, end - pos, "UMTS-AUTH"); 153 pos += os_snprintf(pos, end - pos, ":"); 154 pos += wpa_snprintf_hex(pos, end - pos, data->rand, EAP_AKA_RAND_LEN); 155 pos += os_snprintf(pos, end - pos, ":"); 156 pos += wpa_snprintf_hex(pos, end - pos, data->autn, EAP_AKA_AUTN_LEN); 157 158 eap_sm_request_sim(sm, req); 159 return 1; 160} 161 162 163static int eap_aka_ext_sim_result(struct eap_sm *sm, struct eap_aka_data *data, 164 struct eap_peer_config *conf) 165{ 166 char *resp, *pos; 167 168 wpa_printf(MSG_DEBUG, 169 "EAP-AKA: Use result from external USIM processing"); 170 171 resp = conf->external_sim_resp; 172 conf->external_sim_resp = NULL; 173 174 if (os_strncmp(resp, "UMTS-AUTS:", 10) == 0) { 175 pos = resp + 10; 176 if (hexstr2bin(pos, data->auts, EAP_AKA_AUTS_LEN) < 0) 177 goto invalid; 178 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: AUTS", data->auts, 179 EAP_AKA_AUTS_LEN); 180 os_free(resp); 181 return -2; 182 } 183 184 if (os_strncmp(resp, "UMTS-AUTH:", 10) != 0) { 185 wpa_printf(MSG_DEBUG, "EAP-AKA: Unrecognized external USIM processing response"); 186 os_free(resp); 187 return -1; 188 } 189 190 pos = resp + 10; 191 wpa_hexdump(MSG_DEBUG, "EAP-AKA: RAND", data->rand, EAP_AKA_RAND_LEN); 192 193 if (hexstr2bin(pos, data->ik, EAP_AKA_IK_LEN) < 0) 194 goto invalid; 195 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: IK", data->ik, EAP_AKA_IK_LEN); 196 pos += EAP_AKA_IK_LEN * 2; 197 if (*pos != ':') 198 goto invalid; 199 pos++; 200 201 if (hexstr2bin(pos, data->ck, EAP_AKA_CK_LEN) < 0) 202 goto invalid; 203 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: CK", data->ck, EAP_AKA_CK_LEN); 204 pos += EAP_AKA_CK_LEN * 2; 205 if (*pos != ':') 206 goto invalid; 207 pos++; 208 209 data->res_len = os_strlen(pos) / 2; 210 if (data->res_len > EAP_AKA_RES_MAX_LEN) { 211 data->res_len = 0; 212 goto invalid; 213 } 214 if (hexstr2bin(pos, data->res, data->res_len) < 0) 215 goto invalid; 216 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: RES", data->res, data->res_len); 217 218 os_free(resp); 219 return 0; 220 221invalid: 222 wpa_printf(MSG_DEBUG, "EAP-AKA: Invalid external USIM processing UMTS-AUTH response"); 223 os_free(resp); 224 return -1; 225} 226 227 228static int eap_aka_umts_auth(struct eap_sm *sm, struct eap_aka_data *data) 229{ 230 struct eap_peer_config *conf; 231 232 wpa_printf(MSG_DEBUG, "EAP-AKA: UMTS authentication algorithm"); 233 234 conf = eap_get_config(sm); 235 if (conf == NULL) 236 return -1; 237 238 if (sm->external_sim) { 239 if (conf->external_sim_resp) 240 return eap_aka_ext_sim_result(sm, data, conf); 241 else 242 return eap_aka_ext_sim_req(sm, data); 243 } 244 245 if (conf->pcsc) { 246 return scard_umts_auth(sm->scard_ctx, data->rand, 247 data->autn, data->res, &data->res_len, 248 data->ik, data->ck, data->auts); 249 } 250 251#ifdef CONFIG_USIM_SIMULATOR 252 if (conf->password) { 253 u8 opc[16], k[16], sqn[6]; 254 const char *pos; 255 wpa_printf(MSG_DEBUG, "EAP-AKA: Use internal Milenage " 256 "implementation for UMTS authentication"); 257 if (conf->password_len < 78) { 258 wpa_printf(MSG_DEBUG, "EAP-AKA: invalid Milenage " 259 "password"); 260 return -1; 261 } 262 pos = (const char *) conf->password; 263 if (hexstr2bin(pos, k, 16)) 264 return -1; 265 pos += 32; 266 if (*pos != ':') 267 return -1; 268 pos++; 269 270 if (hexstr2bin(pos, opc, 16)) 271 return -1; 272 pos += 32; 273 if (*pos != ':') 274 return -1; 275 pos++; 276 277 if (hexstr2bin(pos, sqn, 6)) 278 return -1; 279 280 return milenage_check(opc, k, sqn, data->rand, data->autn, 281 data->ik, data->ck, 282 data->res, &data->res_len, data->auts); 283 } 284#endif /* CONFIG_USIM_SIMULATOR */ 285 286#ifdef CONFIG_USIM_HARDCODED 287 wpa_printf(MSG_DEBUG, "EAP-AKA: Use hardcoded Kc and SRES values for " 288 "testing"); 289 290 /* These hardcoded Kc and SRES values are used for testing. 291 * Could consider making them configurable. */ 292 os_memset(data->res, '2', EAP_AKA_RES_MAX_LEN); 293 data->res_len = EAP_AKA_RES_MAX_LEN; 294 os_memset(data->ik, '3', EAP_AKA_IK_LEN); 295 os_memset(data->ck, '4', EAP_AKA_CK_LEN); 296 { 297 u8 autn[EAP_AKA_AUTN_LEN]; 298 os_memset(autn, '1', EAP_AKA_AUTN_LEN); 299 if (os_memcmp(autn, data->autn, EAP_AKA_AUTN_LEN) != 0) { 300 wpa_printf(MSG_WARNING, "EAP-AKA: AUTN did not match " 301 "with expected value"); 302 return -1; 303 } 304 } 305#if 0 306 { 307 static int test_resync = 1; 308 if (test_resync) { 309 /* Test Resynchronization */ 310 test_resync = 0; 311 return -2; 312 } 313 } 314#endif 315 return 0; 316 317#else /* CONFIG_USIM_HARDCODED */ 318 319 wpa_printf(MSG_DEBUG, "EAP-AKA: No UMTS authentication algorithm " 320 "enabled"); 321 return -1; 322 323#endif /* CONFIG_USIM_HARDCODED */ 324} 325 326 327#define CLEAR_PSEUDONYM 0x01 328#define CLEAR_REAUTH_ID 0x02 329#define CLEAR_EAP_ID 0x04 330 331static void eap_aka_clear_identities(struct eap_sm *sm, 332 struct eap_aka_data *data, int id) 333{ 334 if ((id & CLEAR_PSEUDONYM) && data->pseudonym) { 335 wpa_printf(MSG_DEBUG, "EAP-AKA: forgetting old pseudonym"); 336 os_free(data->pseudonym); 337 data->pseudonym = NULL; 338 data->pseudonym_len = 0; 339 eap_set_anon_id(sm, NULL, 0); 340 } 341 if ((id & CLEAR_REAUTH_ID) && data->reauth_id) { 342 wpa_printf(MSG_DEBUG, "EAP-AKA: forgetting old reauth_id"); 343 os_free(data->reauth_id); 344 data->reauth_id = NULL; 345 data->reauth_id_len = 0; 346 } 347 if ((id & CLEAR_EAP_ID) && data->last_eap_identity) { 348 wpa_printf(MSG_DEBUG, "EAP-AKA: forgetting old eap_id"); 349 os_free(data->last_eap_identity); 350 data->last_eap_identity = NULL; 351 data->last_eap_identity_len = 0; 352 } 353} 354 355 356static int eap_aka_learn_ids(struct eap_sm *sm, struct eap_aka_data *data, 357 struct eap_sim_attrs *attr) 358{ 359 if (attr->next_pseudonym) { 360 const u8 *identity = NULL; 361 size_t identity_len = 0; 362 const u8 *realm = NULL; 363 size_t realm_len = 0; 364 365 wpa_hexdump_ascii(MSG_DEBUG, 366 "EAP-AKA: (encr) AT_NEXT_PSEUDONYM", 367 attr->next_pseudonym, 368 attr->next_pseudonym_len); 369 os_free(data->pseudonym); 370 /* Look for the realm of the permanent identity */ 371 identity = eap_get_config_identity(sm, &identity_len); 372 if (identity) { 373 for (realm = identity, realm_len = identity_len; 374 realm_len > 0; realm_len--, realm++) { 375 if (*realm == '@') 376 break; 377 } 378 } 379 data->pseudonym = os_malloc(attr->next_pseudonym_len + 380 realm_len); 381 if (data->pseudonym == NULL) { 382 wpa_printf(MSG_INFO, "EAP-AKA: (encr) No memory for " 383 "next pseudonym"); 384 data->pseudonym_len = 0; 385 return -1; 386 } 387 os_memcpy(data->pseudonym, attr->next_pseudonym, 388 attr->next_pseudonym_len); 389 if (realm_len) { 390 os_memcpy(data->pseudonym + attr->next_pseudonym_len, 391 realm, realm_len); 392 } 393 data->pseudonym_len = attr->next_pseudonym_len + realm_len; 394 eap_set_anon_id(sm, data->pseudonym, data->pseudonym_len); 395 } 396 397 if (attr->next_reauth_id) { 398 os_free(data->reauth_id); 399 data->reauth_id = os_malloc(attr->next_reauth_id_len); 400 if (data->reauth_id == NULL) { 401 wpa_printf(MSG_INFO, "EAP-AKA: (encr) No memory for " 402 "next reauth_id"); 403 data->reauth_id_len = 0; 404 return -1; 405 } 406 os_memcpy(data->reauth_id, attr->next_reauth_id, 407 attr->next_reauth_id_len); 408 data->reauth_id_len = attr->next_reauth_id_len; 409 wpa_hexdump_ascii(MSG_DEBUG, 410 "EAP-AKA: (encr) AT_NEXT_REAUTH_ID", 411 data->reauth_id, 412 data->reauth_id_len); 413 } 414 415 return 0; 416} 417 418 419static int eap_aka_add_id_msg(struct eap_aka_data *data, 420 const struct wpabuf *msg) 421{ 422 if (msg == NULL) 423 return -1; 424 425 if (data->id_msgs == NULL) { 426 data->id_msgs = wpabuf_dup(msg); 427 return data->id_msgs == NULL ? -1 : 0; 428 } 429 430 if (wpabuf_resize(&data->id_msgs, wpabuf_len(msg)) < 0) 431 return -1; 432 wpabuf_put_buf(data->id_msgs, msg); 433 434 return 0; 435} 436 437 438static void eap_aka_add_checkcode(struct eap_aka_data *data, 439 struct eap_sim_msg *msg) 440{ 441 const u8 *addr; 442 size_t len; 443 u8 hash[SHA256_MAC_LEN]; 444 445 wpa_printf(MSG_DEBUG, " AT_CHECKCODE"); 446 447 if (data->id_msgs == NULL) { 448 /* 449 * No EAP-AKA/Identity packets were exchanged - send empty 450 * checkcode. 451 */ 452 eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, NULL, 0); 453 return; 454 } 455 456 /* Checkcode is SHA1/SHA256 hash over all EAP-AKA/Identity packets. */ 457 addr = wpabuf_head(data->id_msgs); 458 len = wpabuf_len(data->id_msgs); 459 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA: AT_CHECKCODE data", addr, len); 460#ifdef EAP_AKA_PRIME 461 if (data->eap_method == EAP_TYPE_AKA_PRIME) 462 sha256_vector(1, &addr, &len, hash); 463 else 464#endif /* EAP_AKA_PRIME */ 465 sha1_vector(1, &addr, &len, hash); 466 467 eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, hash, 468 data->eap_method == EAP_TYPE_AKA_PRIME ? 469 EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN); 470} 471 472 473static int eap_aka_verify_checkcode(struct eap_aka_data *data, 474 const u8 *checkcode, size_t checkcode_len) 475{ 476 const u8 *addr; 477 size_t len; 478 u8 hash[SHA256_MAC_LEN]; 479 size_t hash_len; 480 481 if (checkcode == NULL) 482 return -1; 483 484 if (data->id_msgs == NULL) { 485 if (checkcode_len != 0) { 486 wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from server " 487 "indicates that AKA/Identity messages were " 488 "used, but they were not"); 489 return -1; 490 } 491 return 0; 492 } 493 494 hash_len = data->eap_method == EAP_TYPE_AKA_PRIME ? 495 EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN; 496 497 if (checkcode_len != hash_len) { 498 wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from server " 499 "indicates that AKA/Identity message were not " 500 "used, but they were"); 501 return -1; 502 } 503 504 /* Checkcode is SHA1/SHA256 hash over all EAP-AKA/Identity packets. */ 505 addr = wpabuf_head(data->id_msgs); 506 len = wpabuf_len(data->id_msgs); 507#ifdef EAP_AKA_PRIME 508 if (data->eap_method == EAP_TYPE_AKA_PRIME) 509 sha256_vector(1, &addr, &len, hash); 510 else 511#endif /* EAP_AKA_PRIME */ 512 sha1_vector(1, &addr, &len, hash); 513 514 if (os_memcmp(hash, checkcode, hash_len) != 0) { 515 wpa_printf(MSG_DEBUG, "EAP-AKA: Mismatch in AT_CHECKCODE"); 516 return -1; 517 } 518 519 return 0; 520} 521 522 523static struct wpabuf * eap_aka_client_error(struct eap_aka_data *data, u8 id, 524 int err) 525{ 526 struct eap_sim_msg *msg; 527 528 eap_aka_state(data, FAILURE); 529 data->num_id_req = 0; 530 data->num_notification = 0; 531 532 wpa_printf(MSG_DEBUG, "EAP-AKA: Send Client-Error (error code %d)", 533 err); 534 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 535 EAP_AKA_SUBTYPE_CLIENT_ERROR); 536 eap_sim_msg_add(msg, EAP_SIM_AT_CLIENT_ERROR_CODE, err, NULL, 0); 537 return eap_sim_msg_finish(msg, NULL, NULL, 0); 538} 539 540 541static struct wpabuf * eap_aka_authentication_reject(struct eap_aka_data *data, 542 u8 id) 543{ 544 struct eap_sim_msg *msg; 545 546 eap_aka_state(data, FAILURE); 547 data->num_id_req = 0; 548 data->num_notification = 0; 549 550 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Authentication-Reject " 551 "(id=%d)", id); 552 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 553 EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT); 554 return eap_sim_msg_finish(msg, NULL, NULL, 0); 555} 556 557 558static struct wpabuf * eap_aka_synchronization_failure( 559 struct eap_aka_data *data, u8 id) 560{ 561 struct eap_sim_msg *msg; 562 563 data->num_id_req = 0; 564 data->num_notification = 0; 565 566 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Synchronization-Failure " 567 "(id=%d)", id); 568 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 569 EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE); 570 wpa_printf(MSG_DEBUG, " AT_AUTS"); 571 eap_sim_msg_add_full(msg, EAP_SIM_AT_AUTS, data->auts, 572 EAP_AKA_AUTS_LEN); 573 return eap_sim_msg_finish(msg, NULL, NULL, 0); 574} 575 576 577static struct wpabuf * eap_aka_response_identity(struct eap_sm *sm, 578 struct eap_aka_data *data, 579 u8 id, 580 enum eap_sim_id_req id_req) 581{ 582 const u8 *identity = NULL; 583 size_t identity_len = 0; 584 struct eap_sim_msg *msg; 585 586 data->reauth = 0; 587 if (id_req == ANY_ID && data->reauth_id) { 588 identity = data->reauth_id; 589 identity_len = data->reauth_id_len; 590 data->reauth = 1; 591 } else if ((id_req == ANY_ID || id_req == FULLAUTH_ID) && 592 data->pseudonym) { 593 identity = data->pseudonym; 594 identity_len = data->pseudonym_len; 595 eap_aka_clear_identities(sm, data, CLEAR_REAUTH_ID); 596 } else if (id_req != NO_ID_REQ) { 597 identity = eap_get_config_identity(sm, &identity_len); 598 if (identity) { 599 eap_aka_clear_identities(sm, data, CLEAR_PSEUDONYM | 600 CLEAR_REAUTH_ID); 601 } 602 } 603 if (id_req != NO_ID_REQ) 604 eap_aka_clear_identities(sm, data, CLEAR_EAP_ID); 605 606 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Identity (id=%d)", id); 607 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 608 EAP_AKA_SUBTYPE_IDENTITY); 609 610 if (identity) { 611 wpa_hexdump_ascii(MSG_DEBUG, " AT_IDENTITY", 612 identity, identity_len); 613 eap_sim_msg_add(msg, EAP_SIM_AT_IDENTITY, identity_len, 614 identity, identity_len); 615 } 616 617 return eap_sim_msg_finish(msg, NULL, NULL, 0); 618} 619 620 621static struct wpabuf * eap_aka_response_challenge(struct eap_aka_data *data, 622 u8 id) 623{ 624 struct eap_sim_msg *msg; 625 626 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Challenge (id=%d)", id); 627 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 628 EAP_AKA_SUBTYPE_CHALLENGE); 629 wpa_printf(MSG_DEBUG, " AT_RES"); 630 eap_sim_msg_add(msg, EAP_SIM_AT_RES, data->res_len * 8, 631 data->res, data->res_len); 632 eap_aka_add_checkcode(data, msg); 633 if (data->use_result_ind) { 634 wpa_printf(MSG_DEBUG, " AT_RESULT_IND"); 635 eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0); 636 } 637 wpa_printf(MSG_DEBUG, " AT_MAC"); 638 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC); 639 return eap_sim_msg_finish(msg, data->k_aut, (u8 *) "", 0); 640} 641 642 643static struct wpabuf * eap_aka_response_reauth(struct eap_aka_data *data, 644 u8 id, int counter_too_small, 645 const u8 *nonce_s) 646{ 647 struct eap_sim_msg *msg; 648 unsigned int counter; 649 650 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Reauthentication (id=%d)", 651 id); 652 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 653 EAP_AKA_SUBTYPE_REAUTHENTICATION); 654 wpa_printf(MSG_DEBUG, " AT_IV"); 655 wpa_printf(MSG_DEBUG, " AT_ENCR_DATA"); 656 eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV, EAP_SIM_AT_ENCR_DATA); 657 658 if (counter_too_small) { 659 wpa_printf(MSG_DEBUG, " *AT_COUNTER_TOO_SMALL"); 660 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER_TOO_SMALL, 0, NULL, 0); 661 counter = data->counter_too_small; 662 } else 663 counter = data->counter; 664 665 wpa_printf(MSG_DEBUG, " *AT_COUNTER %d", counter); 666 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, counter, NULL, 0); 667 668 if (eap_sim_msg_add_encr_end(msg, data->k_encr, EAP_SIM_AT_PADDING)) { 669 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to encrypt " 670 "AT_ENCR_DATA"); 671 eap_sim_msg_free(msg); 672 return NULL; 673 } 674 eap_aka_add_checkcode(data, msg); 675 if (data->use_result_ind) { 676 wpa_printf(MSG_DEBUG, " AT_RESULT_IND"); 677 eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0); 678 } 679 wpa_printf(MSG_DEBUG, " AT_MAC"); 680 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC); 681 return eap_sim_msg_finish(msg, data->k_aut, nonce_s, 682 EAP_SIM_NONCE_S_LEN); 683} 684 685 686static struct wpabuf * eap_aka_response_notification(struct eap_aka_data *data, 687 u8 id, u16 notification) 688{ 689 struct eap_sim_msg *msg; 690 u8 *k_aut = (notification & 0x4000) == 0 ? data->k_aut : NULL; 691 692 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Notification (id=%d)", id); 693 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 694 EAP_AKA_SUBTYPE_NOTIFICATION); 695 if (k_aut && data->reauth) { 696 wpa_printf(MSG_DEBUG, " AT_IV"); 697 wpa_printf(MSG_DEBUG, " AT_ENCR_DATA"); 698 eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV, 699 EAP_SIM_AT_ENCR_DATA); 700 wpa_printf(MSG_DEBUG, " *AT_COUNTER %d", data->counter); 701 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, data->counter, 702 NULL, 0); 703 if (eap_sim_msg_add_encr_end(msg, data->k_encr, 704 EAP_SIM_AT_PADDING)) { 705 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to encrypt " 706 "AT_ENCR_DATA"); 707 eap_sim_msg_free(msg); 708 return NULL; 709 } 710 } 711 if (k_aut) { 712 wpa_printf(MSG_DEBUG, " AT_MAC"); 713 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC); 714 } 715 return eap_sim_msg_finish(msg, k_aut, (u8 *) "", 0); 716} 717 718 719static struct wpabuf * eap_aka_process_identity(struct eap_sm *sm, 720 struct eap_aka_data *data, 721 u8 id, 722 const struct wpabuf *reqData, 723 struct eap_sim_attrs *attr) 724{ 725 int id_error; 726 struct wpabuf *buf; 727 728 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Identity"); 729 730 id_error = 0; 731 switch (attr->id_req) { 732 case NO_ID_REQ: 733 break; 734 case ANY_ID: 735 if (data->num_id_req > 0) 736 id_error++; 737 data->num_id_req++; 738 break; 739 case FULLAUTH_ID: 740 if (data->num_id_req > 1) 741 id_error++; 742 data->num_id_req++; 743 break; 744 case PERMANENT_ID: 745 if (data->num_id_req > 2) 746 id_error++; 747 data->num_id_req++; 748 break; 749 } 750 if (id_error) { 751 wpa_printf(MSG_INFO, "EAP-AKA: Too many ID requests " 752 "used within one authentication"); 753 return eap_aka_client_error(data, id, 754 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 755 } 756 757 buf = eap_aka_response_identity(sm, data, id, attr->id_req); 758 759 if (data->prev_id != id) { 760 eap_aka_add_id_msg(data, reqData); 761 eap_aka_add_id_msg(data, buf); 762 data->prev_id = id; 763 } 764 765 return buf; 766} 767 768 769static int eap_aka_verify_mac(struct eap_aka_data *data, 770 const struct wpabuf *req, 771 const u8 *mac, const u8 *extra, 772 size_t extra_len) 773{ 774 if (data->eap_method == EAP_TYPE_AKA_PRIME) 775 return eap_sim_verify_mac_sha256(data->k_aut, req, mac, extra, 776 extra_len); 777 return eap_sim_verify_mac(data->k_aut, req, mac, extra, extra_len); 778} 779 780 781#ifdef EAP_AKA_PRIME 782static struct wpabuf * eap_aka_prime_kdf_select(struct eap_aka_data *data, 783 u8 id, u16 kdf) 784{ 785 struct eap_sim_msg *msg; 786 787 data->kdf_negotiation = 1; 788 data->kdf = kdf; 789 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Challenge (id=%d) (KDF " 790 "select)", id); 791 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 792 EAP_AKA_SUBTYPE_CHALLENGE); 793 wpa_printf(MSG_DEBUG, " AT_KDF"); 794 eap_sim_msg_add(msg, EAP_SIM_AT_KDF, kdf, NULL, 0); 795 return eap_sim_msg_finish(msg, NULL, NULL, 0); 796} 797 798 799static struct wpabuf * eap_aka_prime_kdf_neg(struct eap_aka_data *data, 800 u8 id, struct eap_sim_attrs *attr) 801{ 802 size_t i; 803 804 for (i = 0; i < attr->kdf_count; i++) { 805 if (attr->kdf[i] == EAP_AKA_PRIME_KDF) 806 return eap_aka_prime_kdf_select(data, id, 807 EAP_AKA_PRIME_KDF); 808 } 809 810 /* No matching KDF found - fail authentication as if AUTN had been 811 * incorrect */ 812 return eap_aka_authentication_reject(data, id); 813} 814 815 816static int eap_aka_prime_kdf_valid(struct eap_aka_data *data, 817 struct eap_sim_attrs *attr) 818{ 819 size_t i, j; 820 821 if (attr->kdf_count == 0) 822 return 0; 823 824 /* The only allowed (and required) duplication of a KDF is the addition 825 * of the selected KDF into the beginning of the list. */ 826 827 if (data->kdf_negotiation) { 828 if (attr->kdf[0] != data->kdf) { 829 wpa_printf(MSG_WARNING, "EAP-AKA': The server did not " 830 "accept the selected KDF"); 831 return 0; 832 } 833 834 for (i = 1; i < attr->kdf_count; i++) { 835 if (attr->kdf[i] == data->kdf) 836 break; 837 } 838 if (i == attr->kdf_count && 839 attr->kdf_count < EAP_AKA_PRIME_KDF_MAX) { 840 wpa_printf(MSG_WARNING, "EAP-AKA': The server did not " 841 "duplicate the selected KDF"); 842 return 0; 843 } 844 845 /* TODO: should check that the list is identical to the one 846 * used in the previous Challenge message apart from the added 847 * entry in the beginning. */ 848 } 849 850 for (i = data->kdf ? 1 : 0; i < attr->kdf_count; i++) { 851 for (j = i + 1; j < attr->kdf_count; j++) { 852 if (attr->kdf[i] == attr->kdf[j]) { 853 wpa_printf(MSG_WARNING, "EAP-AKA': The server " 854 "included a duplicated KDF"); 855 return 0; 856 } 857 } 858 } 859 860 return 1; 861} 862#endif /* EAP_AKA_PRIME */ 863 864 865static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm, 866 struct eap_aka_data *data, 867 u8 id, 868 const struct wpabuf *reqData, 869 struct eap_sim_attrs *attr) 870{ 871 const u8 *identity; 872 size_t identity_len; 873 int res; 874 struct eap_sim_attrs eattr; 875 876 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Challenge"); 877 878 if (attr->checkcode && 879 eap_aka_verify_checkcode(data, attr->checkcode, 880 attr->checkcode_len)) { 881 wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the " 882 "message"); 883 return eap_aka_client_error(data, id, 884 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 885 } 886 887#ifdef EAP_AKA_PRIME 888 if (data->eap_method == EAP_TYPE_AKA_PRIME) { 889 if (!attr->kdf_input || attr->kdf_input_len == 0) { 890 wpa_printf(MSG_WARNING, "EAP-AKA': Challenge message " 891 "did not include non-empty AT_KDF_INPUT"); 892 /* Fail authentication as if AUTN had been incorrect */ 893 return eap_aka_authentication_reject(data, id); 894 } 895 os_free(data->network_name); 896 data->network_name = os_malloc(attr->kdf_input_len); 897 if (data->network_name == NULL) { 898 wpa_printf(MSG_WARNING, "EAP-AKA': No memory for " 899 "storing Network Name"); 900 return eap_aka_authentication_reject(data, id); 901 } 902 os_memcpy(data->network_name, attr->kdf_input, 903 attr->kdf_input_len); 904 data->network_name_len = attr->kdf_input_len; 905 wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA': Network Name " 906 "(AT_KDF_INPUT)", 907 data->network_name, data->network_name_len); 908 /* TODO: check Network Name per 3GPP.33.402 */ 909 910 if (!eap_aka_prime_kdf_valid(data, attr)) 911 return eap_aka_authentication_reject(data, id); 912 913 if (attr->kdf[0] != EAP_AKA_PRIME_KDF) 914 return eap_aka_prime_kdf_neg(data, id, attr); 915 916 data->kdf = EAP_AKA_PRIME_KDF; 917 wpa_printf(MSG_DEBUG, "EAP-AKA': KDF %d selected", data->kdf); 918 } 919 920 if (data->eap_method == EAP_TYPE_AKA && attr->bidding) { 921 u16 flags = WPA_GET_BE16(attr->bidding); 922 if ((flags & EAP_AKA_BIDDING_FLAG_D) && 923 eap_allowed_method(sm, EAP_VENDOR_IETF, 924 EAP_TYPE_AKA_PRIME)) { 925 wpa_printf(MSG_WARNING, "EAP-AKA: Bidding down from " 926 "AKA' to AKA detected"); 927 /* Fail authentication as if AUTN had been incorrect */ 928 return eap_aka_authentication_reject(data, id); 929 } 930 } 931#endif /* EAP_AKA_PRIME */ 932 933 data->reauth = 0; 934 if (!attr->mac || !attr->rand || !attr->autn) { 935 wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message " 936 "did not include%s%s%s", 937 !attr->mac ? " AT_MAC" : "", 938 !attr->rand ? " AT_RAND" : "", 939 !attr->autn ? " AT_AUTN" : ""); 940 return eap_aka_client_error(data, id, 941 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 942 } 943 os_memcpy(data->rand, attr->rand, EAP_AKA_RAND_LEN); 944 os_memcpy(data->autn, attr->autn, EAP_AKA_AUTN_LEN); 945 946 res = eap_aka_umts_auth(sm, data); 947 if (res == -1) { 948 wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication " 949 "failed (AUTN)"); 950 return eap_aka_authentication_reject(data, id); 951 } else if (res == -2) { 952 wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication " 953 "failed (AUTN seq# -> AUTS)"); 954 return eap_aka_synchronization_failure(data, id); 955 } else if (res > 0) { 956 wpa_printf(MSG_DEBUG, "EAP-AKA: Wait for external USIM processing"); 957 return NULL; 958 } else if (res) { 959 wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication failed"); 960 return eap_aka_client_error(data, id, 961 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 962 } 963#ifdef EAP_AKA_PRIME 964 if (data->eap_method == EAP_TYPE_AKA_PRIME) { 965 /* Note: AUTN = (SQN ^ AK) || AMF || MAC which gives us the 966 * needed 6-octet SQN ^ AK for CK',IK' derivation */ 967 u16 amf = WPA_GET_BE16(data->autn + 6); 968 if (!(amf & 0x8000)) { 969 wpa_printf(MSG_WARNING, "EAP-AKA': AMF separation bit " 970 "not set (AMF=0x%4x)", amf); 971 return eap_aka_authentication_reject(data, id); 972 } 973 eap_aka_prime_derive_ck_ik_prime(data->ck, data->ik, 974 data->autn, 975 data->network_name, 976 data->network_name_len); 977 } 978#endif /* EAP_AKA_PRIME */ 979 if (data->last_eap_identity) { 980 identity = data->last_eap_identity; 981 identity_len = data->last_eap_identity_len; 982 } else if (data->pseudonym) { 983 identity = data->pseudonym; 984 identity_len = data->pseudonym_len; 985 } else 986 identity = eap_get_config_identity(sm, &identity_len); 987 wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Selected identity for MK " 988 "derivation", identity, identity_len); 989 if (data->eap_method == EAP_TYPE_AKA_PRIME) { 990 eap_aka_prime_derive_keys(identity, identity_len, data->ik, 991 data->ck, data->k_encr, data->k_aut, 992 data->k_re, data->msk, data->emsk); 993 } else { 994 eap_aka_derive_mk(identity, identity_len, data->ik, data->ck, 995 data->mk); 996 eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut, 997 data->msk, data->emsk); 998 } 999 if (eap_aka_verify_mac(data, reqData, attr->mac, (u8 *) "", 0)) { 1000 wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message " 1001 "used invalid AT_MAC"); 1002 return eap_aka_client_error(data, id, 1003 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1004 } 1005 1006 /* Old reauthentication identity must not be used anymore. In 1007 * other words, if no new identities are received, full 1008 * authentication will be used on next reauthentication (using 1009 * pseudonym identity or permanent identity). */ 1010 eap_aka_clear_identities(sm, data, CLEAR_REAUTH_ID | CLEAR_EAP_ID); 1011 1012 if (attr->encr_data) { 1013 u8 *decrypted; 1014 decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data, 1015 attr->encr_data_len, attr->iv, 1016 &eattr, 0); 1017 if (decrypted == NULL) { 1018 return eap_aka_client_error( 1019 data, id, EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1020 } 1021 eap_aka_learn_ids(sm, data, &eattr); 1022 os_free(decrypted); 1023 } 1024 1025 if (data->result_ind && attr->result_ind) 1026 data->use_result_ind = 1; 1027 1028 if (data->state != FAILURE && data->state != RESULT_FAILURE) { 1029 eap_aka_state(data, data->use_result_ind ? 1030 RESULT_SUCCESS : SUCCESS); 1031 } 1032 1033 data->num_id_req = 0; 1034 data->num_notification = 0; 1035 /* RFC 4187 specifies that counter is initialized to one after 1036 * fullauth, but initializing it to zero makes it easier to implement 1037 * reauth verification. */ 1038 data->counter = 0; 1039 return eap_aka_response_challenge(data, id); 1040} 1041 1042 1043static int eap_aka_process_notification_reauth(struct eap_aka_data *data, 1044 struct eap_sim_attrs *attr) 1045{ 1046 struct eap_sim_attrs eattr; 1047 u8 *decrypted; 1048 1049 if (attr->encr_data == NULL || attr->iv == NULL) { 1050 wpa_printf(MSG_WARNING, "EAP-AKA: Notification message after " 1051 "reauth did not include encrypted data"); 1052 return -1; 1053 } 1054 1055 decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data, 1056 attr->encr_data_len, attr->iv, &eattr, 1057 0); 1058 if (decrypted == NULL) { 1059 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to parse encrypted " 1060 "data from notification message"); 1061 return -1; 1062 } 1063 1064 if (eattr.counter < 0 || (size_t) eattr.counter != data->counter) { 1065 wpa_printf(MSG_WARNING, "EAP-AKA: Counter in notification " 1066 "message does not match with counter in reauth " 1067 "message"); 1068 os_free(decrypted); 1069 return -1; 1070 } 1071 1072 os_free(decrypted); 1073 return 0; 1074} 1075 1076 1077static int eap_aka_process_notification_auth(struct eap_aka_data *data, 1078 const struct wpabuf *reqData, 1079 struct eap_sim_attrs *attr) 1080{ 1081 if (attr->mac == NULL) { 1082 wpa_printf(MSG_INFO, "EAP-AKA: no AT_MAC in after_auth " 1083 "Notification message"); 1084 return -1; 1085 } 1086 1087 if (eap_aka_verify_mac(data, reqData, attr->mac, (u8 *) "", 0)) { 1088 wpa_printf(MSG_WARNING, "EAP-AKA: Notification message " 1089 "used invalid AT_MAC"); 1090 return -1; 1091 } 1092 1093 if (data->reauth && 1094 eap_aka_process_notification_reauth(data, attr)) { 1095 wpa_printf(MSG_WARNING, "EAP-AKA: Invalid notification " 1096 "message after reauth"); 1097 return -1; 1098 } 1099 1100 return 0; 1101} 1102 1103 1104static struct wpabuf * eap_aka_process_notification( 1105 struct eap_sm *sm, struct eap_aka_data *data, u8 id, 1106 const struct wpabuf *reqData, struct eap_sim_attrs *attr) 1107{ 1108 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Notification"); 1109 if (data->num_notification > 0) { 1110 wpa_printf(MSG_INFO, "EAP-AKA: too many notification " 1111 "rounds (only one allowed)"); 1112 return eap_aka_client_error(data, id, 1113 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1114 } 1115 data->num_notification++; 1116 if (attr->notification == -1) { 1117 wpa_printf(MSG_INFO, "EAP-AKA: no AT_NOTIFICATION in " 1118 "Notification message"); 1119 return eap_aka_client_error(data, id, 1120 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1121 } 1122 1123 if ((attr->notification & 0x4000) == 0 && 1124 eap_aka_process_notification_auth(data, reqData, attr)) { 1125 return eap_aka_client_error(data, id, 1126 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1127 } 1128 1129 eap_sim_report_notification(sm->msg_ctx, attr->notification, 1); 1130 if (attr->notification >= 0 && attr->notification < 32768) { 1131 eap_aka_state(data, FAILURE); 1132 } else if (attr->notification == EAP_SIM_SUCCESS && 1133 data->state == RESULT_SUCCESS) 1134 eap_aka_state(data, SUCCESS); 1135 return eap_aka_response_notification(data, id, attr->notification); 1136} 1137 1138 1139static struct wpabuf * eap_aka_process_reauthentication( 1140 struct eap_sm *sm, struct eap_aka_data *data, u8 id, 1141 const struct wpabuf *reqData, struct eap_sim_attrs *attr) 1142{ 1143 struct eap_sim_attrs eattr; 1144 u8 *decrypted; 1145 1146 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Reauthentication"); 1147 1148 if (attr->checkcode && 1149 eap_aka_verify_checkcode(data, attr->checkcode, 1150 attr->checkcode_len)) { 1151 wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the " 1152 "message"); 1153 return eap_aka_client_error(data, id, 1154 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1155 } 1156 1157 if (data->reauth_id == NULL) { 1158 wpa_printf(MSG_WARNING, "EAP-AKA: Server is trying " 1159 "reauthentication, but no reauth_id available"); 1160 return eap_aka_client_error(data, id, 1161 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1162 } 1163 1164 data->reauth = 1; 1165 if (eap_aka_verify_mac(data, reqData, attr->mac, (u8 *) "", 0)) { 1166 wpa_printf(MSG_WARNING, "EAP-AKA: Reauthentication " 1167 "did not have valid AT_MAC"); 1168 return eap_aka_client_error(data, id, 1169 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1170 } 1171 1172 if (attr->encr_data == NULL || attr->iv == NULL) { 1173 wpa_printf(MSG_WARNING, "EAP-AKA: Reauthentication " 1174 "message did not include encrypted data"); 1175 return eap_aka_client_error(data, id, 1176 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1177 } 1178 1179 decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data, 1180 attr->encr_data_len, attr->iv, &eattr, 1181 0); 1182 if (decrypted == NULL) { 1183 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to parse encrypted " 1184 "data from reauthentication message"); 1185 return eap_aka_client_error(data, id, 1186 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1187 } 1188 1189 if (eattr.nonce_s == NULL || eattr.counter < 0) { 1190 wpa_printf(MSG_INFO, "EAP-AKA: (encr) No%s%s in reauth packet", 1191 !eattr.nonce_s ? " AT_NONCE_S" : "", 1192 eattr.counter < 0 ? " AT_COUNTER" : ""); 1193 os_free(decrypted); 1194 return eap_aka_client_error(data, id, 1195 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1196 } 1197 1198 if (eattr.counter < 0 || (size_t) eattr.counter <= data->counter) { 1199 struct wpabuf *res; 1200 wpa_printf(MSG_INFO, "EAP-AKA: (encr) Invalid counter " 1201 "(%d <= %d)", eattr.counter, data->counter); 1202 data->counter_too_small = eattr.counter; 1203 1204 /* Reply using Re-auth w/ AT_COUNTER_TOO_SMALL. The current 1205 * reauth_id must not be used to start a new reauthentication. 1206 * However, since it was used in the last EAP-Response-Identity 1207 * packet, it has to saved for the following fullauth to be 1208 * used in MK derivation. */ 1209 os_free(data->last_eap_identity); 1210 data->last_eap_identity = data->reauth_id; 1211 data->last_eap_identity_len = data->reauth_id_len; 1212 data->reauth_id = NULL; 1213 data->reauth_id_len = 0; 1214 1215 res = eap_aka_response_reauth(data, id, 1, eattr.nonce_s); 1216 os_free(decrypted); 1217 1218 return res; 1219 } 1220 data->counter = eattr.counter; 1221 1222 os_memcpy(data->nonce_s, eattr.nonce_s, EAP_SIM_NONCE_S_LEN); 1223 wpa_hexdump(MSG_DEBUG, "EAP-AKA: (encr) AT_NONCE_S", 1224 data->nonce_s, EAP_SIM_NONCE_S_LEN); 1225 1226 if (data->eap_method == EAP_TYPE_AKA_PRIME) { 1227 eap_aka_prime_derive_keys_reauth(data->k_re, data->counter, 1228 data->reauth_id, 1229 data->reauth_id_len, 1230 data->nonce_s, 1231 data->msk, data->emsk); 1232 } else { 1233 eap_sim_derive_keys_reauth(data->counter, data->reauth_id, 1234 data->reauth_id_len, 1235 data->nonce_s, data->mk, 1236 data->msk, data->emsk); 1237 } 1238 eap_aka_clear_identities(sm, data, CLEAR_REAUTH_ID | CLEAR_EAP_ID); 1239 eap_aka_learn_ids(sm, data, &eattr); 1240 1241 if (data->result_ind && attr->result_ind) 1242 data->use_result_ind = 1; 1243 1244 if (data->state != FAILURE && data->state != RESULT_FAILURE) { 1245 eap_aka_state(data, data->use_result_ind ? 1246 RESULT_SUCCESS : SUCCESS); 1247 } 1248 1249 data->num_id_req = 0; 1250 data->num_notification = 0; 1251 if (data->counter > EAP_AKA_MAX_FAST_REAUTHS) { 1252 wpa_printf(MSG_DEBUG, "EAP-AKA: Maximum number of " 1253 "fast reauths performed - force fullauth"); 1254 eap_aka_clear_identities(sm, data, 1255 CLEAR_REAUTH_ID | CLEAR_EAP_ID); 1256 } 1257 os_free(decrypted); 1258 return eap_aka_response_reauth(data, id, 0, data->nonce_s); 1259} 1260 1261 1262static struct wpabuf * eap_aka_process(struct eap_sm *sm, void *priv, 1263 struct eap_method_ret *ret, 1264 const struct wpabuf *reqData) 1265{ 1266 struct eap_aka_data *data = priv; 1267 const struct eap_hdr *req; 1268 u8 subtype, id; 1269 struct wpabuf *res; 1270 const u8 *pos; 1271 struct eap_sim_attrs attr; 1272 size_t len; 1273 1274 wpa_hexdump_buf(MSG_DEBUG, "EAP-AKA: EAP data", reqData); 1275 if (eap_get_config_identity(sm, &len) == NULL) { 1276 wpa_printf(MSG_INFO, "EAP-AKA: Identity not configured"); 1277 eap_sm_request_identity(sm); 1278 ret->ignore = TRUE; 1279 return NULL; 1280 } 1281 1282 pos = eap_hdr_validate(EAP_VENDOR_IETF, data->eap_method, reqData, 1283 &len); 1284 if (pos == NULL || len < 1) { 1285 ret->ignore = TRUE; 1286 return NULL; 1287 } 1288 req = wpabuf_head(reqData); 1289 id = req->identifier; 1290 len = be_to_host16(req->length); 1291 1292 ret->ignore = FALSE; 1293 ret->methodState = METHOD_MAY_CONT; 1294 ret->decision = DECISION_FAIL; 1295 ret->allowNotifications = TRUE; 1296 1297 subtype = *pos++; 1298 wpa_printf(MSG_DEBUG, "EAP-AKA: Subtype=%d", subtype); 1299 pos += 2; /* Reserved */ 1300 1301 if (eap_sim_parse_attr(pos, wpabuf_head_u8(reqData) + len, &attr, 1302 data->eap_method == EAP_TYPE_AKA_PRIME ? 2 : 1, 1303 0)) { 1304 res = eap_aka_client_error(data, id, 1305 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1306 goto done; 1307 } 1308 1309 switch (subtype) { 1310 case EAP_AKA_SUBTYPE_IDENTITY: 1311 res = eap_aka_process_identity(sm, data, id, reqData, &attr); 1312 break; 1313 case EAP_AKA_SUBTYPE_CHALLENGE: 1314 res = eap_aka_process_challenge(sm, data, id, reqData, &attr); 1315 break; 1316 case EAP_AKA_SUBTYPE_NOTIFICATION: 1317 res = eap_aka_process_notification(sm, data, id, reqData, 1318 &attr); 1319 break; 1320 case EAP_AKA_SUBTYPE_REAUTHENTICATION: 1321 res = eap_aka_process_reauthentication(sm, data, id, reqData, 1322 &attr); 1323 break; 1324 case EAP_AKA_SUBTYPE_CLIENT_ERROR: 1325 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Client-Error"); 1326 res = eap_aka_client_error(data, id, 1327 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1328 break; 1329 default: 1330 wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown subtype=%d", subtype); 1331 res = eap_aka_client_error(data, id, 1332 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1333 break; 1334 } 1335 1336done: 1337 if (data->state == FAILURE) { 1338 ret->decision = DECISION_FAIL; 1339 ret->methodState = METHOD_DONE; 1340 } else if (data->state == SUCCESS) { 1341 ret->decision = data->use_result_ind ? 1342 DECISION_UNCOND_SUCC : DECISION_COND_SUCC; 1343 /* 1344 * It is possible for the server to reply with AKA 1345 * Notification, so we must allow the method to continue and 1346 * not only accept EAP-Success at this point. 1347 */ 1348 ret->methodState = data->use_result_ind ? 1349 METHOD_DONE : METHOD_MAY_CONT; 1350 } else if (data->state == RESULT_FAILURE) 1351 ret->methodState = METHOD_CONT; 1352 else if (data->state == RESULT_SUCCESS) 1353 ret->methodState = METHOD_CONT; 1354 1355 if (ret->methodState == METHOD_DONE) { 1356 ret->allowNotifications = FALSE; 1357 } 1358 1359 return res; 1360} 1361 1362 1363static Boolean eap_aka_has_reauth_data(struct eap_sm *sm, void *priv) 1364{ 1365 struct eap_aka_data *data = priv; 1366 return data->pseudonym || data->reauth_id; 1367} 1368 1369 1370static void eap_aka_deinit_for_reauth(struct eap_sm *sm, void *priv) 1371{ 1372 struct eap_aka_data *data = priv; 1373 eap_aka_clear_identities(sm, data, CLEAR_EAP_ID); 1374 data->prev_id = -1; 1375 wpabuf_free(data->id_msgs); 1376 data->id_msgs = NULL; 1377 data->use_result_ind = 0; 1378 data->kdf_negotiation = 0; 1379} 1380 1381 1382static void * eap_aka_init_for_reauth(struct eap_sm *sm, void *priv) 1383{ 1384 struct eap_aka_data *data = priv; 1385 data->num_id_req = 0; 1386 data->num_notification = 0; 1387 eap_aka_state(data, CONTINUE); 1388 return priv; 1389} 1390 1391 1392static const u8 * eap_aka_get_identity(struct eap_sm *sm, void *priv, 1393 size_t *len) 1394{ 1395 struct eap_aka_data *data = priv; 1396 1397 if (data->reauth_id) { 1398 *len = data->reauth_id_len; 1399 return data->reauth_id; 1400 } 1401 1402 if (data->pseudonym) { 1403 *len = data->pseudonym_len; 1404 return data->pseudonym; 1405 } 1406 1407 return NULL; 1408} 1409 1410 1411static Boolean eap_aka_isKeyAvailable(struct eap_sm *sm, void *priv) 1412{ 1413 struct eap_aka_data *data = priv; 1414 return data->state == SUCCESS; 1415} 1416 1417 1418static u8 * eap_aka_getKey(struct eap_sm *sm, void *priv, size_t *len) 1419{ 1420 struct eap_aka_data *data = priv; 1421 u8 *key; 1422 1423 if (data->state != SUCCESS) 1424 return NULL; 1425 1426 key = os_malloc(EAP_SIM_KEYING_DATA_LEN); 1427 if (key == NULL) 1428 return NULL; 1429 1430 *len = EAP_SIM_KEYING_DATA_LEN; 1431 os_memcpy(key, data->msk, EAP_SIM_KEYING_DATA_LEN); 1432 1433 return key; 1434} 1435 1436 1437static u8 * eap_aka_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 1438{ 1439 struct eap_aka_data *data = priv; 1440 u8 *id; 1441 1442 if (data->state != SUCCESS) 1443 return NULL; 1444 1445 *len = 1 + EAP_AKA_RAND_LEN + EAP_AKA_AUTN_LEN; 1446 id = os_malloc(*len); 1447 if (id == NULL) 1448 return NULL; 1449 1450 id[0] = data->eap_method; 1451 os_memcpy(id + 1, data->rand, EAP_AKA_RAND_LEN); 1452 os_memcpy(id + 1 + EAP_AKA_RAND_LEN, data->autn, EAP_AKA_AUTN_LEN); 1453 wpa_hexdump(MSG_DEBUG, "EAP-AKA: Derived Session-Id", id, *len); 1454 1455 return id; 1456} 1457 1458 1459static u8 * eap_aka_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 1460{ 1461 struct eap_aka_data *data = priv; 1462 u8 *key; 1463 1464 if (data->state != SUCCESS) 1465 return NULL; 1466 1467 key = os_malloc(EAP_EMSK_LEN); 1468 if (key == NULL) 1469 return NULL; 1470 1471 *len = EAP_EMSK_LEN; 1472 os_memcpy(key, data->emsk, EAP_EMSK_LEN); 1473 1474 return key; 1475} 1476 1477 1478int eap_peer_aka_register(void) 1479{ 1480 struct eap_method *eap; 1481 int ret; 1482 1483 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1484 EAP_VENDOR_IETF, EAP_TYPE_AKA, "AKA"); 1485 if (eap == NULL) 1486 return -1; 1487 1488 eap->init = eap_aka_init; 1489 eap->deinit = eap_aka_deinit; 1490 eap->process = eap_aka_process; 1491 eap->isKeyAvailable = eap_aka_isKeyAvailable; 1492 eap->getKey = eap_aka_getKey; 1493 eap->getSessionId = eap_aka_get_session_id; 1494 eap->has_reauth_data = eap_aka_has_reauth_data; 1495 eap->deinit_for_reauth = eap_aka_deinit_for_reauth; 1496 eap->init_for_reauth = eap_aka_init_for_reauth; 1497 eap->get_identity = eap_aka_get_identity; 1498 eap->get_emsk = eap_aka_get_emsk; 1499 1500 ret = eap_peer_method_register(eap); 1501 if (ret) 1502 eap_peer_method_free(eap); 1503 return ret; 1504} 1505 1506 1507#ifdef EAP_AKA_PRIME 1508int eap_peer_aka_prime_register(void) 1509{ 1510 struct eap_method *eap; 1511 int ret; 1512 1513 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1514 EAP_VENDOR_IETF, EAP_TYPE_AKA_PRIME, 1515 "AKA'"); 1516 if (eap == NULL) 1517 return -1; 1518 1519 eap->init = eap_aka_prime_init; 1520 eap->deinit = eap_aka_deinit; 1521 eap->process = eap_aka_process; 1522 eap->isKeyAvailable = eap_aka_isKeyAvailable; 1523 eap->getKey = eap_aka_getKey; 1524 eap->getSessionId = eap_aka_get_session_id; 1525 eap->has_reauth_data = eap_aka_has_reauth_data; 1526 eap->deinit_for_reauth = eap_aka_deinit_for_reauth; 1527 eap->init_for_reauth = eap_aka_init_for_reauth; 1528 eap->get_identity = eap_aka_get_identity; 1529 eap->get_emsk = eap_aka_get_emsk; 1530 1531 ret = eap_peer_method_register(eap); 1532 if (ret) 1533 eap_peer_method_free(eap); 1534 1535 return ret; 1536} 1537#endif /* EAP_AKA_PRIME */ 1538