xref: /freebsd/contrib/wpa/src/eap_common/eap_sim_common.c (revision fcb560670601b2a4d87bb31d7531c8dcc37ee71b)
1 /*
2  * EAP peer/server: EAP-SIM/AKA/AKA' shared routines
3  * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "wpabuf.h"
13 #include "crypto/aes_wrap.h"
14 #include "crypto/crypto.h"
15 #include "crypto/sha1.h"
16 #include "crypto/sha256.h"
17 #include "crypto/random.h"
18 #include "eap_common/eap_defs.h"
19 #include "eap_common/eap_sim_common.h"
20 
21 
22 static int eap_sim_prf(const u8 *key, u8 *x, size_t xlen)
23 {
24 	return fips186_2_prf(key, EAP_SIM_MK_LEN, x, xlen);
25 }
26 
27 
28 void eap_sim_derive_mk(const u8 *identity, size_t identity_len,
29 		       const u8 *nonce_mt, u16 selected_version,
30 		       const u8 *ver_list, size_t ver_list_len,
31 		       int num_chal, const u8 *kc, u8 *mk)
32 {
33 	u8 sel_ver[2];
34 	const unsigned char *addr[5];
35 	size_t len[5];
36 
37 	addr[0] = identity;
38 	len[0] = identity_len;
39 	addr[1] = kc;
40 	len[1] = num_chal * EAP_SIM_KC_LEN;
41 	addr[2] = nonce_mt;
42 	len[2] = EAP_SIM_NONCE_MT_LEN;
43 	addr[3] = ver_list;
44 	len[3] = ver_list_len;
45 	addr[4] = sel_ver;
46 	len[4] = 2;
47 
48 	WPA_PUT_BE16(sel_ver, selected_version);
49 
50 	/* MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version) */
51 	sha1_vector(5, addr, len, mk);
52 	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: MK", mk, EAP_SIM_MK_LEN);
53 }
54 
55 
56 void eap_aka_derive_mk(const u8 *identity, size_t identity_len,
57 		       const u8 *ik, const u8 *ck, u8 *mk)
58 {
59 	const u8 *addr[3];
60 	size_t len[3];
61 
62 	addr[0] = identity;
63 	len[0] = identity_len;
64 	addr[1] = ik;
65 	len[1] = EAP_AKA_IK_LEN;
66 	addr[2] = ck;
67 	len[2] = EAP_AKA_CK_LEN;
68 
69 	/* MK = SHA1(Identity|IK|CK) */
70 	sha1_vector(3, addr, len, mk);
71 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: IK", ik, EAP_AKA_IK_LEN);
72 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: CK", ck, EAP_AKA_CK_LEN);
73 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: MK", mk, EAP_SIM_MK_LEN);
74 }
75 
76 
77 int eap_sim_derive_keys(const u8 *mk, u8 *k_encr, u8 *k_aut, u8 *msk, u8 *emsk)
78 {
79 	u8 buf[EAP_SIM_K_ENCR_LEN + EAP_SIM_K_AUT_LEN +
80 	       EAP_SIM_KEYING_DATA_LEN + EAP_EMSK_LEN], *pos;
81 	if (eap_sim_prf(mk, buf, sizeof(buf)) < 0) {
82 		wpa_printf(MSG_ERROR, "EAP-SIM: Failed to derive keys");
83 		return -1;
84 	}
85 	pos = buf;
86 	os_memcpy(k_encr, pos, EAP_SIM_K_ENCR_LEN);
87 	pos += EAP_SIM_K_ENCR_LEN;
88 	os_memcpy(k_aut, pos, EAP_SIM_K_AUT_LEN);
89 	pos += EAP_SIM_K_AUT_LEN;
90 	os_memcpy(msk, pos, EAP_SIM_KEYING_DATA_LEN);
91 	pos += EAP_SIM_KEYING_DATA_LEN;
92 	os_memcpy(emsk, pos, EAP_EMSK_LEN);
93 
94 	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: K_encr",
95 			k_encr, EAP_SIM_K_ENCR_LEN);
96 	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: K_aut",
97 			k_aut, EAP_SIM_K_AUT_LEN);
98 	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: keying material (MSK)",
99 			msk, EAP_SIM_KEYING_DATA_LEN);
100 	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: EMSK", emsk, EAP_EMSK_LEN);
101 	os_memset(buf, 0, sizeof(buf));
102 
103 	return 0;
104 }
105 
106 
107 int eap_sim_derive_keys_reauth(u16 _counter,
108 			       const u8 *identity, size_t identity_len,
109 			       const u8 *nonce_s, const u8 *mk, u8 *msk,
110 			       u8 *emsk)
111 {
112 	u8 xkey[SHA1_MAC_LEN];
113 	u8 buf[EAP_SIM_KEYING_DATA_LEN + EAP_EMSK_LEN + 32];
114 	u8 counter[2];
115 	const u8 *addr[4];
116 	size_t len[4];
117 
118 	while (identity_len > 0 && identity[identity_len - 1] == 0) {
119 		wpa_printf(MSG_DEBUG, "EAP-SIM: Workaround - drop null "
120 			   "character from the end of identity");
121 		identity_len--;
122 	}
123 	addr[0] = identity;
124 	len[0] = identity_len;
125 	addr[1] = counter;
126 	len[1] = 2;
127 	addr[2] = nonce_s;
128 	len[2] = EAP_SIM_NONCE_S_LEN;
129 	addr[3] = mk;
130 	len[3] = EAP_SIM_MK_LEN;
131 
132 	WPA_PUT_BE16(counter, _counter);
133 
134 	wpa_printf(MSG_DEBUG, "EAP-SIM: Deriving keying data from reauth");
135 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Identity",
136 			  identity, identity_len);
137 	wpa_hexdump(MSG_DEBUG, "EAP-SIM: counter", counter, 2);
138 	wpa_hexdump(MSG_DEBUG, "EAP-SIM: NONCE_S", nonce_s,
139 		    EAP_SIM_NONCE_S_LEN);
140 	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: MK", mk, EAP_SIM_MK_LEN);
141 
142 	/* XKEY' = SHA1(Identity|counter|NONCE_S|MK) */
143 	sha1_vector(4, addr, len, xkey);
144 	wpa_hexdump(MSG_DEBUG, "EAP-SIM: XKEY'", xkey, SHA1_MAC_LEN);
145 
146 	if (eap_sim_prf(xkey, buf, sizeof(buf)) < 0) {
147 		wpa_printf(MSG_ERROR, "EAP-SIM: Failed to derive keys");
148 		return -1;
149 	}
150 	if (msk) {
151 		os_memcpy(msk, buf, EAP_SIM_KEYING_DATA_LEN);
152 		wpa_hexdump(MSG_DEBUG, "EAP-SIM: keying material (MSK)",
153 			    msk, EAP_SIM_KEYING_DATA_LEN);
154 	}
155 	if (emsk) {
156 		os_memcpy(emsk, buf + EAP_SIM_KEYING_DATA_LEN, EAP_EMSK_LEN);
157 		wpa_hexdump(MSG_DEBUG, "EAP-SIM: EMSK", emsk, EAP_EMSK_LEN);
158 	}
159 	os_memset(buf, 0, sizeof(buf));
160 
161 	return 0;
162 }
163 
164 
165 int eap_sim_verify_mac(const u8 *k_aut, const struct wpabuf *req,
166 		       const u8 *mac, const u8 *extra, size_t extra_len)
167 {
168 	unsigned char hmac[SHA1_MAC_LEN];
169 	const u8 *addr[2];
170 	size_t len[2];
171 	u8 *tmp;
172 
173 	if (mac == NULL || wpabuf_len(req) < EAP_SIM_MAC_LEN ||
174 	    mac < wpabuf_head_u8(req) ||
175 	    mac > wpabuf_head_u8(req) + wpabuf_len(req) - EAP_SIM_MAC_LEN)
176 		return -1;
177 
178 	tmp = os_malloc(wpabuf_len(req));
179 	if (tmp == NULL)
180 		return -1;
181 
182 	addr[0] = tmp;
183 	len[0] = wpabuf_len(req);
184 	addr[1] = extra;
185 	len[1] = extra_len;
186 
187 	/* HMAC-SHA1-128 */
188 	os_memcpy(tmp, wpabuf_head(req), wpabuf_len(req));
189 	os_memset(tmp + (mac - wpabuf_head_u8(req)), 0, EAP_SIM_MAC_LEN);
190 	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Verify MAC - msg",
191 		    tmp, wpabuf_len(req));
192 	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Verify MAC - extra data",
193 		    extra, extra_len);
194 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-SIM: Verify MAC - K_aut",
195 			k_aut, EAP_SIM_K_AUT_LEN);
196 	hmac_sha1_vector(k_aut, EAP_SIM_K_AUT_LEN, 2, addr, len, hmac);
197 	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Verify MAC: MAC",
198 		    hmac, EAP_SIM_MAC_LEN);
199 	os_free(tmp);
200 
201 	return (os_memcmp(hmac, mac, EAP_SIM_MAC_LEN) == 0) ? 0 : 1;
202 }
203 
204 
205 void eap_sim_add_mac(const u8 *k_aut, const u8 *msg, size_t msg_len, u8 *mac,
206 		     const u8 *extra, size_t extra_len)
207 {
208 	unsigned char hmac[SHA1_MAC_LEN];
209 	const u8 *addr[2];
210 	size_t len[2];
211 
212 	addr[0] = msg;
213 	len[0] = msg_len;
214 	addr[1] = extra;
215 	len[1] = extra_len;
216 
217 	/* HMAC-SHA1-128 */
218 	os_memset(mac, 0, EAP_SIM_MAC_LEN);
219 	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Add MAC - msg", msg, msg_len);
220 	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Add MAC - extra data",
221 		    extra, extra_len);
222 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-SIM: Add MAC - K_aut",
223 			k_aut, EAP_SIM_K_AUT_LEN);
224 	hmac_sha1_vector(k_aut, EAP_SIM_K_AUT_LEN, 2, addr, len, hmac);
225 	os_memcpy(mac, hmac, EAP_SIM_MAC_LEN);
226 	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Add MAC: MAC",
227 		    mac, EAP_SIM_MAC_LEN);
228 }
229 
230 
231 #if defined(EAP_AKA_PRIME) || defined(EAP_SERVER_AKA_PRIME)
232 static void prf_prime(const u8 *k, const char *seed1,
233 		      const u8 *seed2, size_t seed2_len,
234 		      const u8 *seed3, size_t seed3_len,
235 		      u8 *res, size_t res_len)
236 {
237 	const u8 *addr[5];
238 	size_t len[5];
239 	u8 hash[SHA256_MAC_LEN];
240 	u8 iter;
241 
242 	/*
243 	 * PRF'(K,S) = T1 | T2 | T3 | T4 | ...
244 	 * T1 = HMAC-SHA-256 (K, S | 0x01)
245 	 * T2 = HMAC-SHA-256 (K, T1 | S | 0x02)
246 	 * T3 = HMAC-SHA-256 (K, T2 | S | 0x03)
247 	 * T4 = HMAC-SHA-256 (K, T3 | S | 0x04)
248 	 * ...
249 	 */
250 
251 	addr[0] = hash;
252 	len[0] = 0;
253 	addr[1] = (const u8 *) seed1;
254 	len[1] = os_strlen(seed1);
255 	addr[2] = seed2;
256 	len[2] = seed2_len;
257 	addr[3] = seed3;
258 	len[3] = seed3_len;
259 	addr[4] = &iter;
260 	len[4] = 1;
261 
262 	iter = 0;
263 	while (res_len) {
264 		size_t hlen;
265 		iter++;
266 		hmac_sha256_vector(k, 32, 5, addr, len, hash);
267 		len[0] = SHA256_MAC_LEN;
268 		hlen = res_len > SHA256_MAC_LEN ? SHA256_MAC_LEN : res_len;
269 		os_memcpy(res, hash, hlen);
270 		res += hlen;
271 		res_len -= hlen;
272 	}
273 }
274 
275 
276 void eap_aka_prime_derive_keys(const u8 *identity, size_t identity_len,
277 			       const u8 *ik, const u8 *ck, u8 *k_encr,
278 			       u8 *k_aut, u8 *k_re, u8 *msk, u8 *emsk)
279 {
280 	u8 key[EAP_AKA_IK_LEN + EAP_AKA_CK_LEN];
281 	u8 keys[EAP_SIM_K_ENCR_LEN + EAP_AKA_PRIME_K_AUT_LEN +
282 		EAP_AKA_PRIME_K_RE_LEN + EAP_MSK_LEN + EAP_EMSK_LEN];
283 	u8 *pos;
284 
285 	/*
286 	 * MK = PRF'(IK'|CK',"EAP-AKA'"|Identity)
287 	 * K_encr = MK[0..127]
288 	 * K_aut  = MK[128..383]
289 	 * K_re   = MK[384..639]
290 	 * MSK    = MK[640..1151]
291 	 * EMSK   = MK[1152..1663]
292 	 */
293 
294 	os_memcpy(key, ik, EAP_AKA_IK_LEN);
295 	os_memcpy(key + EAP_AKA_IK_LEN, ck, EAP_AKA_CK_LEN);
296 
297 	prf_prime(key, "EAP-AKA'", identity, identity_len, NULL, 0,
298 		  keys, sizeof(keys));
299 
300 	pos = keys;
301 	os_memcpy(k_encr, pos, EAP_SIM_K_ENCR_LEN);
302 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': K_encr",
303 			k_encr, EAP_SIM_K_ENCR_LEN);
304 	pos += EAP_SIM_K_ENCR_LEN;
305 
306 	os_memcpy(k_aut, pos, EAP_AKA_PRIME_K_AUT_LEN);
307 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': K_aut",
308 			k_aut, EAP_AKA_PRIME_K_AUT_LEN);
309 	pos += EAP_AKA_PRIME_K_AUT_LEN;
310 
311 	os_memcpy(k_re, pos, EAP_AKA_PRIME_K_RE_LEN);
312 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': K_re",
313 			k_re, EAP_AKA_PRIME_K_RE_LEN);
314 	pos += EAP_AKA_PRIME_K_RE_LEN;
315 
316 	os_memcpy(msk, pos, EAP_MSK_LEN);
317 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': MSK", msk, EAP_MSK_LEN);
318 	pos += EAP_MSK_LEN;
319 
320 	os_memcpy(emsk, pos, EAP_EMSK_LEN);
321 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': EMSK", emsk, EAP_EMSK_LEN);
322 }
323 
324 
325 int eap_aka_prime_derive_keys_reauth(const u8 *k_re, u16 counter,
326 				     const u8 *identity, size_t identity_len,
327 				     const u8 *nonce_s, u8 *msk, u8 *emsk)
328 {
329 	u8 seed3[2 + EAP_SIM_NONCE_S_LEN];
330 	u8 keys[EAP_MSK_LEN + EAP_EMSK_LEN];
331 	u8 *pos;
332 
333 	/*
334 	 * MK = PRF'(K_re,"EAP-AKA' re-auth"|Identity|counter|NONCE_S)
335 	 * MSK  = MK[0..511]
336 	 * EMSK = MK[512..1023]
337 	 */
338 
339 	WPA_PUT_BE16(seed3, counter);
340 	os_memcpy(seed3 + 2, nonce_s, EAP_SIM_NONCE_S_LEN);
341 
342 	prf_prime(k_re, "EAP-AKA' re-auth", identity, identity_len,
343 		  seed3, sizeof(seed3),
344 		  keys, sizeof(keys));
345 
346 	pos = keys;
347 	os_memcpy(msk, pos, EAP_MSK_LEN);
348 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': MSK", msk, EAP_MSK_LEN);
349 	pos += EAP_MSK_LEN;
350 
351 	os_memcpy(emsk, pos, EAP_EMSK_LEN);
352 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': EMSK", emsk, EAP_EMSK_LEN);
353 
354 	os_memset(keys, 0, sizeof(keys));
355 
356 	return 0;
357 }
358 
359 
360 int eap_sim_verify_mac_sha256(const u8 *k_aut, const struct wpabuf *req,
361 			      const u8 *mac, const u8 *extra, size_t extra_len)
362 {
363 	unsigned char hmac[SHA256_MAC_LEN];
364 	const u8 *addr[2];
365 	size_t len[2];
366 	u8 *tmp;
367 
368 	if (mac == NULL || wpabuf_len(req) < EAP_SIM_MAC_LEN ||
369 	    mac < wpabuf_head_u8(req) ||
370 	    mac > wpabuf_head_u8(req) + wpabuf_len(req) - EAP_SIM_MAC_LEN)
371 		return -1;
372 
373 	tmp = os_malloc(wpabuf_len(req));
374 	if (tmp == NULL)
375 		return -1;
376 
377 	addr[0] = tmp;
378 	len[0] = wpabuf_len(req);
379 	addr[1] = extra;
380 	len[1] = extra_len;
381 
382 	/* HMAC-SHA-256-128 */
383 	os_memcpy(tmp, wpabuf_head(req), wpabuf_len(req));
384 	os_memset(tmp + (mac - wpabuf_head_u8(req)), 0, EAP_SIM_MAC_LEN);
385 	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC - msg",
386 		    tmp, wpabuf_len(req));
387 	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC - extra data",
388 		    extra, extra_len);
389 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-AKA': Verify MAC - K_aut",
390 			k_aut, EAP_AKA_PRIME_K_AUT_LEN);
391 	hmac_sha256_vector(k_aut, EAP_AKA_PRIME_K_AUT_LEN, 2, addr, len, hmac);
392 	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC: MAC",
393 		    hmac, EAP_SIM_MAC_LEN);
394 	os_free(tmp);
395 
396 	return (os_memcmp(hmac, mac, EAP_SIM_MAC_LEN) == 0) ? 0 : 1;
397 }
398 
399 
400 void eap_sim_add_mac_sha256(const u8 *k_aut, const u8 *msg, size_t msg_len,
401 			    u8 *mac, const u8 *extra, size_t extra_len)
402 {
403 	unsigned char hmac[SHA256_MAC_LEN];
404 	const u8 *addr[2];
405 	size_t len[2];
406 
407 	addr[0] = msg;
408 	len[0] = msg_len;
409 	addr[1] = extra;
410 	len[1] = extra_len;
411 
412 	/* HMAC-SHA-256-128 */
413 	os_memset(mac, 0, EAP_SIM_MAC_LEN);
414 	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Add MAC - msg", msg, msg_len);
415 	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Add MAC - extra data",
416 		    extra, extra_len);
417 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-AKA': Add MAC - K_aut",
418 			k_aut, EAP_AKA_PRIME_K_AUT_LEN);
419 	hmac_sha256_vector(k_aut, EAP_AKA_PRIME_K_AUT_LEN, 2, addr, len, hmac);
420 	os_memcpy(mac, hmac, EAP_SIM_MAC_LEN);
421 	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Add MAC: MAC",
422 		    mac, EAP_SIM_MAC_LEN);
423 }
424 
425 
426 void eap_aka_prime_derive_ck_ik_prime(u8 *ck, u8 *ik, const u8 *sqn_ak,
427 				      const u8 *network_name,
428 				      size_t network_name_len)
429 {
430 	u8 key[EAP_AKA_CK_LEN + EAP_AKA_IK_LEN];
431 	u8 hash[SHA256_MAC_LEN];
432 	const u8 *addr[5];
433 	size_t len[5];
434 	u8 fc;
435 	u8 l0[2], l1[2];
436 
437 	/* 3GPP TS 33.402 V8.0.0
438 	 * (CK', IK') = F(CK, IK, <access network identity>)
439 	 */
440 	/* TODO: CK', IK' generation should really be moved into the actual
441 	 * AKA procedure with network name passed in there and option to use
442 	 * AMF separation bit = 1 (3GPP TS 33.401). */
443 
444 	/* Change Request 33.402 CR 0033 to version 8.1.1 from
445 	 * 3GPP TSG-SA WG3 Meeting #53 in September 2008:
446 	 *
447 	 * CK' || IK' = HMAC-SHA-256(Key, S)
448 	 * S = FC || P0 || L0 || P1 || L1 || ... || Pn || Ln
449 	 * Key = CK || IK
450 	 * FC = 0x20
451 	 * P0 = access network identity (3GPP TS 24.302)
452 	 * L0 = length of acceess network identity (2 octets, big endian)
453 	 * P1 = SQN xor AK (if AK is not used, AK is treaded as 000..0
454 	 * L1 = 0x00 0x06
455 	 */
456 
457 	fc = 0x20;
458 
459 	wpa_printf(MSG_DEBUG, "EAP-AKA': Derive (CK',IK') from (CK,IK)");
460 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': CK", ck, EAP_AKA_CK_LEN);
461 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': IK", ik, EAP_AKA_IK_LEN);
462 	wpa_printf(MSG_DEBUG, "EAP-AKA': FC = 0x%x", fc);
463 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA': P0 = Access network identity",
464 			  network_name, network_name_len);
465 	wpa_hexdump(MSG_DEBUG, "EAP-AKA': P1 = SQN xor AK", sqn_ak, 6);
466 
467 	os_memcpy(key, ck, EAP_AKA_CK_LEN);
468 	os_memcpy(key + EAP_AKA_CK_LEN, ik, EAP_AKA_IK_LEN);
469 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': Key = CK || IK",
470 			key, sizeof(key));
471 
472 	addr[0] = &fc;
473 	len[0] = 1;
474 	addr[1] = network_name;
475 	len[1] = network_name_len;
476 	WPA_PUT_BE16(l0, network_name_len);
477 	addr[2] = l0;
478 	len[2] = 2;
479 	addr[3] = sqn_ak;
480 	len[3] = 6;
481 	WPA_PUT_BE16(l1, 6);
482 	addr[4] = l1;
483 	len[4] = 2;
484 
485 	hmac_sha256_vector(key, sizeof(key), 5, addr, len, hash);
486 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': KDF output (CK' || IK')",
487 			hash, sizeof(hash));
488 
489 	os_memcpy(ck, hash, EAP_AKA_CK_LEN);
490 	os_memcpy(ik, hash + EAP_AKA_CK_LEN, EAP_AKA_IK_LEN);
491 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': CK'", ck, EAP_AKA_CK_LEN);
492 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': IK'", ik, EAP_AKA_IK_LEN);
493 }
494 #endif /* EAP_AKA_PRIME || EAP_SERVER_AKA_PRIME */
495 
496 
497 int eap_sim_parse_attr(const u8 *start, const u8 *end,
498 		       struct eap_sim_attrs *attr, int aka, int encr)
499 {
500 	const u8 *pos = start, *apos;
501 	size_t alen, plen, i, list_len;
502 
503 	os_memset(attr, 0, sizeof(*attr));
504 	attr->id_req = NO_ID_REQ;
505 	attr->notification = -1;
506 	attr->counter = -1;
507 	attr->selected_version = -1;
508 	attr->client_error_code = -1;
509 
510 	while (pos < end) {
511 		if (pos + 2 > end) {
512 			wpa_printf(MSG_INFO, "EAP-SIM: Attribute overflow(1)");
513 			return -1;
514 		}
515 		wpa_printf(MSG_MSGDUMP, "EAP-SIM: Attribute: Type=%d Len=%d",
516 			   pos[0], pos[1] * 4);
517 		if (pos + pos[1] * 4 > end) {
518 			wpa_printf(MSG_INFO, "EAP-SIM: Attribute overflow "
519 				   "(pos=%p len=%d end=%p)",
520 				   pos, pos[1] * 4, end);
521 			return -1;
522 		}
523 		if (pos[1] == 0) {
524 			wpa_printf(MSG_INFO, "EAP-SIM: Attribute underflow");
525 			return -1;
526 		}
527 		apos = pos + 2;
528 		alen = pos[1] * 4 - 2;
529 		wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Attribute data",
530 			    apos, alen);
531 
532 		switch (pos[0]) {
533 		case EAP_SIM_AT_RAND:
534 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_RAND");
535 			apos += 2;
536 			alen -= 2;
537 			if ((!aka && (alen % GSM_RAND_LEN)) ||
538 			    (aka && alen != EAP_AKA_RAND_LEN)) {
539 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_RAND"
540 					   " (len %lu)",
541 					   (unsigned long) alen);
542 				return -1;
543 			}
544 			attr->rand = apos;
545 			attr->num_chal = alen / GSM_RAND_LEN;
546 			break;
547 		case EAP_SIM_AT_AUTN:
548 			wpa_printf(MSG_DEBUG, "EAP-AKA: AT_AUTN");
549 			if (!aka) {
550 				wpa_printf(MSG_DEBUG, "EAP-SIM: "
551 					   "Unexpected AT_AUTN");
552 				return -1;
553 			}
554 			apos += 2;
555 			alen -= 2;
556 			if (alen != EAP_AKA_AUTN_LEN) {
557 				wpa_printf(MSG_INFO, "EAP-AKA: Invalid AT_AUTN"
558 					   " (len %lu)",
559 					   (unsigned long) alen);
560 				return -1;
561 			}
562 			attr->autn = apos;
563 			break;
564 		case EAP_SIM_AT_PADDING:
565 			if (!encr) {
566 				wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
567 					   "AT_PADDING");
568 				return -1;
569 			}
570 			wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) AT_PADDING");
571 			for (i = 2; i < alen; i++) {
572 				if (apos[i] != 0) {
573 					wpa_printf(MSG_INFO, "EAP-SIM: (encr) "
574 						   "AT_PADDING used a non-zero"
575 						   " padding byte");
576 					wpa_hexdump(MSG_DEBUG, "EAP-SIM: "
577 						    "(encr) padding bytes",
578 						    apos + 2, alen - 2);
579 					return -1;
580 				}
581 			}
582 			break;
583 		case EAP_SIM_AT_NONCE_MT:
584 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_NONCE_MT");
585 			if (alen != 2 + EAP_SIM_NONCE_MT_LEN) {
586 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
587 					   "AT_NONCE_MT length");
588 				return -1;
589 			}
590 			attr->nonce_mt = apos + 2;
591 			break;
592 		case EAP_SIM_AT_PERMANENT_ID_REQ:
593 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_PERMANENT_ID_REQ");
594 			attr->id_req = PERMANENT_ID;
595 			break;
596 		case EAP_SIM_AT_MAC:
597 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_MAC");
598 			if (alen != 2 + EAP_SIM_MAC_LEN) {
599 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_MAC "
600 					   "length");
601 				return -1;
602 			}
603 			attr->mac = apos + 2;
604 			break;
605 		case EAP_SIM_AT_NOTIFICATION:
606 			if (alen != 2) {
607 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
608 					   "AT_NOTIFICATION length %lu",
609 					   (unsigned long) alen);
610 				return -1;
611 			}
612 			attr->notification = apos[0] * 256 + apos[1];
613 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_NOTIFICATION %d",
614 				   attr->notification);
615 			break;
616 		case EAP_SIM_AT_ANY_ID_REQ:
617 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_ANY_ID_REQ");
618 			attr->id_req = ANY_ID;
619 			break;
620 		case EAP_SIM_AT_IDENTITY:
621 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_IDENTITY");
622 			plen = WPA_GET_BE16(apos);
623 			apos += 2;
624 			alen -= 2;
625 			if (plen > alen) {
626 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
627 					   "AT_IDENTITY (Actual Length %lu, "
628 					   "remaining length %lu)",
629 					   (unsigned long) plen,
630 					   (unsigned long) alen);
631 				return -1;
632 			}
633 
634 			attr->identity = apos;
635 			attr->identity_len = plen;
636 			break;
637 		case EAP_SIM_AT_VERSION_LIST:
638 			if (aka) {
639 				wpa_printf(MSG_DEBUG, "EAP-AKA: "
640 					   "Unexpected AT_VERSION_LIST");
641 				return -1;
642 			}
643 			list_len = apos[0] * 256 + apos[1];
644 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_VERSION_LIST");
645 			if (list_len < 2 || list_len > alen - 2) {
646 				wpa_printf(MSG_WARNING, "EAP-SIM: Invalid "
647 					   "AT_VERSION_LIST (list_len=%lu "
648 					   "attr_len=%lu)",
649 					   (unsigned long) list_len,
650 					   (unsigned long) alen);
651 				return -1;
652 			}
653 			attr->version_list = apos + 2;
654 			attr->version_list_len = list_len;
655 			break;
656 		case EAP_SIM_AT_SELECTED_VERSION:
657 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_SELECTED_VERSION");
658 			if (alen != 2) {
659 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
660 					   "AT_SELECTED_VERSION length %lu",
661 					   (unsigned long) alen);
662 				return -1;
663 			}
664 			attr->selected_version = apos[0] * 256 + apos[1];
665 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_SELECTED_VERSION "
666 				   "%d", attr->selected_version);
667 			break;
668 		case EAP_SIM_AT_FULLAUTH_ID_REQ:
669 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_FULLAUTH_ID_REQ");
670 			attr->id_req = FULLAUTH_ID;
671 			break;
672 		case EAP_SIM_AT_COUNTER:
673 			if (!encr) {
674 				wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
675 					   "AT_COUNTER");
676 				return -1;
677 			}
678 			if (alen != 2) {
679 				wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid "
680 					   "AT_COUNTER (alen=%lu)",
681 					   (unsigned long) alen);
682 				return -1;
683 			}
684 			attr->counter = apos[0] * 256 + apos[1];
685 			wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) AT_COUNTER %d",
686 				   attr->counter);
687 			break;
688 		case EAP_SIM_AT_COUNTER_TOO_SMALL:
689 			if (!encr) {
690 				wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
691 					   "AT_COUNTER_TOO_SMALL");
692 				return -1;
693 			}
694 			if (alen != 2) {
695 				wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid "
696 					   "AT_COUNTER_TOO_SMALL (alen=%lu)",
697 					   (unsigned long) alen);
698 				return -1;
699 			}
700 			wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
701 				   "AT_COUNTER_TOO_SMALL");
702 			attr->counter_too_small = 1;
703 			break;
704 		case EAP_SIM_AT_NONCE_S:
705 			if (!encr) {
706 				wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
707 					   "AT_NONCE_S");
708 				return -1;
709 			}
710 			wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
711 				   "AT_NONCE_S");
712 			if (alen != 2 + EAP_SIM_NONCE_S_LEN) {
713 				wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid "
714 					   "AT_NONCE_S (alen=%lu)",
715 					   (unsigned long) alen);
716 				return -1;
717 			}
718 			attr->nonce_s = apos + 2;
719 			break;
720 		case EAP_SIM_AT_CLIENT_ERROR_CODE:
721 			if (alen != 2) {
722 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
723 					   "AT_CLIENT_ERROR_CODE length %lu",
724 					   (unsigned long) alen);
725 				return -1;
726 			}
727 			attr->client_error_code = apos[0] * 256 + apos[1];
728 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_CLIENT_ERROR_CODE "
729 				   "%d", attr->client_error_code);
730 			break;
731 		case EAP_SIM_AT_IV:
732 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_IV");
733 			if (alen != 2 + EAP_SIM_MAC_LEN) {
734 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_IV "
735 					   "length %lu", (unsigned long) alen);
736 				return -1;
737 			}
738 			attr->iv = apos + 2;
739 			break;
740 		case EAP_SIM_AT_ENCR_DATA:
741 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_ENCR_DATA");
742 			attr->encr_data = apos + 2;
743 			attr->encr_data_len = alen - 2;
744 			if (attr->encr_data_len % 16) {
745 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
746 					   "AT_ENCR_DATA length %lu",
747 					   (unsigned long)
748 					   attr->encr_data_len);
749 				return -1;
750 			}
751 			break;
752 		case EAP_SIM_AT_NEXT_PSEUDONYM:
753 			if (!encr) {
754 				wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
755 					   "AT_NEXT_PSEUDONYM");
756 				return -1;
757 			}
758 			wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
759 				   "AT_NEXT_PSEUDONYM");
760 			plen = apos[0] * 256 + apos[1];
761 			if (plen > alen - 2) {
762 				wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid"
763 					   " AT_NEXT_PSEUDONYM (actual"
764 					   " len %lu, attr len %lu)",
765 					   (unsigned long) plen,
766 					   (unsigned long) alen);
767 				return -1;
768 			}
769 			attr->next_pseudonym = pos + 4;
770 			attr->next_pseudonym_len = plen;
771 			break;
772 		case EAP_SIM_AT_NEXT_REAUTH_ID:
773 			if (!encr) {
774 				wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
775 					   "AT_NEXT_REAUTH_ID");
776 				return -1;
777 			}
778 			wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
779 				   "AT_NEXT_REAUTH_ID");
780 			plen = apos[0] * 256 + apos[1];
781 			if (plen > alen - 2) {
782 				wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid"
783 					   " AT_NEXT_REAUTH_ID (actual"
784 					   " len %lu, attr len %lu)",
785 					   (unsigned long) plen,
786 					   (unsigned long) alen);
787 				return -1;
788 			}
789 			attr->next_reauth_id = pos + 4;
790 			attr->next_reauth_id_len = plen;
791 			break;
792 		case EAP_SIM_AT_RES:
793 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_RES");
794 			attr->res_len_bits = WPA_GET_BE16(apos);
795 			apos += 2;
796 			alen -= 2;
797 			if (!aka || alen < EAP_AKA_MIN_RES_LEN ||
798 			    alen > EAP_AKA_MAX_RES_LEN) {
799 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_RES "
800 					   "(len %lu)",
801 					   (unsigned long) alen);
802 				return -1;
803 			}
804 			attr->res = apos;
805 			attr->res_len = alen;
806 			break;
807 		case EAP_SIM_AT_AUTS:
808 			wpa_printf(MSG_DEBUG, "EAP-AKA: AT_AUTS");
809 			if (!aka) {
810 				wpa_printf(MSG_DEBUG, "EAP-SIM: "
811 					   "Unexpected AT_AUTS");
812 				return -1;
813 			}
814 			if (alen != EAP_AKA_AUTS_LEN) {
815 				wpa_printf(MSG_INFO, "EAP-AKA: Invalid AT_AUTS"
816 					   " (len %lu)",
817 					   (unsigned long) alen);
818 				return -1;
819 			}
820 			attr->auts = apos;
821 			break;
822 		case EAP_SIM_AT_CHECKCODE:
823 			wpa_printf(MSG_DEBUG, "EAP-AKA: AT_CHECKCODE");
824 			if (!aka) {
825 				wpa_printf(MSG_DEBUG, "EAP-SIM: "
826 					   "Unexpected AT_CHECKCODE");
827 				return -1;
828 			}
829 			apos += 2;
830 			alen -= 2;
831 			if (alen != 0 && alen != EAP_AKA_CHECKCODE_LEN &&
832 			    alen != EAP_AKA_PRIME_CHECKCODE_LEN) {
833 				wpa_printf(MSG_INFO, "EAP-AKA: Invalid "
834 					   "AT_CHECKCODE (len %lu)",
835 					   (unsigned long) alen);
836 				return -1;
837 			}
838 			attr->checkcode = apos;
839 			attr->checkcode_len = alen;
840 			break;
841 		case EAP_SIM_AT_RESULT_IND:
842 			if (encr) {
843 				wpa_printf(MSG_ERROR, "EAP-SIM: Encrypted "
844 					   "AT_RESULT_IND");
845 				return -1;
846 			}
847 			if (alen != 2) {
848 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
849 					   "AT_RESULT_IND (alen=%lu)",
850 					   (unsigned long) alen);
851 				return -1;
852 			}
853 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_RESULT_IND");
854 			attr->result_ind = 1;
855 			break;
856 #if defined(EAP_AKA_PRIME) || defined(EAP_SERVER_AKA_PRIME)
857 		case EAP_SIM_AT_KDF_INPUT:
858 			if (aka != 2) {
859 				wpa_printf(MSG_INFO, "EAP-AKA: Unexpected "
860 					   "AT_KDF_INPUT");
861 				return -1;
862 			}
863 
864 			wpa_printf(MSG_DEBUG, "EAP-AKA: AT_KDF_INPUT");
865 			plen = WPA_GET_BE16(apos);
866 			apos += 2;
867 			alen -= 2;
868 			if (plen > alen) {
869 				wpa_printf(MSG_INFO, "EAP-AKA': Invalid "
870 					   "AT_KDF_INPUT (Actual Length %lu, "
871 					   "remaining length %lu)",
872 					   (unsigned long) plen,
873 					   (unsigned long) alen);
874 				return -1;
875 			}
876 			attr->kdf_input = apos;
877 			attr->kdf_input_len = plen;
878 			break;
879 		case EAP_SIM_AT_KDF:
880 			if (aka != 2) {
881 				wpa_printf(MSG_INFO, "EAP-AKA: Unexpected "
882 					   "AT_KDF");
883 				return -1;
884 			}
885 
886 			wpa_printf(MSG_DEBUG, "EAP-AKA: AT_KDF");
887 			if (alen != 2) {
888 				wpa_printf(MSG_INFO, "EAP-AKA': Invalid "
889 					   "AT_KDF (len %lu)",
890 					   (unsigned long) alen);
891 				return -1;
892 			}
893 			if (attr->kdf_count == EAP_AKA_PRIME_KDF_MAX) {
894 				wpa_printf(MSG_DEBUG, "EAP-AKA': Too many "
895 					   "AT_KDF attributes - ignore this");
896 				continue;
897 			}
898 			attr->kdf[attr->kdf_count] = WPA_GET_BE16(apos);
899 			attr->kdf_count++;
900 			break;
901 		case EAP_SIM_AT_BIDDING:
902 			wpa_printf(MSG_DEBUG, "EAP-AKA: AT_BIDDING");
903 			if (alen != 2) {
904 				wpa_printf(MSG_INFO, "EAP-AKA: Invalid "
905 					   "AT_BIDDING (len %lu)",
906 					   (unsigned long) alen);
907 				return -1;
908 			}
909 			attr->bidding = apos;
910 			break;
911 #endif /* EAP_AKA_PRIME || EAP_SERVER_AKA_PRIME */
912 		default:
913 			if (pos[0] < 128) {
914 				wpa_printf(MSG_INFO, "EAP-SIM: Unrecognized "
915 					   "non-skippable attribute %d",
916 					   pos[0]);
917 				return -1;
918 			}
919 
920 			wpa_printf(MSG_DEBUG, "EAP-SIM: Unrecognized skippable"
921 				   " attribute %d ignored", pos[0]);
922 			break;
923 		}
924 
925 		pos += pos[1] * 4;
926 	}
927 
928 	wpa_printf(MSG_DEBUG, "EAP-SIM: Attributes parsed successfully "
929 		   "(aka=%d encr=%d)", aka, encr);
930 
931 	return 0;
932 }
933 
934 
935 u8 * eap_sim_parse_encr(const u8 *k_encr, const u8 *encr_data,
936 			size_t encr_data_len, const u8 *iv,
937 			struct eap_sim_attrs *attr, int aka)
938 {
939 	u8 *decrypted;
940 
941 	if (!iv) {
942 		wpa_printf(MSG_INFO, "EAP-SIM: Encrypted data, but no IV");
943 		return NULL;
944 	}
945 
946 	decrypted = os_malloc(encr_data_len);
947 	if (decrypted == NULL)
948 		return NULL;
949 	os_memcpy(decrypted, encr_data, encr_data_len);
950 
951 	if (aes_128_cbc_decrypt(k_encr, iv, decrypted, encr_data_len)) {
952 		os_free(decrypted);
953 		return NULL;
954 	}
955 	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Decrypted AT_ENCR_DATA",
956 		    decrypted, encr_data_len);
957 
958 	if (eap_sim_parse_attr(decrypted, decrypted + encr_data_len, attr,
959 			       aka, 1)) {
960 		wpa_printf(MSG_INFO, "EAP-SIM: (encr) Failed to parse "
961 			   "decrypted AT_ENCR_DATA");
962 		os_free(decrypted);
963 		return NULL;
964 	}
965 
966 	return decrypted;
967 }
968 
969 
970 #define EAP_SIM_INIT_LEN 128
971 
972 struct eap_sim_msg {
973 	struct wpabuf *buf;
974 	size_t mac, iv, encr; /* index from buf */
975 	int type;
976 };
977 
978 
979 struct eap_sim_msg * eap_sim_msg_init(int code, int id, int type, int subtype)
980 {
981 	struct eap_sim_msg *msg;
982 	struct eap_hdr *eap;
983 	u8 *pos;
984 
985 	msg = os_zalloc(sizeof(*msg));
986 	if (msg == NULL)
987 		return NULL;
988 
989 	msg->type = type;
990 	msg->buf = wpabuf_alloc(EAP_SIM_INIT_LEN);
991 	if (msg->buf == NULL) {
992 		os_free(msg);
993 		return NULL;
994 	}
995 	eap = wpabuf_put(msg->buf, sizeof(*eap));
996 	eap->code = code;
997 	eap->identifier = id;
998 
999 	pos = wpabuf_put(msg->buf, 4);
1000 	*pos++ = type;
1001 	*pos++ = subtype;
1002 	*pos++ = 0; /* Reserved */
1003 	*pos++ = 0; /* Reserved */
1004 
1005 	return msg;
1006 }
1007 
1008 
1009 struct wpabuf * eap_sim_msg_finish(struct eap_sim_msg *msg, const u8 *k_aut,
1010 				   const u8 *extra, size_t extra_len)
1011 {
1012 	struct eap_hdr *eap;
1013 	struct wpabuf *buf;
1014 
1015 	if (msg == NULL)
1016 		return NULL;
1017 
1018 	eap = wpabuf_mhead(msg->buf);
1019 	eap->length = host_to_be16(wpabuf_len(msg->buf));
1020 
1021 #if defined(EAP_AKA_PRIME) || defined(EAP_SERVER_AKA_PRIME)
1022 	if (k_aut && msg->mac && msg->type == EAP_TYPE_AKA_PRIME) {
1023 		eap_sim_add_mac_sha256(k_aut, (u8 *) wpabuf_head(msg->buf),
1024 				       wpabuf_len(msg->buf),
1025 				       (u8 *) wpabuf_mhead(msg->buf) +
1026 				       msg->mac, extra, extra_len);
1027 	} else
1028 #endif /* EAP_AKA_PRIME || EAP_SERVER_AKA_PRIME */
1029 	if (k_aut && msg->mac) {
1030 		eap_sim_add_mac(k_aut, (u8 *) wpabuf_head(msg->buf),
1031 				wpabuf_len(msg->buf),
1032 				(u8 *) wpabuf_mhead(msg->buf) + msg->mac,
1033 				extra, extra_len);
1034 	}
1035 
1036 	buf = msg->buf;
1037 	os_free(msg);
1038 	return buf;
1039 }
1040 
1041 
1042 void eap_sim_msg_free(struct eap_sim_msg *msg)
1043 {
1044 	if (msg) {
1045 		wpabuf_free(msg->buf);
1046 		os_free(msg);
1047 	}
1048 }
1049 
1050 
1051 u8 * eap_sim_msg_add_full(struct eap_sim_msg *msg, u8 attr,
1052 			  const u8 *data, size_t len)
1053 {
1054 	int attr_len = 2 + len;
1055 	int pad_len;
1056 	u8 *start;
1057 
1058 	if (msg == NULL)
1059 		return NULL;
1060 
1061 	pad_len = (4 - attr_len % 4) % 4;
1062 	attr_len += pad_len;
1063 	if (wpabuf_resize(&msg->buf, attr_len))
1064 		return NULL;
1065 	start = wpabuf_put(msg->buf, 0);
1066 	wpabuf_put_u8(msg->buf, attr);
1067 	wpabuf_put_u8(msg->buf, attr_len / 4);
1068 	wpabuf_put_data(msg->buf, data, len);
1069 	if (pad_len)
1070 		os_memset(wpabuf_put(msg->buf, pad_len), 0, pad_len);
1071 	return start;
1072 }
1073 
1074 
1075 u8 * eap_sim_msg_add(struct eap_sim_msg *msg, u8 attr, u16 value,
1076 		     const u8 *data, size_t len)
1077 {
1078 	int attr_len = 4 + len;
1079 	int pad_len;
1080 	u8 *start;
1081 
1082 	if (msg == NULL)
1083 		return NULL;
1084 
1085 	pad_len = (4 - attr_len % 4) % 4;
1086 	attr_len += pad_len;
1087 	if (wpabuf_resize(&msg->buf, attr_len))
1088 		return NULL;
1089 	start = wpabuf_put(msg->buf, 0);
1090 	wpabuf_put_u8(msg->buf, attr);
1091 	wpabuf_put_u8(msg->buf, attr_len / 4);
1092 	wpabuf_put_be16(msg->buf, value);
1093 	if (data)
1094 		wpabuf_put_data(msg->buf, data, len);
1095 	else
1096 		wpabuf_put(msg->buf, len);
1097 	if (pad_len)
1098 		os_memset(wpabuf_put(msg->buf, pad_len), 0, pad_len);
1099 	return start;
1100 }
1101 
1102 
1103 u8 * eap_sim_msg_add_mac(struct eap_sim_msg *msg, u8 attr)
1104 {
1105 	u8 *pos = eap_sim_msg_add(msg, attr, 0, NULL, EAP_SIM_MAC_LEN);
1106 	if (pos)
1107 		msg->mac = (pos - wpabuf_head_u8(msg->buf)) + 4;
1108 	return pos;
1109 }
1110 
1111 
1112 int eap_sim_msg_add_encr_start(struct eap_sim_msg *msg, u8 attr_iv,
1113 			       u8 attr_encr)
1114 {
1115 	u8 *pos = eap_sim_msg_add(msg, attr_iv, 0, NULL, EAP_SIM_IV_LEN);
1116 	if (pos == NULL)
1117 		return -1;
1118 	msg->iv = (pos - wpabuf_head_u8(msg->buf)) + 4;
1119 	if (random_get_bytes(wpabuf_mhead_u8(msg->buf) + msg->iv,
1120 			     EAP_SIM_IV_LEN)) {
1121 		msg->iv = 0;
1122 		return -1;
1123 	}
1124 
1125 	pos = eap_sim_msg_add(msg, attr_encr, 0, NULL, 0);
1126 	if (pos == NULL) {
1127 		msg->iv = 0;
1128 		return -1;
1129 	}
1130 	msg->encr = pos - wpabuf_head_u8(msg->buf);
1131 
1132 	return 0;
1133 }
1134 
1135 
1136 int eap_sim_msg_add_encr_end(struct eap_sim_msg *msg, u8 *k_encr, int attr_pad)
1137 {
1138 	size_t encr_len;
1139 
1140 	if (msg == NULL || k_encr == NULL || msg->iv == 0 || msg->encr == 0)
1141 		return -1;
1142 
1143 	encr_len = wpabuf_len(msg->buf) - msg->encr - 4;
1144 	if (encr_len % 16) {
1145 		u8 *pos;
1146 		int pad_len = 16 - (encr_len % 16);
1147 		if (pad_len < 4) {
1148 			wpa_printf(MSG_WARNING, "EAP-SIM: "
1149 				   "eap_sim_msg_add_encr_end - invalid pad_len"
1150 				   " %d", pad_len);
1151 			return -1;
1152 		}
1153 		wpa_printf(MSG_DEBUG, "   *AT_PADDING");
1154 		pos = eap_sim_msg_add(msg, attr_pad, 0, NULL, pad_len - 4);
1155 		if (pos == NULL)
1156 			return -1;
1157 		os_memset(pos + 4, 0, pad_len - 4);
1158 		encr_len += pad_len;
1159 	}
1160 	wpa_printf(MSG_DEBUG, "   (AT_ENCR_DATA data len %lu)",
1161 		   (unsigned long) encr_len);
1162 	wpabuf_mhead_u8(msg->buf)[msg->encr + 1] = encr_len / 4 + 1;
1163 	return aes_128_cbc_encrypt(k_encr, wpabuf_head_u8(msg->buf) + msg->iv,
1164 				   wpabuf_mhead_u8(msg->buf) + msg->encr + 4,
1165 				   encr_len);
1166 }
1167 
1168 
1169 void eap_sim_report_notification(void *msg_ctx, int notification, int aka)
1170 {
1171 #ifndef CONFIG_NO_STDOUT_DEBUG
1172 	const char *type = aka ? "AKA" : "SIM";
1173 #endif /* CONFIG_NO_STDOUT_DEBUG */
1174 
1175 	switch (notification) {
1176 	case EAP_SIM_GENERAL_FAILURE_AFTER_AUTH:
1177 		wpa_printf(MSG_WARNING, "EAP-%s: General failure "
1178 			   "notification (after authentication)", type);
1179 		break;
1180 	case EAP_SIM_TEMPORARILY_DENIED:
1181 		wpa_printf(MSG_WARNING, "EAP-%s: Failure notification: "
1182 			   "User has been temporarily denied access to the "
1183 			   "requested service", type);
1184 		break;
1185 	case EAP_SIM_NOT_SUBSCRIBED:
1186 		wpa_printf(MSG_WARNING, "EAP-%s: Failure notification: "
1187 			   "User has not subscribed to the requested service",
1188 			   type);
1189 		break;
1190 	case EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH:
1191 		wpa_printf(MSG_WARNING, "EAP-%s: General failure "
1192 			   "notification (before authentication)", type);
1193 		break;
1194 	case EAP_SIM_SUCCESS:
1195 		wpa_printf(MSG_INFO, "EAP-%s: Successful authentication "
1196 			   "notification", type);
1197 		break;
1198 	default:
1199 		if (notification >= 32768) {
1200 			wpa_printf(MSG_INFO, "EAP-%s: Unrecognized "
1201 				   "non-failure notification %d",
1202 				   type, notification);
1203 		} else {
1204 			wpa_printf(MSG_WARNING, "EAP-%s: Unrecognized "
1205 				   "failure notification %d",
1206 				   type, notification);
1207 		}
1208 	}
1209 }
1210