1 /* 2 * EAP peer method: EAP-AKA (RFC 4187) and EAP-AKA' (draft-arkko-eap-aka-kdf) 3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "eap_peer/eap_i.h" 19 #include "pcsc_funcs.h" 20 #include "eap_common/eap_sim_common.h" 21 #include "sha1.h" 22 #include "sha256.h" 23 #include "crypto.h" 24 #include "eap_peer/eap_config.h" 25 #ifdef CONFIG_USIM_SIMULATOR 26 #include "hlr_auc_gw/milenage.h" 27 #endif /* CONFIG_USIM_SIMULATOR */ 28 29 30 struct eap_aka_data { 31 u8 ik[EAP_AKA_IK_LEN], ck[EAP_AKA_CK_LEN], res[EAP_AKA_RES_MAX_LEN]; 32 size_t res_len; 33 u8 nonce_s[EAP_SIM_NONCE_S_LEN]; 34 u8 mk[EAP_SIM_MK_LEN]; 35 u8 k_aut[EAP_AKA_PRIME_K_AUT_LEN]; 36 u8 k_encr[EAP_SIM_K_ENCR_LEN]; 37 u8 k_re[EAP_AKA_PRIME_K_RE_LEN]; /* EAP-AKA' only */ 38 u8 msk[EAP_SIM_KEYING_DATA_LEN]; 39 u8 emsk[EAP_EMSK_LEN]; 40 u8 rand[EAP_AKA_RAND_LEN], autn[EAP_AKA_AUTN_LEN]; 41 u8 auts[EAP_AKA_AUTS_LEN]; 42 43 int num_id_req, num_notification; 44 u8 *pseudonym; 45 size_t pseudonym_len; 46 u8 *reauth_id; 47 size_t reauth_id_len; 48 int reauth; 49 unsigned int counter, counter_too_small; 50 u8 *last_eap_identity; 51 size_t last_eap_identity_len; 52 enum { 53 CONTINUE, RESULT_SUCCESS, RESULT_FAILURE, SUCCESS, FAILURE 54 } state; 55 56 struct wpabuf *id_msgs; 57 int prev_id; 58 int result_ind, use_result_ind; 59 u8 eap_method; 60 u8 *network_name; 61 size_t network_name_len; 62 u16 kdf; 63 int kdf_negotiation; 64 }; 65 66 67 #ifndef CONFIG_NO_STDOUT_DEBUG 68 static const char * eap_aka_state_txt(int state) 69 { 70 switch (state) { 71 case CONTINUE: 72 return "CONTINUE"; 73 case RESULT_SUCCESS: 74 return "RESULT_SUCCESS"; 75 case RESULT_FAILURE: 76 return "RESULT_FAILURE"; 77 case SUCCESS: 78 return "SUCCESS"; 79 case FAILURE: 80 return "FAILURE"; 81 default: 82 return "?"; 83 } 84 } 85 #endif /* CONFIG_NO_STDOUT_DEBUG */ 86 87 88 static void eap_aka_state(struct eap_aka_data *data, int state) 89 { 90 wpa_printf(MSG_DEBUG, "EAP-AKA: %s -> %s", 91 eap_aka_state_txt(data->state), 92 eap_aka_state_txt(state)); 93 data->state = state; 94 } 95 96 97 static void * eap_aka_init(struct eap_sm *sm) 98 { 99 struct eap_aka_data *data; 100 const char *phase1 = eap_get_config_phase1(sm); 101 102 data = os_zalloc(sizeof(*data)); 103 if (data == NULL) 104 return NULL; 105 106 data->eap_method = EAP_TYPE_AKA; 107 108 eap_aka_state(data, CONTINUE); 109 data->prev_id = -1; 110 111 data->result_ind = phase1 && os_strstr(phase1, "result_ind=1") != NULL; 112 113 return data; 114 } 115 116 117 #ifdef EAP_AKA_PRIME 118 static void * eap_aka_prime_init(struct eap_sm *sm) 119 { 120 struct eap_aka_data *data = eap_aka_init(sm); 121 if (data == NULL) 122 return NULL; 123 data->eap_method = EAP_TYPE_AKA_PRIME; 124 return data; 125 } 126 #endif /* EAP_AKA_PRIME */ 127 128 129 static void eap_aka_deinit(struct eap_sm *sm, void *priv) 130 { 131 struct eap_aka_data *data = priv; 132 if (data) { 133 os_free(data->pseudonym); 134 os_free(data->reauth_id); 135 os_free(data->last_eap_identity); 136 wpabuf_free(data->id_msgs); 137 os_free(data->network_name); 138 os_free(data); 139 } 140 } 141 142 143 static int eap_aka_umts_auth(struct eap_sm *sm, struct eap_aka_data *data) 144 { 145 struct eap_peer_config *conf; 146 147 wpa_printf(MSG_DEBUG, "EAP-AKA: UMTS authentication algorithm"); 148 149 conf = eap_get_config(sm); 150 if (conf == NULL) 151 return -1; 152 if (conf->pcsc) { 153 return scard_umts_auth(sm->scard_ctx, data->rand, 154 data->autn, data->res, &data->res_len, 155 data->ik, data->ck, data->auts); 156 } 157 158 #ifdef CONFIG_USIM_SIMULATOR 159 if (conf->password) { 160 u8 opc[16], k[16], sqn[6]; 161 const char *pos; 162 wpa_printf(MSG_DEBUG, "EAP-AKA: Use internal Milenage " 163 "implementation for UMTS authentication"); 164 if (conf->password_len < 78) { 165 wpa_printf(MSG_DEBUG, "EAP-AKA: invalid Milenage " 166 "password"); 167 return -1; 168 } 169 pos = (const char *) conf->password; 170 if (hexstr2bin(pos, k, 16)) 171 return -1; 172 pos += 32; 173 if (*pos != ':') 174 return -1; 175 pos++; 176 177 if (hexstr2bin(pos, opc, 16)) 178 return -1; 179 pos += 32; 180 if (*pos != ':') 181 return -1; 182 pos++; 183 184 if (hexstr2bin(pos, sqn, 6)) 185 return -1; 186 187 return milenage_check(opc, k, sqn, data->rand, data->autn, 188 data->ik, data->ck, 189 data->res, &data->res_len, data->auts); 190 } 191 #endif /* CONFIG_USIM_SIMULATOR */ 192 193 #ifdef CONFIG_USIM_HARDCODED 194 wpa_printf(MSG_DEBUG, "EAP-AKA: Use hardcoded Kc and SRES values for " 195 "testing"); 196 197 /* These hardcoded Kc and SRES values are used for testing. 198 * Could consider making them configurable. */ 199 os_memset(data->res, '2', EAP_AKA_RES_MAX_LEN); 200 data->res_len = EAP_AKA_RES_MAX_LEN; 201 os_memset(data->ik, '3', EAP_AKA_IK_LEN); 202 os_memset(data->ck, '4', EAP_AKA_CK_LEN); 203 { 204 u8 autn[EAP_AKA_AUTN_LEN]; 205 os_memset(autn, '1', EAP_AKA_AUTN_LEN); 206 if (os_memcmp(autn, data->autn, EAP_AKA_AUTN_LEN) != 0) { 207 wpa_printf(MSG_WARNING, "EAP-AKA: AUTN did not match " 208 "with expected value"); 209 return -1; 210 } 211 } 212 #if 0 213 { 214 static int test_resync = 1; 215 if (test_resync) { 216 /* Test Resynchronization */ 217 test_resync = 0; 218 return -2; 219 } 220 } 221 #endif 222 return 0; 223 224 #else /* CONFIG_USIM_HARDCODED */ 225 226 wpa_printf(MSG_DEBUG, "EAP-AKA: No UMTS authentication algorith " 227 "enabled"); 228 return -1; 229 230 #endif /* CONFIG_USIM_HARDCODED */ 231 } 232 233 234 #define CLEAR_PSEUDONYM 0x01 235 #define CLEAR_REAUTH_ID 0x02 236 #define CLEAR_EAP_ID 0x04 237 238 static void eap_aka_clear_identities(struct eap_aka_data *data, int id) 239 { 240 wpa_printf(MSG_DEBUG, "EAP-AKA: forgetting old%s%s%s", 241 id & CLEAR_PSEUDONYM ? " pseudonym" : "", 242 id & CLEAR_REAUTH_ID ? " reauth_id" : "", 243 id & CLEAR_EAP_ID ? " eap_id" : ""); 244 if (id & CLEAR_PSEUDONYM) { 245 os_free(data->pseudonym); 246 data->pseudonym = NULL; 247 data->pseudonym_len = 0; 248 } 249 if (id & CLEAR_REAUTH_ID) { 250 os_free(data->reauth_id); 251 data->reauth_id = NULL; 252 data->reauth_id_len = 0; 253 } 254 if (id & CLEAR_EAP_ID) { 255 os_free(data->last_eap_identity); 256 data->last_eap_identity = NULL; 257 data->last_eap_identity_len = 0; 258 } 259 } 260 261 262 static int eap_aka_learn_ids(struct eap_aka_data *data, 263 struct eap_sim_attrs *attr) 264 { 265 if (attr->next_pseudonym) { 266 os_free(data->pseudonym); 267 data->pseudonym = os_malloc(attr->next_pseudonym_len); 268 if (data->pseudonym == NULL) { 269 wpa_printf(MSG_INFO, "EAP-AKA: (encr) No memory for " 270 "next pseudonym"); 271 return -1; 272 } 273 os_memcpy(data->pseudonym, attr->next_pseudonym, 274 attr->next_pseudonym_len); 275 data->pseudonym_len = attr->next_pseudonym_len; 276 wpa_hexdump_ascii(MSG_DEBUG, 277 "EAP-AKA: (encr) AT_NEXT_PSEUDONYM", 278 data->pseudonym, 279 data->pseudonym_len); 280 } 281 282 if (attr->next_reauth_id) { 283 os_free(data->reauth_id); 284 data->reauth_id = os_malloc(attr->next_reauth_id_len); 285 if (data->reauth_id == NULL) { 286 wpa_printf(MSG_INFO, "EAP-AKA: (encr) No memory for " 287 "next reauth_id"); 288 return -1; 289 } 290 os_memcpy(data->reauth_id, attr->next_reauth_id, 291 attr->next_reauth_id_len); 292 data->reauth_id_len = attr->next_reauth_id_len; 293 wpa_hexdump_ascii(MSG_DEBUG, 294 "EAP-AKA: (encr) AT_NEXT_REAUTH_ID", 295 data->reauth_id, 296 data->reauth_id_len); 297 } 298 299 return 0; 300 } 301 302 303 static int eap_aka_add_id_msg(struct eap_aka_data *data, 304 const struct wpabuf *msg) 305 { 306 if (msg == NULL) 307 return -1; 308 309 if (data->id_msgs == NULL) { 310 data->id_msgs = wpabuf_dup(msg); 311 return data->id_msgs == NULL ? -1 : 0; 312 } 313 314 if (wpabuf_resize(&data->id_msgs, wpabuf_len(msg)) < 0) 315 return -1; 316 wpabuf_put_buf(data->id_msgs, msg); 317 318 return 0; 319 } 320 321 322 static void eap_aka_add_checkcode(struct eap_aka_data *data, 323 struct eap_sim_msg *msg) 324 { 325 const u8 *addr; 326 size_t len; 327 u8 hash[SHA256_MAC_LEN]; 328 329 wpa_printf(MSG_DEBUG, " AT_CHECKCODE"); 330 331 if (data->id_msgs == NULL) { 332 /* 333 * No EAP-AKA/Identity packets were exchanged - send empty 334 * checkcode. 335 */ 336 eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, NULL, 0); 337 return; 338 } 339 340 /* Checkcode is SHA1/SHA256 hash over all EAP-AKA/Identity packets. */ 341 addr = wpabuf_head(data->id_msgs); 342 len = wpabuf_len(data->id_msgs); 343 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA: AT_CHECKCODE data", addr, len); 344 #ifdef EAP_AKA_PRIME 345 if (data->eap_method == EAP_TYPE_AKA_PRIME) 346 sha256_vector(1, &addr, &len, hash); 347 else 348 #endif /* EAP_AKA_PRIME */ 349 sha1_vector(1, &addr, &len, hash); 350 351 eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, hash, 352 data->eap_method == EAP_TYPE_AKA_PRIME ? 353 EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN); 354 } 355 356 357 static int eap_aka_verify_checkcode(struct eap_aka_data *data, 358 const u8 *checkcode, size_t checkcode_len) 359 { 360 const u8 *addr; 361 size_t len; 362 u8 hash[SHA256_MAC_LEN]; 363 size_t hash_len; 364 365 if (checkcode == NULL) 366 return -1; 367 368 if (data->id_msgs == NULL) { 369 if (checkcode_len != 0) { 370 wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from server " 371 "indicates that AKA/Identity messages were " 372 "used, but they were not"); 373 return -1; 374 } 375 return 0; 376 } 377 378 hash_len = data->eap_method == EAP_TYPE_AKA_PRIME ? 379 EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN; 380 381 if (checkcode_len != hash_len) { 382 wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from server " 383 "indicates that AKA/Identity message were not " 384 "used, but they were"); 385 return -1; 386 } 387 388 /* Checkcode is SHA1/SHA256 hash over all EAP-AKA/Identity packets. */ 389 addr = wpabuf_head(data->id_msgs); 390 len = wpabuf_len(data->id_msgs); 391 #ifdef EAP_AKA_PRIME 392 if (data->eap_method == EAP_TYPE_AKA_PRIME) 393 sha256_vector(1, &addr, &len, hash); 394 else 395 #endif /* EAP_AKA_PRIME */ 396 sha1_vector(1, &addr, &len, hash); 397 398 if (os_memcmp(hash, checkcode, hash_len) != 0) { 399 wpa_printf(MSG_DEBUG, "EAP-AKA: Mismatch in AT_CHECKCODE"); 400 return -1; 401 } 402 403 return 0; 404 } 405 406 407 static struct wpabuf * eap_aka_client_error(struct eap_aka_data *data, u8 id, 408 int err) 409 { 410 struct eap_sim_msg *msg; 411 412 eap_aka_state(data, FAILURE); 413 data->num_id_req = 0; 414 data->num_notification = 0; 415 416 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 417 EAP_AKA_SUBTYPE_CLIENT_ERROR); 418 eap_sim_msg_add(msg, EAP_SIM_AT_CLIENT_ERROR_CODE, err, NULL, 0); 419 return eap_sim_msg_finish(msg, NULL, NULL, 0); 420 } 421 422 423 static struct wpabuf * eap_aka_authentication_reject(struct eap_aka_data *data, 424 u8 id) 425 { 426 struct eap_sim_msg *msg; 427 428 eap_aka_state(data, FAILURE); 429 data->num_id_req = 0; 430 data->num_notification = 0; 431 432 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Authentication-Reject " 433 "(id=%d)", id); 434 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 435 EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT); 436 return eap_sim_msg_finish(msg, NULL, NULL, 0); 437 } 438 439 440 static struct wpabuf * eap_aka_synchronization_failure( 441 struct eap_aka_data *data, u8 id) 442 { 443 struct eap_sim_msg *msg; 444 445 data->num_id_req = 0; 446 data->num_notification = 0; 447 448 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Synchronization-Failure " 449 "(id=%d)", id); 450 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 451 EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE); 452 wpa_printf(MSG_DEBUG, " AT_AUTS"); 453 eap_sim_msg_add_full(msg, EAP_SIM_AT_AUTS, data->auts, 454 EAP_AKA_AUTS_LEN); 455 return eap_sim_msg_finish(msg, NULL, NULL, 0); 456 } 457 458 459 static struct wpabuf * eap_aka_response_identity(struct eap_sm *sm, 460 struct eap_aka_data *data, 461 u8 id, 462 enum eap_sim_id_req id_req) 463 { 464 const u8 *identity = NULL; 465 size_t identity_len = 0; 466 struct eap_sim_msg *msg; 467 468 data->reauth = 0; 469 if (id_req == ANY_ID && data->reauth_id) { 470 identity = data->reauth_id; 471 identity_len = data->reauth_id_len; 472 data->reauth = 1; 473 } else if ((id_req == ANY_ID || id_req == FULLAUTH_ID) && 474 data->pseudonym) { 475 identity = data->pseudonym; 476 identity_len = data->pseudonym_len; 477 eap_aka_clear_identities(data, CLEAR_REAUTH_ID); 478 } else if (id_req != NO_ID_REQ) { 479 identity = eap_get_config_identity(sm, &identity_len); 480 if (identity) { 481 eap_aka_clear_identities(data, CLEAR_PSEUDONYM | 482 CLEAR_REAUTH_ID); 483 } 484 } 485 if (id_req != NO_ID_REQ) 486 eap_aka_clear_identities(data, CLEAR_EAP_ID); 487 488 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Identity (id=%d)", id); 489 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 490 EAP_AKA_SUBTYPE_IDENTITY); 491 492 if (identity) { 493 wpa_hexdump_ascii(MSG_DEBUG, " AT_IDENTITY", 494 identity, identity_len); 495 eap_sim_msg_add(msg, EAP_SIM_AT_IDENTITY, identity_len, 496 identity, identity_len); 497 } 498 499 return eap_sim_msg_finish(msg, NULL, NULL, 0); 500 } 501 502 503 static struct wpabuf * eap_aka_response_challenge(struct eap_aka_data *data, 504 u8 id) 505 { 506 struct eap_sim_msg *msg; 507 508 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Challenge (id=%d)", id); 509 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 510 EAP_AKA_SUBTYPE_CHALLENGE); 511 wpa_printf(MSG_DEBUG, " AT_RES"); 512 eap_sim_msg_add(msg, EAP_SIM_AT_RES, data->res_len * 8, 513 data->res, data->res_len); 514 eap_aka_add_checkcode(data, msg); 515 if (data->use_result_ind) { 516 wpa_printf(MSG_DEBUG, " AT_RESULT_IND"); 517 eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0); 518 } 519 wpa_printf(MSG_DEBUG, " AT_MAC"); 520 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC); 521 return eap_sim_msg_finish(msg, data->k_aut, (u8 *) "", 0); 522 } 523 524 525 static struct wpabuf * eap_aka_response_reauth(struct eap_aka_data *data, 526 u8 id, int counter_too_small, 527 const u8 *nonce_s) 528 { 529 struct eap_sim_msg *msg; 530 unsigned int counter; 531 532 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Reauthentication (id=%d)", 533 id); 534 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 535 EAP_AKA_SUBTYPE_REAUTHENTICATION); 536 wpa_printf(MSG_DEBUG, " AT_IV"); 537 wpa_printf(MSG_DEBUG, " AT_ENCR_DATA"); 538 eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV, EAP_SIM_AT_ENCR_DATA); 539 540 if (counter_too_small) { 541 wpa_printf(MSG_DEBUG, " *AT_COUNTER_TOO_SMALL"); 542 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER_TOO_SMALL, 0, NULL, 0); 543 counter = data->counter_too_small; 544 } else 545 counter = data->counter; 546 547 wpa_printf(MSG_DEBUG, " *AT_COUNTER %d", counter); 548 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, counter, NULL, 0); 549 550 if (eap_sim_msg_add_encr_end(msg, data->k_encr, EAP_SIM_AT_PADDING)) { 551 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to encrypt " 552 "AT_ENCR_DATA"); 553 eap_sim_msg_free(msg); 554 return NULL; 555 } 556 eap_aka_add_checkcode(data, msg); 557 if (data->use_result_ind) { 558 wpa_printf(MSG_DEBUG, " AT_RESULT_IND"); 559 eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0); 560 } 561 wpa_printf(MSG_DEBUG, " AT_MAC"); 562 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC); 563 return eap_sim_msg_finish(msg, data->k_aut, nonce_s, 564 EAP_SIM_NONCE_S_LEN); 565 } 566 567 568 static struct wpabuf * eap_aka_response_notification(struct eap_aka_data *data, 569 u8 id, u16 notification) 570 { 571 struct eap_sim_msg *msg; 572 u8 *k_aut = (notification & 0x4000) == 0 ? data->k_aut : NULL; 573 574 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Notification (id=%d)", id); 575 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 576 EAP_AKA_SUBTYPE_NOTIFICATION); 577 if (k_aut && data->reauth) { 578 wpa_printf(MSG_DEBUG, " AT_IV"); 579 wpa_printf(MSG_DEBUG, " AT_ENCR_DATA"); 580 eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV, 581 EAP_SIM_AT_ENCR_DATA); 582 wpa_printf(MSG_DEBUG, " *AT_COUNTER %d", data->counter); 583 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, data->counter, 584 NULL, 0); 585 if (eap_sim_msg_add_encr_end(msg, data->k_encr, 586 EAP_SIM_AT_PADDING)) { 587 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to encrypt " 588 "AT_ENCR_DATA"); 589 eap_sim_msg_free(msg); 590 return NULL; 591 } 592 } 593 if (k_aut) { 594 wpa_printf(MSG_DEBUG, " AT_MAC"); 595 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC); 596 } 597 return eap_sim_msg_finish(msg, k_aut, (u8 *) "", 0); 598 } 599 600 601 static struct wpabuf * eap_aka_process_identity(struct eap_sm *sm, 602 struct eap_aka_data *data, 603 u8 id, 604 const struct wpabuf *reqData, 605 struct eap_sim_attrs *attr) 606 { 607 int id_error; 608 struct wpabuf *buf; 609 610 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Identity"); 611 612 id_error = 0; 613 switch (attr->id_req) { 614 case NO_ID_REQ: 615 break; 616 case ANY_ID: 617 if (data->num_id_req > 0) 618 id_error++; 619 data->num_id_req++; 620 break; 621 case FULLAUTH_ID: 622 if (data->num_id_req > 1) 623 id_error++; 624 data->num_id_req++; 625 break; 626 case PERMANENT_ID: 627 if (data->num_id_req > 2) 628 id_error++; 629 data->num_id_req++; 630 break; 631 } 632 if (id_error) { 633 wpa_printf(MSG_INFO, "EAP-AKA: Too many ID requests " 634 "used within one authentication"); 635 return eap_aka_client_error(data, id, 636 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 637 } 638 639 buf = eap_aka_response_identity(sm, data, id, attr->id_req); 640 641 if (data->prev_id != id) { 642 eap_aka_add_id_msg(data, reqData); 643 eap_aka_add_id_msg(data, buf); 644 data->prev_id = id; 645 } 646 647 return buf; 648 } 649 650 651 static int eap_aka_verify_mac(struct eap_aka_data *data, 652 const struct wpabuf *req, 653 const u8 *mac, const u8 *extra, 654 size_t extra_len) 655 { 656 if (data->eap_method == EAP_TYPE_AKA_PRIME) 657 return eap_sim_verify_mac_sha256(data->k_aut, req, mac, extra, 658 extra_len); 659 return eap_sim_verify_mac(data->k_aut, req, mac, extra, extra_len); 660 } 661 662 663 #ifdef EAP_AKA_PRIME 664 static struct wpabuf * eap_aka_prime_kdf_select(struct eap_aka_data *data, 665 u8 id, u16 kdf) 666 { 667 struct eap_sim_msg *msg; 668 669 data->kdf_negotiation = 1; 670 data->kdf = kdf; 671 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Challenge (id=%d) (KDF " 672 "select)", id); 673 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 674 EAP_AKA_SUBTYPE_CHALLENGE); 675 wpa_printf(MSG_DEBUG, " AT_KDF"); 676 eap_sim_msg_add(msg, EAP_SIM_AT_KDF, kdf, NULL, 0); 677 return eap_sim_msg_finish(msg, NULL, NULL, 0); 678 } 679 680 681 static struct wpabuf * eap_aka_prime_kdf_neg(struct eap_aka_data *data, 682 u8 id, struct eap_sim_attrs *attr) 683 { 684 size_t i; 685 686 for (i = 0; i < attr->kdf_count; i++) { 687 if (attr->kdf[i] == EAP_AKA_PRIME_KDF) 688 return eap_aka_prime_kdf_select(data, id, 689 EAP_AKA_PRIME_KDF); 690 } 691 692 /* No matching KDF found - fail authentication as if AUTN had been 693 * incorrect */ 694 return eap_aka_authentication_reject(data, id); 695 } 696 697 698 static int eap_aka_prime_kdf_valid(struct eap_aka_data *data, 699 struct eap_sim_attrs *attr) 700 { 701 size_t i, j; 702 703 if (attr->kdf_count == 0) 704 return 0; 705 706 /* The only allowed (and required) duplication of a KDF is the addition 707 * of the selected KDF into the beginning of the list. */ 708 709 if (data->kdf_negotiation) { 710 if (attr->kdf[0] != data->kdf) { 711 wpa_printf(MSG_WARNING, "EAP-AKA': The server did not " 712 "accept the selected KDF"); 713 return 0; 714 } 715 716 for (i = 1; i < attr->kdf_count; i++) { 717 if (attr->kdf[i] == data->kdf) 718 break; 719 } 720 if (i == attr->kdf_count && 721 attr->kdf_count < EAP_AKA_PRIME_KDF_MAX) { 722 wpa_printf(MSG_WARNING, "EAP-AKA': The server did not " 723 "duplicate the selected KDF"); 724 return 0; 725 } 726 727 /* TODO: should check that the list is identical to the one 728 * used in the previous Challenge message apart from the added 729 * entry in the beginning. */ 730 } 731 732 for (i = data->kdf ? 1 : 0; i < attr->kdf_count; i++) { 733 for (j = i + 1; j < attr->kdf_count; j++) { 734 if (attr->kdf[i] == attr->kdf[j]) { 735 wpa_printf(MSG_WARNING, "EAP-AKA': The server " 736 "included a duplicated KDF"); 737 return 0; 738 } 739 } 740 } 741 742 return 1; 743 } 744 #endif /* EAP_AKA_PRIME */ 745 746 747 static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm, 748 struct eap_aka_data *data, 749 u8 id, 750 const struct wpabuf *reqData, 751 struct eap_sim_attrs *attr) 752 { 753 const u8 *identity; 754 size_t identity_len; 755 int res; 756 struct eap_sim_attrs eattr; 757 758 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Challenge"); 759 760 if (attr->checkcode && 761 eap_aka_verify_checkcode(data, attr->checkcode, 762 attr->checkcode_len)) { 763 wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the " 764 "message"); 765 return eap_aka_client_error(data, id, 766 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 767 } 768 769 #ifdef EAP_AKA_PRIME 770 if (data->eap_method == EAP_TYPE_AKA_PRIME) { 771 if (!attr->kdf_input || attr->kdf_input_len == 0) { 772 wpa_printf(MSG_WARNING, "EAP-AKA': Challenge message " 773 "did not include non-empty AT_KDF_INPUT"); 774 /* Fail authentication as if AUTN had been incorrect */ 775 return eap_aka_authentication_reject(data, id); 776 } 777 os_free(data->network_name); 778 data->network_name = os_malloc(attr->kdf_input_len); 779 if (data->network_name == NULL) { 780 wpa_printf(MSG_WARNING, "EAP-AKA': No memory for " 781 "storing Network Name"); 782 return eap_aka_authentication_reject(data, id); 783 } 784 os_memcpy(data->network_name, attr->kdf_input, 785 attr->kdf_input_len); 786 data->network_name_len = attr->kdf_input_len; 787 wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA': Network Name " 788 "(AT_KDF_INPUT)", 789 data->network_name, data->network_name_len); 790 /* TODO: check Network Name per 3GPP.33.402 */ 791 792 if (!eap_aka_prime_kdf_valid(data, attr)) 793 return eap_aka_authentication_reject(data, id); 794 795 if (attr->kdf[0] != EAP_AKA_PRIME_KDF) 796 return eap_aka_prime_kdf_neg(data, id, attr); 797 798 data->kdf = EAP_AKA_PRIME_KDF; 799 wpa_printf(MSG_DEBUG, "EAP-AKA': KDF %d selected", data->kdf); 800 } 801 802 if (data->eap_method == EAP_TYPE_AKA && attr->bidding) { 803 u16 flags = WPA_GET_BE16(attr->bidding); 804 if ((flags & EAP_AKA_BIDDING_FLAG_D) && 805 eap_allowed_method(sm, EAP_VENDOR_IETF, 806 EAP_TYPE_AKA_PRIME)) { 807 wpa_printf(MSG_WARNING, "EAP-AKA: Bidding down from " 808 "AKA' to AKA detected"); 809 /* Fail authentication as if AUTN had been incorrect */ 810 return eap_aka_authentication_reject(data, id); 811 } 812 } 813 #endif /* EAP_AKA_PRIME */ 814 815 data->reauth = 0; 816 if (!attr->mac || !attr->rand || !attr->autn) { 817 wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message " 818 "did not include%s%s%s", 819 !attr->mac ? " AT_MAC" : "", 820 !attr->rand ? " AT_RAND" : "", 821 !attr->autn ? " AT_AUTN" : ""); 822 return eap_aka_client_error(data, id, 823 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 824 } 825 os_memcpy(data->rand, attr->rand, EAP_AKA_RAND_LEN); 826 os_memcpy(data->autn, attr->autn, EAP_AKA_AUTN_LEN); 827 828 res = eap_aka_umts_auth(sm, data); 829 if (res == -1) { 830 wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication " 831 "failed (AUTN)"); 832 return eap_aka_authentication_reject(data, id); 833 } else if (res == -2) { 834 wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication " 835 "failed (AUTN seq# -> AUTS)"); 836 return eap_aka_synchronization_failure(data, id); 837 } else if (res) { 838 wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication failed"); 839 return eap_aka_client_error(data, id, 840 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 841 } 842 #ifdef EAP_AKA_PRIME 843 if (data->eap_method == EAP_TYPE_AKA_PRIME) { 844 /* Note: AUTN = (SQN ^ AK) || AMF || MAC which gives us the 845 * needed 6-octet SQN ^ AK for CK',IK' derivation */ 846 u16 amf = WPA_GET_BE16(data->autn + 6); 847 if (!(amf & 0x8000)) { 848 wpa_printf(MSG_WARNING, "EAP-AKA': AMF separation bit " 849 "not set (AMF=0x%4x)", amf); 850 return eap_aka_authentication_reject(data, id); 851 } 852 eap_aka_prime_derive_ck_ik_prime(data->ck, data->ik, 853 data->autn, 854 data->network_name, 855 data->network_name_len); 856 } 857 #endif /* EAP_AKA_PRIME */ 858 if (data->last_eap_identity) { 859 identity = data->last_eap_identity; 860 identity_len = data->last_eap_identity_len; 861 } else if (data->pseudonym) { 862 identity = data->pseudonym; 863 identity_len = data->pseudonym_len; 864 } else 865 identity = eap_get_config_identity(sm, &identity_len); 866 wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Selected identity for MK " 867 "derivation", identity, identity_len); 868 if (data->eap_method == EAP_TYPE_AKA_PRIME) { 869 eap_aka_prime_derive_keys(identity, identity_len, data->ik, 870 data->ck, data->k_encr, data->k_aut, 871 data->k_re, data->msk, data->emsk); 872 } else { 873 eap_aka_derive_mk(identity, identity_len, data->ik, data->ck, 874 data->mk); 875 eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut, 876 data->msk, data->emsk); 877 } 878 if (eap_aka_verify_mac(data, reqData, attr->mac, (u8 *) "", 0)) { 879 wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message " 880 "used invalid AT_MAC"); 881 return eap_aka_client_error(data, id, 882 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 883 } 884 885 /* Old reauthentication and pseudonym identities must not be used 886 * anymore. In other words, if no new identities are received, full 887 * authentication will be used on next reauthentication. */ 888 eap_aka_clear_identities(data, CLEAR_PSEUDONYM | CLEAR_REAUTH_ID | 889 CLEAR_EAP_ID); 890 891 if (attr->encr_data) { 892 u8 *decrypted; 893 decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data, 894 attr->encr_data_len, attr->iv, 895 &eattr, 0); 896 if (decrypted == NULL) { 897 return eap_aka_client_error( 898 data, id, EAP_AKA_UNABLE_TO_PROCESS_PACKET); 899 } 900 eap_aka_learn_ids(data, &eattr); 901 os_free(decrypted); 902 } 903 904 if (data->result_ind && attr->result_ind) 905 data->use_result_ind = 1; 906 907 if (data->state != FAILURE && data->state != RESULT_FAILURE) { 908 eap_aka_state(data, data->use_result_ind ? 909 RESULT_SUCCESS : SUCCESS); 910 } 911 912 data->num_id_req = 0; 913 data->num_notification = 0; 914 /* RFC 4187 specifies that counter is initialized to one after 915 * fullauth, but initializing it to zero makes it easier to implement 916 * reauth verification. */ 917 data->counter = 0; 918 return eap_aka_response_challenge(data, id); 919 } 920 921 922 static int eap_aka_process_notification_reauth(struct eap_aka_data *data, 923 struct eap_sim_attrs *attr) 924 { 925 struct eap_sim_attrs eattr; 926 u8 *decrypted; 927 928 if (attr->encr_data == NULL || attr->iv == NULL) { 929 wpa_printf(MSG_WARNING, "EAP-AKA: Notification message after " 930 "reauth did not include encrypted data"); 931 return -1; 932 } 933 934 decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data, 935 attr->encr_data_len, attr->iv, &eattr, 936 0); 937 if (decrypted == NULL) { 938 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to parse encrypted " 939 "data from notification message"); 940 return -1; 941 } 942 943 if (eattr.counter < 0 || (size_t) eattr.counter != data->counter) { 944 wpa_printf(MSG_WARNING, "EAP-AKA: Counter in notification " 945 "message does not match with counter in reauth " 946 "message"); 947 os_free(decrypted); 948 return -1; 949 } 950 951 os_free(decrypted); 952 return 0; 953 } 954 955 956 static int eap_aka_process_notification_auth(struct eap_aka_data *data, 957 const struct wpabuf *reqData, 958 struct eap_sim_attrs *attr) 959 { 960 if (attr->mac == NULL) { 961 wpa_printf(MSG_INFO, "EAP-AKA: no AT_MAC in after_auth " 962 "Notification message"); 963 return -1; 964 } 965 966 if (eap_aka_verify_mac(data, reqData, attr->mac, (u8 *) "", 0)) { 967 wpa_printf(MSG_WARNING, "EAP-AKA: Notification message " 968 "used invalid AT_MAC"); 969 return -1; 970 } 971 972 if (data->reauth && 973 eap_aka_process_notification_reauth(data, attr)) { 974 wpa_printf(MSG_WARNING, "EAP-AKA: Invalid notification " 975 "message after reauth"); 976 return -1; 977 } 978 979 return 0; 980 } 981 982 983 static struct wpabuf * eap_aka_process_notification( 984 struct eap_sm *sm, struct eap_aka_data *data, u8 id, 985 const struct wpabuf *reqData, struct eap_sim_attrs *attr) 986 { 987 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Notification"); 988 if (data->num_notification > 0) { 989 wpa_printf(MSG_INFO, "EAP-AKA: too many notification " 990 "rounds (only one allowed)"); 991 return eap_aka_client_error(data, id, 992 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 993 } 994 data->num_notification++; 995 if (attr->notification == -1) { 996 wpa_printf(MSG_INFO, "EAP-AKA: no AT_NOTIFICATION in " 997 "Notification message"); 998 return eap_aka_client_error(data, id, 999 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1000 } 1001 1002 if ((attr->notification & 0x4000) == 0 && 1003 eap_aka_process_notification_auth(data, reqData, attr)) { 1004 return eap_aka_client_error(data, id, 1005 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1006 } 1007 1008 eap_sim_report_notification(sm->msg_ctx, attr->notification, 1); 1009 if (attr->notification >= 0 && attr->notification < 32768) { 1010 eap_aka_state(data, FAILURE); 1011 } else if (attr->notification == EAP_SIM_SUCCESS && 1012 data->state == RESULT_SUCCESS) 1013 eap_aka_state(data, SUCCESS); 1014 return eap_aka_response_notification(data, id, attr->notification); 1015 } 1016 1017 1018 static struct wpabuf * eap_aka_process_reauthentication( 1019 struct eap_sm *sm, struct eap_aka_data *data, u8 id, 1020 const struct wpabuf *reqData, struct eap_sim_attrs *attr) 1021 { 1022 struct eap_sim_attrs eattr; 1023 u8 *decrypted; 1024 1025 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Reauthentication"); 1026 1027 if (attr->checkcode && 1028 eap_aka_verify_checkcode(data, attr->checkcode, 1029 attr->checkcode_len)) { 1030 wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the " 1031 "message"); 1032 return eap_aka_client_error(data, id, 1033 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1034 } 1035 1036 if (data->reauth_id == NULL) { 1037 wpa_printf(MSG_WARNING, "EAP-AKA: Server is trying " 1038 "reauthentication, but no reauth_id available"); 1039 return eap_aka_client_error(data, id, 1040 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1041 } 1042 1043 data->reauth = 1; 1044 if (eap_aka_verify_mac(data, reqData, attr->mac, (u8 *) "", 0)) { 1045 wpa_printf(MSG_WARNING, "EAP-AKA: Reauthentication " 1046 "did not have valid AT_MAC"); 1047 return eap_aka_client_error(data, id, 1048 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1049 } 1050 1051 if (attr->encr_data == NULL || attr->iv == NULL) { 1052 wpa_printf(MSG_WARNING, "EAP-AKA: Reauthentication " 1053 "message did not include encrypted data"); 1054 return eap_aka_client_error(data, id, 1055 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1056 } 1057 1058 decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data, 1059 attr->encr_data_len, attr->iv, &eattr, 1060 0); 1061 if (decrypted == NULL) { 1062 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to parse encrypted " 1063 "data from reauthentication message"); 1064 return eap_aka_client_error(data, id, 1065 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1066 } 1067 1068 if (eattr.nonce_s == NULL || eattr.counter < 0) { 1069 wpa_printf(MSG_INFO, "EAP-AKA: (encr) No%s%s in reauth packet", 1070 !eattr.nonce_s ? " AT_NONCE_S" : "", 1071 eattr.counter < 0 ? " AT_COUNTER" : ""); 1072 os_free(decrypted); 1073 return eap_aka_client_error(data, id, 1074 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1075 } 1076 1077 if (eattr.counter < 0 || (size_t) eattr.counter <= data->counter) { 1078 struct wpabuf *res; 1079 wpa_printf(MSG_INFO, "EAP-AKA: (encr) Invalid counter " 1080 "(%d <= %d)", eattr.counter, data->counter); 1081 data->counter_too_small = eattr.counter; 1082 1083 /* Reply using Re-auth w/ AT_COUNTER_TOO_SMALL. The current 1084 * reauth_id must not be used to start a new reauthentication. 1085 * However, since it was used in the last EAP-Response-Identity 1086 * packet, it has to saved for the following fullauth to be 1087 * used in MK derivation. */ 1088 os_free(data->last_eap_identity); 1089 data->last_eap_identity = data->reauth_id; 1090 data->last_eap_identity_len = data->reauth_id_len; 1091 data->reauth_id = NULL; 1092 data->reauth_id_len = 0; 1093 1094 res = eap_aka_response_reauth(data, id, 1, eattr.nonce_s); 1095 os_free(decrypted); 1096 1097 return res; 1098 } 1099 data->counter = eattr.counter; 1100 1101 os_memcpy(data->nonce_s, eattr.nonce_s, EAP_SIM_NONCE_S_LEN); 1102 wpa_hexdump(MSG_DEBUG, "EAP-AKA: (encr) AT_NONCE_S", 1103 data->nonce_s, EAP_SIM_NONCE_S_LEN); 1104 1105 if (data->eap_method == EAP_TYPE_AKA_PRIME) { 1106 eap_aka_prime_derive_keys_reauth(data->k_re, data->counter, 1107 data->reauth_id, 1108 data->reauth_id_len, 1109 data->nonce_s, 1110 data->msk, data->emsk); 1111 } else { 1112 eap_sim_derive_keys_reauth(data->counter, data->reauth_id, 1113 data->reauth_id_len, 1114 data->nonce_s, data->mk, 1115 data->msk, data->emsk); 1116 } 1117 eap_aka_clear_identities(data, CLEAR_REAUTH_ID | CLEAR_EAP_ID); 1118 eap_aka_learn_ids(data, &eattr); 1119 1120 if (data->result_ind && attr->result_ind) 1121 data->use_result_ind = 1; 1122 1123 if (data->state != FAILURE && data->state != RESULT_FAILURE) { 1124 eap_aka_state(data, data->use_result_ind ? 1125 RESULT_SUCCESS : SUCCESS); 1126 } 1127 1128 data->num_id_req = 0; 1129 data->num_notification = 0; 1130 if (data->counter > EAP_AKA_MAX_FAST_REAUTHS) { 1131 wpa_printf(MSG_DEBUG, "EAP-AKA: Maximum number of " 1132 "fast reauths performed - force fullauth"); 1133 eap_aka_clear_identities(data, CLEAR_REAUTH_ID | CLEAR_EAP_ID); 1134 } 1135 os_free(decrypted); 1136 return eap_aka_response_reauth(data, id, 0, data->nonce_s); 1137 } 1138 1139 1140 static struct wpabuf * eap_aka_process(struct eap_sm *sm, void *priv, 1141 struct eap_method_ret *ret, 1142 const struct wpabuf *reqData) 1143 { 1144 struct eap_aka_data *data = priv; 1145 const struct eap_hdr *req; 1146 u8 subtype, id; 1147 struct wpabuf *res; 1148 const u8 *pos; 1149 struct eap_sim_attrs attr; 1150 size_t len; 1151 1152 wpa_hexdump_buf(MSG_DEBUG, "EAP-AKA: EAP data", reqData); 1153 if (eap_get_config_identity(sm, &len) == NULL) { 1154 wpa_printf(MSG_INFO, "EAP-AKA: Identity not configured"); 1155 eap_sm_request_identity(sm); 1156 ret->ignore = TRUE; 1157 return NULL; 1158 } 1159 1160 pos = eap_hdr_validate(EAP_VENDOR_IETF, data->eap_method, reqData, 1161 &len); 1162 if (pos == NULL || len < 1) { 1163 ret->ignore = TRUE; 1164 return NULL; 1165 } 1166 req = wpabuf_head(reqData); 1167 id = req->identifier; 1168 len = be_to_host16(req->length); 1169 1170 ret->ignore = FALSE; 1171 ret->methodState = METHOD_MAY_CONT; 1172 ret->decision = DECISION_FAIL; 1173 ret->allowNotifications = TRUE; 1174 1175 subtype = *pos++; 1176 wpa_printf(MSG_DEBUG, "EAP-AKA: Subtype=%d", subtype); 1177 pos += 2; /* Reserved */ 1178 1179 if (eap_sim_parse_attr(pos, wpabuf_head_u8(reqData) + len, &attr, 1180 data->eap_method == EAP_TYPE_AKA_PRIME ? 2 : 1, 1181 0)) { 1182 res = eap_aka_client_error(data, id, 1183 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1184 goto done; 1185 } 1186 1187 switch (subtype) { 1188 case EAP_AKA_SUBTYPE_IDENTITY: 1189 res = eap_aka_process_identity(sm, data, id, reqData, &attr); 1190 break; 1191 case EAP_AKA_SUBTYPE_CHALLENGE: 1192 res = eap_aka_process_challenge(sm, data, id, reqData, &attr); 1193 break; 1194 case EAP_AKA_SUBTYPE_NOTIFICATION: 1195 res = eap_aka_process_notification(sm, data, id, reqData, 1196 &attr); 1197 break; 1198 case EAP_AKA_SUBTYPE_REAUTHENTICATION: 1199 res = eap_aka_process_reauthentication(sm, data, id, reqData, 1200 &attr); 1201 break; 1202 case EAP_AKA_SUBTYPE_CLIENT_ERROR: 1203 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Client-Error"); 1204 res = eap_aka_client_error(data, id, 1205 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1206 break; 1207 default: 1208 wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown subtype=%d", subtype); 1209 res = eap_aka_client_error(data, id, 1210 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1211 break; 1212 } 1213 1214 done: 1215 if (data->state == FAILURE) { 1216 ret->decision = DECISION_FAIL; 1217 ret->methodState = METHOD_DONE; 1218 } else if (data->state == SUCCESS) { 1219 ret->decision = data->use_result_ind ? 1220 DECISION_UNCOND_SUCC : DECISION_COND_SUCC; 1221 /* 1222 * It is possible for the server to reply with AKA 1223 * Notification, so we must allow the method to continue and 1224 * not only accept EAP-Success at this point. 1225 */ 1226 ret->methodState = data->use_result_ind ? 1227 METHOD_DONE : METHOD_MAY_CONT; 1228 } else if (data->state == RESULT_FAILURE) 1229 ret->methodState = METHOD_CONT; 1230 else if (data->state == RESULT_SUCCESS) 1231 ret->methodState = METHOD_CONT; 1232 1233 if (ret->methodState == METHOD_DONE) { 1234 ret->allowNotifications = FALSE; 1235 } 1236 1237 return res; 1238 } 1239 1240 1241 static Boolean eap_aka_has_reauth_data(struct eap_sm *sm, void *priv) 1242 { 1243 struct eap_aka_data *data = priv; 1244 return data->pseudonym || data->reauth_id; 1245 } 1246 1247 1248 static void eap_aka_deinit_for_reauth(struct eap_sm *sm, void *priv) 1249 { 1250 struct eap_aka_data *data = priv; 1251 eap_aka_clear_identities(data, CLEAR_EAP_ID); 1252 data->prev_id = -1; 1253 wpabuf_free(data->id_msgs); 1254 data->id_msgs = NULL; 1255 data->use_result_ind = 0; 1256 data->kdf_negotiation = 0; 1257 } 1258 1259 1260 static void * eap_aka_init_for_reauth(struct eap_sm *sm, void *priv) 1261 { 1262 struct eap_aka_data *data = priv; 1263 data->num_id_req = 0; 1264 data->num_notification = 0; 1265 eap_aka_state(data, CONTINUE); 1266 return priv; 1267 } 1268 1269 1270 static const u8 * eap_aka_get_identity(struct eap_sm *sm, void *priv, 1271 size_t *len) 1272 { 1273 struct eap_aka_data *data = priv; 1274 1275 if (data->reauth_id) { 1276 *len = data->reauth_id_len; 1277 return data->reauth_id; 1278 } 1279 1280 if (data->pseudonym) { 1281 *len = data->pseudonym_len; 1282 return data->pseudonym; 1283 } 1284 1285 return NULL; 1286 } 1287 1288 1289 static Boolean eap_aka_isKeyAvailable(struct eap_sm *sm, void *priv) 1290 { 1291 struct eap_aka_data *data = priv; 1292 return data->state == SUCCESS; 1293 } 1294 1295 1296 static u8 * eap_aka_getKey(struct eap_sm *sm, void *priv, size_t *len) 1297 { 1298 struct eap_aka_data *data = priv; 1299 u8 *key; 1300 1301 if (data->state != SUCCESS) 1302 return NULL; 1303 1304 key = os_malloc(EAP_SIM_KEYING_DATA_LEN); 1305 if (key == NULL) 1306 return NULL; 1307 1308 *len = EAP_SIM_KEYING_DATA_LEN; 1309 os_memcpy(key, data->msk, EAP_SIM_KEYING_DATA_LEN); 1310 1311 return key; 1312 } 1313 1314 1315 static u8 * eap_aka_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 1316 { 1317 struct eap_aka_data *data = priv; 1318 u8 *key; 1319 1320 if (data->state != SUCCESS) 1321 return NULL; 1322 1323 key = os_malloc(EAP_EMSK_LEN); 1324 if (key == NULL) 1325 return NULL; 1326 1327 *len = EAP_EMSK_LEN; 1328 os_memcpy(key, data->emsk, EAP_EMSK_LEN); 1329 1330 return key; 1331 } 1332 1333 1334 int eap_peer_aka_register(void) 1335 { 1336 struct eap_method *eap; 1337 int ret; 1338 1339 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1340 EAP_VENDOR_IETF, EAP_TYPE_AKA, "AKA"); 1341 if (eap == NULL) 1342 return -1; 1343 1344 eap->init = eap_aka_init; 1345 eap->deinit = eap_aka_deinit; 1346 eap->process = eap_aka_process; 1347 eap->isKeyAvailable = eap_aka_isKeyAvailable; 1348 eap->getKey = eap_aka_getKey; 1349 eap->has_reauth_data = eap_aka_has_reauth_data; 1350 eap->deinit_for_reauth = eap_aka_deinit_for_reauth; 1351 eap->init_for_reauth = eap_aka_init_for_reauth; 1352 eap->get_identity = eap_aka_get_identity; 1353 eap->get_emsk = eap_aka_get_emsk; 1354 1355 ret = eap_peer_method_register(eap); 1356 if (ret) 1357 eap_peer_method_free(eap); 1358 return ret; 1359 } 1360 1361 1362 #ifdef EAP_AKA_PRIME 1363 int eap_peer_aka_prime_register(void) 1364 { 1365 struct eap_method *eap; 1366 int ret; 1367 1368 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1369 EAP_VENDOR_IETF, EAP_TYPE_AKA_PRIME, 1370 "AKA'"); 1371 if (eap == NULL) 1372 return -1; 1373 1374 eap->init = eap_aka_prime_init; 1375 eap->deinit = eap_aka_deinit; 1376 eap->process = eap_aka_process; 1377 eap->isKeyAvailable = eap_aka_isKeyAvailable; 1378 eap->getKey = eap_aka_getKey; 1379 eap->has_reauth_data = eap_aka_has_reauth_data; 1380 eap->deinit_for_reauth = eap_aka_deinit_for_reauth; 1381 eap->init_for_reauth = eap_aka_init_for_reauth; 1382 eap->get_identity = eap_aka_get_identity; 1383 eap->get_emsk = eap_aka_get_emsk; 1384 1385 ret = eap_peer_method_register(eap); 1386 if (ret) 1387 eap_peer_method_free(eap); 1388 1389 return ret; 1390 } 1391 #endif /* EAP_AKA_PRIME */ 1392