xref: /freebsd/contrib/wpa/src/eap_peer/eap_aka.c (revision bb15ca603fa442c72dde3f3cb8b46db6970e3950)
1 /*
2  * EAP peer method: EAP-AKA (RFC 4187) and EAP-AKA' (draft-arkko-eap-aka-kdf)
3  * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14 
15 #include "includes.h"
16 
17 #include "common.h"
18 #include "pcsc_funcs.h"
19 #include "crypto/crypto.h"
20 #include "crypto/sha1.h"
21 #include "crypto/sha256.h"
22 #include "crypto/milenage.h"
23 #include "eap_common/eap_sim_common.h"
24 #include "eap_config.h"
25 #include "eap_i.h"
26 
27 
28 struct eap_aka_data {
29 	u8 ik[EAP_AKA_IK_LEN], ck[EAP_AKA_CK_LEN], res[EAP_AKA_RES_MAX_LEN];
30 	size_t res_len;
31 	u8 nonce_s[EAP_SIM_NONCE_S_LEN];
32 	u8 mk[EAP_SIM_MK_LEN];
33 	u8 k_aut[EAP_AKA_PRIME_K_AUT_LEN];
34 	u8 k_encr[EAP_SIM_K_ENCR_LEN];
35 	u8 k_re[EAP_AKA_PRIME_K_RE_LEN]; /* EAP-AKA' only */
36 	u8 msk[EAP_SIM_KEYING_DATA_LEN];
37 	u8 emsk[EAP_EMSK_LEN];
38 	u8 rand[EAP_AKA_RAND_LEN], autn[EAP_AKA_AUTN_LEN];
39 	u8 auts[EAP_AKA_AUTS_LEN];
40 
41 	int num_id_req, num_notification;
42 	u8 *pseudonym;
43 	size_t pseudonym_len;
44 	u8 *reauth_id;
45 	size_t reauth_id_len;
46 	int reauth;
47 	unsigned int counter, counter_too_small;
48 	u8 *last_eap_identity;
49 	size_t last_eap_identity_len;
50 	enum {
51 		CONTINUE, RESULT_SUCCESS, RESULT_FAILURE, SUCCESS, FAILURE
52 	} state;
53 
54 	struct wpabuf *id_msgs;
55 	int prev_id;
56 	int result_ind, use_result_ind;
57 	u8 eap_method;
58 	u8 *network_name;
59 	size_t network_name_len;
60 	u16 kdf;
61 	int kdf_negotiation;
62 };
63 
64 
65 #ifndef CONFIG_NO_STDOUT_DEBUG
66 static const char * eap_aka_state_txt(int state)
67 {
68 	switch (state) {
69 	case CONTINUE:
70 		return "CONTINUE";
71 	case RESULT_SUCCESS:
72 		return "RESULT_SUCCESS";
73 	case RESULT_FAILURE:
74 		return "RESULT_FAILURE";
75 	case SUCCESS:
76 		return "SUCCESS";
77 	case FAILURE:
78 		return "FAILURE";
79 	default:
80 		return "?";
81 	}
82 }
83 #endif /* CONFIG_NO_STDOUT_DEBUG */
84 
85 
86 static void eap_aka_state(struct eap_aka_data *data, int state)
87 {
88 	wpa_printf(MSG_DEBUG, "EAP-AKA: %s -> %s",
89 		   eap_aka_state_txt(data->state),
90 		   eap_aka_state_txt(state));
91 	data->state = state;
92 }
93 
94 
95 static void * eap_aka_init(struct eap_sm *sm)
96 {
97 	struct eap_aka_data *data;
98 	const char *phase1 = eap_get_config_phase1(sm);
99 
100 	data = os_zalloc(sizeof(*data));
101 	if (data == NULL)
102 		return NULL;
103 
104 	data->eap_method = EAP_TYPE_AKA;
105 
106 	eap_aka_state(data, CONTINUE);
107 	data->prev_id = -1;
108 
109 	data->result_ind = phase1 && os_strstr(phase1, "result_ind=1") != NULL;
110 
111 	return data;
112 }
113 
114 
115 #ifdef EAP_AKA_PRIME
116 static void * eap_aka_prime_init(struct eap_sm *sm)
117 {
118 	struct eap_aka_data *data = eap_aka_init(sm);
119 	if (data == NULL)
120 		return NULL;
121 	data->eap_method = EAP_TYPE_AKA_PRIME;
122 	return data;
123 }
124 #endif /* EAP_AKA_PRIME */
125 
126 
127 static void eap_aka_deinit(struct eap_sm *sm, void *priv)
128 {
129 	struct eap_aka_data *data = priv;
130 	if (data) {
131 		os_free(data->pseudonym);
132 		os_free(data->reauth_id);
133 		os_free(data->last_eap_identity);
134 		wpabuf_free(data->id_msgs);
135 		os_free(data->network_name);
136 		os_free(data);
137 	}
138 }
139 
140 
141 static int eap_aka_umts_auth(struct eap_sm *sm, struct eap_aka_data *data)
142 {
143 	struct eap_peer_config *conf;
144 
145 	wpa_printf(MSG_DEBUG, "EAP-AKA: UMTS authentication algorithm");
146 
147 	conf = eap_get_config(sm);
148 	if (conf == NULL)
149 		return -1;
150 	if (conf->pcsc) {
151 		return scard_umts_auth(sm->scard_ctx, data->rand,
152 				       data->autn, data->res, &data->res_len,
153 				       data->ik, data->ck, data->auts);
154 	}
155 
156 #ifdef CONFIG_USIM_SIMULATOR
157 	if (conf->password) {
158 		u8 opc[16], k[16], sqn[6];
159 		const char *pos;
160 		wpa_printf(MSG_DEBUG, "EAP-AKA: Use internal Milenage "
161 			   "implementation for UMTS authentication");
162 		if (conf->password_len < 78) {
163 			wpa_printf(MSG_DEBUG, "EAP-AKA: invalid Milenage "
164 				   "password");
165 			return -1;
166 		}
167 		pos = (const char *) conf->password;
168 		if (hexstr2bin(pos, k, 16))
169 			return -1;
170 		pos += 32;
171 		if (*pos != ':')
172 			return -1;
173 		pos++;
174 
175 		if (hexstr2bin(pos, opc, 16))
176 			return -1;
177 		pos += 32;
178 		if (*pos != ':')
179 			return -1;
180 		pos++;
181 
182 		if (hexstr2bin(pos, sqn, 6))
183 			return -1;
184 
185 		return milenage_check(opc, k, sqn, data->rand, data->autn,
186 				      data->ik, data->ck,
187 				      data->res, &data->res_len, data->auts);
188 	}
189 #endif /* CONFIG_USIM_SIMULATOR */
190 
191 #ifdef CONFIG_USIM_HARDCODED
192 	wpa_printf(MSG_DEBUG, "EAP-AKA: Use hardcoded Kc and SRES values for "
193 		   "testing");
194 
195 	/* These hardcoded Kc and SRES values are used for testing.
196 	 * Could consider making them configurable. */
197 	os_memset(data->res, '2', EAP_AKA_RES_MAX_LEN);
198 	data->res_len = EAP_AKA_RES_MAX_LEN;
199 	os_memset(data->ik, '3', EAP_AKA_IK_LEN);
200 	os_memset(data->ck, '4', EAP_AKA_CK_LEN);
201 	{
202 		u8 autn[EAP_AKA_AUTN_LEN];
203 		os_memset(autn, '1', EAP_AKA_AUTN_LEN);
204 		if (os_memcmp(autn, data->autn, EAP_AKA_AUTN_LEN) != 0) {
205 			wpa_printf(MSG_WARNING, "EAP-AKA: AUTN did not match "
206 				   "with expected value");
207 			return -1;
208 		}
209 	}
210 #if 0
211 	{
212 		static int test_resync = 1;
213 		if (test_resync) {
214 			/* Test Resynchronization */
215 			test_resync = 0;
216 			return -2;
217 		}
218 	}
219 #endif
220 	return 0;
221 
222 #else /* CONFIG_USIM_HARDCODED */
223 
224 	wpa_printf(MSG_DEBUG, "EAP-AKA: No UMTS authentication algorith "
225 		   "enabled");
226 	return -1;
227 
228 #endif /* CONFIG_USIM_HARDCODED */
229 }
230 
231 
232 #define CLEAR_PSEUDONYM	0x01
233 #define CLEAR_REAUTH_ID	0x02
234 #define CLEAR_EAP_ID	0x04
235 
236 static void eap_aka_clear_identities(struct eap_aka_data *data, int id)
237 {
238 	wpa_printf(MSG_DEBUG, "EAP-AKA: forgetting old%s%s%s",
239 		   id & CLEAR_PSEUDONYM ? " pseudonym" : "",
240 		   id & CLEAR_REAUTH_ID ? " reauth_id" : "",
241 		   id & CLEAR_EAP_ID ? " eap_id" : "");
242 	if (id & CLEAR_PSEUDONYM) {
243 		os_free(data->pseudonym);
244 		data->pseudonym = NULL;
245 		data->pseudonym_len = 0;
246 	}
247 	if (id & CLEAR_REAUTH_ID) {
248 		os_free(data->reauth_id);
249 		data->reauth_id = NULL;
250 		data->reauth_id_len = 0;
251 	}
252 	if (id & CLEAR_EAP_ID) {
253 		os_free(data->last_eap_identity);
254 		data->last_eap_identity = NULL;
255 		data->last_eap_identity_len = 0;
256 	}
257 }
258 
259 
260 static int eap_aka_learn_ids(struct eap_aka_data *data,
261 			     struct eap_sim_attrs *attr)
262 {
263 	if (attr->next_pseudonym) {
264 		os_free(data->pseudonym);
265 		data->pseudonym = os_malloc(attr->next_pseudonym_len);
266 		if (data->pseudonym == NULL) {
267 			wpa_printf(MSG_INFO, "EAP-AKA: (encr) No memory for "
268 				   "next pseudonym");
269 			return -1;
270 		}
271 		os_memcpy(data->pseudonym, attr->next_pseudonym,
272 			  attr->next_pseudonym_len);
273 		data->pseudonym_len = attr->next_pseudonym_len;
274 		wpa_hexdump_ascii(MSG_DEBUG,
275 				  "EAP-AKA: (encr) AT_NEXT_PSEUDONYM",
276 				  data->pseudonym,
277 				  data->pseudonym_len);
278 	}
279 
280 	if (attr->next_reauth_id) {
281 		os_free(data->reauth_id);
282 		data->reauth_id = os_malloc(attr->next_reauth_id_len);
283 		if (data->reauth_id == NULL) {
284 			wpa_printf(MSG_INFO, "EAP-AKA: (encr) No memory for "
285 				   "next reauth_id");
286 			return -1;
287 		}
288 		os_memcpy(data->reauth_id, attr->next_reauth_id,
289 			  attr->next_reauth_id_len);
290 		data->reauth_id_len = attr->next_reauth_id_len;
291 		wpa_hexdump_ascii(MSG_DEBUG,
292 				  "EAP-AKA: (encr) AT_NEXT_REAUTH_ID",
293 				  data->reauth_id,
294 				  data->reauth_id_len);
295 	}
296 
297 	return 0;
298 }
299 
300 
301 static int eap_aka_add_id_msg(struct eap_aka_data *data,
302 			      const struct wpabuf *msg)
303 {
304 	if (msg == NULL)
305 		return -1;
306 
307 	if (data->id_msgs == NULL) {
308 		data->id_msgs = wpabuf_dup(msg);
309 		return data->id_msgs == NULL ? -1 : 0;
310 	}
311 
312 	if (wpabuf_resize(&data->id_msgs, wpabuf_len(msg)) < 0)
313 		return -1;
314 	wpabuf_put_buf(data->id_msgs, msg);
315 
316 	return 0;
317 }
318 
319 
320 static void eap_aka_add_checkcode(struct eap_aka_data *data,
321 				  struct eap_sim_msg *msg)
322 {
323 	const u8 *addr;
324 	size_t len;
325 	u8 hash[SHA256_MAC_LEN];
326 
327 	wpa_printf(MSG_DEBUG, "   AT_CHECKCODE");
328 
329 	if (data->id_msgs == NULL) {
330 		/*
331 		 * No EAP-AKA/Identity packets were exchanged - send empty
332 		 * checkcode.
333 		 */
334 		eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, NULL, 0);
335 		return;
336 	}
337 
338 	/* Checkcode is SHA1/SHA256 hash over all EAP-AKA/Identity packets. */
339 	addr = wpabuf_head(data->id_msgs);
340 	len = wpabuf_len(data->id_msgs);
341 	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA: AT_CHECKCODE data", addr, len);
342 #ifdef EAP_AKA_PRIME
343 	if (data->eap_method == EAP_TYPE_AKA_PRIME)
344 		sha256_vector(1, &addr, &len, hash);
345 	else
346 #endif /* EAP_AKA_PRIME */
347 		sha1_vector(1, &addr, &len, hash);
348 
349 	eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, hash,
350 			data->eap_method == EAP_TYPE_AKA_PRIME ?
351 			EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN);
352 }
353 
354 
355 static int eap_aka_verify_checkcode(struct eap_aka_data *data,
356 				    const u8 *checkcode, size_t checkcode_len)
357 {
358 	const u8 *addr;
359 	size_t len;
360 	u8 hash[SHA256_MAC_LEN];
361 	size_t hash_len;
362 
363 	if (checkcode == NULL)
364 		return -1;
365 
366 	if (data->id_msgs == NULL) {
367 		if (checkcode_len != 0) {
368 			wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from server "
369 				   "indicates that AKA/Identity messages were "
370 				   "used, but they were not");
371 			return -1;
372 		}
373 		return 0;
374 	}
375 
376 	hash_len = data->eap_method == EAP_TYPE_AKA_PRIME ?
377 		EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN;
378 
379 	if (checkcode_len != hash_len) {
380 		wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from server "
381 			   "indicates that AKA/Identity message were not "
382 			   "used, but they were");
383 		return -1;
384 	}
385 
386 	/* Checkcode is SHA1/SHA256 hash over all EAP-AKA/Identity packets. */
387 	addr = wpabuf_head(data->id_msgs);
388 	len = wpabuf_len(data->id_msgs);
389 #ifdef EAP_AKA_PRIME
390 	if (data->eap_method == EAP_TYPE_AKA_PRIME)
391 		sha256_vector(1, &addr, &len, hash);
392 	else
393 #endif /* EAP_AKA_PRIME */
394 		sha1_vector(1, &addr, &len, hash);
395 
396 	if (os_memcmp(hash, checkcode, hash_len) != 0) {
397 		wpa_printf(MSG_DEBUG, "EAP-AKA: Mismatch in AT_CHECKCODE");
398 		return -1;
399 	}
400 
401 	return 0;
402 }
403 
404 
405 static struct wpabuf * eap_aka_client_error(struct eap_aka_data *data, u8 id,
406 					    int err)
407 {
408 	struct eap_sim_msg *msg;
409 
410 	eap_aka_state(data, FAILURE);
411 	data->num_id_req = 0;
412 	data->num_notification = 0;
413 
414 	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method,
415 			       EAP_AKA_SUBTYPE_CLIENT_ERROR);
416 	eap_sim_msg_add(msg, EAP_SIM_AT_CLIENT_ERROR_CODE, err, NULL, 0);
417 	return eap_sim_msg_finish(msg, NULL, NULL, 0);
418 }
419 
420 
421 static struct wpabuf * eap_aka_authentication_reject(struct eap_aka_data *data,
422 						     u8 id)
423 {
424 	struct eap_sim_msg *msg;
425 
426 	eap_aka_state(data, FAILURE);
427 	data->num_id_req = 0;
428 	data->num_notification = 0;
429 
430 	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Authentication-Reject "
431 		   "(id=%d)", id);
432 	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method,
433 			       EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT);
434 	return eap_sim_msg_finish(msg, NULL, NULL, 0);
435 }
436 
437 
438 static struct wpabuf * eap_aka_synchronization_failure(
439 	struct eap_aka_data *data, u8 id)
440 {
441 	struct eap_sim_msg *msg;
442 
443 	data->num_id_req = 0;
444 	data->num_notification = 0;
445 
446 	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Synchronization-Failure "
447 		   "(id=%d)", id);
448 	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method,
449 			       EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE);
450 	wpa_printf(MSG_DEBUG, "   AT_AUTS");
451 	eap_sim_msg_add_full(msg, EAP_SIM_AT_AUTS, data->auts,
452 			     EAP_AKA_AUTS_LEN);
453 	return eap_sim_msg_finish(msg, NULL, NULL, 0);
454 }
455 
456 
457 static struct wpabuf * eap_aka_response_identity(struct eap_sm *sm,
458 						 struct eap_aka_data *data,
459 						 u8 id,
460 						 enum eap_sim_id_req id_req)
461 {
462 	const u8 *identity = NULL;
463 	size_t identity_len = 0;
464 	struct eap_sim_msg *msg;
465 
466 	data->reauth = 0;
467 	if (id_req == ANY_ID && data->reauth_id) {
468 		identity = data->reauth_id;
469 		identity_len = data->reauth_id_len;
470 		data->reauth = 1;
471 	} else if ((id_req == ANY_ID || id_req == FULLAUTH_ID) &&
472 		   data->pseudonym) {
473 		identity = data->pseudonym;
474 		identity_len = data->pseudonym_len;
475 		eap_aka_clear_identities(data, CLEAR_REAUTH_ID);
476 	} else if (id_req != NO_ID_REQ) {
477 		identity = eap_get_config_identity(sm, &identity_len);
478 		if (identity) {
479 			eap_aka_clear_identities(data, CLEAR_PSEUDONYM |
480 						 CLEAR_REAUTH_ID);
481 		}
482 	}
483 	if (id_req != NO_ID_REQ)
484 		eap_aka_clear_identities(data, CLEAR_EAP_ID);
485 
486 	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Identity (id=%d)", id);
487 	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method,
488 			       EAP_AKA_SUBTYPE_IDENTITY);
489 
490 	if (identity) {
491 		wpa_hexdump_ascii(MSG_DEBUG, "   AT_IDENTITY",
492 				  identity, identity_len);
493 		eap_sim_msg_add(msg, EAP_SIM_AT_IDENTITY, identity_len,
494 				identity, identity_len);
495 	}
496 
497 	return eap_sim_msg_finish(msg, NULL, NULL, 0);
498 }
499 
500 
501 static struct wpabuf * eap_aka_response_challenge(struct eap_aka_data *data,
502 						  u8 id)
503 {
504 	struct eap_sim_msg *msg;
505 
506 	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Challenge (id=%d)", id);
507 	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method,
508 			       EAP_AKA_SUBTYPE_CHALLENGE);
509 	wpa_printf(MSG_DEBUG, "   AT_RES");
510 	eap_sim_msg_add(msg, EAP_SIM_AT_RES, data->res_len * 8,
511 			data->res, data->res_len);
512 	eap_aka_add_checkcode(data, msg);
513 	if (data->use_result_ind) {
514 		wpa_printf(MSG_DEBUG, "   AT_RESULT_IND");
515 		eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
516 	}
517 	wpa_printf(MSG_DEBUG, "   AT_MAC");
518 	eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
519 	return eap_sim_msg_finish(msg, data->k_aut, (u8 *) "", 0);
520 }
521 
522 
523 static struct wpabuf * eap_aka_response_reauth(struct eap_aka_data *data,
524 					       u8 id, int counter_too_small,
525 					       const u8 *nonce_s)
526 {
527 	struct eap_sim_msg *msg;
528 	unsigned int counter;
529 
530 	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Reauthentication (id=%d)",
531 		   id);
532 	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method,
533 			       EAP_AKA_SUBTYPE_REAUTHENTICATION);
534 	wpa_printf(MSG_DEBUG, "   AT_IV");
535 	wpa_printf(MSG_DEBUG, "   AT_ENCR_DATA");
536 	eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV, EAP_SIM_AT_ENCR_DATA);
537 
538 	if (counter_too_small) {
539 		wpa_printf(MSG_DEBUG, "   *AT_COUNTER_TOO_SMALL");
540 		eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER_TOO_SMALL, 0, NULL, 0);
541 		counter = data->counter_too_small;
542 	} else
543 		counter = data->counter;
544 
545 	wpa_printf(MSG_DEBUG, "   *AT_COUNTER %d", counter);
546 	eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, counter, NULL, 0);
547 
548 	if (eap_sim_msg_add_encr_end(msg, data->k_encr, EAP_SIM_AT_PADDING)) {
549 		wpa_printf(MSG_WARNING, "EAP-AKA: Failed to encrypt "
550 			   "AT_ENCR_DATA");
551 		eap_sim_msg_free(msg);
552 		return NULL;
553 	}
554 	eap_aka_add_checkcode(data, msg);
555 	if (data->use_result_ind) {
556 		wpa_printf(MSG_DEBUG, "   AT_RESULT_IND");
557 		eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
558 	}
559 	wpa_printf(MSG_DEBUG, "   AT_MAC");
560 	eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
561 	return eap_sim_msg_finish(msg, data->k_aut, nonce_s,
562 				  EAP_SIM_NONCE_S_LEN);
563 }
564 
565 
566 static struct wpabuf * eap_aka_response_notification(struct eap_aka_data *data,
567 						     u8 id, u16 notification)
568 {
569 	struct eap_sim_msg *msg;
570 	u8 *k_aut = (notification & 0x4000) == 0 ? data->k_aut : NULL;
571 
572 	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Notification (id=%d)", id);
573 	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method,
574 			       EAP_AKA_SUBTYPE_NOTIFICATION);
575 	if (k_aut && data->reauth) {
576 		wpa_printf(MSG_DEBUG, "   AT_IV");
577 		wpa_printf(MSG_DEBUG, "   AT_ENCR_DATA");
578 		eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV,
579 					   EAP_SIM_AT_ENCR_DATA);
580 		wpa_printf(MSG_DEBUG, "   *AT_COUNTER %d", data->counter);
581 		eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, data->counter,
582 				NULL, 0);
583 		if (eap_sim_msg_add_encr_end(msg, data->k_encr,
584 					     EAP_SIM_AT_PADDING)) {
585 			wpa_printf(MSG_WARNING, "EAP-AKA: Failed to encrypt "
586 				   "AT_ENCR_DATA");
587 			eap_sim_msg_free(msg);
588 			return NULL;
589 		}
590 	}
591 	if (k_aut) {
592 		wpa_printf(MSG_DEBUG, "   AT_MAC");
593 		eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
594 	}
595 	return eap_sim_msg_finish(msg, k_aut, (u8 *) "", 0);
596 }
597 
598 
599 static struct wpabuf * eap_aka_process_identity(struct eap_sm *sm,
600 						struct eap_aka_data *data,
601 						u8 id,
602 						const struct wpabuf *reqData,
603 						struct eap_sim_attrs *attr)
604 {
605 	int id_error;
606 	struct wpabuf *buf;
607 
608 	wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Identity");
609 
610 	id_error = 0;
611 	switch (attr->id_req) {
612 	case NO_ID_REQ:
613 		break;
614 	case ANY_ID:
615 		if (data->num_id_req > 0)
616 			id_error++;
617 		data->num_id_req++;
618 		break;
619 	case FULLAUTH_ID:
620 		if (data->num_id_req > 1)
621 			id_error++;
622 		data->num_id_req++;
623 		break;
624 	case PERMANENT_ID:
625 		if (data->num_id_req > 2)
626 			id_error++;
627 		data->num_id_req++;
628 		break;
629 	}
630 	if (id_error) {
631 		wpa_printf(MSG_INFO, "EAP-AKA: Too many ID requests "
632 			   "used within one authentication");
633 		return eap_aka_client_error(data, id,
634 					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
635 	}
636 
637 	buf = eap_aka_response_identity(sm, data, id, attr->id_req);
638 
639 	if (data->prev_id != id) {
640 		eap_aka_add_id_msg(data, reqData);
641 		eap_aka_add_id_msg(data, buf);
642 		data->prev_id = id;
643 	}
644 
645 	return buf;
646 }
647 
648 
649 static int eap_aka_verify_mac(struct eap_aka_data *data,
650 			      const struct wpabuf *req,
651 			      const u8 *mac, const u8 *extra,
652 			      size_t extra_len)
653 {
654 	if (data->eap_method == EAP_TYPE_AKA_PRIME)
655 		return eap_sim_verify_mac_sha256(data->k_aut, req, mac, extra,
656 						 extra_len);
657 	return eap_sim_verify_mac(data->k_aut, req, mac, extra, extra_len);
658 }
659 
660 
661 #ifdef EAP_AKA_PRIME
662 static struct wpabuf * eap_aka_prime_kdf_select(struct eap_aka_data *data,
663 						u8 id, u16 kdf)
664 {
665 	struct eap_sim_msg *msg;
666 
667 	data->kdf_negotiation = 1;
668 	data->kdf = kdf;
669 	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Challenge (id=%d) (KDF "
670 		   "select)", id);
671 	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method,
672 			       EAP_AKA_SUBTYPE_CHALLENGE);
673 	wpa_printf(MSG_DEBUG, "   AT_KDF");
674 	eap_sim_msg_add(msg, EAP_SIM_AT_KDF, kdf, NULL, 0);
675 	return eap_sim_msg_finish(msg, NULL, NULL, 0);
676 }
677 
678 
679 static struct wpabuf * eap_aka_prime_kdf_neg(struct eap_aka_data *data,
680 					     u8 id, struct eap_sim_attrs *attr)
681 {
682 	size_t i;
683 
684 	for (i = 0; i < attr->kdf_count; i++) {
685 		if (attr->kdf[i] == EAP_AKA_PRIME_KDF)
686 			return eap_aka_prime_kdf_select(data, id,
687 							EAP_AKA_PRIME_KDF);
688 	}
689 
690 	/* No matching KDF found - fail authentication as if AUTN had been
691 	 * incorrect */
692 	return eap_aka_authentication_reject(data, id);
693 }
694 
695 
696 static int eap_aka_prime_kdf_valid(struct eap_aka_data *data,
697 				   struct eap_sim_attrs *attr)
698 {
699 	size_t i, j;
700 
701 	if (attr->kdf_count == 0)
702 		return 0;
703 
704 	/* The only allowed (and required) duplication of a KDF is the addition
705 	 * of the selected KDF into the beginning of the list. */
706 
707 	if (data->kdf_negotiation) {
708 		if (attr->kdf[0] != data->kdf) {
709 			wpa_printf(MSG_WARNING, "EAP-AKA': The server did not "
710 				   "accept the selected KDF");
711 			return 0;
712 		}
713 
714 		for (i = 1; i < attr->kdf_count; i++) {
715 			if (attr->kdf[i] == data->kdf)
716 				break;
717 		}
718 		if (i == attr->kdf_count &&
719 		    attr->kdf_count < EAP_AKA_PRIME_KDF_MAX) {
720 			wpa_printf(MSG_WARNING, "EAP-AKA': The server did not "
721 				   "duplicate the selected KDF");
722 			return 0;
723 		}
724 
725 		/* TODO: should check that the list is identical to the one
726 		 * used in the previous Challenge message apart from the added
727 		 * entry in the beginning. */
728 	}
729 
730 	for (i = data->kdf ? 1 : 0; i < attr->kdf_count; i++) {
731 		for (j = i + 1; j < attr->kdf_count; j++) {
732 			if (attr->kdf[i] == attr->kdf[j]) {
733 				wpa_printf(MSG_WARNING, "EAP-AKA': The server "
734 					   "included a duplicated KDF");
735 				return 0;
736 			}
737 		}
738 	}
739 
740 	return 1;
741 }
742 #endif /* EAP_AKA_PRIME */
743 
744 
745 static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm,
746 						 struct eap_aka_data *data,
747 						 u8 id,
748 						 const struct wpabuf *reqData,
749 						 struct eap_sim_attrs *attr)
750 {
751 	const u8 *identity;
752 	size_t identity_len;
753 	int res;
754 	struct eap_sim_attrs eattr;
755 
756 	wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Challenge");
757 
758 	if (attr->checkcode &&
759 	    eap_aka_verify_checkcode(data, attr->checkcode,
760 				     attr->checkcode_len)) {
761 		wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the "
762 			   "message");
763 		return eap_aka_client_error(data, id,
764 					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
765 	}
766 
767 #ifdef EAP_AKA_PRIME
768 	if (data->eap_method == EAP_TYPE_AKA_PRIME) {
769 		if (!attr->kdf_input || attr->kdf_input_len == 0) {
770 			wpa_printf(MSG_WARNING, "EAP-AKA': Challenge message "
771 				   "did not include non-empty AT_KDF_INPUT");
772 			/* Fail authentication as if AUTN had been incorrect */
773 			return eap_aka_authentication_reject(data, id);
774 		}
775 		os_free(data->network_name);
776 		data->network_name = os_malloc(attr->kdf_input_len);
777 		if (data->network_name == NULL) {
778 			wpa_printf(MSG_WARNING, "EAP-AKA': No memory for "
779 				   "storing Network Name");
780 			return eap_aka_authentication_reject(data, id);
781 		}
782 		os_memcpy(data->network_name, attr->kdf_input,
783 			  attr->kdf_input_len);
784 		data->network_name_len = attr->kdf_input_len;
785 		wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA': Network Name "
786 				  "(AT_KDF_INPUT)",
787 				  data->network_name, data->network_name_len);
788 		/* TODO: check Network Name per 3GPP.33.402 */
789 
790 		if (!eap_aka_prime_kdf_valid(data, attr))
791 			return eap_aka_authentication_reject(data, id);
792 
793 		if (attr->kdf[0] != EAP_AKA_PRIME_KDF)
794 			return eap_aka_prime_kdf_neg(data, id, attr);
795 
796 		data->kdf = EAP_AKA_PRIME_KDF;
797 		wpa_printf(MSG_DEBUG, "EAP-AKA': KDF %d selected", data->kdf);
798 	}
799 
800 	if (data->eap_method == EAP_TYPE_AKA && attr->bidding) {
801 		u16 flags = WPA_GET_BE16(attr->bidding);
802 		if ((flags & EAP_AKA_BIDDING_FLAG_D) &&
803 		    eap_allowed_method(sm, EAP_VENDOR_IETF,
804 				       EAP_TYPE_AKA_PRIME)) {
805 			wpa_printf(MSG_WARNING, "EAP-AKA: Bidding down from "
806 				   "AKA' to AKA detected");
807 			/* Fail authentication as if AUTN had been incorrect */
808 			return eap_aka_authentication_reject(data, id);
809 		}
810 	}
811 #endif /* EAP_AKA_PRIME */
812 
813 	data->reauth = 0;
814 	if (!attr->mac || !attr->rand || !attr->autn) {
815 		wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message "
816 			   "did not include%s%s%s",
817 			   !attr->mac ? " AT_MAC" : "",
818 			   !attr->rand ? " AT_RAND" : "",
819 			   !attr->autn ? " AT_AUTN" : "");
820 		return eap_aka_client_error(data, id,
821 					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
822 	}
823 	os_memcpy(data->rand, attr->rand, EAP_AKA_RAND_LEN);
824 	os_memcpy(data->autn, attr->autn, EAP_AKA_AUTN_LEN);
825 
826 	res = eap_aka_umts_auth(sm, data);
827 	if (res == -1) {
828 		wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication "
829 			   "failed (AUTN)");
830 		return eap_aka_authentication_reject(data, id);
831 	} else if (res == -2) {
832 		wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication "
833 			   "failed (AUTN seq# -> AUTS)");
834 		return eap_aka_synchronization_failure(data, id);
835 	} else if (res) {
836 		wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication failed");
837 		return eap_aka_client_error(data, id,
838 					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
839 	}
840 #ifdef EAP_AKA_PRIME
841 	if (data->eap_method == EAP_TYPE_AKA_PRIME) {
842 		/* Note: AUTN = (SQN ^ AK) || AMF || MAC which gives us the
843 		 * needed 6-octet SQN ^ AK for CK',IK' derivation */
844 		u16 amf = WPA_GET_BE16(data->autn + 6);
845 		if (!(amf & 0x8000)) {
846 			wpa_printf(MSG_WARNING, "EAP-AKA': AMF separation bit "
847 				   "not set (AMF=0x%4x)", amf);
848 			return eap_aka_authentication_reject(data, id);
849 		}
850 		eap_aka_prime_derive_ck_ik_prime(data->ck, data->ik,
851 						 data->autn,
852 						 data->network_name,
853 						 data->network_name_len);
854 	}
855 #endif /* EAP_AKA_PRIME */
856 	if (data->last_eap_identity) {
857 		identity = data->last_eap_identity;
858 		identity_len = data->last_eap_identity_len;
859 	} else if (data->pseudonym) {
860 		identity = data->pseudonym;
861 		identity_len = data->pseudonym_len;
862 	} else
863 		identity = eap_get_config_identity(sm, &identity_len);
864 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Selected identity for MK "
865 			  "derivation", identity, identity_len);
866 	if (data->eap_method == EAP_TYPE_AKA_PRIME) {
867 		eap_aka_prime_derive_keys(identity, identity_len, data->ik,
868 					  data->ck, data->k_encr, data->k_aut,
869 					  data->k_re, data->msk, data->emsk);
870 	} else {
871 		eap_aka_derive_mk(identity, identity_len, data->ik, data->ck,
872 				  data->mk);
873 		eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut,
874 				    data->msk, data->emsk);
875 	}
876 	if (eap_aka_verify_mac(data, reqData, attr->mac, (u8 *) "", 0)) {
877 		wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message "
878 			   "used invalid AT_MAC");
879 		return eap_aka_client_error(data, id,
880 					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
881 	}
882 
883 	/* Old reauthentication and pseudonym identities must not be used
884 	 * anymore. In other words, if no new identities are received, full
885 	 * authentication will be used on next reauthentication. */
886 	eap_aka_clear_identities(data, CLEAR_PSEUDONYM | CLEAR_REAUTH_ID |
887 				 CLEAR_EAP_ID);
888 
889 	if (attr->encr_data) {
890 		u8 *decrypted;
891 		decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,
892 					       attr->encr_data_len, attr->iv,
893 					       &eattr, 0);
894 		if (decrypted == NULL) {
895 			return eap_aka_client_error(
896 				data, id, EAP_AKA_UNABLE_TO_PROCESS_PACKET);
897 		}
898 		eap_aka_learn_ids(data, &eattr);
899 		os_free(decrypted);
900 	}
901 
902 	if (data->result_ind && attr->result_ind)
903 		data->use_result_ind = 1;
904 
905 	if (data->state != FAILURE && data->state != RESULT_FAILURE) {
906 		eap_aka_state(data, data->use_result_ind ?
907 			      RESULT_SUCCESS : SUCCESS);
908 	}
909 
910 	data->num_id_req = 0;
911 	data->num_notification = 0;
912 	/* RFC 4187 specifies that counter is initialized to one after
913 	 * fullauth, but initializing it to zero makes it easier to implement
914 	 * reauth verification. */
915 	data->counter = 0;
916 	return eap_aka_response_challenge(data, id);
917 }
918 
919 
920 static int eap_aka_process_notification_reauth(struct eap_aka_data *data,
921 					       struct eap_sim_attrs *attr)
922 {
923 	struct eap_sim_attrs eattr;
924 	u8 *decrypted;
925 
926 	if (attr->encr_data == NULL || attr->iv == NULL) {
927 		wpa_printf(MSG_WARNING, "EAP-AKA: Notification message after "
928 			   "reauth did not include encrypted data");
929 		return -1;
930 	}
931 
932 	decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,
933 				       attr->encr_data_len, attr->iv, &eattr,
934 				       0);
935 	if (decrypted == NULL) {
936 		wpa_printf(MSG_WARNING, "EAP-AKA: Failed to parse encrypted "
937 			   "data from notification message");
938 		return -1;
939 	}
940 
941 	if (eattr.counter < 0 || (size_t) eattr.counter != data->counter) {
942 		wpa_printf(MSG_WARNING, "EAP-AKA: Counter in notification "
943 			   "message does not match with counter in reauth "
944 			   "message");
945 		os_free(decrypted);
946 		return -1;
947 	}
948 
949 	os_free(decrypted);
950 	return 0;
951 }
952 
953 
954 static int eap_aka_process_notification_auth(struct eap_aka_data *data,
955 					     const struct wpabuf *reqData,
956 					     struct eap_sim_attrs *attr)
957 {
958 	if (attr->mac == NULL) {
959 		wpa_printf(MSG_INFO, "EAP-AKA: no AT_MAC in after_auth "
960 			   "Notification message");
961 		return -1;
962 	}
963 
964 	if (eap_aka_verify_mac(data, reqData, attr->mac, (u8 *) "", 0)) {
965 		wpa_printf(MSG_WARNING, "EAP-AKA: Notification message "
966 			   "used invalid AT_MAC");
967 		return -1;
968 	}
969 
970 	if (data->reauth &&
971 	    eap_aka_process_notification_reauth(data, attr)) {
972 		wpa_printf(MSG_WARNING, "EAP-AKA: Invalid notification "
973 			   "message after reauth");
974 		return -1;
975 	}
976 
977 	return 0;
978 }
979 
980 
981 static struct wpabuf * eap_aka_process_notification(
982 	struct eap_sm *sm, struct eap_aka_data *data, u8 id,
983 	const struct wpabuf *reqData, struct eap_sim_attrs *attr)
984 {
985 	wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Notification");
986 	if (data->num_notification > 0) {
987 		wpa_printf(MSG_INFO, "EAP-AKA: too many notification "
988 			   "rounds (only one allowed)");
989 		return eap_aka_client_error(data, id,
990 					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
991 	}
992 	data->num_notification++;
993 	if (attr->notification == -1) {
994 		wpa_printf(MSG_INFO, "EAP-AKA: no AT_NOTIFICATION in "
995 			   "Notification message");
996 		return eap_aka_client_error(data, id,
997 					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
998 	}
999 
1000 	if ((attr->notification & 0x4000) == 0 &&
1001 	    eap_aka_process_notification_auth(data, reqData, attr)) {
1002 		return eap_aka_client_error(data, id,
1003 					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
1004 	}
1005 
1006 	eap_sim_report_notification(sm->msg_ctx, attr->notification, 1);
1007 	if (attr->notification >= 0 && attr->notification < 32768) {
1008 		eap_aka_state(data, FAILURE);
1009 	} else if (attr->notification == EAP_SIM_SUCCESS &&
1010 		   data->state == RESULT_SUCCESS)
1011 		eap_aka_state(data, SUCCESS);
1012 	return eap_aka_response_notification(data, id, attr->notification);
1013 }
1014 
1015 
1016 static struct wpabuf * eap_aka_process_reauthentication(
1017 	struct eap_sm *sm, struct eap_aka_data *data, u8 id,
1018 	const struct wpabuf *reqData, struct eap_sim_attrs *attr)
1019 {
1020 	struct eap_sim_attrs eattr;
1021 	u8 *decrypted;
1022 
1023 	wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Reauthentication");
1024 
1025 	if (attr->checkcode &&
1026 	    eap_aka_verify_checkcode(data, attr->checkcode,
1027 				     attr->checkcode_len)) {
1028 		wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the "
1029 			   "message");
1030 		return eap_aka_client_error(data, id,
1031 					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
1032 	}
1033 
1034 	if (data->reauth_id == NULL) {
1035 		wpa_printf(MSG_WARNING, "EAP-AKA: Server is trying "
1036 			   "reauthentication, but no reauth_id available");
1037 		return eap_aka_client_error(data, id,
1038 					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
1039 	}
1040 
1041 	data->reauth = 1;
1042 	if (eap_aka_verify_mac(data, reqData, attr->mac, (u8 *) "", 0)) {
1043 		wpa_printf(MSG_WARNING, "EAP-AKA: Reauthentication "
1044 			   "did not have valid AT_MAC");
1045 		return eap_aka_client_error(data, id,
1046 					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
1047 	}
1048 
1049 	if (attr->encr_data == NULL || attr->iv == NULL) {
1050 		wpa_printf(MSG_WARNING, "EAP-AKA: Reauthentication "
1051 			   "message did not include encrypted data");
1052 		return eap_aka_client_error(data, id,
1053 					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
1054 	}
1055 
1056 	decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,
1057 				       attr->encr_data_len, attr->iv, &eattr,
1058 				       0);
1059 	if (decrypted == NULL) {
1060 		wpa_printf(MSG_WARNING, "EAP-AKA: Failed to parse encrypted "
1061 			   "data from reauthentication message");
1062 		return eap_aka_client_error(data, id,
1063 					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
1064 	}
1065 
1066 	if (eattr.nonce_s == NULL || eattr.counter < 0) {
1067 		wpa_printf(MSG_INFO, "EAP-AKA: (encr) No%s%s in reauth packet",
1068 			   !eattr.nonce_s ? " AT_NONCE_S" : "",
1069 			   eattr.counter < 0 ? " AT_COUNTER" : "");
1070 		os_free(decrypted);
1071 		return eap_aka_client_error(data, id,
1072 					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
1073 	}
1074 
1075 	if (eattr.counter < 0 || (size_t) eattr.counter <= data->counter) {
1076 		struct wpabuf *res;
1077 		wpa_printf(MSG_INFO, "EAP-AKA: (encr) Invalid counter "
1078 			   "(%d <= %d)", eattr.counter, data->counter);
1079 		data->counter_too_small = eattr.counter;
1080 
1081 		/* Reply using Re-auth w/ AT_COUNTER_TOO_SMALL. The current
1082 		 * reauth_id must not be used to start a new reauthentication.
1083 		 * However, since it was used in the last EAP-Response-Identity
1084 		 * packet, it has to saved for the following fullauth to be
1085 		 * used in MK derivation. */
1086 		os_free(data->last_eap_identity);
1087 		data->last_eap_identity = data->reauth_id;
1088 		data->last_eap_identity_len = data->reauth_id_len;
1089 		data->reauth_id = NULL;
1090 		data->reauth_id_len = 0;
1091 
1092 		res = eap_aka_response_reauth(data, id, 1, eattr.nonce_s);
1093 		os_free(decrypted);
1094 
1095 		return res;
1096 	}
1097 	data->counter = eattr.counter;
1098 
1099 	os_memcpy(data->nonce_s, eattr.nonce_s, EAP_SIM_NONCE_S_LEN);
1100 	wpa_hexdump(MSG_DEBUG, "EAP-AKA: (encr) AT_NONCE_S",
1101 		    data->nonce_s, EAP_SIM_NONCE_S_LEN);
1102 
1103 	if (data->eap_method == EAP_TYPE_AKA_PRIME) {
1104 		eap_aka_prime_derive_keys_reauth(data->k_re, data->counter,
1105 						 data->reauth_id,
1106 						 data->reauth_id_len,
1107 						 data->nonce_s,
1108 						 data->msk, data->emsk);
1109 	} else {
1110 		eap_sim_derive_keys_reauth(data->counter, data->reauth_id,
1111 					   data->reauth_id_len,
1112 					   data->nonce_s, data->mk,
1113 					   data->msk, data->emsk);
1114 	}
1115 	eap_aka_clear_identities(data, CLEAR_REAUTH_ID | CLEAR_EAP_ID);
1116 	eap_aka_learn_ids(data, &eattr);
1117 
1118 	if (data->result_ind && attr->result_ind)
1119 		data->use_result_ind = 1;
1120 
1121 	if (data->state != FAILURE && data->state != RESULT_FAILURE) {
1122 		eap_aka_state(data, data->use_result_ind ?
1123 			      RESULT_SUCCESS : SUCCESS);
1124 	}
1125 
1126 	data->num_id_req = 0;
1127 	data->num_notification = 0;
1128 	if (data->counter > EAP_AKA_MAX_FAST_REAUTHS) {
1129 		wpa_printf(MSG_DEBUG, "EAP-AKA: Maximum number of "
1130 			   "fast reauths performed - force fullauth");
1131 		eap_aka_clear_identities(data, CLEAR_REAUTH_ID | CLEAR_EAP_ID);
1132 	}
1133 	os_free(decrypted);
1134 	return eap_aka_response_reauth(data, id, 0, data->nonce_s);
1135 }
1136 
1137 
1138 static struct wpabuf * eap_aka_process(struct eap_sm *sm, void *priv,
1139 				       struct eap_method_ret *ret,
1140 				       const struct wpabuf *reqData)
1141 {
1142 	struct eap_aka_data *data = priv;
1143 	const struct eap_hdr *req;
1144 	u8 subtype, id;
1145 	struct wpabuf *res;
1146 	const u8 *pos;
1147 	struct eap_sim_attrs attr;
1148 	size_t len;
1149 
1150 	wpa_hexdump_buf(MSG_DEBUG, "EAP-AKA: EAP data", reqData);
1151 	if (eap_get_config_identity(sm, &len) == NULL) {
1152 		wpa_printf(MSG_INFO, "EAP-AKA: Identity not configured");
1153 		eap_sm_request_identity(sm);
1154 		ret->ignore = TRUE;
1155 		return NULL;
1156 	}
1157 
1158 	pos = eap_hdr_validate(EAP_VENDOR_IETF, data->eap_method, reqData,
1159 			       &len);
1160 	if (pos == NULL || len < 1) {
1161 		ret->ignore = TRUE;
1162 		return NULL;
1163 	}
1164 	req = wpabuf_head(reqData);
1165 	id = req->identifier;
1166 	len = be_to_host16(req->length);
1167 
1168 	ret->ignore = FALSE;
1169 	ret->methodState = METHOD_MAY_CONT;
1170 	ret->decision = DECISION_FAIL;
1171 	ret->allowNotifications = TRUE;
1172 
1173 	subtype = *pos++;
1174 	wpa_printf(MSG_DEBUG, "EAP-AKA: Subtype=%d", subtype);
1175 	pos += 2; /* Reserved */
1176 
1177 	if (eap_sim_parse_attr(pos, wpabuf_head_u8(reqData) + len, &attr,
1178 			       data->eap_method == EAP_TYPE_AKA_PRIME ? 2 : 1,
1179 			       0)) {
1180 		res = eap_aka_client_error(data, id,
1181 					   EAP_AKA_UNABLE_TO_PROCESS_PACKET);
1182 		goto done;
1183 	}
1184 
1185 	switch (subtype) {
1186 	case EAP_AKA_SUBTYPE_IDENTITY:
1187 		res = eap_aka_process_identity(sm, data, id, reqData, &attr);
1188 		break;
1189 	case EAP_AKA_SUBTYPE_CHALLENGE:
1190 		res = eap_aka_process_challenge(sm, data, id, reqData, &attr);
1191 		break;
1192 	case EAP_AKA_SUBTYPE_NOTIFICATION:
1193 		res = eap_aka_process_notification(sm, data, id, reqData,
1194 						   &attr);
1195 		break;
1196 	case EAP_AKA_SUBTYPE_REAUTHENTICATION:
1197 		res = eap_aka_process_reauthentication(sm, data, id, reqData,
1198 						       &attr);
1199 		break;
1200 	case EAP_AKA_SUBTYPE_CLIENT_ERROR:
1201 		wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Client-Error");
1202 		res = eap_aka_client_error(data, id,
1203 					   EAP_AKA_UNABLE_TO_PROCESS_PACKET);
1204 		break;
1205 	default:
1206 		wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown subtype=%d", subtype);
1207 		res = eap_aka_client_error(data, id,
1208 					   EAP_AKA_UNABLE_TO_PROCESS_PACKET);
1209 		break;
1210 	}
1211 
1212 done:
1213 	if (data->state == FAILURE) {
1214 		ret->decision = DECISION_FAIL;
1215 		ret->methodState = METHOD_DONE;
1216 	} else if (data->state == SUCCESS) {
1217 		ret->decision = data->use_result_ind ?
1218 			DECISION_UNCOND_SUCC : DECISION_COND_SUCC;
1219 		/*
1220 		 * It is possible for the server to reply with AKA
1221 		 * Notification, so we must allow the method to continue and
1222 		 * not only accept EAP-Success at this point.
1223 		 */
1224 		ret->methodState = data->use_result_ind ?
1225 			METHOD_DONE : METHOD_MAY_CONT;
1226 	} else if (data->state == RESULT_FAILURE)
1227 		ret->methodState = METHOD_CONT;
1228 	else if (data->state == RESULT_SUCCESS)
1229 		ret->methodState = METHOD_CONT;
1230 
1231 	if (ret->methodState == METHOD_DONE) {
1232 		ret->allowNotifications = FALSE;
1233 	}
1234 
1235 	return res;
1236 }
1237 
1238 
1239 static Boolean eap_aka_has_reauth_data(struct eap_sm *sm, void *priv)
1240 {
1241 	struct eap_aka_data *data = priv;
1242 	return data->pseudonym || data->reauth_id;
1243 }
1244 
1245 
1246 static void eap_aka_deinit_for_reauth(struct eap_sm *sm, void *priv)
1247 {
1248 	struct eap_aka_data *data = priv;
1249 	eap_aka_clear_identities(data, CLEAR_EAP_ID);
1250 	data->prev_id = -1;
1251 	wpabuf_free(data->id_msgs);
1252 	data->id_msgs = NULL;
1253 	data->use_result_ind = 0;
1254 	data->kdf_negotiation = 0;
1255 }
1256 
1257 
1258 static void * eap_aka_init_for_reauth(struct eap_sm *sm, void *priv)
1259 {
1260 	struct eap_aka_data *data = priv;
1261 	data->num_id_req = 0;
1262 	data->num_notification = 0;
1263 	eap_aka_state(data, CONTINUE);
1264 	return priv;
1265 }
1266 
1267 
1268 static const u8 * eap_aka_get_identity(struct eap_sm *sm, void *priv,
1269 				       size_t *len)
1270 {
1271 	struct eap_aka_data *data = priv;
1272 
1273 	if (data->reauth_id) {
1274 		*len = data->reauth_id_len;
1275 		return data->reauth_id;
1276 	}
1277 
1278 	if (data->pseudonym) {
1279 		*len = data->pseudonym_len;
1280 		return data->pseudonym;
1281 	}
1282 
1283 	return NULL;
1284 }
1285 
1286 
1287 static Boolean eap_aka_isKeyAvailable(struct eap_sm *sm, void *priv)
1288 {
1289 	struct eap_aka_data *data = priv;
1290 	return data->state == SUCCESS;
1291 }
1292 
1293 
1294 static u8 * eap_aka_getKey(struct eap_sm *sm, void *priv, size_t *len)
1295 {
1296 	struct eap_aka_data *data = priv;
1297 	u8 *key;
1298 
1299 	if (data->state != SUCCESS)
1300 		return NULL;
1301 
1302 	key = os_malloc(EAP_SIM_KEYING_DATA_LEN);
1303 	if (key == NULL)
1304 		return NULL;
1305 
1306 	*len = EAP_SIM_KEYING_DATA_LEN;
1307 	os_memcpy(key, data->msk, EAP_SIM_KEYING_DATA_LEN);
1308 
1309 	return key;
1310 }
1311 
1312 
1313 static u8 * eap_aka_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
1314 {
1315 	struct eap_aka_data *data = priv;
1316 	u8 *key;
1317 
1318 	if (data->state != SUCCESS)
1319 		return NULL;
1320 
1321 	key = os_malloc(EAP_EMSK_LEN);
1322 	if (key == NULL)
1323 		return NULL;
1324 
1325 	*len = EAP_EMSK_LEN;
1326 	os_memcpy(key, data->emsk, EAP_EMSK_LEN);
1327 
1328 	return key;
1329 }
1330 
1331 
1332 int eap_peer_aka_register(void)
1333 {
1334 	struct eap_method *eap;
1335 	int ret;
1336 
1337 	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
1338 				    EAP_VENDOR_IETF, EAP_TYPE_AKA, "AKA");
1339 	if (eap == NULL)
1340 		return -1;
1341 
1342 	eap->init = eap_aka_init;
1343 	eap->deinit = eap_aka_deinit;
1344 	eap->process = eap_aka_process;
1345 	eap->isKeyAvailable = eap_aka_isKeyAvailable;
1346 	eap->getKey = eap_aka_getKey;
1347 	eap->has_reauth_data = eap_aka_has_reauth_data;
1348 	eap->deinit_for_reauth = eap_aka_deinit_for_reauth;
1349 	eap->init_for_reauth = eap_aka_init_for_reauth;
1350 	eap->get_identity = eap_aka_get_identity;
1351 	eap->get_emsk = eap_aka_get_emsk;
1352 
1353 	ret = eap_peer_method_register(eap);
1354 	if (ret)
1355 		eap_peer_method_free(eap);
1356 	return ret;
1357 }
1358 
1359 
1360 #ifdef EAP_AKA_PRIME
1361 int eap_peer_aka_prime_register(void)
1362 {
1363 	struct eap_method *eap;
1364 	int ret;
1365 
1366 	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
1367 				    EAP_VENDOR_IETF, EAP_TYPE_AKA_PRIME,
1368 				    "AKA'");
1369 	if (eap == NULL)
1370 		return -1;
1371 
1372 	eap->init = eap_aka_prime_init;
1373 	eap->deinit = eap_aka_deinit;
1374 	eap->process = eap_aka_process;
1375 	eap->isKeyAvailable = eap_aka_isKeyAvailable;
1376 	eap->getKey = eap_aka_getKey;
1377 	eap->has_reauth_data = eap_aka_has_reauth_data;
1378 	eap->deinit_for_reauth = eap_aka_deinit_for_reauth;
1379 	eap->init_for_reauth = eap_aka_init_for_reauth;
1380 	eap->get_identity = eap_aka_get_identity;
1381 	eap->get_emsk = eap_aka_get_emsk;
1382 
1383 	ret = eap_peer_method_register(eap);
1384 	if (ret)
1385 		eap_peer_method_free(eap);
1386 
1387 	return ret;
1388 }
1389 #endif /* EAP_AKA_PRIME */
1390