1 /* 2 * hostapd / EAP-SIM (RFC 4186) 3 * Copyright (c) 2005-2012, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/random.h" 13 #include "eap_server/eap_i.h" 14 #include "eap_common/eap_sim_common.h" 15 #include "eap_server/eap_sim_db.h" 16 17 18 struct eap_sim_data { 19 u8 mk[EAP_SIM_MK_LEN]; 20 u8 nonce_mt[EAP_SIM_NONCE_MT_LEN]; 21 u8 nonce_s[EAP_SIM_NONCE_S_LEN]; 22 u8 k_aut[EAP_SIM_K_AUT_LEN]; 23 u8 k_encr[EAP_SIM_K_ENCR_LEN]; 24 u8 msk[EAP_SIM_KEYING_DATA_LEN]; 25 u8 emsk[EAP_EMSK_LEN]; 26 u8 kc[EAP_SIM_MAX_CHAL][EAP_SIM_KC_LEN]; 27 u8 sres[EAP_SIM_MAX_CHAL][EAP_SIM_SRES_LEN]; 28 u8 rand[EAP_SIM_MAX_CHAL][GSM_RAND_LEN]; 29 int num_chal; 30 enum { 31 START, CHALLENGE, REAUTH, NOTIFICATION, SUCCESS, FAILURE 32 } state; 33 char *next_pseudonym; 34 char *next_reauth_id; 35 u16 counter; 36 struct eap_sim_reauth *reauth; 37 u16 notification; 38 int use_result_ind; 39 int start_round; 40 char permanent[20]; /* Permanent username */ 41 }; 42 43 44 static const char * eap_sim_state_txt(int state) 45 { 46 switch (state) { 47 case START: 48 return "START"; 49 case CHALLENGE: 50 return "CHALLENGE"; 51 case REAUTH: 52 return "REAUTH"; 53 case SUCCESS: 54 return "SUCCESS"; 55 case FAILURE: 56 return "FAILURE"; 57 case NOTIFICATION: 58 return "NOTIFICATION"; 59 default: 60 return "Unknown?!"; 61 } 62 } 63 64 65 static void eap_sim_state(struct eap_sim_data *data, int state) 66 { 67 wpa_printf(MSG_DEBUG, "EAP-SIM: %s -> %s", 68 eap_sim_state_txt(data->state), 69 eap_sim_state_txt(state)); 70 data->state = state; 71 } 72 73 74 static void * eap_sim_init(struct eap_sm *sm) 75 { 76 struct eap_sim_data *data; 77 78 if (sm->eap_sim_db_priv == NULL) { 79 wpa_printf(MSG_WARNING, "EAP-SIM: eap_sim_db not configured"); 80 return NULL; 81 } 82 83 data = os_zalloc(sizeof(*data)); 84 if (data == NULL) 85 return NULL; 86 data->state = START; 87 88 return data; 89 } 90 91 92 static void eap_sim_reset(struct eap_sm *sm, void *priv) 93 { 94 struct eap_sim_data *data = priv; 95 os_free(data->next_pseudonym); 96 os_free(data->next_reauth_id); 97 os_free(data); 98 } 99 100 101 static struct wpabuf * eap_sim_build_start(struct eap_sm *sm, 102 struct eap_sim_data *data, u8 id) 103 { 104 struct eap_sim_msg *msg; 105 u8 ver[2]; 106 107 wpa_printf(MSG_DEBUG, "EAP-SIM: Generating Start"); 108 msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, EAP_TYPE_SIM, 109 EAP_SIM_SUBTYPE_START); 110 data->start_round++; 111 if (data->start_round == 1) { 112 /* 113 * RFC 4186, Chap. 4.2.4 recommends that identity from EAP is 114 * ignored and the SIM/Start is used to request the identity. 115 */ 116 wpa_printf(MSG_DEBUG, " AT_ANY_ID_REQ"); 117 eap_sim_msg_add(msg, EAP_SIM_AT_ANY_ID_REQ, 0, NULL, 0); 118 } else if (data->start_round > 3) { 119 /* Cannot use more than three rounds of Start messages */ 120 eap_sim_msg_free(msg); 121 return NULL; 122 } else if (data->start_round == 0) { 123 /* 124 * This is a special case that is used to recover from 125 * AT_COUNTER_TOO_SMALL during re-authentication. Since we 126 * already know the identity of the peer, there is no need to 127 * request any identity in this case. 128 */ 129 } else if (sm->identity && sm->identity_len > 0 && 130 sm->identity[0] == EAP_SIM_REAUTH_ID_PREFIX) { 131 /* Reauth id may have expired - try fullauth */ 132 wpa_printf(MSG_DEBUG, " AT_FULLAUTH_ID_REQ"); 133 eap_sim_msg_add(msg, EAP_SIM_AT_FULLAUTH_ID_REQ, 0, NULL, 0); 134 } else { 135 wpa_printf(MSG_DEBUG, " AT_PERMANENT_ID_REQ"); 136 eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0); 137 } 138 wpa_printf(MSG_DEBUG, " AT_VERSION_LIST"); 139 ver[0] = 0; 140 ver[1] = EAP_SIM_VERSION; 141 eap_sim_msg_add(msg, EAP_SIM_AT_VERSION_LIST, sizeof(ver), 142 ver, sizeof(ver)); 143 return eap_sim_msg_finish(msg, NULL, NULL, 0); 144 } 145 146 147 static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data, 148 struct eap_sim_msg *msg, u16 counter, 149 const u8 *nonce_s) 150 { 151 os_free(data->next_pseudonym); 152 if (nonce_s == NULL) { 153 data->next_pseudonym = 154 eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv, 155 EAP_SIM_DB_SIM); 156 } else { 157 /* Do not update pseudonym during re-authentication */ 158 data->next_pseudonym = NULL; 159 } 160 os_free(data->next_reauth_id); 161 if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) { 162 data->next_reauth_id = 163 eap_sim_db_get_next_reauth_id(sm->eap_sim_db_priv, 164 EAP_SIM_DB_SIM); 165 } else { 166 wpa_printf(MSG_DEBUG, "EAP-SIM: Max fast re-authentication " 167 "count exceeded - force full authentication"); 168 data->next_reauth_id = NULL; 169 } 170 171 if (data->next_pseudonym == NULL && data->next_reauth_id == NULL && 172 counter == 0 && nonce_s == NULL) 173 return 0; 174 175 wpa_printf(MSG_DEBUG, " AT_IV"); 176 wpa_printf(MSG_DEBUG, " AT_ENCR_DATA"); 177 eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV, EAP_SIM_AT_ENCR_DATA); 178 179 if (counter > 0) { 180 wpa_printf(MSG_DEBUG, " *AT_COUNTER (%u)", counter); 181 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, counter, NULL, 0); 182 } 183 184 if (nonce_s) { 185 wpa_printf(MSG_DEBUG, " *AT_NONCE_S"); 186 eap_sim_msg_add(msg, EAP_SIM_AT_NONCE_S, 0, nonce_s, 187 EAP_SIM_NONCE_S_LEN); 188 } 189 190 if (data->next_pseudonym) { 191 wpa_printf(MSG_DEBUG, " *AT_NEXT_PSEUDONYM (%s)", 192 data->next_pseudonym); 193 eap_sim_msg_add(msg, EAP_SIM_AT_NEXT_PSEUDONYM, 194 os_strlen(data->next_pseudonym), 195 (u8 *) data->next_pseudonym, 196 os_strlen(data->next_pseudonym)); 197 } 198 199 if (data->next_reauth_id) { 200 wpa_printf(MSG_DEBUG, " *AT_NEXT_REAUTH_ID (%s)", 201 data->next_reauth_id); 202 eap_sim_msg_add(msg, EAP_SIM_AT_NEXT_REAUTH_ID, 203 os_strlen(data->next_reauth_id), 204 (u8 *) data->next_reauth_id, 205 os_strlen(data->next_reauth_id)); 206 } 207 208 if (eap_sim_msg_add_encr_end(msg, data->k_encr, EAP_SIM_AT_PADDING)) { 209 wpa_printf(MSG_WARNING, "EAP-SIM: Failed to encrypt " 210 "AT_ENCR_DATA"); 211 return -1; 212 } 213 214 return 0; 215 } 216 217 218 static struct wpabuf * eap_sim_build_challenge(struct eap_sm *sm, 219 struct eap_sim_data *data, 220 u8 id) 221 { 222 struct eap_sim_msg *msg; 223 224 wpa_printf(MSG_DEBUG, "EAP-SIM: Generating Challenge"); 225 msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, EAP_TYPE_SIM, 226 EAP_SIM_SUBTYPE_CHALLENGE); 227 wpa_printf(MSG_DEBUG, " AT_RAND"); 228 eap_sim_msg_add(msg, EAP_SIM_AT_RAND, 0, (u8 *) data->rand, 229 data->num_chal * GSM_RAND_LEN); 230 231 if (eap_sim_build_encr(sm, data, msg, 0, NULL)) { 232 eap_sim_msg_free(msg); 233 return NULL; 234 } 235 236 if (sm->eap_sim_aka_result_ind) { 237 wpa_printf(MSG_DEBUG, " AT_RESULT_IND"); 238 eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0); 239 } 240 241 wpa_printf(MSG_DEBUG, " AT_MAC"); 242 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC); 243 return eap_sim_msg_finish(msg, data->k_aut, data->nonce_mt, 244 EAP_SIM_NONCE_MT_LEN); 245 } 246 247 248 static struct wpabuf * eap_sim_build_reauth(struct eap_sm *sm, 249 struct eap_sim_data *data, u8 id) 250 { 251 struct eap_sim_msg *msg; 252 253 wpa_printf(MSG_DEBUG, "EAP-SIM: Generating Re-authentication"); 254 255 if (random_get_bytes(data->nonce_s, EAP_SIM_NONCE_S_LEN)) 256 return NULL; 257 wpa_hexdump_key(MSG_MSGDUMP, "EAP-SIM: NONCE_S", 258 data->nonce_s, EAP_SIM_NONCE_S_LEN); 259 260 eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut, data->msk, 261 data->emsk); 262 eap_sim_derive_keys_reauth(data->counter, sm->identity, 263 sm->identity_len, data->nonce_s, data->mk, 264 data->msk, data->emsk); 265 266 msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, EAP_TYPE_SIM, 267 EAP_SIM_SUBTYPE_REAUTHENTICATION); 268 269 if (eap_sim_build_encr(sm, data, msg, data->counter, data->nonce_s)) { 270 eap_sim_msg_free(msg); 271 return NULL; 272 } 273 274 if (sm->eap_sim_aka_result_ind) { 275 wpa_printf(MSG_DEBUG, " AT_RESULT_IND"); 276 eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0); 277 } 278 279 wpa_printf(MSG_DEBUG, " AT_MAC"); 280 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC); 281 return eap_sim_msg_finish(msg, data->k_aut, NULL, 0); 282 } 283 284 285 static struct wpabuf * eap_sim_build_notification(struct eap_sm *sm, 286 struct eap_sim_data *data, 287 u8 id) 288 { 289 struct eap_sim_msg *msg; 290 291 wpa_printf(MSG_DEBUG, "EAP-SIM: Generating Notification"); 292 msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, EAP_TYPE_SIM, 293 EAP_SIM_SUBTYPE_NOTIFICATION); 294 wpa_printf(MSG_DEBUG, " AT_NOTIFICATION (%d)", data->notification); 295 eap_sim_msg_add(msg, EAP_SIM_AT_NOTIFICATION, data->notification, 296 NULL, 0); 297 if (data->use_result_ind) { 298 if (data->reauth) { 299 wpa_printf(MSG_DEBUG, " AT_IV"); 300 wpa_printf(MSG_DEBUG, " AT_ENCR_DATA"); 301 eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV, 302 EAP_SIM_AT_ENCR_DATA); 303 wpa_printf(MSG_DEBUG, " *AT_COUNTER (%u)", 304 data->counter); 305 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, data->counter, 306 NULL, 0); 307 308 if (eap_sim_msg_add_encr_end(msg, data->k_encr, 309 EAP_SIM_AT_PADDING)) { 310 wpa_printf(MSG_WARNING, "EAP-SIM: Failed to " 311 "encrypt AT_ENCR_DATA"); 312 eap_sim_msg_free(msg); 313 return NULL; 314 } 315 } 316 317 wpa_printf(MSG_DEBUG, " AT_MAC"); 318 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC); 319 } 320 return eap_sim_msg_finish(msg, data->k_aut, NULL, 0); 321 } 322 323 324 static struct wpabuf * eap_sim_buildReq(struct eap_sm *sm, void *priv, u8 id) 325 { 326 struct eap_sim_data *data = priv; 327 328 switch (data->state) { 329 case START: 330 return eap_sim_build_start(sm, data, id); 331 case CHALLENGE: 332 return eap_sim_build_challenge(sm, data, id); 333 case REAUTH: 334 return eap_sim_build_reauth(sm, data, id); 335 case NOTIFICATION: 336 return eap_sim_build_notification(sm, data, id); 337 default: 338 wpa_printf(MSG_DEBUG, "EAP-SIM: Unknown state %d in " 339 "buildReq", data->state); 340 break; 341 } 342 return NULL; 343 } 344 345 346 static Boolean eap_sim_check(struct eap_sm *sm, void *priv, 347 struct wpabuf *respData) 348 { 349 const u8 *pos; 350 size_t len; 351 352 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_SIM, respData, &len); 353 if (pos == NULL || len < 3) { 354 wpa_printf(MSG_INFO, "EAP-SIM: Invalid frame"); 355 return TRUE; 356 } 357 358 return FALSE; 359 } 360 361 362 static Boolean eap_sim_unexpected_subtype(struct eap_sim_data *data, 363 u8 subtype) 364 { 365 if (subtype == EAP_SIM_SUBTYPE_CLIENT_ERROR) 366 return FALSE; 367 368 switch (data->state) { 369 case START: 370 if (subtype != EAP_SIM_SUBTYPE_START) { 371 wpa_printf(MSG_INFO, "EAP-SIM: Unexpected response " 372 "subtype %d", subtype); 373 return TRUE; 374 } 375 break; 376 case CHALLENGE: 377 if (subtype != EAP_SIM_SUBTYPE_CHALLENGE) { 378 wpa_printf(MSG_INFO, "EAP-SIM: Unexpected response " 379 "subtype %d", subtype); 380 return TRUE; 381 } 382 break; 383 case REAUTH: 384 if (subtype != EAP_SIM_SUBTYPE_REAUTHENTICATION) { 385 wpa_printf(MSG_INFO, "EAP-SIM: Unexpected response " 386 "subtype %d", subtype); 387 return TRUE; 388 } 389 break; 390 case NOTIFICATION: 391 if (subtype != EAP_SIM_SUBTYPE_NOTIFICATION) { 392 wpa_printf(MSG_INFO, "EAP-SIM: Unexpected response " 393 "subtype %d", subtype); 394 return TRUE; 395 } 396 break; 397 default: 398 wpa_printf(MSG_INFO, "EAP-SIM: Unexpected state (%d) for " 399 "processing a response", data->state); 400 return TRUE; 401 } 402 403 return FALSE; 404 } 405 406 407 static int eap_sim_supported_ver(struct eap_sim_data *data, int version) 408 { 409 return version == EAP_SIM_VERSION; 410 } 411 412 413 static void eap_sim_process_start(struct eap_sm *sm, 414 struct eap_sim_data *data, 415 struct wpabuf *respData, 416 struct eap_sim_attrs *attr) 417 { 418 size_t identity_len; 419 u8 ver_list[2]; 420 u8 *new_identity; 421 char *username; 422 423 wpa_printf(MSG_DEBUG, "EAP-SIM: Receive start response"); 424 425 if (data->start_round == 0) { 426 /* 427 * Special case for AT_COUNTER_TOO_SMALL recovery - no identity 428 * was requested since we already know it. 429 */ 430 goto skip_id_update; 431 } 432 433 /* 434 * We always request identity in SIM/Start, so the peer is required to 435 * have replied with one. 436 */ 437 if (!attr->identity || attr->identity_len == 0) { 438 wpa_printf(MSG_DEBUG, "EAP-SIM: Peer did not provide any " 439 "identity"); 440 goto failed; 441 } 442 443 new_identity = os_malloc(attr->identity_len); 444 if (new_identity == NULL) 445 goto failed; 446 os_free(sm->identity); 447 sm->identity = new_identity; 448 os_memcpy(sm->identity, attr->identity, attr->identity_len); 449 sm->identity_len = attr->identity_len; 450 451 wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Identity", 452 sm->identity, sm->identity_len); 453 username = sim_get_username(sm->identity, sm->identity_len); 454 if (username == NULL) 455 goto failed; 456 457 if (username[0] == EAP_SIM_REAUTH_ID_PREFIX) { 458 wpa_printf(MSG_DEBUG, "EAP-SIM: Reauth username '%s'", 459 username); 460 data->reauth = eap_sim_db_get_reauth_entry( 461 sm->eap_sim_db_priv, username); 462 os_free(username); 463 if (data->reauth == NULL) { 464 wpa_printf(MSG_DEBUG, "EAP-SIM: Unknown reauth " 465 "identity - request full auth identity"); 466 /* Remain in START state for another round */ 467 return; 468 } 469 wpa_printf(MSG_DEBUG, "EAP-SIM: Using fast re-authentication"); 470 os_strlcpy(data->permanent, data->reauth->permanent, 471 sizeof(data->permanent)); 472 data->counter = data->reauth->counter; 473 os_memcpy(data->mk, data->reauth->mk, EAP_SIM_MK_LEN); 474 eap_sim_state(data, REAUTH); 475 return; 476 } 477 478 if (username[0] == EAP_SIM_PSEUDONYM_PREFIX) { 479 const char *permanent; 480 wpa_printf(MSG_DEBUG, "EAP-SIM: Pseudonym username '%s'", 481 username); 482 permanent = eap_sim_db_get_permanent( 483 sm->eap_sim_db_priv, username); 484 os_free(username); 485 if (permanent == NULL) { 486 wpa_printf(MSG_DEBUG, "EAP-SIM: Unknown pseudonym " 487 "identity - request permanent identity"); 488 /* Remain in START state for another round */ 489 return; 490 } 491 os_strlcpy(data->permanent, permanent, 492 sizeof(data->permanent)); 493 } else if (username[0] == EAP_SIM_PERMANENT_PREFIX) { 494 wpa_printf(MSG_DEBUG, "EAP-SIM: Permanent username '%s'", 495 username); 496 os_strlcpy(data->permanent, username, sizeof(data->permanent)); 497 os_free(username); 498 } else { 499 wpa_printf(MSG_DEBUG, "EAP-SIM: Unrecognized username '%s'", 500 username); 501 os_free(username); 502 goto failed; 503 } 504 505 skip_id_update: 506 /* Full authentication */ 507 508 if (attr->nonce_mt == NULL || attr->selected_version < 0) { 509 wpa_printf(MSG_DEBUG, "EAP-SIM: Start/Response missing " 510 "required attributes"); 511 goto failed; 512 } 513 514 if (!eap_sim_supported_ver(data, attr->selected_version)) { 515 wpa_printf(MSG_DEBUG, "EAP-SIM: Peer selected unsupported " 516 "version %d", attr->selected_version); 517 goto failed; 518 } 519 520 data->counter = 0; /* reset re-auth counter since this is full auth */ 521 data->reauth = NULL; 522 523 data->num_chal = eap_sim_db_get_gsm_triplets( 524 sm->eap_sim_db_priv, data->permanent, EAP_SIM_MAX_CHAL, 525 (u8 *) data->rand, (u8 *) data->kc, (u8 *) data->sres, sm); 526 if (data->num_chal == EAP_SIM_DB_PENDING) { 527 wpa_printf(MSG_DEBUG, "EAP-SIM: GSM authentication triplets " 528 "not yet available - pending request"); 529 sm->method_pending = METHOD_PENDING_WAIT; 530 return; 531 } 532 if (data->num_chal < 2) { 533 wpa_printf(MSG_INFO, "EAP-SIM: Failed to get GSM " 534 "authentication triplets for the peer"); 535 goto failed; 536 } 537 538 identity_len = sm->identity_len; 539 while (identity_len > 0 && sm->identity[identity_len - 1] == '\0') { 540 wpa_printf(MSG_DEBUG, "EAP-SIM: Workaround - drop last null " 541 "character from identity"); 542 identity_len--; 543 } 544 wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Identity for MK derivation", 545 sm->identity, identity_len); 546 547 os_memcpy(data->nonce_mt, attr->nonce_mt, EAP_SIM_NONCE_MT_LEN); 548 WPA_PUT_BE16(ver_list, EAP_SIM_VERSION); 549 eap_sim_derive_mk(sm->identity, identity_len, attr->nonce_mt, 550 attr->selected_version, ver_list, sizeof(ver_list), 551 data->num_chal, (const u8 *) data->kc, data->mk); 552 eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut, data->msk, 553 data->emsk); 554 555 eap_sim_state(data, CHALLENGE); 556 return; 557 558 failed: 559 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH; 560 eap_sim_state(data, NOTIFICATION); 561 } 562 563 564 static void eap_sim_process_challenge(struct eap_sm *sm, 565 struct eap_sim_data *data, 566 struct wpabuf *respData, 567 struct eap_sim_attrs *attr) 568 { 569 if (attr->mac == NULL || 570 eap_sim_verify_mac(data->k_aut, respData, attr->mac, 571 (u8 *) data->sres, 572 data->num_chal * EAP_SIM_SRES_LEN)) { 573 wpa_printf(MSG_WARNING, "EAP-SIM: Challenge message " 574 "did not include valid AT_MAC"); 575 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH; 576 eap_sim_state(data, NOTIFICATION); 577 return; 578 } 579 580 wpa_printf(MSG_DEBUG, "EAP-SIM: Challenge response includes the " 581 "correct AT_MAC"); 582 if (sm->eap_sim_aka_result_ind && attr->result_ind) { 583 data->use_result_ind = 1; 584 data->notification = EAP_SIM_SUCCESS; 585 eap_sim_state(data, NOTIFICATION); 586 } else 587 eap_sim_state(data, SUCCESS); 588 589 if (data->next_pseudonym) { 590 eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, data->permanent, 591 data->next_pseudonym); 592 data->next_pseudonym = NULL; 593 } 594 if (data->next_reauth_id) { 595 eap_sim_db_add_reauth(sm->eap_sim_db_priv, data->permanent, 596 data->next_reauth_id, data->counter + 1, 597 data->mk); 598 data->next_reauth_id = NULL; 599 } 600 } 601 602 603 static void eap_sim_process_reauth(struct eap_sm *sm, 604 struct eap_sim_data *data, 605 struct wpabuf *respData, 606 struct eap_sim_attrs *attr) 607 { 608 struct eap_sim_attrs eattr; 609 u8 *decrypted = NULL; 610 611 if (attr->mac == NULL || 612 eap_sim_verify_mac(data->k_aut, respData, attr->mac, data->nonce_s, 613 EAP_SIM_NONCE_S_LEN)) { 614 wpa_printf(MSG_WARNING, "EAP-SIM: Re-authentication message " 615 "did not include valid AT_MAC"); 616 goto fail; 617 } 618 619 if (attr->encr_data == NULL || attr->iv == NULL) { 620 wpa_printf(MSG_WARNING, "EAP-SIM: Reauthentication " 621 "message did not include encrypted data"); 622 goto fail; 623 } 624 625 decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data, 626 attr->encr_data_len, attr->iv, &eattr, 627 0); 628 if (decrypted == NULL) { 629 wpa_printf(MSG_WARNING, "EAP-SIM: Failed to parse encrypted " 630 "data from reauthentication message"); 631 goto fail; 632 } 633 634 if (eattr.counter != data->counter) { 635 wpa_printf(MSG_WARNING, "EAP-SIM: Re-authentication message " 636 "used incorrect counter %u, expected %u", 637 eattr.counter, data->counter); 638 goto fail; 639 } 640 os_free(decrypted); 641 decrypted = NULL; 642 643 wpa_printf(MSG_DEBUG, "EAP-SIM: Re-authentication response includes " 644 "the correct AT_MAC"); 645 646 if (eattr.counter_too_small) { 647 wpa_printf(MSG_DEBUG, "EAP-AKA: Re-authentication response " 648 "included AT_COUNTER_TOO_SMALL - starting full " 649 "authentication"); 650 data->start_round = -1; 651 eap_sim_state(data, START); 652 return; 653 } 654 655 if (sm->eap_sim_aka_result_ind && attr->result_ind) { 656 data->use_result_ind = 1; 657 data->notification = EAP_SIM_SUCCESS; 658 eap_sim_state(data, NOTIFICATION); 659 } else 660 eap_sim_state(data, SUCCESS); 661 662 if (data->next_reauth_id) { 663 eap_sim_db_add_reauth(sm->eap_sim_db_priv, data->permanent, 664 data->next_reauth_id, 665 data->counter + 1, data->mk); 666 data->next_reauth_id = NULL; 667 } else { 668 eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth); 669 data->reauth = NULL; 670 } 671 672 return; 673 674 fail: 675 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH; 676 eap_sim_state(data, NOTIFICATION); 677 eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth); 678 data->reauth = NULL; 679 os_free(decrypted); 680 } 681 682 683 static void eap_sim_process_client_error(struct eap_sm *sm, 684 struct eap_sim_data *data, 685 struct wpabuf *respData, 686 struct eap_sim_attrs *attr) 687 { 688 wpa_printf(MSG_DEBUG, "EAP-SIM: Client reported error %d", 689 attr->client_error_code); 690 if (data->notification == EAP_SIM_SUCCESS && data->use_result_ind) 691 eap_sim_state(data, SUCCESS); 692 else 693 eap_sim_state(data, FAILURE); 694 } 695 696 697 static void eap_sim_process_notification(struct eap_sm *sm, 698 struct eap_sim_data *data, 699 struct wpabuf *respData, 700 struct eap_sim_attrs *attr) 701 { 702 wpa_printf(MSG_DEBUG, "EAP-SIM: Client replied to notification"); 703 if (data->notification == EAP_SIM_SUCCESS && data->use_result_ind) 704 eap_sim_state(data, SUCCESS); 705 else 706 eap_sim_state(data, FAILURE); 707 } 708 709 710 static void eap_sim_process(struct eap_sm *sm, void *priv, 711 struct wpabuf *respData) 712 { 713 struct eap_sim_data *data = priv; 714 const u8 *pos, *end; 715 u8 subtype; 716 size_t len; 717 struct eap_sim_attrs attr; 718 719 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_SIM, respData, &len); 720 if (pos == NULL || len < 3) 721 return; 722 723 end = pos + len; 724 subtype = *pos; 725 pos += 3; 726 727 if (eap_sim_unexpected_subtype(data, subtype)) { 728 wpa_printf(MSG_DEBUG, "EAP-SIM: Unrecognized or unexpected " 729 "EAP-SIM Subtype in EAP Response"); 730 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH; 731 eap_sim_state(data, NOTIFICATION); 732 return; 733 } 734 735 if (eap_sim_parse_attr(pos, end, &attr, 0, 0)) { 736 wpa_printf(MSG_DEBUG, "EAP-SIM: Failed to parse attributes"); 737 if (subtype != EAP_SIM_SUBTYPE_CLIENT_ERROR && 738 (data->state == START || data->state == CHALLENGE || 739 data->state == REAUTH)) { 740 data->notification = 741 EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH; 742 eap_sim_state(data, NOTIFICATION); 743 return; 744 } 745 eap_sim_state(data, FAILURE); 746 return; 747 } 748 749 if (subtype == EAP_SIM_SUBTYPE_CLIENT_ERROR) { 750 eap_sim_process_client_error(sm, data, respData, &attr); 751 return; 752 } 753 754 switch (data->state) { 755 case START: 756 eap_sim_process_start(sm, data, respData, &attr); 757 break; 758 case CHALLENGE: 759 eap_sim_process_challenge(sm, data, respData, &attr); 760 break; 761 case REAUTH: 762 eap_sim_process_reauth(sm, data, respData, &attr); 763 break; 764 case NOTIFICATION: 765 eap_sim_process_notification(sm, data, respData, &attr); 766 break; 767 default: 768 wpa_printf(MSG_DEBUG, "EAP-SIM: Unknown state %d in " 769 "process", data->state); 770 break; 771 } 772 } 773 774 775 static Boolean eap_sim_isDone(struct eap_sm *sm, void *priv) 776 { 777 struct eap_sim_data *data = priv; 778 return data->state == SUCCESS || data->state == FAILURE; 779 } 780 781 782 static u8 * eap_sim_getKey(struct eap_sm *sm, void *priv, size_t *len) 783 { 784 struct eap_sim_data *data = priv; 785 u8 *key; 786 787 if (data->state != SUCCESS) 788 return NULL; 789 790 key = os_malloc(EAP_SIM_KEYING_DATA_LEN); 791 if (key == NULL) 792 return NULL; 793 os_memcpy(key, data->msk, EAP_SIM_KEYING_DATA_LEN); 794 *len = EAP_SIM_KEYING_DATA_LEN; 795 return key; 796 } 797 798 799 static u8 * eap_sim_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 800 { 801 struct eap_sim_data *data = priv; 802 u8 *key; 803 804 if (data->state != SUCCESS) 805 return NULL; 806 807 key = os_malloc(EAP_EMSK_LEN); 808 if (key == NULL) 809 return NULL; 810 os_memcpy(key, data->emsk, EAP_EMSK_LEN); 811 *len = EAP_EMSK_LEN; 812 return key; 813 } 814 815 816 static Boolean eap_sim_isSuccess(struct eap_sm *sm, void *priv) 817 { 818 struct eap_sim_data *data = priv; 819 return data->state == SUCCESS; 820 } 821 822 823 int eap_server_sim_register(void) 824 { 825 struct eap_method *eap; 826 int ret; 827 828 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION, 829 EAP_VENDOR_IETF, EAP_TYPE_SIM, "SIM"); 830 if (eap == NULL) 831 return -1; 832 833 eap->init = eap_sim_init; 834 eap->reset = eap_sim_reset; 835 eap->buildReq = eap_sim_buildReq; 836 eap->check = eap_sim_check; 837 eap->process = eap_sim_process; 838 eap->isDone = eap_sim_isDone; 839 eap->getKey = eap_sim_getKey; 840 eap->isSuccess = eap_sim_isSuccess; 841 eap->get_emsk = eap_sim_get_emsk; 842 843 ret = eap_server_method_register(eap); 844 if (ret) 845 eap_server_method_free(eap); 846 return ret; 847 } 848