1 /*
2 * hostapd / EAP-AKA (RFC 4187) and EAP-AKA' (RFC 5448)
3 * Copyright (c) 2005-2012, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/sha256.h"
13 #include "crypto/crypto.h"
14 #include "crypto/random.h"
15 #include "eap_common/eap_sim_common.h"
16 #include "eap_server/eap_i.h"
17 #include "eap_server/eap_sim_db.h"
18
19
20 struct eap_aka_data {
21 u8 mk[EAP_SIM_MK_LEN];
22 u8 nonce_s[EAP_SIM_NONCE_S_LEN];
23 u8 k_aut[EAP_AKA_PRIME_K_AUT_LEN];
24 u8 k_encr[EAP_SIM_K_ENCR_LEN];
25 u8 k_re[EAP_AKA_PRIME_K_RE_LEN]; /* EAP-AKA' only */
26 u8 msk[EAP_SIM_KEYING_DATA_LEN];
27 u8 emsk[EAP_EMSK_LEN];
28 u8 rand[EAP_AKA_RAND_LEN];
29 u8 autn[EAP_AKA_AUTN_LEN];
30 u8 ck[EAP_AKA_CK_LEN];
31 u8 ik[EAP_AKA_IK_LEN];
32 u8 res[EAP_AKA_RES_MAX_LEN];
33 u8 reauth_mac[EAP_SIM_MAC_LEN];
34 size_t res_len;
35 enum {
36 IDENTITY, CHALLENGE, REAUTH, NOTIFICATION, SUCCESS, FAILURE
37 } state;
38 char *next_pseudonym;
39 char *next_reauth_id;
40 u16 counter;
41 struct eap_sim_reauth *reauth;
42 int auts_reported; /* whether the current AUTS has been reported to the
43 * eap_sim_db */
44 u16 notification;
45 int use_result_ind;
46
47 struct wpabuf *id_msgs;
48 int pending_id;
49 u8 eap_method;
50 u8 *network_name;
51 size_t network_name_len;
52 u16 kdf;
53 int identity_round;
54 char permanent[20]; /* Permanent username */
55 };
56
57
58 static void eap_aka_fullauth(struct eap_sm *sm, struct eap_aka_data *data);
59
60
eap_aka_state_txt(int state)61 static const char * eap_aka_state_txt(int state)
62 {
63 switch (state) {
64 case IDENTITY:
65 return "IDENTITY";
66 case CHALLENGE:
67 return "CHALLENGE";
68 case REAUTH:
69 return "REAUTH";
70 case SUCCESS:
71 return "SUCCESS";
72 case FAILURE:
73 return "FAILURE";
74 case NOTIFICATION:
75 return "NOTIFICATION";
76 default:
77 return "Unknown?!";
78 }
79 }
80
81
eap_aka_state(struct eap_aka_data * data,int state)82 static void eap_aka_state(struct eap_aka_data *data, int state)
83 {
84 wpa_printf(MSG_DEBUG, "EAP-AKA: %s -> %s",
85 eap_aka_state_txt(data->state),
86 eap_aka_state_txt(state));
87 data->state = state;
88 }
89
90
eap_aka_check_identity_reauth(struct eap_sm * sm,struct eap_aka_data * data,const char * username)91 static int eap_aka_check_identity_reauth(struct eap_sm *sm,
92 struct eap_aka_data *data,
93 const char *username)
94 {
95 if (data->eap_method == EAP_TYPE_AKA_PRIME &&
96 username[0] != EAP_AKA_PRIME_REAUTH_ID_PREFIX)
97 return 0;
98 if (data->eap_method == EAP_TYPE_AKA &&
99 username[0] != EAP_AKA_REAUTH_ID_PREFIX)
100 return 0;
101
102 wpa_printf(MSG_DEBUG, "EAP-AKA: Reauth username '%s'", username);
103 data->reauth = eap_sim_db_get_reauth_entry(sm->eap_sim_db_priv,
104 username);
105 if (data->reauth == NULL) {
106 wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown reauth identity - "
107 "request full auth identity");
108 /* Remain in IDENTITY state for another round */
109 return 0;
110 }
111
112 wpa_printf(MSG_DEBUG, "EAP-AKA: Using fast re-authentication");
113 os_strlcpy(data->permanent, data->reauth->permanent,
114 sizeof(data->permanent));
115 data->counter = data->reauth->counter;
116 if (data->eap_method == EAP_TYPE_AKA_PRIME) {
117 os_memcpy(data->k_encr, data->reauth->k_encr,
118 EAP_SIM_K_ENCR_LEN);
119 os_memcpy(data->k_aut, data->reauth->k_aut,
120 EAP_AKA_PRIME_K_AUT_LEN);
121 os_memcpy(data->k_re, data->reauth->k_re,
122 EAP_AKA_PRIME_K_RE_LEN);
123 } else {
124 os_memcpy(data->mk, data->reauth->mk, EAP_SIM_MK_LEN);
125 }
126
127 eap_aka_state(data, REAUTH);
128 return 1;
129 }
130
131
eap_aka_check_identity(struct eap_sm * sm,struct eap_aka_data * data)132 static void eap_aka_check_identity(struct eap_sm *sm,
133 struct eap_aka_data *data)
134 {
135 char *username;
136
137 /* Check if we already know the identity from EAP-Response/Identity */
138
139 username = sim_get_username(sm->identity, sm->identity_len);
140 if (username == NULL)
141 return;
142
143 if (eap_aka_check_identity_reauth(sm, data, username) > 0) {
144 os_free(username);
145 /*
146 * Since re-auth username was recognized, skip AKA/Identity
147 * exchange.
148 */
149 return;
150 }
151
152 if ((data->eap_method == EAP_TYPE_AKA_PRIME &&
153 username[0] == EAP_AKA_PRIME_PSEUDONYM_PREFIX) ||
154 (data->eap_method == EAP_TYPE_AKA &&
155 username[0] == EAP_AKA_PSEUDONYM_PREFIX)) {
156 const char *permanent;
157 wpa_printf(MSG_DEBUG, "EAP-AKA: Pseudonym username '%s'",
158 username);
159 permanent = eap_sim_db_get_permanent(
160 sm->eap_sim_db_priv, username);
161 if (permanent == NULL) {
162 os_free(username);
163 wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown pseudonym "
164 "identity - request permanent identity");
165 /* Remain in IDENTITY state for another round */
166 return;
167 }
168 os_strlcpy(data->permanent, permanent,
169 sizeof(data->permanent));
170 /*
171 * Since pseudonym username was recognized, skip AKA/Identity
172 * exchange.
173 */
174 eap_aka_fullauth(sm, data);
175 }
176
177 os_free(username);
178 }
179
180
eap_aka_init(struct eap_sm * sm)181 static void * eap_aka_init(struct eap_sm *sm)
182 {
183 struct eap_aka_data *data;
184
185 if (sm->eap_sim_db_priv == NULL) {
186 wpa_printf(MSG_WARNING, "EAP-AKA: eap_sim_db not configured");
187 return NULL;
188 }
189
190 data = os_zalloc(sizeof(*data));
191 if (data == NULL)
192 return NULL;
193
194 data->eap_method = EAP_TYPE_AKA;
195
196 data->state = IDENTITY;
197 data->pending_id = -1;
198 eap_aka_check_identity(sm, data);
199
200 return data;
201 }
202
203
204 #ifdef EAP_SERVER_AKA_PRIME
eap_aka_prime_init(struct eap_sm * sm)205 static void * eap_aka_prime_init(struct eap_sm *sm)
206 {
207 struct eap_aka_data *data;
208 /* TODO: make ANID configurable; see 3GPP TS 24.302 */
209 char *network_name = "WLAN";
210
211 if (sm->eap_sim_db_priv == NULL) {
212 wpa_printf(MSG_WARNING, "EAP-AKA: eap_sim_db not configured");
213 return NULL;
214 }
215
216 data = os_zalloc(sizeof(*data));
217 if (data == NULL)
218 return NULL;
219
220 data->eap_method = EAP_TYPE_AKA_PRIME;
221 data->network_name = (u8 *) os_strdup(network_name);
222 if (data->network_name == NULL) {
223 os_free(data);
224 return NULL;
225 }
226
227 data->network_name_len = os_strlen(network_name);
228
229 data->state = IDENTITY;
230 data->pending_id = -1;
231 eap_aka_check_identity(sm, data);
232
233 return data;
234 }
235 #endif /* EAP_SERVER_AKA_PRIME */
236
237
eap_aka_reset(struct eap_sm * sm,void * priv)238 static void eap_aka_reset(struct eap_sm *sm, void *priv)
239 {
240 struct eap_aka_data *data = priv;
241 os_free(data->next_pseudonym);
242 os_free(data->next_reauth_id);
243 wpabuf_free(data->id_msgs);
244 os_free(data->network_name);
245 bin_clear_free(data, sizeof(*data));
246 }
247
248
eap_aka_add_id_msg(struct eap_aka_data * data,const struct wpabuf * msg)249 static int eap_aka_add_id_msg(struct eap_aka_data *data,
250 const struct wpabuf *msg)
251 {
252 if (msg == NULL)
253 return -1;
254
255 if (data->id_msgs == NULL) {
256 data->id_msgs = wpabuf_dup(msg);
257 return data->id_msgs == NULL ? -1 : 0;
258 }
259
260 if (wpabuf_resize(&data->id_msgs, wpabuf_len(msg)) < 0)
261 return -1;
262 wpabuf_put_buf(data->id_msgs, msg);
263
264 return 0;
265 }
266
267
eap_aka_add_checkcode(struct eap_aka_data * data,struct eap_sim_msg * msg)268 static void eap_aka_add_checkcode(struct eap_aka_data *data,
269 struct eap_sim_msg *msg)
270 {
271 const u8 *addr;
272 size_t len;
273 u8 hash[SHA256_MAC_LEN];
274
275 wpa_printf(MSG_DEBUG, " AT_CHECKCODE");
276
277 if (data->id_msgs == NULL) {
278 /*
279 * No EAP-AKA/Identity packets were exchanged - send empty
280 * checkcode.
281 */
282 eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, NULL, 0);
283 return;
284 }
285
286 /* Checkcode is SHA1 hash over all EAP-AKA/Identity packets. */
287 addr = wpabuf_head(data->id_msgs);
288 len = wpabuf_len(data->id_msgs);
289 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA: AT_CHECKCODE data", addr, len);
290 if (data->eap_method == EAP_TYPE_AKA_PRIME)
291 sha256_vector(1, &addr, &len, hash);
292 else
293 sha1_vector(1, &addr, &len, hash);
294
295 eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, hash,
296 data->eap_method == EAP_TYPE_AKA_PRIME ?
297 EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN);
298 }
299
300
eap_aka_verify_checkcode(struct eap_aka_data * data,const u8 * checkcode,size_t checkcode_len)301 static int eap_aka_verify_checkcode(struct eap_aka_data *data,
302 const u8 *checkcode, size_t checkcode_len)
303 {
304 const u8 *addr;
305 size_t len;
306 u8 hash[SHA256_MAC_LEN];
307 size_t hash_len;
308
309 if (checkcode == NULL)
310 return -1;
311
312 if (data->id_msgs == NULL) {
313 if (checkcode_len != 0) {
314 wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from peer "
315 "indicates that AKA/Identity messages were "
316 "used, but they were not");
317 return -1;
318 }
319 return 0;
320 }
321
322 hash_len = data->eap_method == EAP_TYPE_AKA_PRIME ?
323 EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN;
324
325 if (checkcode_len != hash_len) {
326 wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from peer indicates "
327 "that AKA/Identity message were not used, but they "
328 "were");
329 return -1;
330 }
331
332 /* Checkcode is SHA1 hash over all EAP-AKA/Identity packets. */
333 addr = wpabuf_head(data->id_msgs);
334 len = wpabuf_len(data->id_msgs);
335 if (data->eap_method == EAP_TYPE_AKA_PRIME)
336 sha256_vector(1, &addr, &len, hash);
337 else
338 sha1_vector(1, &addr, &len, hash);
339
340 if (os_memcmp_const(hash, checkcode, hash_len) != 0) {
341 wpa_printf(MSG_DEBUG, "EAP-AKA: Mismatch in AT_CHECKCODE");
342 return -1;
343 }
344
345 return 0;
346 }
347
348
eap_aka_build_identity(struct eap_sm * sm,struct eap_aka_data * data,u8 id)349 static struct wpabuf * eap_aka_build_identity(struct eap_sm *sm,
350 struct eap_aka_data *data, u8 id)
351 {
352 struct eap_sim_msg *msg;
353 struct wpabuf *buf;
354
355 wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Identity");
356 msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method,
357 EAP_AKA_SUBTYPE_IDENTITY);
358 data->identity_round++;
359 if (data->identity_round == 1) {
360 /*
361 * RFC 4187, Chap. 4.1.4 recommends that identity from EAP is
362 * ignored and the AKA/Identity is used to request the
363 * identity.
364 */
365 wpa_printf(MSG_DEBUG, " AT_ANY_ID_REQ");
366 eap_sim_msg_add(msg, EAP_SIM_AT_ANY_ID_REQ, 0, NULL, 0);
367 } else if (data->identity_round > 3) {
368 /* Cannot use more than three rounds of Identity messages */
369 eap_sim_msg_free(msg);
370 return NULL;
371 } else if (sm->identity && sm->identity_len > 0 &&
372 (sm->identity[0] == EAP_AKA_REAUTH_ID_PREFIX ||
373 sm->identity[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX)) {
374 /* Reauth id may have expired - try fullauth */
375 wpa_printf(MSG_DEBUG, " AT_FULLAUTH_ID_REQ");
376 eap_sim_msg_add(msg, EAP_SIM_AT_FULLAUTH_ID_REQ, 0, NULL, 0);
377 } else {
378 wpa_printf(MSG_DEBUG, " AT_PERMANENT_ID_REQ");
379 eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0);
380 }
381 buf = eap_sim_msg_finish(msg, data->eap_method, NULL, NULL, 0);
382 if (eap_aka_add_id_msg(data, buf) < 0) {
383 wpabuf_free(buf);
384 return NULL;
385 }
386 data->pending_id = id;
387 return buf;
388 }
389
390
eap_aka_build_encr(struct eap_sm * sm,struct eap_aka_data * data,struct eap_sim_msg * msg,u16 counter,const u8 * nonce_s)391 static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
392 struct eap_sim_msg *msg, u16 counter,
393 const u8 *nonce_s)
394 {
395 os_free(data->next_pseudonym);
396 if (!(sm->eap_sim_id & 0x01)) {
397 /* Use of pseudonyms disabled in configuration */
398 data->next_pseudonym = NULL;
399 } else if (!nonce_s) {
400 data->next_pseudonym =
401 eap_sim_db_get_next_pseudonym(
402 sm->eap_sim_db_priv,
403 data->eap_method == EAP_TYPE_AKA_PRIME ?
404 EAP_SIM_DB_AKA_PRIME : EAP_SIM_DB_AKA);
405 } else {
406 /* Do not update pseudonym during re-authentication */
407 data->next_pseudonym = NULL;
408 }
409 os_free(data->next_reauth_id);
410 if (!(sm->eap_sim_id & 0x02)) {
411 /* Use of fast reauth disabled in configuration */
412 data->next_reauth_id = NULL;
413 } else if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
414 data->next_reauth_id =
415 eap_sim_db_get_next_reauth_id(
416 sm->eap_sim_db_priv,
417 data->eap_method == EAP_TYPE_AKA_PRIME ?
418 EAP_SIM_DB_AKA_PRIME : EAP_SIM_DB_AKA);
419 } else {
420 wpa_printf(MSG_DEBUG, "EAP-AKA: Max fast re-authentication "
421 "count exceeded - force full authentication");
422 data->next_reauth_id = NULL;
423 }
424
425 if (data->next_pseudonym == NULL && data->next_reauth_id == NULL &&
426 counter == 0 && nonce_s == NULL)
427 return 0;
428
429 wpa_printf(MSG_DEBUG, " AT_IV");
430 wpa_printf(MSG_DEBUG, " AT_ENCR_DATA");
431 eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV, EAP_SIM_AT_ENCR_DATA);
432
433 if (counter > 0) {
434 wpa_printf(MSG_DEBUG, " *AT_COUNTER (%u)", counter);
435 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, counter, NULL, 0);
436 }
437
438 if (nonce_s) {
439 wpa_printf(MSG_DEBUG, " *AT_NONCE_S");
440 eap_sim_msg_add(msg, EAP_SIM_AT_NONCE_S, 0, nonce_s,
441 EAP_SIM_NONCE_S_LEN);
442 }
443
444 if (data->next_pseudonym) {
445 wpa_printf(MSG_DEBUG, " *AT_NEXT_PSEUDONYM (%s)",
446 data->next_pseudonym);
447 eap_sim_msg_add(msg, EAP_SIM_AT_NEXT_PSEUDONYM,
448 os_strlen(data->next_pseudonym),
449 (u8 *) data->next_pseudonym,
450 os_strlen(data->next_pseudonym));
451 }
452
453 if (data->next_reauth_id) {
454 wpa_printf(MSG_DEBUG, " *AT_NEXT_REAUTH_ID (%s)",
455 data->next_reauth_id);
456 eap_sim_msg_add(msg, EAP_SIM_AT_NEXT_REAUTH_ID,
457 os_strlen(data->next_reauth_id),
458 (u8 *) data->next_reauth_id,
459 os_strlen(data->next_reauth_id));
460 }
461
462 if (eap_sim_msg_add_encr_end(msg, data->k_encr, EAP_SIM_AT_PADDING)) {
463 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to encrypt "
464 "AT_ENCR_DATA");
465 return -1;
466 }
467
468 return 0;
469 }
470
471
eap_aka_build_challenge(struct eap_sm * sm,struct eap_aka_data * data,u8 id)472 static struct wpabuf * eap_aka_build_challenge(struct eap_sm *sm,
473 struct eap_aka_data *data,
474 u8 id)
475 {
476 struct eap_sim_msg *msg;
477
478 wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Challenge");
479 msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method,
480 EAP_AKA_SUBTYPE_CHALLENGE);
481 wpa_printf(MSG_DEBUG, " AT_RAND");
482 eap_sim_msg_add(msg, EAP_SIM_AT_RAND, 0, data->rand, EAP_AKA_RAND_LEN);
483 wpa_printf(MSG_DEBUG, " AT_AUTN");
484 eap_sim_msg_add(msg, EAP_SIM_AT_AUTN, 0, data->autn, EAP_AKA_AUTN_LEN);
485 if (data->eap_method == EAP_TYPE_AKA_PRIME) {
486 if (data->kdf) {
487 /* Add the selected KDF into the beginning */
488 wpa_printf(MSG_DEBUG, " AT_KDF");
489 eap_sim_msg_add(msg, EAP_SIM_AT_KDF, data->kdf,
490 NULL, 0);
491 }
492 wpa_printf(MSG_DEBUG, " AT_KDF");
493 eap_sim_msg_add(msg, EAP_SIM_AT_KDF, EAP_AKA_PRIME_KDF,
494 NULL, 0);
495 wpa_printf(MSG_DEBUG, " AT_KDF_INPUT");
496 eap_sim_msg_add(msg, EAP_SIM_AT_KDF_INPUT,
497 data->network_name_len,
498 data->network_name, data->network_name_len);
499 }
500
501 if (eap_aka_build_encr(sm, data, msg, 0, NULL)) {
502 eap_sim_msg_free(msg);
503 return NULL;
504 }
505
506 eap_aka_add_checkcode(data, msg);
507
508 if (sm->eap_sim_aka_result_ind) {
509 wpa_printf(MSG_DEBUG, " AT_RESULT_IND");
510 eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
511 }
512
513 #ifdef EAP_SERVER_AKA_PRIME
514 if (data->eap_method == EAP_TYPE_AKA) {
515 u16 flags = 0;
516 int i;
517 int aka_prime_preferred = 0;
518
519 i = 0;
520 while (sm->user && i < EAP_MAX_METHODS &&
521 (sm->user->methods[i].vendor != EAP_VENDOR_IETF ||
522 sm->user->methods[i].method != EAP_TYPE_NONE)) {
523 if (sm->user->methods[i].vendor == EAP_VENDOR_IETF) {
524 if (sm->user->methods[i].method ==
525 EAP_TYPE_AKA)
526 break;
527 if (sm->user->methods[i].method ==
528 EAP_TYPE_AKA_PRIME) {
529 aka_prime_preferred = 1;
530 break;
531 }
532 }
533 i++;
534 }
535
536 if (aka_prime_preferred)
537 flags |= EAP_AKA_BIDDING_FLAG_D;
538 eap_sim_msg_add(msg, EAP_SIM_AT_BIDDING, flags, NULL, 0);
539 }
540 #endif /* EAP_SERVER_AKA_PRIME */
541
542 wpa_printf(MSG_DEBUG, " AT_MAC");
543 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
544 return eap_sim_msg_finish(msg, data->eap_method, data->k_aut, NULL, 0);
545 }
546
547
eap_aka_build_reauth(struct eap_sm * sm,struct eap_aka_data * data,u8 id)548 static struct wpabuf * eap_aka_build_reauth(struct eap_sm *sm,
549 struct eap_aka_data *data, u8 id)
550 {
551 struct eap_sim_msg *msg;
552 struct wpabuf *buf;
553
554 wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Re-authentication");
555
556 if (random_get_bytes(data->nonce_s, EAP_SIM_NONCE_S_LEN))
557 return NULL;
558 wpa_hexdump_key(MSG_MSGDUMP, "EAP-AKA: NONCE_S",
559 data->nonce_s, EAP_SIM_NONCE_S_LEN);
560
561 if (data->eap_method == EAP_TYPE_AKA_PRIME) {
562 eap_aka_prime_derive_keys_reauth(data->k_re, data->counter,
563 sm->identity,
564 sm->identity_len,
565 data->nonce_s,
566 data->msk, data->emsk);
567 } else {
568 eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut,
569 data->msk, data->emsk);
570 eap_sim_derive_keys_reauth(data->counter, sm->identity,
571 sm->identity_len, data->nonce_s,
572 data->mk, data->msk, data->emsk);
573 }
574
575 msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method,
576 EAP_AKA_SUBTYPE_REAUTHENTICATION);
577
578 if (eap_aka_build_encr(sm, data, msg, data->counter, data->nonce_s)) {
579 eap_sim_msg_free(msg);
580 return NULL;
581 }
582
583 eap_aka_add_checkcode(data, msg);
584
585 if (sm->eap_sim_aka_result_ind) {
586 wpa_printf(MSG_DEBUG, " AT_RESULT_IND");
587 eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
588 }
589
590 wpa_printf(MSG_DEBUG, " AT_MAC");
591 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
592 buf = eap_sim_msg_finish(msg, data->eap_method, data->k_aut, NULL, 0);
593
594 /* Remember this MAC before sending it to the peer. This MAC is used for
595 * Session-Id calculation after receiving response from the peer and
596 * after all other checks pass. */
597 os_memcpy(data->reauth_mac,
598 wpabuf_head_u8(buf) + wpabuf_len(buf) - EAP_SIM_MAC_LEN,
599 EAP_SIM_MAC_LEN);
600
601 return buf;
602 }
603
604
eap_aka_build_notification(struct eap_sm * sm,struct eap_aka_data * data,u8 id)605 static struct wpabuf * eap_aka_build_notification(struct eap_sm *sm,
606 struct eap_aka_data *data,
607 u8 id)
608 {
609 struct eap_sim_msg *msg;
610
611 wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Notification");
612 msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method,
613 EAP_AKA_SUBTYPE_NOTIFICATION);
614 wpa_printf(MSG_DEBUG, " AT_NOTIFICATION (%d)", data->notification);
615 eap_sim_msg_add(msg, EAP_SIM_AT_NOTIFICATION, data->notification,
616 NULL, 0);
617 if (data->use_result_ind) {
618 if (data->reauth) {
619 wpa_printf(MSG_DEBUG, " AT_IV");
620 wpa_printf(MSG_DEBUG, " AT_ENCR_DATA");
621 eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV,
622 EAP_SIM_AT_ENCR_DATA);
623 wpa_printf(MSG_DEBUG, " *AT_COUNTER (%u)",
624 data->counter);
625 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, data->counter,
626 NULL, 0);
627
628 if (eap_sim_msg_add_encr_end(msg, data->k_encr,
629 EAP_SIM_AT_PADDING)) {
630 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to "
631 "encrypt AT_ENCR_DATA");
632 eap_sim_msg_free(msg);
633 return NULL;
634 }
635 }
636
637 wpa_printf(MSG_DEBUG, " AT_MAC");
638 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
639 }
640 return eap_sim_msg_finish(msg, data->eap_method, data->k_aut, NULL, 0);
641 }
642
643
eap_aka_buildReq(struct eap_sm * sm,void * priv,u8 id)644 static struct wpabuf * eap_aka_buildReq(struct eap_sm *sm, void *priv, u8 id)
645 {
646 struct eap_aka_data *data = priv;
647
648 data->auts_reported = 0;
649 switch (data->state) {
650 case IDENTITY:
651 return eap_aka_build_identity(sm, data, id);
652 case CHALLENGE:
653 return eap_aka_build_challenge(sm, data, id);
654 case REAUTH:
655 return eap_aka_build_reauth(sm, data, id);
656 case NOTIFICATION:
657 return eap_aka_build_notification(sm, data, id);
658 default:
659 wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown state %d in "
660 "buildReq", data->state);
661 break;
662 }
663 return NULL;
664 }
665
666
eap_aka_check(struct eap_sm * sm,void * priv,struct wpabuf * respData)667 static Boolean eap_aka_check(struct eap_sm *sm, void *priv,
668 struct wpabuf *respData)
669 {
670 struct eap_aka_data *data = priv;
671 const u8 *pos;
672 size_t len;
673
674 pos = eap_hdr_validate(EAP_VENDOR_IETF, data->eap_method, respData,
675 &len);
676 if (pos == NULL || len < 3) {
677 wpa_printf(MSG_INFO, "EAP-AKA: Invalid frame");
678 return TRUE;
679 }
680
681 return FALSE;
682 }
683
684
eap_aka_subtype_ok(struct eap_aka_data * data,u8 subtype)685 static Boolean eap_aka_subtype_ok(struct eap_aka_data *data, u8 subtype)
686 {
687 if (subtype == EAP_AKA_SUBTYPE_CLIENT_ERROR ||
688 subtype == EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT)
689 return FALSE;
690
691 switch (data->state) {
692 case IDENTITY:
693 if (subtype != EAP_AKA_SUBTYPE_IDENTITY) {
694 wpa_printf(MSG_INFO, "EAP-AKA: Unexpected response "
695 "subtype %d", subtype);
696 return TRUE;
697 }
698 break;
699 case CHALLENGE:
700 if (subtype != EAP_AKA_SUBTYPE_CHALLENGE &&
701 subtype != EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE) {
702 wpa_printf(MSG_INFO, "EAP-AKA: Unexpected response "
703 "subtype %d", subtype);
704 return TRUE;
705 }
706 break;
707 case REAUTH:
708 if (subtype != EAP_AKA_SUBTYPE_REAUTHENTICATION) {
709 wpa_printf(MSG_INFO, "EAP-AKA: Unexpected response "
710 "subtype %d", subtype);
711 return TRUE;
712 }
713 break;
714 case NOTIFICATION:
715 if (subtype != EAP_AKA_SUBTYPE_NOTIFICATION) {
716 wpa_printf(MSG_INFO, "EAP-AKA: Unexpected response "
717 "subtype %d", subtype);
718 return TRUE;
719 }
720 break;
721 default:
722 wpa_printf(MSG_INFO, "EAP-AKA: Unexpected state (%d) for "
723 "processing a response", data->state);
724 return TRUE;
725 }
726
727 return FALSE;
728 }
729
730
eap_aka_determine_identity(struct eap_sm * sm,struct eap_aka_data * data)731 static void eap_aka_determine_identity(struct eap_sm *sm,
732 struct eap_aka_data *data)
733 {
734 char *username;
735
736 wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Identity",
737 sm->identity, sm->identity_len);
738
739 username = sim_get_username(sm->identity, sm->identity_len);
740 if (username == NULL) {
741 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
742 eap_aka_state(data, NOTIFICATION);
743 return;
744 }
745
746 if (eap_aka_check_identity_reauth(sm, data, username) > 0) {
747 os_free(username);
748 return;
749 }
750
751 if (((data->eap_method == EAP_TYPE_AKA_PRIME &&
752 username[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX) ||
753 (data->eap_method == EAP_TYPE_AKA &&
754 username[0] == EAP_AKA_REAUTH_ID_PREFIX)) &&
755 data->identity_round == 1) {
756 /* Remain in IDENTITY state for another round to request full
757 * auth identity since we did not recognize reauth id */
758 os_free(username);
759 return;
760 }
761
762 if ((data->eap_method == EAP_TYPE_AKA_PRIME &&
763 username[0] == EAP_AKA_PRIME_PSEUDONYM_PREFIX) ||
764 (data->eap_method == EAP_TYPE_AKA &&
765 username[0] == EAP_AKA_PSEUDONYM_PREFIX)) {
766 const char *permanent;
767 wpa_printf(MSG_DEBUG, "EAP-AKA: Pseudonym username '%s'",
768 username);
769 permanent = eap_sim_db_get_permanent(
770 sm->eap_sim_db_priv, username);
771 os_free(username);
772 if (permanent == NULL) {
773 wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown pseudonym "
774 "identity - request permanent identity");
775 /* Remain in IDENTITY state for another round */
776 return;
777 }
778 os_strlcpy(data->permanent, permanent,
779 sizeof(data->permanent));
780 } else if ((data->eap_method == EAP_TYPE_AKA_PRIME &&
781 username[0] == EAP_AKA_PRIME_PERMANENT_PREFIX) ||
782 (data->eap_method == EAP_TYPE_AKA &&
783 username[0] == EAP_AKA_PERMANENT_PREFIX)) {
784 wpa_printf(MSG_DEBUG, "EAP-AKA: Permanent username '%s'",
785 username);
786 os_strlcpy(data->permanent, username, sizeof(data->permanent));
787 os_free(username);
788 } else {
789 wpa_printf(MSG_DEBUG, "EAP-AKA: Unrecognized username '%s'",
790 username);
791 os_free(username);
792 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
793 eap_aka_state(data, NOTIFICATION);
794 return;
795 }
796
797 eap_aka_fullauth(sm, data);
798 }
799
800
eap_aka_fullauth(struct eap_sm * sm,struct eap_aka_data * data)801 static void eap_aka_fullauth(struct eap_sm *sm, struct eap_aka_data *data)
802 {
803 size_t identity_len;
804 int res;
805
806 res = eap_sim_db_get_aka_auth(sm->eap_sim_db_priv, data->permanent,
807 data->rand, data->autn, data->ik,
808 data->ck, data->res, &data->res_len, sm);
809 if (res == EAP_SIM_DB_PENDING) {
810 wpa_printf(MSG_DEBUG, "EAP-AKA: AKA authentication data "
811 "not yet available - pending request");
812 sm->method_pending = METHOD_PENDING_WAIT;
813 return;
814 }
815
816 if (data->permanent[0] == EAP_AKA_PERMANENT_PREFIX ||
817 data->permanent[0] == EAP_AKA_PRIME_PERMANENT_PREFIX)
818 os_strlcpy(sm->imsi, &data->permanent[1], sizeof(sm->imsi));
819
820 #ifdef EAP_SERVER_AKA_PRIME
821 if (data->eap_method == EAP_TYPE_AKA_PRIME) {
822 /* Note: AUTN = (SQN ^ AK) || AMF || MAC which gives us the
823 * needed 6-octet SQN ^AK for CK',IK' derivation */
824 eap_aka_prime_derive_ck_ik_prime(data->ck, data->ik,
825 data->autn,
826 data->network_name,
827 data->network_name_len);
828 }
829 #endif /* EAP_SERVER_AKA_PRIME */
830
831 data->reauth = NULL;
832 data->counter = 0; /* reset re-auth counter since this is full auth */
833
834 if (res != 0) {
835 wpa_printf(MSG_INFO, "EAP-AKA: Failed to get AKA "
836 "authentication data for the peer");
837 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
838 eap_aka_state(data, NOTIFICATION);
839 return;
840 }
841 if (sm->method_pending == METHOD_PENDING_WAIT) {
842 wpa_printf(MSG_DEBUG, "EAP-AKA: AKA authentication data "
843 "available - abort pending wait");
844 sm->method_pending = METHOD_PENDING_NONE;
845 }
846
847 identity_len = sm->identity_len;
848 while (identity_len > 0 && sm->identity[identity_len - 1] == '\0') {
849 wpa_printf(MSG_DEBUG, "EAP-AKA: Workaround - drop last null "
850 "character from identity");
851 identity_len--;
852 }
853 wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Identity for MK derivation",
854 sm->identity, identity_len);
855
856 if (data->eap_method == EAP_TYPE_AKA_PRIME) {
857 eap_aka_prime_derive_keys(sm->identity, identity_len, data->ik,
858 data->ck, data->k_encr, data->k_aut,
859 data->k_re, data->msk, data->emsk);
860 } else {
861 eap_aka_derive_mk(sm->identity, identity_len, data->ik,
862 data->ck, data->mk);
863 eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut,
864 data->msk, data->emsk);
865 }
866
867 eap_aka_state(data, CHALLENGE);
868 }
869
870
eap_aka_process_identity(struct eap_sm * sm,struct eap_aka_data * data,struct wpabuf * respData,struct eap_sim_attrs * attr)871 static void eap_aka_process_identity(struct eap_sm *sm,
872 struct eap_aka_data *data,
873 struct wpabuf *respData,
874 struct eap_sim_attrs *attr)
875 {
876 u8 *new_identity;
877
878 wpa_printf(MSG_DEBUG, "EAP-AKA: Processing Identity");
879
880 if (attr->mac || attr->iv || attr->encr_data) {
881 wpa_printf(MSG_WARNING, "EAP-AKA: Unexpected attribute "
882 "received in EAP-Response/AKA-Identity");
883 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
884 eap_aka_state(data, NOTIFICATION);
885 return;
886 }
887
888 /*
889 * We always request identity with AKA/Identity, so the peer is
890 * required to have replied with one.
891 */
892 if (!attr->identity || attr->identity_len == 0) {
893 wpa_printf(MSG_DEBUG, "EAP-AKA: Peer did not provide any "
894 "identity");
895 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
896 eap_aka_state(data, NOTIFICATION);
897 return;
898 }
899
900 new_identity = os_malloc(attr->identity_len);
901 if (new_identity == NULL) {
902 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
903 eap_aka_state(data, NOTIFICATION);
904 return;
905 }
906 os_free(sm->identity);
907 sm->identity = new_identity;
908 os_memcpy(sm->identity, attr->identity, attr->identity_len);
909 sm->identity_len = attr->identity_len;
910
911 eap_aka_determine_identity(sm, data);
912 if (eap_get_id(respData) == data->pending_id) {
913 data->pending_id = -1;
914 eap_aka_add_id_msg(data, respData);
915 }
916 }
917
918
eap_aka_verify_mac(struct eap_aka_data * data,const struct wpabuf * req,const u8 * mac,const u8 * extra,size_t extra_len)919 static int eap_aka_verify_mac(struct eap_aka_data *data,
920 const struct wpabuf *req,
921 const u8 *mac, const u8 *extra,
922 size_t extra_len)
923 {
924 if (data->eap_method == EAP_TYPE_AKA_PRIME)
925 return eap_sim_verify_mac_sha256(data->k_aut, req, mac, extra,
926 extra_len);
927 return eap_sim_verify_mac(data->k_aut, req, mac, extra, extra_len);
928 }
929
930
eap_aka_process_challenge(struct eap_sm * sm,struct eap_aka_data * data,struct wpabuf * respData,struct eap_sim_attrs * attr)931 static void eap_aka_process_challenge(struct eap_sm *sm,
932 struct eap_aka_data *data,
933 struct wpabuf *respData,
934 struct eap_sim_attrs *attr)
935 {
936 wpa_printf(MSG_DEBUG, "EAP-AKA: Processing Challenge");
937
938 #ifdef EAP_SERVER_AKA_PRIME
939 #if 0
940 /* KDF negotiation; to be enabled only after more than one KDF is
941 * supported */
942 if (data->eap_method == EAP_TYPE_AKA_PRIME &&
943 attr->kdf_count == 1 && attr->mac == NULL) {
944 if (attr->kdf[0] != EAP_AKA_PRIME_KDF) {
945 wpa_printf(MSG_WARNING, "EAP-AKA': Peer selected "
946 "unknown KDF");
947 data->notification =
948 EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
949 eap_aka_state(data, NOTIFICATION);
950 return;
951 }
952
953 data->kdf = attr->kdf[0];
954
955 /* Allow negotiation to continue with the selected KDF by
956 * sending another Challenge message */
957 wpa_printf(MSG_DEBUG, "EAP-AKA': KDF %d selected", data->kdf);
958 return;
959 }
960 #endif
961 #endif /* EAP_SERVER_AKA_PRIME */
962
963 if (attr->checkcode &&
964 eap_aka_verify_checkcode(data, attr->checkcode,
965 attr->checkcode_len)) {
966 wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the "
967 "message");
968 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
969 eap_aka_state(data, NOTIFICATION);
970 return;
971 }
972 if (attr->mac == NULL ||
973 eap_aka_verify_mac(data, respData, attr->mac, NULL, 0)) {
974 wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message "
975 "did not include valid AT_MAC");
976 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
977 eap_aka_state(data, NOTIFICATION);
978 return;
979 }
980
981 /*
982 * AT_RES is padded, so verify that there is enough room for RES and
983 * that the RES length in bits matches with the expected RES.
984 */
985 if (attr->res == NULL || attr->res_len < data->res_len ||
986 attr->res_len_bits != data->res_len * 8 ||
987 os_memcmp_const(attr->res, data->res, data->res_len) != 0) {
988 wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message did not "
989 "include valid AT_RES (attr len=%lu, res len=%lu "
990 "bits, expected %lu bits)",
991 (unsigned long) attr->res_len,
992 (unsigned long) attr->res_len_bits,
993 (unsigned long) data->res_len * 8);
994 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
995 eap_aka_state(data, NOTIFICATION);
996 return;
997 }
998
999 wpa_printf(MSG_DEBUG, "EAP-AKA: Challenge response includes the "
1000 "correct AT_MAC");
1001 if (sm->eap_sim_aka_result_ind && attr->result_ind) {
1002 data->use_result_ind = 1;
1003 data->notification = EAP_SIM_SUCCESS;
1004 eap_aka_state(data, NOTIFICATION);
1005 } else
1006 eap_aka_state(data, SUCCESS);
1007
1008 if (data->next_pseudonym) {
1009 eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, data->permanent,
1010 data->next_pseudonym);
1011 data->next_pseudonym = NULL;
1012 }
1013 if (data->next_reauth_id) {
1014 if (data->eap_method == EAP_TYPE_AKA_PRIME) {
1015 #ifdef EAP_SERVER_AKA_PRIME
1016 eap_sim_db_add_reauth_prime(sm->eap_sim_db_priv,
1017 data->permanent,
1018 data->next_reauth_id,
1019 data->counter + 1,
1020 data->k_encr, data->k_aut,
1021 data->k_re);
1022 #endif /* EAP_SERVER_AKA_PRIME */
1023 } else {
1024 eap_sim_db_add_reauth(sm->eap_sim_db_priv,
1025 data->permanent,
1026 data->next_reauth_id,
1027 data->counter + 1,
1028 data->mk);
1029 }
1030 data->next_reauth_id = NULL;
1031 }
1032 }
1033
1034
eap_aka_process_sync_failure(struct eap_sm * sm,struct eap_aka_data * data,struct wpabuf * respData,struct eap_sim_attrs * attr)1035 static void eap_aka_process_sync_failure(struct eap_sm *sm,
1036 struct eap_aka_data *data,
1037 struct wpabuf *respData,
1038 struct eap_sim_attrs *attr)
1039 {
1040 wpa_printf(MSG_DEBUG, "EAP-AKA: Processing Synchronization-Failure");
1041
1042 if (attr->auts == NULL) {
1043 wpa_printf(MSG_WARNING, "EAP-AKA: Synchronization-Failure "
1044 "message did not include valid AT_AUTS");
1045 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1046 eap_aka_state(data, NOTIFICATION);
1047 return;
1048 }
1049
1050 /* Avoid re-reporting AUTS when processing pending EAP packet by
1051 * maintaining a local flag stating whether this AUTS has already been
1052 * reported. */
1053 if (!data->auts_reported &&
1054 eap_sim_db_resynchronize(sm->eap_sim_db_priv, data->permanent,
1055 attr->auts, data->rand)) {
1056 wpa_printf(MSG_WARNING, "EAP-AKA: Resynchronization failed");
1057 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1058 eap_aka_state(data, NOTIFICATION);
1059 return;
1060 }
1061 data->auts_reported = 1;
1062
1063 /* Remain in CHALLENGE state to re-try after resynchronization */
1064 eap_aka_fullauth(sm, data);
1065 }
1066
1067
eap_aka_process_reauth(struct eap_sm * sm,struct eap_aka_data * data,struct wpabuf * respData,struct eap_sim_attrs * attr)1068 static void eap_aka_process_reauth(struct eap_sm *sm,
1069 struct eap_aka_data *data,
1070 struct wpabuf *respData,
1071 struct eap_sim_attrs *attr)
1072 {
1073 struct eap_sim_attrs eattr;
1074 u8 *decrypted = NULL;
1075
1076 wpa_printf(MSG_DEBUG, "EAP-AKA: Processing Reauthentication");
1077
1078 if (attr->mac == NULL ||
1079 eap_aka_verify_mac(data, respData, attr->mac, data->nonce_s,
1080 EAP_SIM_NONCE_S_LEN)) {
1081 wpa_printf(MSG_WARNING, "EAP-AKA: Re-authentication message "
1082 "did not include valid AT_MAC");
1083 goto fail;
1084 }
1085
1086 if (attr->encr_data == NULL || attr->iv == NULL) {
1087 wpa_printf(MSG_WARNING, "EAP-AKA: Reauthentication "
1088 "message did not include encrypted data");
1089 goto fail;
1090 }
1091
1092 decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,
1093 attr->encr_data_len, attr->iv, &eattr,
1094 0);
1095 if (decrypted == NULL) {
1096 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to parse encrypted "
1097 "data from reauthentication message");
1098 goto fail;
1099 }
1100
1101 if (eattr.counter != data->counter) {
1102 wpa_printf(MSG_WARNING, "EAP-AKA: Re-authentication message "
1103 "used incorrect counter %u, expected %u",
1104 eattr.counter, data->counter);
1105 goto fail;
1106 }
1107 os_free(decrypted);
1108 decrypted = NULL;
1109
1110 wpa_printf(MSG_DEBUG, "EAP-AKA: Re-authentication response includes "
1111 "the correct AT_MAC");
1112
1113 if (eattr.counter_too_small) {
1114 wpa_printf(MSG_DEBUG, "EAP-AKA: Re-authentication response "
1115 "included AT_COUNTER_TOO_SMALL - starting full "
1116 "authentication");
1117 eap_aka_fullauth(sm, data);
1118 return;
1119 }
1120
1121 if (sm->eap_sim_aka_result_ind && attr->result_ind) {
1122 data->use_result_ind = 1;
1123 data->notification = EAP_SIM_SUCCESS;
1124 eap_aka_state(data, NOTIFICATION);
1125 } else
1126 eap_aka_state(data, SUCCESS);
1127
1128 if (data->next_reauth_id) {
1129 if (data->eap_method == EAP_TYPE_AKA_PRIME) {
1130 #ifdef EAP_SERVER_AKA_PRIME
1131 eap_sim_db_add_reauth_prime(sm->eap_sim_db_priv,
1132 data->permanent,
1133 data->next_reauth_id,
1134 data->counter + 1,
1135 data->k_encr, data->k_aut,
1136 data->k_re);
1137 #endif /* EAP_SERVER_AKA_PRIME */
1138 } else {
1139 eap_sim_db_add_reauth(sm->eap_sim_db_priv,
1140 data->permanent,
1141 data->next_reauth_id,
1142 data->counter + 1,
1143 data->mk);
1144 }
1145 data->next_reauth_id = NULL;
1146 } else {
1147 eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
1148 data->reauth = NULL;
1149 }
1150
1151 return;
1152
1153 fail:
1154 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1155 eap_aka_state(data, NOTIFICATION);
1156 eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
1157 data->reauth = NULL;
1158 os_free(decrypted);
1159 }
1160
1161
eap_aka_process_client_error(struct eap_sm * sm,struct eap_aka_data * data,struct wpabuf * respData,struct eap_sim_attrs * attr)1162 static void eap_aka_process_client_error(struct eap_sm *sm,
1163 struct eap_aka_data *data,
1164 struct wpabuf *respData,
1165 struct eap_sim_attrs *attr)
1166 {
1167 wpa_printf(MSG_DEBUG, "EAP-AKA: Client reported error %d",
1168 attr->client_error_code);
1169 if (data->notification == EAP_SIM_SUCCESS && data->use_result_ind)
1170 eap_aka_state(data, SUCCESS);
1171 else
1172 eap_aka_state(data, FAILURE);
1173 }
1174
1175
eap_aka_process_authentication_reject(struct eap_sm * sm,struct eap_aka_data * data,struct wpabuf * respData,struct eap_sim_attrs * attr)1176 static void eap_aka_process_authentication_reject(
1177 struct eap_sm *sm, struct eap_aka_data *data,
1178 struct wpabuf *respData, struct eap_sim_attrs *attr)
1179 {
1180 wpa_printf(MSG_DEBUG, "EAP-AKA: Client rejected authentication");
1181 eap_aka_state(data, FAILURE);
1182 }
1183
1184
eap_aka_process_notification(struct eap_sm * sm,struct eap_aka_data * data,struct wpabuf * respData,struct eap_sim_attrs * attr)1185 static void eap_aka_process_notification(struct eap_sm *sm,
1186 struct eap_aka_data *data,
1187 struct wpabuf *respData,
1188 struct eap_sim_attrs *attr)
1189 {
1190 wpa_printf(MSG_DEBUG, "EAP-AKA: Client replied to notification");
1191 if (data->notification == EAP_SIM_SUCCESS && data->use_result_ind)
1192 eap_aka_state(data, SUCCESS);
1193 else
1194 eap_aka_state(data, FAILURE);
1195 }
1196
1197
eap_aka_process(struct eap_sm * sm,void * priv,struct wpabuf * respData)1198 static void eap_aka_process(struct eap_sm *sm, void *priv,
1199 struct wpabuf *respData)
1200 {
1201 struct eap_aka_data *data = priv;
1202 const u8 *pos, *end;
1203 u8 subtype;
1204 size_t len;
1205 struct eap_sim_attrs attr;
1206
1207 pos = eap_hdr_validate(EAP_VENDOR_IETF, data->eap_method, respData,
1208 &len);
1209 if (pos == NULL || len < 3)
1210 return;
1211
1212 end = pos + len;
1213 subtype = *pos;
1214 pos += 3;
1215
1216 if (eap_aka_subtype_ok(data, subtype)) {
1217 wpa_printf(MSG_DEBUG, "EAP-AKA: Unrecognized or unexpected "
1218 "EAP-AKA Subtype in EAP Response");
1219 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1220 eap_aka_state(data, NOTIFICATION);
1221 return;
1222 }
1223
1224 if (eap_sim_parse_attr(pos, end, &attr,
1225 data->eap_method == EAP_TYPE_AKA_PRIME ? 2 : 1,
1226 0)) {
1227 wpa_printf(MSG_DEBUG, "EAP-AKA: Failed to parse attributes");
1228 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1229 eap_aka_state(data, NOTIFICATION);
1230 return;
1231 }
1232
1233 if (subtype == EAP_AKA_SUBTYPE_CLIENT_ERROR) {
1234 eap_aka_process_client_error(sm, data, respData, &attr);
1235 return;
1236 }
1237
1238 if (subtype == EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT) {
1239 eap_aka_process_authentication_reject(sm, data, respData,
1240 &attr);
1241 return;
1242 }
1243
1244 switch (data->state) {
1245 case IDENTITY:
1246 eap_aka_process_identity(sm, data, respData, &attr);
1247 break;
1248 case CHALLENGE:
1249 if (subtype == EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE) {
1250 eap_aka_process_sync_failure(sm, data, respData,
1251 &attr);
1252 } else {
1253 eap_aka_process_challenge(sm, data, respData, &attr);
1254 }
1255 break;
1256 case REAUTH:
1257 eap_aka_process_reauth(sm, data, respData, &attr);
1258 break;
1259 case NOTIFICATION:
1260 eap_aka_process_notification(sm, data, respData, &attr);
1261 break;
1262 default:
1263 wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown state %d in "
1264 "process", data->state);
1265 break;
1266 }
1267 }
1268
1269
eap_aka_isDone(struct eap_sm * sm,void * priv)1270 static Boolean eap_aka_isDone(struct eap_sm *sm, void *priv)
1271 {
1272 struct eap_aka_data *data = priv;
1273 return data->state == SUCCESS || data->state == FAILURE;
1274 }
1275
1276
eap_aka_getKey(struct eap_sm * sm,void * priv,size_t * len)1277 static u8 * eap_aka_getKey(struct eap_sm *sm, void *priv, size_t *len)
1278 {
1279 struct eap_aka_data *data = priv;
1280 u8 *key;
1281
1282 if (data->state != SUCCESS)
1283 return NULL;
1284
1285 key = os_memdup(data->msk, EAP_SIM_KEYING_DATA_LEN);
1286 if (key == NULL)
1287 return NULL;
1288 *len = EAP_SIM_KEYING_DATA_LEN;
1289 return key;
1290 }
1291
1292
eap_aka_get_emsk(struct eap_sm * sm,void * priv,size_t * len)1293 static u8 * eap_aka_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
1294 {
1295 struct eap_aka_data *data = priv;
1296 u8 *key;
1297
1298 if (data->state != SUCCESS)
1299 return NULL;
1300
1301 key = os_memdup(data->emsk, EAP_EMSK_LEN);
1302 if (key == NULL)
1303 return NULL;
1304 *len = EAP_EMSK_LEN;
1305 return key;
1306 }
1307
1308
eap_aka_isSuccess(struct eap_sm * sm,void * priv)1309 static Boolean eap_aka_isSuccess(struct eap_sm *sm, void *priv)
1310 {
1311 struct eap_aka_data *data = priv;
1312 return data->state == SUCCESS;
1313 }
1314
1315
eap_aka_get_session_id(struct eap_sm * sm,void * priv,size_t * len)1316 static u8 * eap_aka_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
1317 {
1318 struct eap_aka_data *data = priv;
1319 u8 *id;
1320
1321 if (data->state != SUCCESS)
1322 return NULL;
1323
1324 if (!data->reauth)
1325 *len = 1 + EAP_AKA_RAND_LEN + EAP_AKA_AUTN_LEN;
1326 else
1327 *len = 1 + EAP_SIM_NONCE_S_LEN + EAP_SIM_MAC_LEN;
1328 id = os_malloc(*len);
1329 if (id == NULL)
1330 return NULL;
1331
1332 id[0] = data->eap_method;
1333 if (!data->reauth) {
1334 os_memcpy(id + 1, data->rand, EAP_AKA_RAND_LEN);
1335 os_memcpy(id + 1 + EAP_AKA_RAND_LEN, data->autn,
1336 EAP_AKA_AUTN_LEN);
1337 } else {
1338 os_memcpy(id + 1, data->nonce_s, EAP_SIM_NONCE_S_LEN);
1339 os_memcpy(id + 1 + EAP_SIM_NONCE_S_LEN, data->reauth_mac,
1340 EAP_SIM_MAC_LEN);
1341 }
1342 wpa_hexdump(MSG_DEBUG, "EAP-AKA: Derived Session-Id", id, *len);
1343
1344 return id;
1345 }
1346
1347
eap_server_aka_register(void)1348 int eap_server_aka_register(void)
1349 {
1350 struct eap_method *eap;
1351
1352 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1353 EAP_VENDOR_IETF, EAP_TYPE_AKA, "AKA");
1354 if (eap == NULL)
1355 return -1;
1356
1357 eap->init = eap_aka_init;
1358 eap->reset = eap_aka_reset;
1359 eap->buildReq = eap_aka_buildReq;
1360 eap->check = eap_aka_check;
1361 eap->process = eap_aka_process;
1362 eap->isDone = eap_aka_isDone;
1363 eap->getKey = eap_aka_getKey;
1364 eap->isSuccess = eap_aka_isSuccess;
1365 eap->get_emsk = eap_aka_get_emsk;
1366 eap->getSessionId = eap_aka_get_session_id;
1367
1368 return eap_server_method_register(eap);
1369 }
1370
1371
1372 #ifdef EAP_SERVER_AKA_PRIME
eap_server_aka_prime_register(void)1373 int eap_server_aka_prime_register(void)
1374 {
1375 struct eap_method *eap;
1376
1377 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1378 EAP_VENDOR_IETF, EAP_TYPE_AKA_PRIME,
1379 "AKA'");
1380 if (eap == NULL)
1381 return -1;
1382
1383 eap->init = eap_aka_prime_init;
1384 eap->reset = eap_aka_reset;
1385 eap->buildReq = eap_aka_buildReq;
1386 eap->check = eap_aka_check;
1387 eap->process = eap_aka_process;
1388 eap->isDone = eap_aka_isDone;
1389 eap->getKey = eap_aka_getKey;
1390 eap->isSuccess = eap_aka_isSuccess;
1391 eap->get_emsk = eap_aka_get_emsk;
1392 eap->getSessionId = eap_aka_get_session_id;
1393
1394 return eap_server_method_register(eap);
1395 }
1396 #endif /* EAP_SERVER_AKA_PRIME */
1397