1 /*
2  * hostapd / EAP-AKA (RFC 4187) and EAP-AKA' (RFC 5448)
3  * Copyright (c) 2005-2012, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/sha256.h"
13 #include "crypto/crypto.h"
14 #include "crypto/random.h"
15 #include "eap_common/eap_sim_common.h"
16 #include "eap_server/eap_i.h"
17 #include "eap_server/eap_sim_db.h"
18 
19 
20 struct eap_aka_data {
21 	u8 mk[EAP_SIM_MK_LEN];
22 	u8 nonce_s[EAP_SIM_NONCE_S_LEN];
23 	u8 k_aut[EAP_AKA_PRIME_K_AUT_LEN];
24 	u8 k_encr[EAP_SIM_K_ENCR_LEN];
25 	u8 k_re[EAP_AKA_PRIME_K_RE_LEN]; /* EAP-AKA' only */
26 	u8 msk[EAP_SIM_KEYING_DATA_LEN];
27 	u8 emsk[EAP_EMSK_LEN];
28 	u8 rand[EAP_AKA_RAND_LEN];
29 	u8 autn[EAP_AKA_AUTN_LEN];
30 	u8 ck[EAP_AKA_CK_LEN];
31 	u8 ik[EAP_AKA_IK_LEN];
32 	u8 res[EAP_AKA_RES_MAX_LEN];
33 	u8 reauth_mac[EAP_SIM_MAC_LEN];
34 	size_t res_len;
35 	enum {
36 		IDENTITY, CHALLENGE, REAUTH, NOTIFICATION, SUCCESS, FAILURE
37 	} state;
38 	char *next_pseudonym;
39 	char *next_reauth_id;
40 	u16 counter;
41 	struct eap_sim_reauth *reauth;
42 	int auts_reported; /* whether the current AUTS has been reported to the
43 			    * eap_sim_db */
44 	u16 notification;
45 	int use_result_ind;
46 
47 	struct wpabuf *id_msgs;
48 	int pending_id;
49 	u8 eap_method;
50 	u8 *network_name;
51 	size_t network_name_len;
52 	u16 kdf;
53 	int identity_round;
54 	char permanent[20]; /* Permanent username */
55 };
56 
57 
58 static void eap_aka_fullauth(struct eap_sm *sm, struct eap_aka_data *data);
59 
60 
eap_aka_state_txt(int state)61 static const char * eap_aka_state_txt(int state)
62 {
63 	switch (state) {
64 	case IDENTITY:
65 		return "IDENTITY";
66 	case CHALLENGE:
67 		return "CHALLENGE";
68 	case REAUTH:
69 		return "REAUTH";
70 	case SUCCESS:
71 		return "SUCCESS";
72 	case FAILURE:
73 		return "FAILURE";
74 	case NOTIFICATION:
75 		return "NOTIFICATION";
76 	default:
77 		return "Unknown?!";
78 	}
79 }
80 
81 
eap_aka_state(struct eap_aka_data * data,int state)82 static void eap_aka_state(struct eap_aka_data *data, int state)
83 {
84 	wpa_printf(MSG_DEBUG, "EAP-AKA: %s -> %s",
85 		   eap_aka_state_txt(data->state),
86 		   eap_aka_state_txt(state));
87 	data->state = state;
88 }
89 
90 
eap_aka_check_identity_reauth(struct eap_sm * sm,struct eap_aka_data * data,const char * username)91 static int eap_aka_check_identity_reauth(struct eap_sm *sm,
92 					 struct eap_aka_data *data,
93 					 const char *username)
94 {
95 	if (data->eap_method == EAP_TYPE_AKA_PRIME &&
96 	    username[0] != EAP_AKA_PRIME_REAUTH_ID_PREFIX)
97 		return 0;
98 	if (data->eap_method == EAP_TYPE_AKA &&
99 	    username[0] != EAP_AKA_REAUTH_ID_PREFIX)
100 		return 0;
101 
102 	wpa_printf(MSG_DEBUG, "EAP-AKA: Reauth username '%s'", username);
103 	data->reauth = eap_sim_db_get_reauth_entry(sm->eap_sim_db_priv,
104 						   username);
105 	if (data->reauth == NULL) {
106 		wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown reauth identity - "
107 			   "request full auth identity");
108 		/* Remain in IDENTITY state for another round */
109 		return 0;
110 	}
111 
112 	wpa_printf(MSG_DEBUG, "EAP-AKA: Using fast re-authentication");
113 	os_strlcpy(data->permanent, data->reauth->permanent,
114 		   sizeof(data->permanent));
115 	data->counter = data->reauth->counter;
116 	if (data->eap_method == EAP_TYPE_AKA_PRIME) {
117 		os_memcpy(data->k_encr, data->reauth->k_encr,
118 			  EAP_SIM_K_ENCR_LEN);
119 		os_memcpy(data->k_aut, data->reauth->k_aut,
120 			  EAP_AKA_PRIME_K_AUT_LEN);
121 		os_memcpy(data->k_re, data->reauth->k_re,
122 			  EAP_AKA_PRIME_K_RE_LEN);
123 	} else {
124 		os_memcpy(data->mk, data->reauth->mk, EAP_SIM_MK_LEN);
125 	}
126 
127 	eap_aka_state(data, REAUTH);
128 	return 1;
129 }
130 
131 
eap_aka_check_identity(struct eap_sm * sm,struct eap_aka_data * data)132 static void eap_aka_check_identity(struct eap_sm *sm,
133 				   struct eap_aka_data *data)
134 {
135 	char *username;
136 
137 	/* Check if we already know the identity from EAP-Response/Identity */
138 
139 	username = sim_get_username(sm->identity, sm->identity_len);
140 	if (username == NULL)
141 		return;
142 
143 	if (eap_aka_check_identity_reauth(sm, data, username) > 0) {
144 		os_free(username);
145 		/*
146 		 * Since re-auth username was recognized, skip AKA/Identity
147 		 * exchange.
148 		 */
149 		return;
150 	}
151 
152 	if ((data->eap_method == EAP_TYPE_AKA_PRIME &&
153 	     username[0] == EAP_AKA_PRIME_PSEUDONYM_PREFIX) ||
154 	    (data->eap_method == EAP_TYPE_AKA &&
155 	     username[0] == EAP_AKA_PSEUDONYM_PREFIX)) {
156 		const char *permanent;
157 		wpa_printf(MSG_DEBUG, "EAP-AKA: Pseudonym username '%s'",
158 			   username);
159 		permanent = eap_sim_db_get_permanent(
160 			sm->eap_sim_db_priv, username);
161 		if (permanent == NULL) {
162 			os_free(username);
163 			wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown pseudonym "
164 				   "identity - request permanent identity");
165 			/* Remain in IDENTITY state for another round */
166 			return;
167 		}
168 		os_strlcpy(data->permanent, permanent,
169 			   sizeof(data->permanent));
170 		/*
171 		 * Since pseudonym username was recognized, skip AKA/Identity
172 		 * exchange.
173 		 */
174 		eap_aka_fullauth(sm, data);
175 	}
176 
177 	os_free(username);
178 }
179 
180 
eap_aka_init(struct eap_sm * sm)181 static void * eap_aka_init(struct eap_sm *sm)
182 {
183 	struct eap_aka_data *data;
184 
185 	if (sm->eap_sim_db_priv == NULL) {
186 		wpa_printf(MSG_WARNING, "EAP-AKA: eap_sim_db not configured");
187 		return NULL;
188 	}
189 
190 	data = os_zalloc(sizeof(*data));
191 	if (data == NULL)
192 		return NULL;
193 
194 	data->eap_method = EAP_TYPE_AKA;
195 
196 	data->state = IDENTITY;
197 	data->pending_id = -1;
198 	eap_aka_check_identity(sm, data);
199 
200 	return data;
201 }
202 
203 
204 #ifdef EAP_SERVER_AKA_PRIME
eap_aka_prime_init(struct eap_sm * sm)205 static void * eap_aka_prime_init(struct eap_sm *sm)
206 {
207 	struct eap_aka_data *data;
208 	/* TODO: make ANID configurable; see 3GPP TS 24.302 */
209 	char *network_name = "WLAN";
210 
211 	if (sm->eap_sim_db_priv == NULL) {
212 		wpa_printf(MSG_WARNING, "EAP-AKA: eap_sim_db not configured");
213 		return NULL;
214 	}
215 
216 	data = os_zalloc(sizeof(*data));
217 	if (data == NULL)
218 		return NULL;
219 
220 	data->eap_method = EAP_TYPE_AKA_PRIME;
221 	data->network_name = (u8 *) os_strdup(network_name);
222 	if (data->network_name == NULL) {
223 		os_free(data);
224 		return NULL;
225 	}
226 
227 	data->network_name_len = os_strlen(network_name);
228 
229 	data->state = IDENTITY;
230 	data->pending_id = -1;
231 	eap_aka_check_identity(sm, data);
232 
233 	return data;
234 }
235 #endif /* EAP_SERVER_AKA_PRIME */
236 
237 
eap_aka_reset(struct eap_sm * sm,void * priv)238 static void eap_aka_reset(struct eap_sm *sm, void *priv)
239 {
240 	struct eap_aka_data *data = priv;
241 	os_free(data->next_pseudonym);
242 	os_free(data->next_reauth_id);
243 	wpabuf_free(data->id_msgs);
244 	os_free(data->network_name);
245 	bin_clear_free(data, sizeof(*data));
246 }
247 
248 
eap_aka_add_id_msg(struct eap_aka_data * data,const struct wpabuf * msg)249 static int eap_aka_add_id_msg(struct eap_aka_data *data,
250 			      const struct wpabuf *msg)
251 {
252 	if (msg == NULL)
253 		return -1;
254 
255 	if (data->id_msgs == NULL) {
256 		data->id_msgs = wpabuf_dup(msg);
257 		return data->id_msgs == NULL ? -1 : 0;
258 	}
259 
260 	if (wpabuf_resize(&data->id_msgs, wpabuf_len(msg)) < 0)
261 		return -1;
262 	wpabuf_put_buf(data->id_msgs, msg);
263 
264 	return 0;
265 }
266 
267 
eap_aka_add_checkcode(struct eap_aka_data * data,struct eap_sim_msg * msg)268 static void eap_aka_add_checkcode(struct eap_aka_data *data,
269 				  struct eap_sim_msg *msg)
270 {
271 	const u8 *addr;
272 	size_t len;
273 	u8 hash[SHA256_MAC_LEN];
274 
275 	wpa_printf(MSG_DEBUG, "   AT_CHECKCODE");
276 
277 	if (data->id_msgs == NULL) {
278 		/*
279 		 * No EAP-AKA/Identity packets were exchanged - send empty
280 		 * checkcode.
281 		 */
282 		eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, NULL, 0);
283 		return;
284 	}
285 
286 	/* Checkcode is SHA1 hash over all EAP-AKA/Identity packets. */
287 	addr = wpabuf_head(data->id_msgs);
288 	len = wpabuf_len(data->id_msgs);
289 	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA: AT_CHECKCODE data", addr, len);
290 	if (data->eap_method == EAP_TYPE_AKA_PRIME)
291 		sha256_vector(1, &addr, &len, hash);
292 	else
293 		sha1_vector(1, &addr, &len, hash);
294 
295 	eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, hash,
296 			data->eap_method == EAP_TYPE_AKA_PRIME ?
297 			EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN);
298 }
299 
300 
eap_aka_verify_checkcode(struct eap_aka_data * data,const u8 * checkcode,size_t checkcode_len)301 static int eap_aka_verify_checkcode(struct eap_aka_data *data,
302 				    const u8 *checkcode, size_t checkcode_len)
303 {
304 	const u8 *addr;
305 	size_t len;
306 	u8 hash[SHA256_MAC_LEN];
307 	size_t hash_len;
308 
309 	if (checkcode == NULL)
310 		return -1;
311 
312 	if (data->id_msgs == NULL) {
313 		if (checkcode_len != 0) {
314 			wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from peer "
315 				   "indicates that AKA/Identity messages were "
316 				   "used, but they were not");
317 			return -1;
318 		}
319 		return 0;
320 	}
321 
322 	hash_len = data->eap_method == EAP_TYPE_AKA_PRIME ?
323 		EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN;
324 
325 	if (checkcode_len != hash_len) {
326 		wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from peer indicates "
327 			   "that AKA/Identity message were not used, but they "
328 			   "were");
329 		return -1;
330 	}
331 
332 	/* Checkcode is SHA1 hash over all EAP-AKA/Identity packets. */
333 	addr = wpabuf_head(data->id_msgs);
334 	len = wpabuf_len(data->id_msgs);
335 	if (data->eap_method == EAP_TYPE_AKA_PRIME)
336 		sha256_vector(1, &addr, &len, hash);
337 	else
338 		sha1_vector(1, &addr, &len, hash);
339 
340 	if (os_memcmp_const(hash, checkcode, hash_len) != 0) {
341 		wpa_printf(MSG_DEBUG, "EAP-AKA: Mismatch in AT_CHECKCODE");
342 		return -1;
343 	}
344 
345 	return 0;
346 }
347 
348 
eap_aka_build_identity(struct eap_sm * sm,struct eap_aka_data * data,u8 id)349 static struct wpabuf * eap_aka_build_identity(struct eap_sm *sm,
350 					      struct eap_aka_data *data, u8 id)
351 {
352 	struct eap_sim_msg *msg;
353 	struct wpabuf *buf;
354 
355 	wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Identity");
356 	msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method,
357 			       EAP_AKA_SUBTYPE_IDENTITY);
358 	data->identity_round++;
359 	if (data->identity_round == 1) {
360 		/*
361 		 * RFC 4187, Chap. 4.1.4 recommends that identity from EAP is
362 		 * ignored and the AKA/Identity is used to request the
363 		 * identity.
364 		 */
365 		wpa_printf(MSG_DEBUG, "   AT_ANY_ID_REQ");
366 		eap_sim_msg_add(msg, EAP_SIM_AT_ANY_ID_REQ, 0, NULL, 0);
367 	} else if (data->identity_round > 3) {
368 		/* Cannot use more than three rounds of Identity messages */
369 		eap_sim_msg_free(msg);
370 		return NULL;
371 	} else if (sm->identity && sm->identity_len > 0 &&
372 		   (sm->identity[0] == EAP_AKA_REAUTH_ID_PREFIX ||
373 		    sm->identity[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX)) {
374 		/* Reauth id may have expired - try fullauth */
375 		wpa_printf(MSG_DEBUG, "   AT_FULLAUTH_ID_REQ");
376 		eap_sim_msg_add(msg, EAP_SIM_AT_FULLAUTH_ID_REQ, 0, NULL, 0);
377 	} else {
378 		wpa_printf(MSG_DEBUG, "   AT_PERMANENT_ID_REQ");
379 		eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0);
380 	}
381 	buf = eap_sim_msg_finish(msg, data->eap_method, NULL, NULL, 0);
382 	if (eap_aka_add_id_msg(data, buf) < 0) {
383 		wpabuf_free(buf);
384 		return NULL;
385 	}
386 	data->pending_id = id;
387 	return buf;
388 }
389 
390 
eap_aka_build_encr(struct eap_sm * sm,struct eap_aka_data * data,struct eap_sim_msg * msg,u16 counter,const u8 * nonce_s)391 static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
392 			      struct eap_sim_msg *msg, u16 counter,
393 			      const u8 *nonce_s)
394 {
395 	os_free(data->next_pseudonym);
396 	if (!(sm->eap_sim_id & 0x01)) {
397 		/* Use of pseudonyms disabled in configuration */
398 		data->next_pseudonym = NULL;
399 	} else if (!nonce_s) {
400 		data->next_pseudonym =
401 			eap_sim_db_get_next_pseudonym(
402 				sm->eap_sim_db_priv,
403 				data->eap_method == EAP_TYPE_AKA_PRIME ?
404 				EAP_SIM_DB_AKA_PRIME : EAP_SIM_DB_AKA);
405 	} else {
406 		/* Do not update pseudonym during re-authentication */
407 		data->next_pseudonym = NULL;
408 	}
409 	os_free(data->next_reauth_id);
410 	if (!(sm->eap_sim_id & 0x02)) {
411 		/* Use of fast reauth disabled in configuration */
412 		data->next_reauth_id = NULL;
413 	} else if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
414 		data->next_reauth_id =
415 			eap_sim_db_get_next_reauth_id(
416 				sm->eap_sim_db_priv,
417 				data->eap_method == EAP_TYPE_AKA_PRIME ?
418 				EAP_SIM_DB_AKA_PRIME : EAP_SIM_DB_AKA);
419 	} else {
420 		wpa_printf(MSG_DEBUG, "EAP-AKA: Max fast re-authentication "
421 			   "count exceeded - force full authentication");
422 		data->next_reauth_id = NULL;
423 	}
424 
425 	if (data->next_pseudonym == NULL && data->next_reauth_id == NULL &&
426 	    counter == 0 && nonce_s == NULL)
427 		return 0;
428 
429 	wpa_printf(MSG_DEBUG, "   AT_IV");
430 	wpa_printf(MSG_DEBUG, "   AT_ENCR_DATA");
431 	eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV, EAP_SIM_AT_ENCR_DATA);
432 
433 	if (counter > 0) {
434 		wpa_printf(MSG_DEBUG, "   *AT_COUNTER (%u)", counter);
435 		eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, counter, NULL, 0);
436 	}
437 
438 	if (nonce_s) {
439 		wpa_printf(MSG_DEBUG, "   *AT_NONCE_S");
440 		eap_sim_msg_add(msg, EAP_SIM_AT_NONCE_S, 0, nonce_s,
441 				EAP_SIM_NONCE_S_LEN);
442 	}
443 
444 	if (data->next_pseudonym) {
445 		wpa_printf(MSG_DEBUG, "   *AT_NEXT_PSEUDONYM (%s)",
446 			   data->next_pseudonym);
447 		eap_sim_msg_add(msg, EAP_SIM_AT_NEXT_PSEUDONYM,
448 				os_strlen(data->next_pseudonym),
449 				(u8 *) data->next_pseudonym,
450 				os_strlen(data->next_pseudonym));
451 	}
452 
453 	if (data->next_reauth_id) {
454 		wpa_printf(MSG_DEBUG, "   *AT_NEXT_REAUTH_ID (%s)",
455 			   data->next_reauth_id);
456 		eap_sim_msg_add(msg, EAP_SIM_AT_NEXT_REAUTH_ID,
457 				os_strlen(data->next_reauth_id),
458 				(u8 *) data->next_reauth_id,
459 				os_strlen(data->next_reauth_id));
460 	}
461 
462 	if (eap_sim_msg_add_encr_end(msg, data->k_encr, EAP_SIM_AT_PADDING)) {
463 		wpa_printf(MSG_WARNING, "EAP-AKA: Failed to encrypt "
464 			   "AT_ENCR_DATA");
465 		return -1;
466 	}
467 
468 	return 0;
469 }
470 
471 
eap_aka_build_challenge(struct eap_sm * sm,struct eap_aka_data * data,u8 id)472 static struct wpabuf * eap_aka_build_challenge(struct eap_sm *sm,
473 					       struct eap_aka_data *data,
474 					       u8 id)
475 {
476 	struct eap_sim_msg *msg;
477 
478 	wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Challenge");
479 	msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method,
480 			       EAP_AKA_SUBTYPE_CHALLENGE);
481 	wpa_printf(MSG_DEBUG, "   AT_RAND");
482 	eap_sim_msg_add(msg, EAP_SIM_AT_RAND, 0, data->rand, EAP_AKA_RAND_LEN);
483 	wpa_printf(MSG_DEBUG, "   AT_AUTN");
484 	eap_sim_msg_add(msg, EAP_SIM_AT_AUTN, 0, data->autn, EAP_AKA_AUTN_LEN);
485 	if (data->eap_method == EAP_TYPE_AKA_PRIME) {
486 		if (data->kdf) {
487 			/* Add the selected KDF into the beginning */
488 			wpa_printf(MSG_DEBUG, "   AT_KDF");
489 			eap_sim_msg_add(msg, EAP_SIM_AT_KDF, data->kdf,
490 					NULL, 0);
491 		}
492 		wpa_printf(MSG_DEBUG, "   AT_KDF");
493 		eap_sim_msg_add(msg, EAP_SIM_AT_KDF, EAP_AKA_PRIME_KDF,
494 				NULL, 0);
495 		wpa_printf(MSG_DEBUG, "   AT_KDF_INPUT");
496 		eap_sim_msg_add(msg, EAP_SIM_AT_KDF_INPUT,
497 				data->network_name_len,
498 				data->network_name, data->network_name_len);
499 	}
500 
501 	if (eap_aka_build_encr(sm, data, msg, 0, NULL)) {
502 		eap_sim_msg_free(msg);
503 		return NULL;
504 	}
505 
506 	eap_aka_add_checkcode(data, msg);
507 
508 	if (sm->eap_sim_aka_result_ind) {
509 		wpa_printf(MSG_DEBUG, "   AT_RESULT_IND");
510 		eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
511 	}
512 
513 #ifdef EAP_SERVER_AKA_PRIME
514 	if (data->eap_method == EAP_TYPE_AKA) {
515 		u16 flags = 0;
516 		int i;
517 		int aka_prime_preferred = 0;
518 
519 		i = 0;
520 		while (sm->user && i < EAP_MAX_METHODS &&
521 		       (sm->user->methods[i].vendor != EAP_VENDOR_IETF ||
522 			sm->user->methods[i].method != EAP_TYPE_NONE)) {
523 			if (sm->user->methods[i].vendor == EAP_VENDOR_IETF) {
524 				if (sm->user->methods[i].method ==
525 				    EAP_TYPE_AKA)
526 					break;
527 				if (sm->user->methods[i].method ==
528 				    EAP_TYPE_AKA_PRIME) {
529 					aka_prime_preferred = 1;
530 					break;
531 				}
532 			}
533 			i++;
534 		}
535 
536 		if (aka_prime_preferred)
537 			flags |= EAP_AKA_BIDDING_FLAG_D;
538 		eap_sim_msg_add(msg, EAP_SIM_AT_BIDDING, flags, NULL, 0);
539 	}
540 #endif /* EAP_SERVER_AKA_PRIME */
541 
542 	wpa_printf(MSG_DEBUG, "   AT_MAC");
543 	eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
544 	return eap_sim_msg_finish(msg, data->eap_method, data->k_aut, NULL, 0);
545 }
546 
547 
eap_aka_build_reauth(struct eap_sm * sm,struct eap_aka_data * data,u8 id)548 static struct wpabuf * eap_aka_build_reauth(struct eap_sm *sm,
549 					    struct eap_aka_data *data, u8 id)
550 {
551 	struct eap_sim_msg *msg;
552 	struct wpabuf *buf;
553 
554 	wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Re-authentication");
555 
556 	if (random_get_bytes(data->nonce_s, EAP_SIM_NONCE_S_LEN))
557 		return NULL;
558 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-AKA: NONCE_S",
559 			data->nonce_s, EAP_SIM_NONCE_S_LEN);
560 
561 	if (data->eap_method == EAP_TYPE_AKA_PRIME) {
562 		eap_aka_prime_derive_keys_reauth(data->k_re, data->counter,
563 						 sm->identity,
564 						 sm->identity_len,
565 						 data->nonce_s,
566 						 data->msk, data->emsk);
567 	} else {
568 		eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut,
569 				    data->msk, data->emsk);
570 		eap_sim_derive_keys_reauth(data->counter, sm->identity,
571 					   sm->identity_len, data->nonce_s,
572 					   data->mk, data->msk, data->emsk);
573 	}
574 
575 	msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method,
576 			       EAP_AKA_SUBTYPE_REAUTHENTICATION);
577 
578 	if (eap_aka_build_encr(sm, data, msg, data->counter, data->nonce_s)) {
579 		eap_sim_msg_free(msg);
580 		return NULL;
581 	}
582 
583 	eap_aka_add_checkcode(data, msg);
584 
585 	if (sm->eap_sim_aka_result_ind) {
586 		wpa_printf(MSG_DEBUG, "   AT_RESULT_IND");
587 		eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
588 	}
589 
590 	wpa_printf(MSG_DEBUG, "   AT_MAC");
591 	eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
592 	buf = eap_sim_msg_finish(msg, data->eap_method, data->k_aut, NULL, 0);
593 
594 	/* Remember this MAC before sending it to the peer. This MAC is used for
595 	 * Session-Id calculation after receiving response from the peer and
596 	 * after all other checks pass. */
597 	os_memcpy(data->reauth_mac,
598 		  wpabuf_head_u8(buf) + wpabuf_len(buf) - EAP_SIM_MAC_LEN,
599 		  EAP_SIM_MAC_LEN);
600 
601 	return buf;
602 }
603 
604 
eap_aka_build_notification(struct eap_sm * sm,struct eap_aka_data * data,u8 id)605 static struct wpabuf * eap_aka_build_notification(struct eap_sm *sm,
606 						  struct eap_aka_data *data,
607 						  u8 id)
608 {
609 	struct eap_sim_msg *msg;
610 
611 	wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Notification");
612 	msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method,
613 			       EAP_AKA_SUBTYPE_NOTIFICATION);
614 	wpa_printf(MSG_DEBUG, "   AT_NOTIFICATION (%d)", data->notification);
615 	eap_sim_msg_add(msg, EAP_SIM_AT_NOTIFICATION, data->notification,
616 			NULL, 0);
617 	if (data->use_result_ind) {
618 		if (data->reauth) {
619 			wpa_printf(MSG_DEBUG, "   AT_IV");
620 			wpa_printf(MSG_DEBUG, "   AT_ENCR_DATA");
621 			eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV,
622 						   EAP_SIM_AT_ENCR_DATA);
623 			wpa_printf(MSG_DEBUG, "   *AT_COUNTER (%u)",
624 				   data->counter);
625 			eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, data->counter,
626 					NULL, 0);
627 
628 			if (eap_sim_msg_add_encr_end(msg, data->k_encr,
629 						     EAP_SIM_AT_PADDING)) {
630 				wpa_printf(MSG_WARNING, "EAP-AKA: Failed to "
631 					   "encrypt AT_ENCR_DATA");
632 				eap_sim_msg_free(msg);
633 				return NULL;
634 			}
635 		}
636 
637 		wpa_printf(MSG_DEBUG, "   AT_MAC");
638 		eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
639 	}
640 	return eap_sim_msg_finish(msg, data->eap_method, data->k_aut, NULL, 0);
641 }
642 
643 
eap_aka_buildReq(struct eap_sm * sm,void * priv,u8 id)644 static struct wpabuf * eap_aka_buildReq(struct eap_sm *sm, void *priv, u8 id)
645 {
646 	struct eap_aka_data *data = priv;
647 
648 	data->auts_reported = 0;
649 	switch (data->state) {
650 	case IDENTITY:
651 		return eap_aka_build_identity(sm, data, id);
652 	case CHALLENGE:
653 		return eap_aka_build_challenge(sm, data, id);
654 	case REAUTH:
655 		return eap_aka_build_reauth(sm, data, id);
656 	case NOTIFICATION:
657 		return eap_aka_build_notification(sm, data, id);
658 	default:
659 		wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown state %d in "
660 			   "buildReq", data->state);
661 		break;
662 	}
663 	return NULL;
664 }
665 
666 
eap_aka_check(struct eap_sm * sm,void * priv,struct wpabuf * respData)667 static Boolean eap_aka_check(struct eap_sm *sm, void *priv,
668 			     struct wpabuf *respData)
669 {
670 	struct eap_aka_data *data = priv;
671 	const u8 *pos;
672 	size_t len;
673 
674 	pos = eap_hdr_validate(EAP_VENDOR_IETF, data->eap_method, respData,
675 			       &len);
676 	if (pos == NULL || len < 3) {
677 		wpa_printf(MSG_INFO, "EAP-AKA: Invalid frame");
678 		return TRUE;
679 	}
680 
681 	return FALSE;
682 }
683 
684 
eap_aka_subtype_ok(struct eap_aka_data * data,u8 subtype)685 static Boolean eap_aka_subtype_ok(struct eap_aka_data *data, u8 subtype)
686 {
687 	if (subtype == EAP_AKA_SUBTYPE_CLIENT_ERROR ||
688 	    subtype == EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT)
689 		return FALSE;
690 
691 	switch (data->state) {
692 	case IDENTITY:
693 		if (subtype != EAP_AKA_SUBTYPE_IDENTITY) {
694 			wpa_printf(MSG_INFO, "EAP-AKA: Unexpected response "
695 				   "subtype %d", subtype);
696 			return TRUE;
697 		}
698 		break;
699 	case CHALLENGE:
700 		if (subtype != EAP_AKA_SUBTYPE_CHALLENGE &&
701 		    subtype != EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE) {
702 			wpa_printf(MSG_INFO, "EAP-AKA: Unexpected response "
703 				   "subtype %d", subtype);
704 			return TRUE;
705 		}
706 		break;
707 	case REAUTH:
708 		if (subtype != EAP_AKA_SUBTYPE_REAUTHENTICATION) {
709 			wpa_printf(MSG_INFO, "EAP-AKA: Unexpected response "
710 				   "subtype %d", subtype);
711 			return TRUE;
712 		}
713 		break;
714 	case NOTIFICATION:
715 		if (subtype != EAP_AKA_SUBTYPE_NOTIFICATION) {
716 			wpa_printf(MSG_INFO, "EAP-AKA: Unexpected response "
717 				   "subtype %d", subtype);
718 			return TRUE;
719 		}
720 		break;
721 	default:
722 		wpa_printf(MSG_INFO, "EAP-AKA: Unexpected state (%d) for "
723 			   "processing a response", data->state);
724 		return TRUE;
725 	}
726 
727 	return FALSE;
728 }
729 
730 
eap_aka_determine_identity(struct eap_sm * sm,struct eap_aka_data * data)731 static void eap_aka_determine_identity(struct eap_sm *sm,
732 				       struct eap_aka_data *data)
733 {
734 	char *username;
735 
736 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Identity",
737 			  sm->identity, sm->identity_len);
738 
739 	username = sim_get_username(sm->identity, sm->identity_len);
740 	if (username == NULL) {
741 		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
742 		eap_aka_state(data, NOTIFICATION);
743 		return;
744 	}
745 
746 	if (eap_aka_check_identity_reauth(sm, data, username) > 0) {
747 		os_free(username);
748 		return;
749 	}
750 
751 	if (((data->eap_method == EAP_TYPE_AKA_PRIME &&
752 	      username[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX) ||
753 	     (data->eap_method == EAP_TYPE_AKA &&
754 	      username[0] == EAP_AKA_REAUTH_ID_PREFIX)) &&
755 	    data->identity_round == 1) {
756 		/* Remain in IDENTITY state for another round to request full
757 		 * auth identity since we did not recognize reauth id */
758 		os_free(username);
759 		return;
760 	}
761 
762 	if ((data->eap_method == EAP_TYPE_AKA_PRIME &&
763 	     username[0] == EAP_AKA_PRIME_PSEUDONYM_PREFIX) ||
764 	    (data->eap_method == EAP_TYPE_AKA &&
765 	     username[0] == EAP_AKA_PSEUDONYM_PREFIX)) {
766 		const char *permanent;
767 		wpa_printf(MSG_DEBUG, "EAP-AKA: Pseudonym username '%s'",
768 			   username);
769 		permanent = eap_sim_db_get_permanent(
770 			sm->eap_sim_db_priv, username);
771 		os_free(username);
772 		if (permanent == NULL) {
773 			wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown pseudonym "
774 				   "identity - request permanent identity");
775 			/* Remain in IDENTITY state for another round */
776 			return;
777 		}
778 		os_strlcpy(data->permanent, permanent,
779 			   sizeof(data->permanent));
780 	} else if ((data->eap_method == EAP_TYPE_AKA_PRIME &&
781 		    username[0] == EAP_AKA_PRIME_PERMANENT_PREFIX) ||
782 		   (data->eap_method == EAP_TYPE_AKA &&
783 		    username[0] == EAP_AKA_PERMANENT_PREFIX)) {
784 		wpa_printf(MSG_DEBUG, "EAP-AKA: Permanent username '%s'",
785 			   username);
786 		os_strlcpy(data->permanent, username, sizeof(data->permanent));
787 		os_free(username);
788 	} else {
789 		wpa_printf(MSG_DEBUG, "EAP-AKA: Unrecognized username '%s'",
790 			   username);
791 		os_free(username);
792 		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
793 		eap_aka_state(data, NOTIFICATION);
794 		return;
795 	}
796 
797 	eap_aka_fullauth(sm, data);
798 }
799 
800 
eap_aka_fullauth(struct eap_sm * sm,struct eap_aka_data * data)801 static void eap_aka_fullauth(struct eap_sm *sm, struct eap_aka_data *data)
802 {
803 	size_t identity_len;
804 	int res;
805 
806 	res = eap_sim_db_get_aka_auth(sm->eap_sim_db_priv, data->permanent,
807 				      data->rand, data->autn, data->ik,
808 				      data->ck, data->res, &data->res_len, sm);
809 	if (res == EAP_SIM_DB_PENDING) {
810 		wpa_printf(MSG_DEBUG, "EAP-AKA: AKA authentication data "
811 			   "not yet available - pending request");
812 		sm->method_pending = METHOD_PENDING_WAIT;
813 		return;
814 	}
815 
816 	if (data->permanent[0] == EAP_AKA_PERMANENT_PREFIX ||
817 	    data->permanent[0] == EAP_AKA_PRIME_PERMANENT_PREFIX)
818 		os_strlcpy(sm->imsi, &data->permanent[1], sizeof(sm->imsi));
819 
820 #ifdef EAP_SERVER_AKA_PRIME
821 	if (data->eap_method == EAP_TYPE_AKA_PRIME) {
822 		/* Note: AUTN = (SQN ^ AK) || AMF || MAC which gives us the
823 		 * needed 6-octet SQN ^AK for CK',IK' derivation */
824 		eap_aka_prime_derive_ck_ik_prime(data->ck, data->ik,
825 						 data->autn,
826 						 data->network_name,
827 						 data->network_name_len);
828 	}
829 #endif /* EAP_SERVER_AKA_PRIME */
830 
831 	data->reauth = NULL;
832 	data->counter = 0; /* reset re-auth counter since this is full auth */
833 
834 	if (res != 0) {
835 		wpa_printf(MSG_INFO, "EAP-AKA: Failed to get AKA "
836 			   "authentication data for the peer");
837 		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
838 		eap_aka_state(data, NOTIFICATION);
839 		return;
840 	}
841 	if (sm->method_pending == METHOD_PENDING_WAIT) {
842 		wpa_printf(MSG_DEBUG, "EAP-AKA: AKA authentication data "
843 			   "available - abort pending wait");
844 		sm->method_pending = METHOD_PENDING_NONE;
845 	}
846 
847 	identity_len = sm->identity_len;
848 	while (identity_len > 0 && sm->identity[identity_len - 1] == '\0') {
849 		wpa_printf(MSG_DEBUG, "EAP-AKA: Workaround - drop last null "
850 			   "character from identity");
851 		identity_len--;
852 	}
853 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Identity for MK derivation",
854 			  sm->identity, identity_len);
855 
856 	if (data->eap_method == EAP_TYPE_AKA_PRIME) {
857 		eap_aka_prime_derive_keys(sm->identity, identity_len, data->ik,
858 					  data->ck, data->k_encr, data->k_aut,
859 					  data->k_re, data->msk, data->emsk);
860 	} else {
861 		eap_aka_derive_mk(sm->identity, identity_len, data->ik,
862 				  data->ck, data->mk);
863 		eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut,
864 				    data->msk, data->emsk);
865 	}
866 
867 	eap_aka_state(data, CHALLENGE);
868 }
869 
870 
eap_aka_process_identity(struct eap_sm * sm,struct eap_aka_data * data,struct wpabuf * respData,struct eap_sim_attrs * attr)871 static void eap_aka_process_identity(struct eap_sm *sm,
872 				     struct eap_aka_data *data,
873 				     struct wpabuf *respData,
874 				     struct eap_sim_attrs *attr)
875 {
876 	u8 *new_identity;
877 
878 	wpa_printf(MSG_DEBUG, "EAP-AKA: Processing Identity");
879 
880 	if (attr->mac || attr->iv || attr->encr_data) {
881 		wpa_printf(MSG_WARNING, "EAP-AKA: Unexpected attribute "
882 			   "received in EAP-Response/AKA-Identity");
883 		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
884 		eap_aka_state(data, NOTIFICATION);
885 		return;
886 	}
887 
888 	/*
889 	 * We always request identity with AKA/Identity, so the peer is
890 	 * required to have replied with one.
891 	 */
892 	if (!attr->identity || attr->identity_len == 0) {
893 		wpa_printf(MSG_DEBUG, "EAP-AKA: Peer did not provide any "
894 			   "identity");
895 		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
896 		eap_aka_state(data, NOTIFICATION);
897 		return;
898 	}
899 
900 	new_identity = os_malloc(attr->identity_len);
901 	if (new_identity == NULL) {
902 		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
903 		eap_aka_state(data, NOTIFICATION);
904 		return;
905 	}
906 	os_free(sm->identity);
907 	sm->identity = new_identity;
908 	os_memcpy(sm->identity, attr->identity, attr->identity_len);
909 	sm->identity_len = attr->identity_len;
910 
911 	eap_aka_determine_identity(sm, data);
912 	if (eap_get_id(respData) == data->pending_id) {
913 		data->pending_id = -1;
914 		eap_aka_add_id_msg(data, respData);
915 	}
916 }
917 
918 
eap_aka_verify_mac(struct eap_aka_data * data,const struct wpabuf * req,const u8 * mac,const u8 * extra,size_t extra_len)919 static int eap_aka_verify_mac(struct eap_aka_data *data,
920 			      const struct wpabuf *req,
921 			      const u8 *mac, const u8 *extra,
922 			      size_t extra_len)
923 {
924 	if (data->eap_method == EAP_TYPE_AKA_PRIME)
925 		return eap_sim_verify_mac_sha256(data->k_aut, req, mac, extra,
926 						 extra_len);
927 	return eap_sim_verify_mac(data->k_aut, req, mac, extra, extra_len);
928 }
929 
930 
eap_aka_process_challenge(struct eap_sm * sm,struct eap_aka_data * data,struct wpabuf * respData,struct eap_sim_attrs * attr)931 static void eap_aka_process_challenge(struct eap_sm *sm,
932 				      struct eap_aka_data *data,
933 				      struct wpabuf *respData,
934 				      struct eap_sim_attrs *attr)
935 {
936 	wpa_printf(MSG_DEBUG, "EAP-AKA: Processing Challenge");
937 
938 #ifdef EAP_SERVER_AKA_PRIME
939 #if 0
940 	/* KDF negotiation; to be enabled only after more than one KDF is
941 	 * supported */
942 	if (data->eap_method == EAP_TYPE_AKA_PRIME &&
943 	    attr->kdf_count == 1 && attr->mac == NULL) {
944 		if (attr->kdf[0] != EAP_AKA_PRIME_KDF) {
945 			wpa_printf(MSG_WARNING, "EAP-AKA': Peer selected "
946 				   "unknown KDF");
947 			data->notification =
948 				EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
949 			eap_aka_state(data, NOTIFICATION);
950 			return;
951 		}
952 
953 		data->kdf = attr->kdf[0];
954 
955 		/* Allow negotiation to continue with the selected KDF by
956 		 * sending another Challenge message */
957 		wpa_printf(MSG_DEBUG, "EAP-AKA': KDF %d selected", data->kdf);
958 		return;
959 	}
960 #endif
961 #endif /* EAP_SERVER_AKA_PRIME */
962 
963 	if (attr->checkcode &&
964 	    eap_aka_verify_checkcode(data, attr->checkcode,
965 				     attr->checkcode_len)) {
966 		wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the "
967 			   "message");
968 		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
969 		eap_aka_state(data, NOTIFICATION);
970 		return;
971 	}
972 	if (attr->mac == NULL ||
973 	    eap_aka_verify_mac(data, respData, attr->mac, NULL, 0)) {
974 		wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message "
975 			   "did not include valid AT_MAC");
976 		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
977 		eap_aka_state(data, NOTIFICATION);
978 		return;
979 	}
980 
981 	/*
982 	 * AT_RES is padded, so verify that there is enough room for RES and
983 	 * that the RES length in bits matches with the expected RES.
984 	 */
985 	if (attr->res == NULL || attr->res_len < data->res_len ||
986 	    attr->res_len_bits != data->res_len * 8 ||
987 	    os_memcmp_const(attr->res, data->res, data->res_len) != 0) {
988 		wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message did not "
989 			   "include valid AT_RES (attr len=%lu, res len=%lu "
990 			   "bits, expected %lu bits)",
991 			   (unsigned long) attr->res_len,
992 			   (unsigned long) attr->res_len_bits,
993 			   (unsigned long) data->res_len * 8);
994 		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
995 		eap_aka_state(data, NOTIFICATION);
996 		return;
997 	}
998 
999 	wpa_printf(MSG_DEBUG, "EAP-AKA: Challenge response includes the "
1000 		   "correct AT_MAC");
1001 	if (sm->eap_sim_aka_result_ind && attr->result_ind) {
1002 		data->use_result_ind = 1;
1003 		data->notification = EAP_SIM_SUCCESS;
1004 		eap_aka_state(data, NOTIFICATION);
1005 	} else
1006 		eap_aka_state(data, SUCCESS);
1007 
1008 	if (data->next_pseudonym) {
1009 		eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, data->permanent,
1010 					 data->next_pseudonym);
1011 		data->next_pseudonym = NULL;
1012 	}
1013 	if (data->next_reauth_id) {
1014 		if (data->eap_method == EAP_TYPE_AKA_PRIME) {
1015 #ifdef EAP_SERVER_AKA_PRIME
1016 			eap_sim_db_add_reauth_prime(sm->eap_sim_db_priv,
1017 						    data->permanent,
1018 						    data->next_reauth_id,
1019 						    data->counter + 1,
1020 						    data->k_encr, data->k_aut,
1021 						    data->k_re);
1022 #endif /* EAP_SERVER_AKA_PRIME */
1023 		} else {
1024 			eap_sim_db_add_reauth(sm->eap_sim_db_priv,
1025 					      data->permanent,
1026 					      data->next_reauth_id,
1027 					      data->counter + 1,
1028 					      data->mk);
1029 		}
1030 		data->next_reauth_id = NULL;
1031 	}
1032 }
1033 
1034 
eap_aka_process_sync_failure(struct eap_sm * sm,struct eap_aka_data * data,struct wpabuf * respData,struct eap_sim_attrs * attr)1035 static void eap_aka_process_sync_failure(struct eap_sm *sm,
1036 					 struct eap_aka_data *data,
1037 					 struct wpabuf *respData,
1038 					 struct eap_sim_attrs *attr)
1039 {
1040 	wpa_printf(MSG_DEBUG, "EAP-AKA: Processing Synchronization-Failure");
1041 
1042 	if (attr->auts == NULL) {
1043 		wpa_printf(MSG_WARNING, "EAP-AKA: Synchronization-Failure "
1044 			   "message did not include valid AT_AUTS");
1045 		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1046 		eap_aka_state(data, NOTIFICATION);
1047 		return;
1048 	}
1049 
1050 	/* Avoid re-reporting AUTS when processing pending EAP packet by
1051 	 * maintaining a local flag stating whether this AUTS has already been
1052 	 * reported. */
1053 	if (!data->auts_reported &&
1054 	    eap_sim_db_resynchronize(sm->eap_sim_db_priv, data->permanent,
1055 				     attr->auts, data->rand)) {
1056 		wpa_printf(MSG_WARNING, "EAP-AKA: Resynchronization failed");
1057 		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1058 		eap_aka_state(data, NOTIFICATION);
1059 		return;
1060 	}
1061 	data->auts_reported = 1;
1062 
1063 	/* Remain in CHALLENGE state to re-try after resynchronization */
1064 	eap_aka_fullauth(sm, data);
1065 }
1066 
1067 
eap_aka_process_reauth(struct eap_sm * sm,struct eap_aka_data * data,struct wpabuf * respData,struct eap_sim_attrs * attr)1068 static void eap_aka_process_reauth(struct eap_sm *sm,
1069 				   struct eap_aka_data *data,
1070 				   struct wpabuf *respData,
1071 				   struct eap_sim_attrs *attr)
1072 {
1073 	struct eap_sim_attrs eattr;
1074 	u8 *decrypted = NULL;
1075 
1076 	wpa_printf(MSG_DEBUG, "EAP-AKA: Processing Reauthentication");
1077 
1078 	if (attr->mac == NULL ||
1079 	    eap_aka_verify_mac(data, respData, attr->mac, data->nonce_s,
1080 			       EAP_SIM_NONCE_S_LEN)) {
1081 		wpa_printf(MSG_WARNING, "EAP-AKA: Re-authentication message "
1082 			   "did not include valid AT_MAC");
1083 		goto fail;
1084 	}
1085 
1086 	if (attr->encr_data == NULL || attr->iv == NULL) {
1087 		wpa_printf(MSG_WARNING, "EAP-AKA: Reauthentication "
1088 			   "message did not include encrypted data");
1089 		goto fail;
1090 	}
1091 
1092 	decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,
1093 				       attr->encr_data_len, attr->iv, &eattr,
1094 				       0);
1095 	if (decrypted == NULL) {
1096 		wpa_printf(MSG_WARNING, "EAP-AKA: Failed to parse encrypted "
1097 			   "data from reauthentication message");
1098 		goto fail;
1099 	}
1100 
1101 	if (eattr.counter != data->counter) {
1102 		wpa_printf(MSG_WARNING, "EAP-AKA: Re-authentication message "
1103 			   "used incorrect counter %u, expected %u",
1104 			   eattr.counter, data->counter);
1105 		goto fail;
1106 	}
1107 	os_free(decrypted);
1108 	decrypted = NULL;
1109 
1110 	wpa_printf(MSG_DEBUG, "EAP-AKA: Re-authentication response includes "
1111 		   "the correct AT_MAC");
1112 
1113 	if (eattr.counter_too_small) {
1114 		wpa_printf(MSG_DEBUG, "EAP-AKA: Re-authentication response "
1115 			   "included AT_COUNTER_TOO_SMALL - starting full "
1116 			   "authentication");
1117 		eap_aka_fullauth(sm, data);
1118 		return;
1119 	}
1120 
1121 	if (sm->eap_sim_aka_result_ind && attr->result_ind) {
1122 		data->use_result_ind = 1;
1123 		data->notification = EAP_SIM_SUCCESS;
1124 		eap_aka_state(data, NOTIFICATION);
1125 	} else
1126 		eap_aka_state(data, SUCCESS);
1127 
1128 	if (data->next_reauth_id) {
1129 		if (data->eap_method == EAP_TYPE_AKA_PRIME) {
1130 #ifdef EAP_SERVER_AKA_PRIME
1131 			eap_sim_db_add_reauth_prime(sm->eap_sim_db_priv,
1132 						    data->permanent,
1133 						    data->next_reauth_id,
1134 						    data->counter + 1,
1135 						    data->k_encr, data->k_aut,
1136 						    data->k_re);
1137 #endif /* EAP_SERVER_AKA_PRIME */
1138 		} else {
1139 			eap_sim_db_add_reauth(sm->eap_sim_db_priv,
1140 					      data->permanent,
1141 					      data->next_reauth_id,
1142 					      data->counter + 1,
1143 					      data->mk);
1144 		}
1145 		data->next_reauth_id = NULL;
1146 	} else {
1147 		eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
1148 		data->reauth = NULL;
1149 	}
1150 
1151 	return;
1152 
1153 fail:
1154 	data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1155 	eap_aka_state(data, NOTIFICATION);
1156 	eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
1157 	data->reauth = NULL;
1158 	os_free(decrypted);
1159 }
1160 
1161 
eap_aka_process_client_error(struct eap_sm * sm,struct eap_aka_data * data,struct wpabuf * respData,struct eap_sim_attrs * attr)1162 static void eap_aka_process_client_error(struct eap_sm *sm,
1163 					 struct eap_aka_data *data,
1164 					 struct wpabuf *respData,
1165 					 struct eap_sim_attrs *attr)
1166 {
1167 	wpa_printf(MSG_DEBUG, "EAP-AKA: Client reported error %d",
1168 		   attr->client_error_code);
1169 	if (data->notification == EAP_SIM_SUCCESS && data->use_result_ind)
1170 		eap_aka_state(data, SUCCESS);
1171 	else
1172 		eap_aka_state(data, FAILURE);
1173 }
1174 
1175 
eap_aka_process_authentication_reject(struct eap_sm * sm,struct eap_aka_data * data,struct wpabuf * respData,struct eap_sim_attrs * attr)1176 static void eap_aka_process_authentication_reject(
1177 	struct eap_sm *sm, struct eap_aka_data *data,
1178 	struct wpabuf *respData, struct eap_sim_attrs *attr)
1179 {
1180 	wpa_printf(MSG_DEBUG, "EAP-AKA: Client rejected authentication");
1181 	eap_aka_state(data, FAILURE);
1182 }
1183 
1184 
eap_aka_process_notification(struct eap_sm * sm,struct eap_aka_data * data,struct wpabuf * respData,struct eap_sim_attrs * attr)1185 static void eap_aka_process_notification(struct eap_sm *sm,
1186 					 struct eap_aka_data *data,
1187 					 struct wpabuf *respData,
1188 					 struct eap_sim_attrs *attr)
1189 {
1190 	wpa_printf(MSG_DEBUG, "EAP-AKA: Client replied to notification");
1191 	if (data->notification == EAP_SIM_SUCCESS && data->use_result_ind)
1192 		eap_aka_state(data, SUCCESS);
1193 	else
1194 		eap_aka_state(data, FAILURE);
1195 }
1196 
1197 
eap_aka_process(struct eap_sm * sm,void * priv,struct wpabuf * respData)1198 static void eap_aka_process(struct eap_sm *sm, void *priv,
1199 			    struct wpabuf *respData)
1200 {
1201 	struct eap_aka_data *data = priv;
1202 	const u8 *pos, *end;
1203 	u8 subtype;
1204 	size_t len;
1205 	struct eap_sim_attrs attr;
1206 
1207 	pos = eap_hdr_validate(EAP_VENDOR_IETF, data->eap_method, respData,
1208 			       &len);
1209 	if (pos == NULL || len < 3)
1210 		return;
1211 
1212 	end = pos + len;
1213 	subtype = *pos;
1214 	pos += 3;
1215 
1216 	if (eap_aka_subtype_ok(data, subtype)) {
1217 		wpa_printf(MSG_DEBUG, "EAP-AKA: Unrecognized or unexpected "
1218 			   "EAP-AKA Subtype in EAP Response");
1219 		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1220 		eap_aka_state(data, NOTIFICATION);
1221 		return;
1222 	}
1223 
1224 	if (eap_sim_parse_attr(pos, end, &attr,
1225 			       data->eap_method == EAP_TYPE_AKA_PRIME ? 2 : 1,
1226 			       0)) {
1227 		wpa_printf(MSG_DEBUG, "EAP-AKA: Failed to parse attributes");
1228 		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1229 		eap_aka_state(data, NOTIFICATION);
1230 		return;
1231 	}
1232 
1233 	if (subtype == EAP_AKA_SUBTYPE_CLIENT_ERROR) {
1234 		eap_aka_process_client_error(sm, data, respData, &attr);
1235 		return;
1236 	}
1237 
1238 	if (subtype == EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT) {
1239 		eap_aka_process_authentication_reject(sm, data, respData,
1240 						      &attr);
1241 		return;
1242 	}
1243 
1244 	switch (data->state) {
1245 	case IDENTITY:
1246 		eap_aka_process_identity(sm, data, respData, &attr);
1247 		break;
1248 	case CHALLENGE:
1249 		if (subtype == EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE) {
1250 			eap_aka_process_sync_failure(sm, data, respData,
1251 						     &attr);
1252 		} else {
1253 			eap_aka_process_challenge(sm, data, respData, &attr);
1254 		}
1255 		break;
1256 	case REAUTH:
1257 		eap_aka_process_reauth(sm, data, respData, &attr);
1258 		break;
1259 	case NOTIFICATION:
1260 		eap_aka_process_notification(sm, data, respData, &attr);
1261 		break;
1262 	default:
1263 		wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown state %d in "
1264 			   "process", data->state);
1265 		break;
1266 	}
1267 }
1268 
1269 
eap_aka_isDone(struct eap_sm * sm,void * priv)1270 static Boolean eap_aka_isDone(struct eap_sm *sm, void *priv)
1271 {
1272 	struct eap_aka_data *data = priv;
1273 	return data->state == SUCCESS || data->state == FAILURE;
1274 }
1275 
1276 
eap_aka_getKey(struct eap_sm * sm,void * priv,size_t * len)1277 static u8 * eap_aka_getKey(struct eap_sm *sm, void *priv, size_t *len)
1278 {
1279 	struct eap_aka_data *data = priv;
1280 	u8 *key;
1281 
1282 	if (data->state != SUCCESS)
1283 		return NULL;
1284 
1285 	key = os_memdup(data->msk, EAP_SIM_KEYING_DATA_LEN);
1286 	if (key == NULL)
1287 		return NULL;
1288 	*len = EAP_SIM_KEYING_DATA_LEN;
1289 	return key;
1290 }
1291 
1292 
eap_aka_get_emsk(struct eap_sm * sm,void * priv,size_t * len)1293 static u8 * eap_aka_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
1294 {
1295 	struct eap_aka_data *data = priv;
1296 	u8 *key;
1297 
1298 	if (data->state != SUCCESS)
1299 		return NULL;
1300 
1301 	key = os_memdup(data->emsk, EAP_EMSK_LEN);
1302 	if (key == NULL)
1303 		return NULL;
1304 	*len = EAP_EMSK_LEN;
1305 	return key;
1306 }
1307 
1308 
eap_aka_isSuccess(struct eap_sm * sm,void * priv)1309 static Boolean eap_aka_isSuccess(struct eap_sm *sm, void *priv)
1310 {
1311 	struct eap_aka_data *data = priv;
1312 	return data->state == SUCCESS;
1313 }
1314 
1315 
eap_aka_get_session_id(struct eap_sm * sm,void * priv,size_t * len)1316 static u8 * eap_aka_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
1317 {
1318 	struct eap_aka_data *data = priv;
1319 	u8 *id;
1320 
1321 	if (data->state != SUCCESS)
1322 		return NULL;
1323 
1324 	if (!data->reauth)
1325 		*len = 1 + EAP_AKA_RAND_LEN + EAP_AKA_AUTN_LEN;
1326 	else
1327 		*len = 1 + EAP_SIM_NONCE_S_LEN + EAP_SIM_MAC_LEN;
1328 	id = os_malloc(*len);
1329 	if (id == NULL)
1330 		return NULL;
1331 
1332 	id[0] = data->eap_method;
1333 	if (!data->reauth) {
1334 		os_memcpy(id + 1, data->rand, EAP_AKA_RAND_LEN);
1335 		os_memcpy(id + 1 + EAP_AKA_RAND_LEN, data->autn,
1336 			  EAP_AKA_AUTN_LEN);
1337 	} else {
1338 		os_memcpy(id + 1, data->nonce_s, EAP_SIM_NONCE_S_LEN);
1339 		os_memcpy(id + 1 + EAP_SIM_NONCE_S_LEN, data->reauth_mac,
1340 			  EAP_SIM_MAC_LEN);
1341 	}
1342 	wpa_hexdump(MSG_DEBUG, "EAP-AKA: Derived Session-Id", id, *len);
1343 
1344 	return id;
1345 }
1346 
1347 
eap_server_aka_register(void)1348 int eap_server_aka_register(void)
1349 {
1350 	struct eap_method *eap;
1351 
1352 	eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1353 				      EAP_VENDOR_IETF, EAP_TYPE_AKA, "AKA");
1354 	if (eap == NULL)
1355 		return -1;
1356 
1357 	eap->init = eap_aka_init;
1358 	eap->reset = eap_aka_reset;
1359 	eap->buildReq = eap_aka_buildReq;
1360 	eap->check = eap_aka_check;
1361 	eap->process = eap_aka_process;
1362 	eap->isDone = eap_aka_isDone;
1363 	eap->getKey = eap_aka_getKey;
1364 	eap->isSuccess = eap_aka_isSuccess;
1365 	eap->get_emsk = eap_aka_get_emsk;
1366 	eap->getSessionId = eap_aka_get_session_id;
1367 
1368 	return eap_server_method_register(eap);
1369 }
1370 
1371 
1372 #ifdef EAP_SERVER_AKA_PRIME
eap_server_aka_prime_register(void)1373 int eap_server_aka_prime_register(void)
1374 {
1375 	struct eap_method *eap;
1376 
1377 	eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1378 				      EAP_VENDOR_IETF, EAP_TYPE_AKA_PRIME,
1379 				      "AKA'");
1380 	if (eap == NULL)
1381 		return -1;
1382 
1383 	eap->init = eap_aka_prime_init;
1384 	eap->reset = eap_aka_reset;
1385 	eap->buildReq = eap_aka_buildReq;
1386 	eap->check = eap_aka_check;
1387 	eap->process = eap_aka_process;
1388 	eap->isDone = eap_aka_isDone;
1389 	eap->getKey = eap_aka_getKey;
1390 	eap->isSuccess = eap_aka_isSuccess;
1391 	eap->get_emsk = eap_aka_get_emsk;
1392 	eap->getSessionId = eap_aka_get_session_id;
1393 
1394 	return eap_server_method_register(eap);
1395 }
1396 #endif /* EAP_SERVER_AKA_PRIME */
1397