1 /* 2 * EAP peer method: EAP-AKA (RFC 4187) and EAP-AKA' (draft-arkko-eap-aka-kdf) 3 * Copyright (c) 2004-2008, Jouni Malinen <j (at) w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "pcsc_funcs.h" 19 #include "crypto/crypto.h" 20 #include "crypto/sha1.h" 21 #include "crypto/sha256.h" 22 #include "crypto/milenage.h" 23 #include "eap_common/eap_sim_common.h" 24 #include "eap_config.h" 25 #include "eap_i.h" 26 27 28 struct eap_aka_data { 29 u8 ik[EAP_AKA_IK_LEN], ck[EAP_AKA_CK_LEN], res[EAP_AKA_RES_MAX_LEN]; 30 size_t res_len; 31 u8 nonce_s[EAP_SIM_NONCE_S_LEN]; 32 u8 mk[EAP_SIM_MK_LEN]; 33 u8 k_aut[EAP_AKA_PRIME_K_AUT_LEN]; 34 u8 k_encr[EAP_SIM_K_ENCR_LEN]; 35 u8 k_re[EAP_AKA_PRIME_K_RE_LEN]; /* EAP-AKA' only */ 36 u8 msk[EAP_SIM_KEYING_DATA_LEN]; 37 u8 emsk[EAP_EMSK_LEN]; 38 u8 rand[EAP_AKA_RAND_LEN], autn[EAP_AKA_AUTN_LEN]; 39 u8 auts[EAP_AKA_AUTS_LEN]; 40 41 int num_id_req, num_notification; 42 u8 *pseudonym; 43 size_t pseudonym_len; 44 u8 *reauth_id; 45 size_t reauth_id_len; 46 int reauth; 47 unsigned int counter, counter_too_small; 48 u8 *last_eap_identity; 49 size_t last_eap_identity_len; 50 enum { 51 CONTINUE, RESULT_SUCCESS, RESULT_FAILURE, SUCCESS, FAILURE 52 } state; 53 54 struct wpabuf *id_msgs; 55 int prev_id; 56 int result_ind, use_result_ind; 57 u8 eap_method; 58 u8 *network_name; 59 size_t network_name_len; 60 u16 kdf; 61 int kdf_negotiation; 62 }; 63 64 65 #ifndef CONFIG_NO_STDOUT_DEBUG 66 static const char * eap_aka_state_txt(int state) 67 { 68 switch (state) { 69 case CONTINUE: 70 return "CONTINUE"; 71 case RESULT_SUCCESS: 72 return "RESULT_SUCCESS"; 73 case RESULT_FAILURE: 74 return "RESULT_FAILURE"; 75 case SUCCESS: 76 return "SUCCESS"; 77 case FAILURE: 78 return "FAILURE"; 79 default: 80 return "?"; 81 } 82 } 83 #endif /* CONFIG_NO_STDOUT_DEBUG */ 84 85 86 static void eap_aka_state(struct eap_aka_data *data, int state) 87 { 88 wpa_printf(MSG_DEBUG, "EAP-AKA: %s -> %s", 89 eap_aka_state_txt(data->state), 90 eap_aka_state_txt(state)); 91 data->state = state; 92 } 93 94 95 static void * eap_aka_init(struct eap_sm *sm) 96 { 97 struct eap_aka_data *data; 98 const char *phase1 = eap_get_config_phase1(sm); 99 100 data = os_zalloc(sizeof(*data)); 101 if (data == NULL) 102 return NULL; 103 104 data->eap_method = EAP_TYPE_AKA; 105 106 eap_aka_state(data, CONTINUE); 107 data->prev_id = -1; 108 109 data->result_ind = phase1 && os_strstr(phase1, "result_ind=1") != NULL; 110 111 return data; 112 } 113 114 115 #ifdef EAP_AKA_PRIME 116 static void * eap_aka_prime_init(struct eap_sm *sm) 117 { 118 struct eap_aka_data *data = eap_aka_init(sm); 119 if (data == NULL) 120 return NULL; 121 data->eap_method = EAP_TYPE_AKA_PRIME; 122 return data; 123 } 124 #endif /* EAP_AKA_PRIME */ 125 126 127 static void eap_aka_deinit(struct eap_sm *sm, void *priv) 128 { 129 struct eap_aka_data *data = priv; 130 if (data) { 131 os_free(data->pseudonym); 132 os_free(data->reauth_id); 133 os_free(data->last_eap_identity); 134 wpabuf_free(data->id_msgs); 135 os_free(data->network_name); 136 os_free(data); 137 } 138 } 139 140 141 static int eap_aka_umts_auth(struct eap_sm *sm, struct eap_aka_data *data) 142 { 143 struct eap_peer_config *conf; 144 145 wpa_printf(MSG_DEBUG, "EAP-AKA: UMTS authentication algorithm"); 146 147 conf = eap_get_config(sm); 148 if (conf == NULL) 149 return -1; 150 if (conf->pcsc) { 151 return scard_umts_auth(sm->scard_ctx, data->rand, 152 data->autn, data->res, &data->res_len, 153 data->ik, data->ck, data->auts); 154 } 155 156 #ifdef CONFIG_USIM_SIMULATOR 157 if (conf->password) { 158 u8 opc[16], k[16], sqn[6]; 159 const char *pos; 160 wpa_printf(MSG_DEBUG, "EAP-AKA: Use internal Milenage " 161 "implementation for UMTS authentication"); 162 if (conf->password_len < 78) { 163 wpa_printf(MSG_DEBUG, "EAP-AKA: invalid Milenage " 164 "password"); 165 return -1; 166 } 167 pos = (const char *) conf->password; 168 if (hexstr2bin(pos, k, 16)) 169 return -1; 170 pos += 32; 171 if (*pos != ':') 172 return -1; 173 pos++; 174 175 if (hexstr2bin(pos, opc, 16)) 176 return -1; 177 pos += 32; 178 if (*pos != ':') 179 return -1; 180 pos++; 181 182 if (hexstr2bin(pos, sqn, 6)) 183 return -1; 184 185 return milenage_check(opc, k, sqn, data->rand, data->autn, 186 data->ik, data->ck, 187 data->res, &data->res_len, data->auts); 188 } 189 #endif /* CONFIG_USIM_SIMULATOR */ 190 191 #ifdef CONFIG_USIM_HARDCODED 192 wpa_printf(MSG_DEBUG, "EAP-AKA: Use hardcoded Kc and SRES values for " 193 "testing"); 194 195 /* These hardcoded Kc and SRES values are used for testing. 196 * Could consider making them configurable. */ 197 os_memset(data->res, '2', EAP_AKA_RES_MAX_LEN); 198 data->res_len = EAP_AKA_RES_MAX_LEN; 199 os_memset(data->ik, '3', EAP_AKA_IK_LEN); 200 os_memset(data->ck, '4', EAP_AKA_CK_LEN); 201 { 202 u8 autn[EAP_AKA_AUTN_LEN]; 203 os_memset(autn, '1', EAP_AKA_AUTN_LEN); 204 if (os_memcmp(autn, data->autn, EAP_AKA_AUTN_LEN) != 0) { 205 wpa_printf(MSG_WARNING, "EAP-AKA: AUTN did not match " 206 "with expected value"); 207 return -1; 208 } 209 } 210 #if 0 211 { 212 static int test_resync = 1; 213 if (test_resync) { 214 /* Test Resynchronization */ 215 test_resync = 0; 216 return -2; 217 } 218 } 219 #endif 220 return 0; 221 222 #else /* CONFIG_USIM_HARDCODED */ 223 224 wpa_printf(MSG_DEBUG, "EAP-AKA: No UMTS authentication algorith " 225 "enabled"); 226 return -1; 227 228 #endif /* CONFIG_USIM_HARDCODED */ 229 } 230 231 232 #define CLEAR_PSEUDONYM 0x01 233 #define CLEAR_REAUTH_ID 0x02 234 #define CLEAR_EAP_ID 0x04 235 236 static void eap_aka_clear_identities(struct eap_aka_data *data, int id) 237 { 238 wpa_printf(MSG_DEBUG, "EAP-AKA: forgetting old%s%s%s", 239 id & CLEAR_PSEUDONYM ? " pseudonym" : "", 240 id & CLEAR_REAUTH_ID ? " reauth_id" : "", 241 id & CLEAR_EAP_ID ? " eap_id" : ""); 242 if (id & CLEAR_PSEUDONYM) { 243 os_free(data->pseudonym); 244 data->pseudonym = NULL; 245 data->pseudonym_len = 0; 246 } 247 if (id & CLEAR_REAUTH_ID) { 248 os_free(data->reauth_id); 249 data->reauth_id = NULL; 250 data->reauth_id_len = 0; 251 } 252 if (id & CLEAR_EAP_ID) { 253 os_free(data->last_eap_identity); 254 data->last_eap_identity = NULL; 255 data->last_eap_identity_len = 0; 256 } 257 } 258 259 260 static int eap_aka_learn_ids(struct eap_aka_data *data, 261 struct eap_sim_attrs *attr) 262 { 263 if (attr->next_pseudonym) { 264 os_free(data->pseudonym); 265 data->pseudonym = os_malloc(attr->next_pseudonym_len); 266 if (data->pseudonym == NULL) { 267 wpa_printf(MSG_INFO, "EAP-AKA: (encr) No memory for " 268 "next pseudonym"); 269 return -1; 270 } 271 os_memcpy(data->pseudonym, attr->next_pseudonym, 272 attr->next_pseudonym_len); 273 data->pseudonym_len = attr->next_pseudonym_len; 274 wpa_hexdump_ascii(MSG_DEBUG, 275 "EAP-AKA: (encr) AT_NEXT_PSEUDONYM", 276 data->pseudonym, 277 data->pseudonym_len); 278 } 279 280 if (attr->next_reauth_id) { 281 os_free(data->reauth_id); 282 data->reauth_id = os_malloc(attr->next_reauth_id_len); 283 if (data->reauth_id == NULL) { 284 wpa_printf(MSG_INFO, "EAP-AKA: (encr) No memory for " 285 "next reauth_id"); 286 return -1; 287 } 288 os_memcpy(data->reauth_id, attr->next_reauth_id, 289 attr->next_reauth_id_len); 290 data->reauth_id_len = attr->next_reauth_id_len; 291 wpa_hexdump_ascii(MSG_DEBUG, 292 "EAP-AKA: (encr) AT_NEXT_REAUTH_ID", 293 data->reauth_id, 294 data->reauth_id_len); 295 } 296 297 return 0; 298 } 299 300 301 static int eap_aka_add_id_msg(struct eap_aka_data *data, 302 const struct wpabuf *msg) 303 { 304 if (msg == NULL) 305 return -1; 306 307 if (data->id_msgs == NULL) { 308 data->id_msgs = wpabuf_dup(msg); 309 return data->id_msgs == NULL ? -1 : 0; 310 } 311 312 if (wpabuf_resize(&data->id_msgs, wpabuf_len(msg)) < 0) 313 return -1; 314 wpabuf_put_buf(data->id_msgs, msg); 315 316 return 0; 317 } 318 319 320 static void eap_aka_add_checkcode(struct eap_aka_data *data, 321 struct eap_sim_msg *msg) 322 { 323 const u8 *addr; 324 size_t len; 325 u8 hash[SHA256_MAC_LEN]; 326 327 wpa_printf(MSG_DEBUG, " AT_CHECKCODE"); 328 329 if (data->id_msgs == NULL) { 330 /* 331 * No EAP-AKA/Identity packets were exchanged - send empty 332 * checkcode. 333 */ 334 eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, NULL, 0); 335 return; 336 } 337 338 /* Checkcode is SHA1/SHA256 hash over all EAP-AKA/Identity packets. */ 339 addr = wpabuf_head(data->id_msgs); 340 len = wpabuf_len(data->id_msgs); 341 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA: AT_CHECKCODE data", addr, len); 342 #ifdef EAP_AKA_PRIME 343 if (data->eap_method == EAP_TYPE_AKA_PRIME) 344 sha256_vector(1, &addr, &len, hash); 345 else 346 #endif /* EAP_AKA_PRIME */ 347 sha1_vector(1, &addr, &len, hash); 348 349 eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, hash, 350 data->eap_method == EAP_TYPE_AKA_PRIME ? 351 EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN); 352 } 353 354 355 static int eap_aka_verify_checkcode(struct eap_aka_data *data, 356 const u8 *checkcode, size_t checkcode_len) 357 { 358 const u8 *addr; 359 size_t len; 360 u8 hash[SHA256_MAC_LEN]; 361 size_t hash_len; 362 363 if (checkcode == NULL) 364 return -1; 365 366 if (data->id_msgs == NULL) { 367 if (checkcode_len != 0) { 368 wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from server " 369 "indicates that AKA/Identity messages were " 370 "used, but they were not"); 371 return -1; 372 } 373 return 0; 374 } 375 376 hash_len = data->eap_method == EAP_TYPE_AKA_PRIME ? 377 EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN; 378 379 if (checkcode_len != hash_len) { 380 wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from server " 381 "indicates that AKA/Identity message were not " 382 "used, but they were"); 383 return -1; 384 } 385 386 /* Checkcode is SHA1/SHA256 hash over all EAP-AKA/Identity packets. */ 387 addr = wpabuf_head(data->id_msgs); 388 len = wpabuf_len(data->id_msgs); 389 #ifdef EAP_AKA_PRIME 390 if (data->eap_method == EAP_TYPE_AKA_PRIME) 391 sha256_vector(1, &addr, &len, hash); 392 else 393 #endif /* EAP_AKA_PRIME */ 394 sha1_vector(1, &addr, &len, hash); 395 396 if (os_memcmp(hash, checkcode, hash_len) != 0) { 397 wpa_printf(MSG_DEBUG, "EAP-AKA: Mismatch in AT_CHECKCODE"); 398 return -1; 399 } 400 401 return 0; 402 } 403 404 405 static struct wpabuf * eap_aka_client_error(struct eap_aka_data *data, u8 id, 406 int err) 407 { 408 struct eap_sim_msg *msg; 409 410 eap_aka_state(data, FAILURE); 411 data->num_id_req = 0; 412 data->num_notification = 0; 413 414 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 415 EAP_AKA_SUBTYPE_CLIENT_ERROR); 416 eap_sim_msg_add(msg, EAP_SIM_AT_CLIENT_ERROR_CODE, err, NULL, 0); 417 return eap_sim_msg_finish(msg, NULL, NULL, 0); 418 } 419 420 421 static struct wpabuf * eap_aka_authentication_reject(struct eap_aka_data *data, 422 u8 id) 423 { 424 struct eap_sim_msg *msg; 425 426 eap_aka_state(data, FAILURE); 427 data->num_id_req = 0; 428 data->num_notification = 0; 429 430 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Authentication-Reject " 431 "(id=%d)", id); 432 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 433 EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT); 434 return eap_sim_msg_finish(msg, NULL, NULL, 0); 435 } 436 437 438 static struct wpabuf * eap_aka_synchronization_failure( 439 struct eap_aka_data *data, u8 id) 440 { 441 struct eap_sim_msg *msg; 442 443 data->num_id_req = 0; 444 data->num_notification = 0; 445 446 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Synchronization-Failure " 447 "(id=%d)", id); 448 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 449 EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE); 450 wpa_printf(MSG_DEBUG, " AT_AUTS"); 451 eap_sim_msg_add_full(msg, EAP_SIM_AT_AUTS, data->auts, 452 EAP_AKA_AUTS_LEN); 453 return eap_sim_msg_finish(msg, NULL, NULL, 0); 454 } 455 456 457 static struct wpabuf * eap_aka_response_identity(struct eap_sm *sm, 458 struct eap_aka_data *data, 459 u8 id, 460 enum eap_sim_id_req id_req) 461 { 462 const u8 *identity = NULL; 463 size_t identity_len = 0; 464 struct eap_sim_msg *msg; 465 466 data->reauth = 0; 467 if (id_req == ANY_ID && data->reauth_id) { 468 identity = data->reauth_id; 469 identity_len = data->reauth_id_len; 470 data->reauth = 1; 471 } else if ((id_req == ANY_ID || id_req == FULLAUTH_ID) && 472 data->pseudonym) { 473 identity = data->pseudonym; 474 identity_len = data->pseudonym_len; 475 eap_aka_clear_identities(data, CLEAR_REAUTH_ID); 476 } else if (id_req != NO_ID_REQ) { 477 identity = eap_get_config_identity(sm, &identity_len); 478 if (identity) { 479 eap_aka_clear_identities(data, CLEAR_PSEUDONYM | 480 CLEAR_REAUTH_ID); 481 } 482 } 483 if (id_req != NO_ID_REQ) 484 eap_aka_clear_identities(data, CLEAR_EAP_ID); 485 486 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Identity (id=%d)", id); 487 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 488 EAP_AKA_SUBTYPE_IDENTITY); 489 490 if (identity) { 491 wpa_hexdump_ascii(MSG_DEBUG, " AT_IDENTITY", 492 identity, identity_len); 493 eap_sim_msg_add(msg, EAP_SIM_AT_IDENTITY, identity_len, 494 identity, identity_len); 495 } 496 497 return eap_sim_msg_finish(msg, NULL, NULL, 0); 498 } 499 500 501 static struct wpabuf * eap_aka_response_challenge(struct eap_aka_data *data, 502 u8 id) 503 { 504 struct eap_sim_msg *msg; 505 506 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Challenge (id=%d)", id); 507 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 508 EAP_AKA_SUBTYPE_CHALLENGE); 509 wpa_printf(MSG_DEBUG, " AT_RES"); 510 eap_sim_msg_add(msg, EAP_SIM_AT_RES, data->res_len * 8, 511 data->res, data->res_len); 512 eap_aka_add_checkcode(data, msg); 513 if (data->use_result_ind) { 514 wpa_printf(MSG_DEBUG, " AT_RESULT_IND"); 515 eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0); 516 } 517 wpa_printf(MSG_DEBUG, " AT_MAC"); 518 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC); 519 return eap_sim_msg_finish(msg, data->k_aut, (u8 *) "", 0); 520 } 521 522 523 static struct wpabuf * eap_aka_response_reauth(struct eap_aka_data *data, 524 u8 id, int counter_too_small, 525 const u8 *nonce_s) 526 { 527 struct eap_sim_msg *msg; 528 unsigned int counter; 529 530 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Reauthentication (id=%d)", 531 id); 532 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 533 EAP_AKA_SUBTYPE_REAUTHENTICATION); 534 wpa_printf(MSG_DEBUG, " AT_IV"); 535 wpa_printf(MSG_DEBUG, " AT_ENCR_DATA"); 536 eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV, EAP_SIM_AT_ENCR_DATA); 537 538 if (counter_too_small) { 539 wpa_printf(MSG_DEBUG, " *AT_COUNTER_TOO_SMALL"); 540 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER_TOO_SMALL, 0, NULL, 0); 541 counter = data->counter_too_small; 542 } else 543 counter = data->counter; 544 545 wpa_printf(MSG_DEBUG, " *AT_COUNTER %d", counter); 546 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, counter, NULL, 0); 547 548 if (eap_sim_msg_add_encr_end(msg, data->k_encr, EAP_SIM_AT_PADDING)) { 549 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to encrypt " 550 "AT_ENCR_DATA"); 551 eap_sim_msg_free(msg); 552 return NULL; 553 } 554 eap_aka_add_checkcode(data, msg); 555 if (data->use_result_ind) { 556 wpa_printf(MSG_DEBUG, " AT_RESULT_IND"); 557 eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0); 558 } 559 wpa_printf(MSG_DEBUG, " AT_MAC"); 560 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC); 561 return eap_sim_msg_finish(msg, data->k_aut, nonce_s, 562 EAP_SIM_NONCE_S_LEN); 563 } 564 565 566 static struct wpabuf * eap_aka_response_notification(struct eap_aka_data *data, 567 u8 id, u16 notification) 568 { 569 struct eap_sim_msg *msg; 570 u8 *k_aut = (notification & 0x4000) == 0 ? data->k_aut : NULL; 571 572 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Notification (id=%d)", id); 573 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 574 EAP_AKA_SUBTYPE_NOTIFICATION); 575 if (k_aut && data->reauth) { 576 wpa_printf(MSG_DEBUG, " AT_IV"); 577 wpa_printf(MSG_DEBUG, " AT_ENCR_DATA"); 578 eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV, 579 EAP_SIM_AT_ENCR_DATA); 580 wpa_printf(MSG_DEBUG, " *AT_COUNTER %d", data->counter); 581 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, data->counter, 582 NULL, 0); 583 if (eap_sim_msg_add_encr_end(msg, data->k_encr, 584 EAP_SIM_AT_PADDING)) { 585 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to encrypt " 586 "AT_ENCR_DATA"); 587 eap_sim_msg_free(msg); 588 return NULL; 589 } 590 } 591 if (k_aut) { 592 wpa_printf(MSG_DEBUG, " AT_MAC"); 593 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC); 594 } 595 return eap_sim_msg_finish(msg, k_aut, (u8 *) "", 0); 596 } 597 598 599 static struct wpabuf * eap_aka_process_identity(struct eap_sm *sm, 600 struct eap_aka_data *data, 601 u8 id, 602 const struct wpabuf *reqData, 603 struct eap_sim_attrs *attr) 604 { 605 int id_error; 606 struct wpabuf *buf; 607 608 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Identity"); 609 610 id_error = 0; 611 switch (attr->id_req) { 612 case NO_ID_REQ: 613 break; 614 case ANY_ID: 615 if (data->num_id_req > 0) 616 id_error++; 617 data->num_id_req++; 618 break; 619 case FULLAUTH_ID: 620 if (data->num_id_req > 1) 621 id_error++; 622 data->num_id_req++; 623 break; 624 case PERMANENT_ID: 625 if (data->num_id_req > 2) 626 id_error++; 627 data->num_id_req++; 628 break; 629 } 630 if (id_error) { 631 wpa_printf(MSG_INFO, "EAP-AKA: Too many ID requests " 632 "used within one authentication"); 633 return eap_aka_client_error(data, id, 634 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 635 } 636 637 buf = eap_aka_response_identity(sm, data, id, attr->id_req); 638 639 if (data->prev_id != id) { 640 eap_aka_add_id_msg(data, reqData); 641 eap_aka_add_id_msg(data, buf); 642 data->prev_id = id; 643 } 644 645 return buf; 646 } 647 648 649 static int eap_aka_verify_mac(struct eap_aka_data *data, 650 const struct wpabuf *req, 651 const u8 *mac, const u8 *extra, 652 size_t extra_len) 653 { 654 if (data->eap_method == EAP_TYPE_AKA_PRIME) 655 return eap_sim_verify_mac_sha256(data->k_aut, req, mac, extra, 656 extra_len); 657 return eap_sim_verify_mac(data->k_aut, req, mac, extra, extra_len); 658 } 659 660 661 #ifdef EAP_AKA_PRIME 662 static struct wpabuf * eap_aka_prime_kdf_select(struct eap_aka_data *data, 663 u8 id, u16 kdf) 664 { 665 struct eap_sim_msg *msg; 666 667 data->kdf_negotiation = 1; 668 data->kdf = kdf; 669 wpa_printf(MSG_DEBUG, "Generating EAP-AKA Challenge (id=%d) (KDF " 670 "select)", id); 671 msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method, 672 EAP_AKA_SUBTYPE_CHALLENGE); 673 wpa_printf(MSG_DEBUG, " AT_KDF"); 674 eap_sim_msg_add(msg, EAP_SIM_AT_KDF, kdf, NULL, 0); 675 return eap_sim_msg_finish(msg, NULL, NULL, 0); 676 } 677 678 679 static struct wpabuf * eap_aka_prime_kdf_neg(struct eap_aka_data *data, 680 u8 id, struct eap_sim_attrs *attr) 681 { 682 size_t i; 683 684 for (i = 0; i < attr->kdf_count; i++) { 685 if (attr->kdf[i] == EAP_AKA_PRIME_KDF) 686 return eap_aka_prime_kdf_select(data, id, 687 EAP_AKA_PRIME_KDF); 688 } 689 690 /* No matching KDF found - fail authentication as if AUTN had been 691 * incorrect */ 692 return eap_aka_authentication_reject(data, id); 693 } 694 695 696 static int eap_aka_prime_kdf_valid(struct eap_aka_data *data, 697 struct eap_sim_attrs *attr) 698 { 699 size_t i, j; 700 701 if (attr->kdf_count == 0) 702 return 0; 703 704 /* The only allowed (and required) duplication of a KDF is the addition 705 * of the selected KDF into the beginning of the list. */ 706 707 if (data->kdf_negotiation) { 708 if (attr->kdf[0] != data->kdf) { 709 wpa_printf(MSG_WARNING, "EAP-AKA': The server did not " 710 "accept the selected KDF"); 711 return 0; 712 } 713 714 for (i = 1; i < attr->kdf_count; i++) { 715 if (attr->kdf[i] == data->kdf) 716 break; 717 } 718 if (i == attr->kdf_count && 719 attr->kdf_count < EAP_AKA_PRIME_KDF_MAX) { 720 wpa_printf(MSG_WARNING, "EAP-AKA': The server did not " 721 "duplicate the selected KDF"); 722 return 0; 723 } 724 725 /* TODO: should check that the list is identical to the one 726 * used in the previous Challenge message apart from the added 727 * entry in the beginning. */ 728 } 729 730 for (i = data->kdf ? 1 : 0; i < attr->kdf_count; i++) { 731 for (j = i + 1; j < attr->kdf_count; j++) { 732 if (attr->kdf[i] == attr->kdf[j]) { 733 wpa_printf(MSG_WARNING, "EAP-AKA': The server " 734 "included a duplicated KDF"); 735 return 0; 736 } 737 } 738 } 739 740 return 1; 741 } 742 #endif /* EAP_AKA_PRIME */ 743 744 745 static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm, 746 struct eap_aka_data *data, 747 u8 id, 748 const struct wpabuf *reqData, 749 struct eap_sim_attrs *attr) 750 { 751 const u8 *identity; 752 size_t identity_len; 753 int res; 754 struct eap_sim_attrs eattr; 755 756 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Challenge"); 757 758 if (attr->checkcode && 759 eap_aka_verify_checkcode(data, attr->checkcode, 760 attr->checkcode_len)) { 761 wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the " 762 "message"); 763 return eap_aka_client_error(data, id, 764 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 765 } 766 767 #ifdef EAP_AKA_PRIME 768 if (data->eap_method == EAP_TYPE_AKA_PRIME) { 769 if (!attr->kdf_input || attr->kdf_input_len == 0) { 770 wpa_printf(MSG_WARNING, "EAP-AKA': Challenge message " 771 "did not include non-empty AT_KDF_INPUT"); 772 /* Fail authentication as if AUTN had been incorrect */ 773 return eap_aka_authentication_reject(data, id); 774 } 775 os_free(data->network_name); 776 data->network_name = os_malloc(attr->kdf_input_len); 777 if (data->network_name == NULL) { 778 wpa_printf(MSG_WARNING, "EAP-AKA': No memory for " 779 "storing Network Name"); 780 return eap_aka_authentication_reject(data, id); 781 } 782 os_memcpy(data->network_name, attr->kdf_input, 783 attr->kdf_input_len); 784 data->network_name_len = attr->kdf_input_len; 785 wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA': Network Name " 786 "(AT_KDF_INPUT)", 787 data->network_name, data->network_name_len); 788 /* TODO: check Network Name per 3GPP.33.402 */ 789 790 if (!eap_aka_prime_kdf_valid(data, attr)) 791 return eap_aka_authentication_reject(data, id); 792 793 if (attr->kdf[0] != EAP_AKA_PRIME_KDF) 794 return eap_aka_prime_kdf_neg(data, id, attr); 795 796 data->kdf = EAP_AKA_PRIME_KDF; 797 wpa_printf(MSG_DEBUG, "EAP-AKA': KDF %d selected", data->kdf); 798 } 799 800 if (data->eap_method == EAP_TYPE_AKA && attr->bidding) { 801 u16 flags = WPA_GET_BE16(attr->bidding); 802 if ((flags & EAP_AKA_BIDDING_FLAG_D) && 803 eap_allowed_method(sm, EAP_VENDOR_IETF, 804 EAP_TYPE_AKA_PRIME)) { 805 wpa_printf(MSG_WARNING, "EAP-AKA: Bidding down from " 806 "AKA' to AKA detected"); 807 /* Fail authentication as if AUTN had been incorrect */ 808 return eap_aka_authentication_reject(data, id); 809 } 810 } 811 #endif /* EAP_AKA_PRIME */ 812 813 data->reauth = 0; 814 if (!attr->mac || !attr->rand || !attr->autn) { 815 wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message " 816 "did not include%s%s%s", 817 !attr->mac ? " AT_MAC" : "", 818 !attr->rand ? " AT_RAND" : "", 819 !attr->autn ? " AT_AUTN" : ""); 820 return eap_aka_client_error(data, id, 821 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 822 } 823 os_memcpy(data->rand, attr->rand, EAP_AKA_RAND_LEN); 824 os_memcpy(data->autn, attr->autn, EAP_AKA_AUTN_LEN); 825 826 res = eap_aka_umts_auth(sm, data); 827 if (res == -1) { 828 wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication " 829 "failed (AUTN)"); 830 return eap_aka_authentication_reject(data, id); 831 } else if (res == -2) { 832 wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication " 833 "failed (AUTN seq# -> AUTS)"); 834 return eap_aka_synchronization_failure(data, id); 835 } else if (res) { 836 wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication failed"); 837 return eap_aka_client_error(data, id, 838 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 839 } 840 #ifdef EAP_AKA_PRIME 841 if (data->eap_method == EAP_TYPE_AKA_PRIME) { 842 /* Note: AUTN = (SQN ^ AK) || AMF || MAC which gives us the 843 * needed 6-octet SQN ^ AK for CK',IK' derivation */ 844 u16 amf = WPA_GET_BE16(data->autn + 6); 845 if (!(amf & 0x8000)) { 846 wpa_printf(MSG_WARNING, "EAP-AKA': AMF separation bit " 847 "not set (AMF=0x%4x)", amf); 848 return eap_aka_authentication_reject(data, id); 849 } 850 eap_aka_prime_derive_ck_ik_prime(data->ck, data->ik, 851 data->autn, 852 data->network_name, 853 data->network_name_len); 854 } 855 #endif /* EAP_AKA_PRIME */ 856 if (data->last_eap_identity) { 857 identity = data->last_eap_identity; 858 identity_len = data->last_eap_identity_len; 859 } else if (data->pseudonym) { 860 identity = data->pseudonym; 861 identity_len = data->pseudonym_len; 862 } else 863 identity = eap_get_config_identity(sm, &identity_len); 864 wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Selected identity for MK " 865 "derivation", identity, identity_len); 866 if (data->eap_method == EAP_TYPE_AKA_PRIME) { 867 eap_aka_prime_derive_keys(identity, identity_len, data->ik, 868 data->ck, data->k_encr, data->k_aut, 869 data->k_re, data->msk, data->emsk); 870 } else { 871 eap_aka_derive_mk(identity, identity_len, data->ik, data->ck, 872 data->mk); 873 eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut, 874 data->msk, data->emsk); 875 } 876 if (eap_aka_verify_mac(data, reqData, attr->mac, (u8 *) "", 0)) { 877 wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message " 878 "used invalid AT_MAC"); 879 return eap_aka_client_error(data, id, 880 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 881 } 882 883 /* Old reauthentication and pseudonym identities must not be used 884 * anymore. In other words, if no new identities are received, full 885 * authentication will be used on next reauthentication. */ 886 eap_aka_clear_identities(data, CLEAR_PSEUDONYM | CLEAR_REAUTH_ID | 887 CLEAR_EAP_ID); 888 889 if (attr->encr_data) { 890 u8 *decrypted; 891 decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data, 892 attr->encr_data_len, attr->iv, 893 &eattr, 0); 894 if (decrypted == NULL) { 895 return eap_aka_client_error( 896 data, id, EAP_AKA_UNABLE_TO_PROCESS_PACKET); 897 } 898 eap_aka_learn_ids(data, &eattr); 899 os_free(decrypted); 900 } 901 902 if (data->result_ind && attr->result_ind) 903 data->use_result_ind = 1; 904 905 if (data->state != FAILURE && data->state != RESULT_FAILURE) { 906 eap_aka_state(data, data->use_result_ind ? 907 RESULT_SUCCESS : SUCCESS); 908 } 909 910 data->num_id_req = 0; 911 data->num_notification = 0; 912 /* RFC 4187 specifies that counter is initialized to one after 913 * fullauth, but initializing it to zero makes it easier to implement 914 * reauth verification. */ 915 data->counter = 0; 916 return eap_aka_response_challenge(data, id); 917 } 918 919 920 static int eap_aka_process_notification_reauth(struct eap_aka_data *data, 921 struct eap_sim_attrs *attr) 922 { 923 struct eap_sim_attrs eattr; 924 u8 *decrypted; 925 926 if (attr->encr_data == NULL || attr->iv == NULL) { 927 wpa_printf(MSG_WARNING, "EAP-AKA: Notification message after " 928 "reauth did not include encrypted data"); 929 return -1; 930 } 931 932 decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data, 933 attr->encr_data_len, attr->iv, &eattr, 934 0); 935 if (decrypted == NULL) { 936 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to parse encrypted " 937 "data from notification message"); 938 return -1; 939 } 940 941 if (eattr.counter < 0 || (size_t) eattr.counter != data->counter) { 942 wpa_printf(MSG_WARNING, "EAP-AKA: Counter in notification " 943 "message does not match with counter in reauth " 944 "message"); 945 os_free(decrypted); 946 return -1; 947 } 948 949 os_free(decrypted); 950 return 0; 951 } 952 953 954 static int eap_aka_process_notification_auth(struct eap_aka_data *data, 955 const struct wpabuf *reqData, 956 struct eap_sim_attrs *attr) 957 { 958 if (attr->mac == NULL) { 959 wpa_printf(MSG_INFO, "EAP-AKA: no AT_MAC in after_auth " 960 "Notification message"); 961 return -1; 962 } 963 964 if (eap_aka_verify_mac(data, reqData, attr->mac, (u8 *) "", 0)) { 965 wpa_printf(MSG_WARNING, "EAP-AKA: Notification message " 966 "used invalid AT_MAC"); 967 return -1; 968 } 969 970 if (data->reauth && 971 eap_aka_process_notification_reauth(data, attr)) { 972 wpa_printf(MSG_WARNING, "EAP-AKA: Invalid notification " 973 "message after reauth"); 974 return -1; 975 } 976 977 return 0; 978 } 979 980 981 static struct wpabuf * eap_aka_process_notification( 982 struct eap_sm *sm, struct eap_aka_data *data, u8 id, 983 const struct wpabuf *reqData, struct eap_sim_attrs *attr) 984 { 985 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Notification"); 986 if (data->num_notification > 0) { 987 wpa_printf(MSG_INFO, "EAP-AKA: too many notification " 988 "rounds (only one allowed)"); 989 return eap_aka_client_error(data, id, 990 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 991 } 992 data->num_notification++; 993 if (attr->notification == -1) { 994 wpa_printf(MSG_INFO, "EAP-AKA: no AT_NOTIFICATION in " 995 "Notification message"); 996 return eap_aka_client_error(data, id, 997 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 998 } 999 1000 if ((attr->notification & 0x4000) == 0 && 1001 eap_aka_process_notification_auth(data, reqData, attr)) { 1002 return eap_aka_client_error(data, id, 1003 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1004 } 1005 1006 eap_sim_report_notification(sm->msg_ctx, attr->notification, 1); 1007 if (attr->notification >= 0 && attr->notification < 32768) { 1008 eap_aka_state(data, FAILURE); 1009 } else if (attr->notification == EAP_SIM_SUCCESS && 1010 data->state == RESULT_SUCCESS) 1011 eap_aka_state(data, SUCCESS); 1012 return eap_aka_response_notification(data, id, attr->notification); 1013 } 1014 1015 1016 static struct wpabuf * eap_aka_process_reauthentication( 1017 struct eap_sm *sm, struct eap_aka_data *data, u8 id, 1018 const struct wpabuf *reqData, struct eap_sim_attrs *attr) 1019 { 1020 struct eap_sim_attrs eattr; 1021 u8 *decrypted; 1022 1023 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Reauthentication"); 1024 1025 if (attr->checkcode && 1026 eap_aka_verify_checkcode(data, attr->checkcode, 1027 attr->checkcode_len)) { 1028 wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the " 1029 "message"); 1030 return eap_aka_client_error(data, id, 1031 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1032 } 1033 1034 if (data->reauth_id == NULL) { 1035 wpa_printf(MSG_WARNING, "EAP-AKA: Server is trying " 1036 "reauthentication, but no reauth_id available"); 1037 return eap_aka_client_error(data, id, 1038 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1039 } 1040 1041 data->reauth = 1; 1042 if (eap_aka_verify_mac(data, reqData, attr->mac, (u8 *) "", 0)) { 1043 wpa_printf(MSG_WARNING, "EAP-AKA: Reauthentication " 1044 "did not have valid AT_MAC"); 1045 return eap_aka_client_error(data, id, 1046 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1047 } 1048 1049 if (attr->encr_data == NULL || attr->iv == NULL) { 1050 wpa_printf(MSG_WARNING, "EAP-AKA: Reauthentication " 1051 "message did not include encrypted data"); 1052 return eap_aka_client_error(data, id, 1053 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1054 } 1055 1056 decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data, 1057 attr->encr_data_len, attr->iv, &eattr, 1058 0); 1059 if (decrypted == NULL) { 1060 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to parse encrypted " 1061 "data from reauthentication message"); 1062 return eap_aka_client_error(data, id, 1063 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1064 } 1065 1066 if (eattr.nonce_s == NULL || eattr.counter < 0) { 1067 wpa_printf(MSG_INFO, "EAP-AKA: (encr) No%s%s in reauth packet", 1068 !eattr.nonce_s ? " AT_NONCE_S" : "", 1069 eattr.counter < 0 ? " AT_COUNTER" : ""); 1070 os_free(decrypted); 1071 return eap_aka_client_error(data, id, 1072 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1073 } 1074 1075 if (eattr.counter < 0 || (size_t) eattr.counter <= data->counter) { 1076 struct wpabuf *res; 1077 wpa_printf(MSG_INFO, "EAP-AKA: (encr) Invalid counter " 1078 "(%d <= %d)", eattr.counter, data->counter); 1079 data->counter_too_small = eattr.counter; 1080 1081 /* Reply using Re-auth w/ AT_COUNTER_TOO_SMALL. The current 1082 * reauth_id must not be used to start a new reauthentication. 1083 * However, since it was used in the last EAP-Response-Identity 1084 * packet, it has to saved for the following fullauth to be 1085 * used in MK derivation. */ 1086 os_free(data->last_eap_identity); 1087 data->last_eap_identity = data->reauth_id; 1088 data->last_eap_identity_len = data->reauth_id_len; 1089 data->reauth_id = NULL; 1090 data->reauth_id_len = 0; 1091 1092 res = eap_aka_response_reauth(data, id, 1, eattr.nonce_s); 1093 os_free(decrypted); 1094 1095 return res; 1096 } 1097 data->counter = eattr.counter; 1098 1099 os_memcpy(data->nonce_s, eattr.nonce_s, EAP_SIM_NONCE_S_LEN); 1100 wpa_hexdump(MSG_DEBUG, "EAP-AKA: (encr) AT_NONCE_S", 1101 data->nonce_s, EAP_SIM_NONCE_S_LEN); 1102 1103 if (data->eap_method == EAP_TYPE_AKA_PRIME) { 1104 eap_aka_prime_derive_keys_reauth(data->k_re, data->counter, 1105 data->reauth_id, 1106 data->reauth_id_len, 1107 data->nonce_s, 1108 data->msk, data->emsk); 1109 } else { 1110 eap_sim_derive_keys_reauth(data->counter, data->reauth_id, 1111 data->reauth_id_len, 1112 data->nonce_s, data->mk, 1113 data->msk, data->emsk); 1114 } 1115 eap_aka_clear_identities(data, CLEAR_REAUTH_ID | CLEAR_EAP_ID); 1116 eap_aka_learn_ids(data, &eattr); 1117 1118 if (data->result_ind && attr->result_ind) 1119 data->use_result_ind = 1; 1120 1121 if (data->state != FAILURE && data->state != RESULT_FAILURE) { 1122 eap_aka_state(data, data->use_result_ind ? 1123 RESULT_SUCCESS : SUCCESS); 1124 } 1125 1126 data->num_id_req = 0; 1127 data->num_notification = 0; 1128 if (data->counter > EAP_AKA_MAX_FAST_REAUTHS) { 1129 wpa_printf(MSG_DEBUG, "EAP-AKA: Maximum number of " 1130 "fast reauths performed - force fullauth"); 1131 eap_aka_clear_identities(data, CLEAR_REAUTH_ID | CLEAR_EAP_ID); 1132 } 1133 os_free(decrypted); 1134 return eap_aka_response_reauth(data, id, 0, data->nonce_s); 1135 } 1136 1137 1138 static struct wpabuf * eap_aka_process(struct eap_sm *sm, void *priv, 1139 struct eap_method_ret *ret, 1140 const struct wpabuf *reqData) 1141 { 1142 struct eap_aka_data *data = priv; 1143 const struct eap_hdr *req; 1144 u8 subtype, id; 1145 struct wpabuf *res; 1146 const u8 *pos; 1147 struct eap_sim_attrs attr; 1148 size_t len; 1149 1150 wpa_hexdump_buf(MSG_DEBUG, "EAP-AKA: EAP data", reqData); 1151 if (eap_get_config_identity(sm, &len) == NULL) { 1152 wpa_printf(MSG_INFO, "EAP-AKA: Identity not configured"); 1153 eap_sm_request_identity(sm); 1154 ret->ignore = TRUE; 1155 return NULL; 1156 } 1157 1158 pos = eap_hdr_validate(EAP_VENDOR_IETF, data->eap_method, reqData, 1159 &len); 1160 if (pos == NULL || len < 1) { 1161 ret->ignore = TRUE; 1162 return NULL; 1163 } 1164 req = wpabuf_head(reqData); 1165 id = req->identifier; 1166 len = be_to_host16(req->length); 1167 1168 ret->ignore = FALSE; 1169 ret->methodState = METHOD_MAY_CONT; 1170 ret->decision = DECISION_FAIL; 1171 ret->allowNotifications = TRUE; 1172 1173 subtype = *pos++; 1174 wpa_printf(MSG_DEBUG, "EAP-AKA: Subtype=%d", subtype); 1175 pos += 2; /* Reserved */ 1176 1177 if (eap_sim_parse_attr(pos, wpabuf_head_u8(reqData) + len, &attr, 1178 data->eap_method == EAP_TYPE_AKA_PRIME ? 2 : 1, 1179 0)) { 1180 res = eap_aka_client_error(data, id, 1181 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1182 goto done; 1183 } 1184 1185 switch (subtype) { 1186 case EAP_AKA_SUBTYPE_IDENTITY: 1187 res = eap_aka_process_identity(sm, data, id, reqData, &attr); 1188 break; 1189 case EAP_AKA_SUBTYPE_CHALLENGE: 1190 res = eap_aka_process_challenge(sm, data, id, reqData, &attr); 1191 break; 1192 case EAP_AKA_SUBTYPE_NOTIFICATION: 1193 res = eap_aka_process_notification(sm, data, id, reqData, 1194 &attr); 1195 break; 1196 case EAP_AKA_SUBTYPE_REAUTHENTICATION: 1197 res = eap_aka_process_reauthentication(sm, data, id, reqData, 1198 &attr); 1199 break; 1200 case EAP_AKA_SUBTYPE_CLIENT_ERROR: 1201 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Client-Error"); 1202 res = eap_aka_client_error(data, id, 1203 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1204 break; 1205 default: 1206 wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown subtype=%d", subtype); 1207 res = eap_aka_client_error(data, id, 1208 EAP_AKA_UNABLE_TO_PROCESS_PACKET); 1209 break; 1210 } 1211 1212 done: 1213 if (data->state == FAILURE) { 1214 ret->decision = DECISION_FAIL; 1215 ret->methodState = METHOD_DONE; 1216 } else if (data->state == SUCCESS) { 1217 ret->decision = data->use_result_ind ? 1218 DECISION_UNCOND_SUCC : DECISION_COND_SUCC; 1219 /* 1220 * It is possible for the server to reply with AKA 1221 * Notification, so we must allow the method to continue and 1222 * not only accept EAP-Success at this point. 1223 */ 1224 ret->methodState = data->use_result_ind ? 1225 METHOD_DONE : METHOD_MAY_CONT; 1226 } else if (data->state == RESULT_FAILURE) 1227 ret->methodState = METHOD_CONT; 1228 else if (data->state == RESULT_SUCCESS) 1229 ret->methodState = METHOD_CONT; 1230 1231 if (ret->methodState == METHOD_DONE) { 1232 ret->allowNotifications = FALSE; 1233 } 1234 1235 return res; 1236 } 1237 1238 1239 static Boolean eap_aka_has_reauth_data(struct eap_sm *sm, void *priv) 1240 { 1241 struct eap_aka_data *data = priv; 1242 return data->pseudonym || data->reauth_id; 1243 } 1244 1245 1246 static void eap_aka_deinit_for_reauth(struct eap_sm *sm, void *priv) 1247 { 1248 struct eap_aka_data *data = priv; 1249 eap_aka_clear_identities(data, CLEAR_EAP_ID); 1250 data->prev_id = -1; 1251 wpabuf_free(data->id_msgs); 1252 data->id_msgs = NULL; 1253 data->use_result_ind = 0; 1254 data->kdf_negotiation = 0; 1255 } 1256 1257 1258 static void * eap_aka_init_for_reauth(struct eap_sm *sm, void *priv) 1259 { 1260 struct eap_aka_data *data = priv; 1261 data->num_id_req = 0; 1262 data->num_notification = 0; 1263 eap_aka_state(data, CONTINUE); 1264 return priv; 1265 } 1266 1267 1268 static const u8 * eap_aka_get_identity(struct eap_sm *sm, void *priv, 1269 size_t *len) 1270 { 1271 struct eap_aka_data *data = priv; 1272 1273 if (data->reauth_id) { 1274 *len = data->reauth_id_len; 1275 return data->reauth_id; 1276 } 1277 1278 if (data->pseudonym) { 1279 *len = data->pseudonym_len; 1280 return data->pseudonym; 1281 } 1282 1283 return NULL; 1284 } 1285 1286 1287 static Boolean eap_aka_isKeyAvailable(struct eap_sm *sm, void *priv) 1288 { 1289 struct eap_aka_data *data = priv; 1290 return data->state == SUCCESS; 1291 } 1292 1293 1294 static u8 * eap_aka_getKey(struct eap_sm *sm, void *priv, size_t *len) 1295 { 1296 struct eap_aka_data *data = priv; 1297 u8 *key; 1298 1299 if (data->state != SUCCESS) 1300 return NULL; 1301 1302 key = os_malloc(EAP_SIM_KEYING_DATA_LEN); 1303 if (key == NULL) 1304 return NULL; 1305 1306 *len = EAP_SIM_KEYING_DATA_LEN; 1307 os_memcpy(key, data->msk, EAP_SIM_KEYING_DATA_LEN); 1308 1309 return key; 1310 } 1311 1312 1313 static u8 * eap_aka_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 1314 { 1315 struct eap_aka_data *data = priv; 1316 u8 *key; 1317 1318 if (data->state != SUCCESS) 1319 return NULL; 1320 1321 key = os_malloc(EAP_EMSK_LEN); 1322 if (key == NULL) 1323 return NULL; 1324 1325 *len = EAP_EMSK_LEN; 1326 os_memcpy(key, data->emsk, EAP_EMSK_LEN); 1327 1328 return key; 1329 } 1330 1331 1332 int eap_peer_aka_register(void) 1333 { 1334 struct eap_method *eap; 1335 int ret; 1336 1337 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1338 EAP_VENDOR_IETF, EAP_TYPE_AKA, "AKA"); 1339 if (eap == NULL) 1340 return -1; 1341 1342 eap->init = eap_aka_init; 1343 eap->deinit = eap_aka_deinit; 1344 eap->process = eap_aka_process; 1345 eap->isKeyAvailable = eap_aka_isKeyAvailable; 1346 eap->getKey = eap_aka_getKey; 1347 eap->has_reauth_data = eap_aka_has_reauth_data; 1348 eap->deinit_for_reauth = eap_aka_deinit_for_reauth; 1349 eap->init_for_reauth = eap_aka_init_for_reauth; 1350 eap->get_identity = eap_aka_get_identity; 1351 eap->get_emsk = eap_aka_get_emsk; 1352 1353 ret = eap_peer_method_register(eap); 1354 if (ret) 1355 eap_peer_method_free(eap); 1356 return ret; 1357 } 1358 1359 1360 #ifdef EAP_AKA_PRIME 1361 int eap_peer_aka_prime_register(void) 1362 { 1363 struct eap_method *eap; 1364 int ret; 1365 1366 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 1367 EAP_VENDOR_IETF, EAP_TYPE_AKA_PRIME, 1368 "AKA'"); 1369 if (eap == NULL) 1370 return -1; 1371 1372 eap->init = eap_aka_prime_init; 1373 eap->deinit = eap_aka_deinit; 1374 eap->process = eap_aka_process; 1375 eap->isKeyAvailable = eap_aka_isKeyAvailable; 1376 eap->getKey = eap_aka_getKey; 1377 eap->has_reauth_data = eap_aka_has_reauth_data; 1378 eap->deinit_for_reauth = eap_aka_deinit_for_reauth; 1379 eap->init_for_reauth = eap_aka_init_for_reauth; 1380 eap->get_identity = eap_aka_get_identity; 1381 eap->get_emsk = eap_aka_get_emsk; 1382 1383 ret = eap_peer_method_register(eap); 1384 if (ret) 1385 eap_peer_method_free(eap); 1386 1387 return ret; 1388 } 1389 #endif /* EAP_AKA_PRIME */ 1390
