Home | History | Annotate | Download | only in eap_common
      1 /*
      2  * EAP peer/server: EAP-SIM/AKA/AKA' shared routines
      3  * Copyright (c) 2004-2008, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "includes.h"
     10 
     11 #include "common.h"
     12 #include "wpabuf.h"
     13 #include "crypto/aes_wrap.h"
     14 #include "crypto/crypto.h"
     15 #include "crypto/sha1.h"
     16 #include "crypto/sha256.h"
     17 #include "crypto/random.h"
     18 #include "eap_common/eap_defs.h"
     19 #include "eap_common/eap_sim_common.h"
     20 
     21 
     22 static int eap_sim_prf(const u8 *key, u8 *x, size_t xlen)
     23 {
     24 	return fips186_2_prf(key, EAP_SIM_MK_LEN, x, xlen);
     25 }
     26 
     27 
     28 void eap_sim_derive_mk(const u8 *identity, size_t identity_len,
     29 		       const u8 *nonce_mt, u16 selected_version,
     30 		       const u8 *ver_list, size_t ver_list_len,
     31 		       int num_chal, const u8 *kc, u8 *mk)
     32 {
     33 	u8 sel_ver[2];
     34 	const unsigned char *addr[5];
     35 	size_t len[5];
     36 
     37 	addr[0] = identity;
     38 	len[0] = identity_len;
     39 	addr[1] = kc;
     40 	len[1] = num_chal * EAP_SIM_KC_LEN;
     41 	addr[2] = nonce_mt;
     42 	len[2] = EAP_SIM_NONCE_MT_LEN;
     43 	addr[3] = ver_list;
     44 	len[3] = ver_list_len;
     45 	addr[4] = sel_ver;
     46 	len[4] = 2;
     47 
     48 	WPA_PUT_BE16(sel_ver, selected_version);
     49 
     50 	/* MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version) */
     51 	sha1_vector(5, addr, len, mk);
     52 	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: MK", mk, EAP_SIM_MK_LEN);
     53 }
     54 
     55 
     56 void eap_aka_derive_mk(const u8 *identity, size_t identity_len,
     57 		       const u8 *ik, const u8 *ck, u8 *mk)
     58 {
     59 	const u8 *addr[3];
     60 	size_t len[3];
     61 
     62 	addr[0] = identity;
     63 	len[0] = identity_len;
     64 	addr[1] = ik;
     65 	len[1] = EAP_AKA_IK_LEN;
     66 	addr[2] = ck;
     67 	len[2] = EAP_AKA_CK_LEN;
     68 
     69 	/* MK = SHA1(Identity|IK|CK) */
     70 	sha1_vector(3, addr, len, mk);
     71 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: IK", ik, EAP_AKA_IK_LEN);
     72 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: CK", ck, EAP_AKA_CK_LEN);
     73 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: MK", mk, EAP_SIM_MK_LEN);
     74 }
     75 
     76 
     77 int eap_sim_derive_keys(const u8 *mk, u8 *k_encr, u8 *k_aut, u8 *msk, u8 *emsk)
     78 {
     79 	u8 buf[EAP_SIM_K_ENCR_LEN + EAP_SIM_K_AUT_LEN +
     80 	       EAP_SIM_KEYING_DATA_LEN + EAP_EMSK_LEN], *pos;
     81 	if (eap_sim_prf(mk, buf, sizeof(buf)) < 0) {
     82 		wpa_printf(MSG_ERROR, "EAP-SIM: Failed to derive keys");
     83 		return -1;
     84 	}
     85 	pos = buf;
     86 	os_memcpy(k_encr, pos, EAP_SIM_K_ENCR_LEN);
     87 	pos += EAP_SIM_K_ENCR_LEN;
     88 	os_memcpy(k_aut, pos, EAP_SIM_K_AUT_LEN);
     89 	pos += EAP_SIM_K_AUT_LEN;
     90 	os_memcpy(msk, pos, EAP_SIM_KEYING_DATA_LEN);
     91 	pos += EAP_SIM_KEYING_DATA_LEN;
     92 	os_memcpy(emsk, pos, EAP_EMSK_LEN);
     93 
     94 	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: K_encr",
     95 			k_encr, EAP_SIM_K_ENCR_LEN);
     96 	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: K_aut",
     97 			k_aut, EAP_SIM_K_AUT_LEN);
     98 	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: keying material (MSK)",
     99 			msk, EAP_SIM_KEYING_DATA_LEN);
    100 	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: EMSK", emsk, EAP_EMSK_LEN);
    101 	os_memset(buf, 0, sizeof(buf));
    102 
    103 	return 0;
    104 }
    105 
    106 
    107 int eap_sim_derive_keys_reauth(u16 _counter,
    108 			       const u8 *identity, size_t identity_len,
    109 			       const u8 *nonce_s, const u8 *mk, u8 *msk,
    110 			       u8 *emsk)
    111 {
    112 	u8 xkey[SHA1_MAC_LEN];
    113 	u8 buf[EAP_SIM_KEYING_DATA_LEN + EAP_EMSK_LEN + 32];
    114 	u8 counter[2];
    115 	const u8 *addr[4];
    116 	size_t len[4];
    117 
    118 	while (identity_len > 0 && identity[identity_len - 1] == 0) {
    119 		wpa_printf(MSG_DEBUG, "EAP-SIM: Workaround - drop null "
    120 			   "character from the end of identity");
    121 		identity_len--;
    122 	}
    123 	addr[0] = identity;
    124 	len[0] = identity_len;
    125 	addr[1] = counter;
    126 	len[1] = 2;
    127 	addr[2] = nonce_s;
    128 	len[2] = EAP_SIM_NONCE_S_LEN;
    129 	addr[3] = mk;
    130 	len[3] = EAP_SIM_MK_LEN;
    131 
    132 	WPA_PUT_BE16(counter, _counter);
    133 
    134 	wpa_printf(MSG_DEBUG, "EAP-SIM: Deriving keying data from reauth");
    135 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Identity",
    136 			  identity, identity_len);
    137 	wpa_hexdump(MSG_DEBUG, "EAP-SIM: counter", counter, 2);
    138 	wpa_hexdump(MSG_DEBUG, "EAP-SIM: NONCE_S", nonce_s,
    139 		    EAP_SIM_NONCE_S_LEN);
    140 	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: MK", mk, EAP_SIM_MK_LEN);
    141 
    142 	/* XKEY' = SHA1(Identity|counter|NONCE_S|MK) */
    143 	sha1_vector(4, addr, len, xkey);
    144 	wpa_hexdump(MSG_DEBUG, "EAP-SIM: XKEY'", xkey, SHA1_MAC_LEN);
    145 
    146 	if (eap_sim_prf(xkey, buf, sizeof(buf)) < 0) {
    147 		wpa_printf(MSG_ERROR, "EAP-SIM: Failed to derive keys");
    148 		return -1;
    149 	}
    150 	if (msk) {
    151 		os_memcpy(msk, buf, EAP_SIM_KEYING_DATA_LEN);
    152 		wpa_hexdump(MSG_DEBUG, "EAP-SIM: keying material (MSK)",
    153 			    msk, EAP_SIM_KEYING_DATA_LEN);
    154 	}
    155 	if (emsk) {
    156 		os_memcpy(emsk, buf + EAP_SIM_KEYING_DATA_LEN, EAP_EMSK_LEN);
    157 		wpa_hexdump(MSG_DEBUG, "EAP-SIM: EMSK", emsk, EAP_EMSK_LEN);
    158 	}
    159 	os_memset(buf, 0, sizeof(buf));
    160 
    161 	return 0;
    162 }
    163 
    164 
    165 int eap_sim_verify_mac(const u8 *k_aut, const struct wpabuf *req,
    166 		       const u8 *mac, const u8 *extra, size_t extra_len)
    167 {
    168 	unsigned char hmac[SHA1_MAC_LEN];
    169 	const u8 *addr[2];
    170 	size_t len[2];
    171 	u8 *tmp;
    172 
    173 	if (mac == NULL || wpabuf_len(req) < EAP_SIM_MAC_LEN ||
    174 	    mac < wpabuf_head_u8(req) ||
    175 	    mac > wpabuf_head_u8(req) + wpabuf_len(req) - EAP_SIM_MAC_LEN)
    176 		return -1;
    177 
    178 	tmp = os_malloc(wpabuf_len(req));
    179 	if (tmp == NULL)
    180 		return -1;
    181 
    182 	addr[0] = tmp;
    183 	len[0] = wpabuf_len(req);
    184 	addr[1] = extra;
    185 	len[1] = extra_len;
    186 
    187 	/* HMAC-SHA1-128 */
    188 	os_memcpy(tmp, wpabuf_head(req), wpabuf_len(req));
    189 	os_memset(tmp + (mac - wpabuf_head_u8(req)), 0, EAP_SIM_MAC_LEN);
    190 	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Verify MAC - msg",
    191 		    tmp, wpabuf_len(req));
    192 	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Verify MAC - extra data",
    193 		    extra, extra_len);
    194 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-SIM: Verify MAC - K_aut",
    195 			k_aut, EAP_SIM_K_AUT_LEN);
    196 	hmac_sha1_vector(k_aut, EAP_SIM_K_AUT_LEN, 2, addr, len, hmac);
    197 	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Verify MAC: MAC",
    198 		    hmac, EAP_SIM_MAC_LEN);
    199 	os_free(tmp);
    200 
    201 	return (os_memcmp_const(hmac, mac, EAP_SIM_MAC_LEN) == 0) ? 0 : 1;
    202 }
    203 
    204 
    205 void eap_sim_add_mac(const u8 *k_aut, const u8 *msg, size_t msg_len, u8 *mac,
    206 		     const u8 *extra, size_t extra_len)
    207 {
    208 	unsigned char hmac[SHA1_MAC_LEN];
    209 	const u8 *addr[2];
    210 	size_t len[2];
    211 
    212 	addr[0] = msg;
    213 	len[0] = msg_len;
    214 	addr[1] = extra;
    215 	len[1] = extra_len;
    216 
    217 	/* HMAC-SHA1-128 */
    218 	os_memset(mac, 0, EAP_SIM_MAC_LEN);
    219 	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Add MAC - msg", msg, msg_len);
    220 	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Add MAC - extra data",
    221 		    extra, extra_len);
    222 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-SIM: Add MAC - K_aut",
    223 			k_aut, EAP_SIM_K_AUT_LEN);
    224 	hmac_sha1_vector(k_aut, EAP_SIM_K_AUT_LEN, 2, addr, len, hmac);
    225 	os_memcpy(mac, hmac, EAP_SIM_MAC_LEN);
    226 	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Add MAC: MAC",
    227 		    mac, EAP_SIM_MAC_LEN);
    228 }
    229 
    230 
    231 #if defined(EAP_AKA_PRIME) || defined(EAP_SERVER_AKA_PRIME)
    232 static void prf_prime(const u8 *k, const char *seed1,
    233 		      const u8 *seed2, size_t seed2_len,
    234 		      const u8 *seed3, size_t seed3_len,
    235 		      u8 *res, size_t res_len)
    236 {
    237 	const u8 *addr[5];
    238 	size_t len[5];
    239 	u8 hash[SHA256_MAC_LEN];
    240 	u8 iter;
    241 
    242 	/*
    243 	 * PRF'(K,S) = T1 | T2 | T3 | T4 | ...
    244 	 * T1 = HMAC-SHA-256 (K, S | 0x01)
    245 	 * T2 = HMAC-SHA-256 (K, T1 | S | 0x02)
    246 	 * T3 = HMAC-SHA-256 (K, T2 | S | 0x03)
    247 	 * T4 = HMAC-SHA-256 (K, T3 | S | 0x04)
    248 	 * ...
    249 	 */
    250 
    251 	addr[0] = hash;
    252 	len[0] = 0;
    253 	addr[1] = (const u8 *) seed1;
    254 	len[1] = os_strlen(seed1);
    255 	addr[2] = seed2;
    256 	len[2] = seed2_len;
    257 	addr[3] = seed3;
    258 	len[3] = seed3_len;
    259 	addr[4] = &iter;
    260 	len[4] = 1;
    261 
    262 	iter = 0;
    263 	while (res_len) {
    264 		size_t hlen;
    265 		iter++;
    266 		hmac_sha256_vector(k, 32, 5, addr, len, hash);
    267 		len[0] = SHA256_MAC_LEN;
    268 		hlen = res_len > SHA256_MAC_LEN ? SHA256_MAC_LEN : res_len;
    269 		os_memcpy(res, hash, hlen);
    270 		res += hlen;
    271 		res_len -= hlen;
    272 	}
    273 }
    274 
    275 
    276 void eap_aka_prime_derive_keys(const u8 *identity, size_t identity_len,
    277 			       const u8 *ik, const u8 *ck, u8 *k_encr,
    278 			       u8 *k_aut, u8 *k_re, u8 *msk, u8 *emsk)
    279 {
    280 	u8 key[EAP_AKA_IK_LEN + EAP_AKA_CK_LEN];
    281 	u8 keys[EAP_SIM_K_ENCR_LEN + EAP_AKA_PRIME_K_AUT_LEN +
    282 		EAP_AKA_PRIME_K_RE_LEN + EAP_MSK_LEN + EAP_EMSK_LEN];
    283 	u8 *pos;
    284 
    285 	/*
    286 	 * MK = PRF'(IK'|CK',"EAP-AKA'"|Identity)
    287 	 * K_encr = MK[0..127]
    288 	 * K_aut  = MK[128..383]
    289 	 * K_re   = MK[384..639]
    290 	 * MSK    = MK[640..1151]
    291 	 * EMSK   = MK[1152..1663]
    292 	 */
    293 
    294 	os_memcpy(key, ik, EAP_AKA_IK_LEN);
    295 	os_memcpy(key + EAP_AKA_IK_LEN, ck, EAP_AKA_CK_LEN);
    296 
    297 	prf_prime(key, "EAP-AKA'", identity, identity_len, NULL, 0,
    298 		  keys, sizeof(keys));
    299 
    300 	pos = keys;
    301 	os_memcpy(k_encr, pos, EAP_SIM_K_ENCR_LEN);
    302 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': K_encr",
    303 			k_encr, EAP_SIM_K_ENCR_LEN);
    304 	pos += EAP_SIM_K_ENCR_LEN;
    305 
    306 	os_memcpy(k_aut, pos, EAP_AKA_PRIME_K_AUT_LEN);
    307 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': K_aut",
    308 			k_aut, EAP_AKA_PRIME_K_AUT_LEN);
    309 	pos += EAP_AKA_PRIME_K_AUT_LEN;
    310 
    311 	os_memcpy(k_re, pos, EAP_AKA_PRIME_K_RE_LEN);
    312 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': K_re",
    313 			k_re, EAP_AKA_PRIME_K_RE_LEN);
    314 	pos += EAP_AKA_PRIME_K_RE_LEN;
    315 
    316 	os_memcpy(msk, pos, EAP_MSK_LEN);
    317 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': MSK", msk, EAP_MSK_LEN);
    318 	pos += EAP_MSK_LEN;
    319 
    320 	os_memcpy(emsk, pos, EAP_EMSK_LEN);
    321 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': EMSK", emsk, EAP_EMSK_LEN);
    322 }
    323 
    324 
    325 int eap_aka_prime_derive_keys_reauth(const u8 *k_re, u16 counter,
    326 				     const u8 *identity, size_t identity_len,
    327 				     const u8 *nonce_s, u8 *msk, u8 *emsk)
    328 {
    329 	u8 seed3[2 + EAP_SIM_NONCE_S_LEN];
    330 	u8 keys[EAP_MSK_LEN + EAP_EMSK_LEN];
    331 	u8 *pos;
    332 
    333 	/*
    334 	 * MK = PRF'(K_re,"EAP-AKA' re-auth"|Identity|counter|NONCE_S)
    335 	 * MSK  = MK[0..511]
    336 	 * EMSK = MK[512..1023]
    337 	 */
    338 
    339 	WPA_PUT_BE16(seed3, counter);
    340 	os_memcpy(seed3 + 2, nonce_s, EAP_SIM_NONCE_S_LEN);
    341 
    342 	prf_prime(k_re, "EAP-AKA' re-auth", identity, identity_len,
    343 		  seed3, sizeof(seed3),
    344 		  keys, sizeof(keys));
    345 
    346 	pos = keys;
    347 	os_memcpy(msk, pos, EAP_MSK_LEN);
    348 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': MSK", msk, EAP_MSK_LEN);
    349 	pos += EAP_MSK_LEN;
    350 
    351 	os_memcpy(emsk, pos, EAP_EMSK_LEN);
    352 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': EMSK", emsk, EAP_EMSK_LEN);
    353 
    354 	os_memset(keys, 0, sizeof(keys));
    355 
    356 	return 0;
    357 }
    358 
    359 
    360 int eap_sim_verify_mac_sha256(const u8 *k_aut, const struct wpabuf *req,
    361 			      const u8 *mac, const u8 *extra, size_t extra_len)
    362 {
    363 	unsigned char hmac[SHA256_MAC_LEN];
    364 	const u8 *addr[2];
    365 	size_t len[2];
    366 	u8 *tmp;
    367 
    368 	if (mac == NULL || wpabuf_len(req) < EAP_SIM_MAC_LEN ||
    369 	    mac < wpabuf_head_u8(req) ||
    370 	    mac > wpabuf_head_u8(req) + wpabuf_len(req) - EAP_SIM_MAC_LEN)
    371 		return -1;
    372 
    373 	tmp = os_malloc(wpabuf_len(req));
    374 	if (tmp == NULL)
    375 		return -1;
    376 
    377 	addr[0] = tmp;
    378 	len[0] = wpabuf_len(req);
    379 	addr[1] = extra;
    380 	len[1] = extra_len;
    381 
    382 	/* HMAC-SHA-256-128 */
    383 	os_memcpy(tmp, wpabuf_head(req), wpabuf_len(req));
    384 	os_memset(tmp + (mac - wpabuf_head_u8(req)), 0, EAP_SIM_MAC_LEN);
    385 	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC - msg",
    386 		    tmp, wpabuf_len(req));
    387 	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC - extra data",
    388 		    extra, extra_len);
    389 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-AKA': Verify MAC - K_aut",
    390 			k_aut, EAP_AKA_PRIME_K_AUT_LEN);
    391 	hmac_sha256_vector(k_aut, EAP_AKA_PRIME_K_AUT_LEN, 2, addr, len, hmac);
    392 	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC: MAC",
    393 		    hmac, EAP_SIM_MAC_LEN);
    394 	os_free(tmp);
    395 
    396 	return (os_memcmp_const(hmac, mac, EAP_SIM_MAC_LEN) == 0) ? 0 : 1;
    397 }
    398 
    399 
    400 void eap_sim_add_mac_sha256(const u8 *k_aut, const u8 *msg, size_t msg_len,
    401 			    u8 *mac, const u8 *extra, size_t extra_len)
    402 {
    403 	unsigned char hmac[SHA256_MAC_LEN];
    404 	const u8 *addr[2];
    405 	size_t len[2];
    406 
    407 	addr[0] = msg;
    408 	len[0] = msg_len;
    409 	addr[1] = extra;
    410 	len[1] = extra_len;
    411 
    412 	/* HMAC-SHA-256-128 */
    413 	os_memset(mac, 0, EAP_SIM_MAC_LEN);
    414 	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Add MAC - msg", msg, msg_len);
    415 	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Add MAC - extra data",
    416 		    extra, extra_len);
    417 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-AKA': Add MAC - K_aut",
    418 			k_aut, EAP_AKA_PRIME_K_AUT_LEN);
    419 	hmac_sha256_vector(k_aut, EAP_AKA_PRIME_K_AUT_LEN, 2, addr, len, hmac);
    420 	os_memcpy(mac, hmac, EAP_SIM_MAC_LEN);
    421 	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Add MAC: MAC",
    422 		    mac, EAP_SIM_MAC_LEN);
    423 }
    424 
    425 
    426 void eap_aka_prime_derive_ck_ik_prime(u8 *ck, u8 *ik, const u8 *sqn_ak,
    427 				      const u8 *network_name,
    428 				      size_t network_name_len)
    429 {
    430 	u8 key[EAP_AKA_CK_LEN + EAP_AKA_IK_LEN];
    431 	u8 hash[SHA256_MAC_LEN];
    432 	const u8 *addr[5];
    433 	size_t len[5];
    434 	u8 fc;
    435 	u8 l0[2], l1[2];
    436 
    437 	/* 3GPP TS 33.402 V8.0.0
    438 	 * (CK', IK') = F(CK, IK, <access network identity>)
    439 	 */
    440 	/* TODO: CK', IK' generation should really be moved into the actual
    441 	 * AKA procedure with network name passed in there and option to use
    442 	 * AMF separation bit = 1 (3GPP TS 33.401). */
    443 
    444 	/* Change Request 33.402 CR 0033 to version 8.1.1 from
    445 	 * 3GPP TSG-SA WG3 Meeting #53 in September 2008:
    446 	 *
    447 	 * CK' || IK' = HMAC-SHA-256(Key, S)
    448 	 * S = FC || P0 || L0 || P1 || L1 || ... || Pn || Ln
    449 	 * Key = CK || IK
    450 	 * FC = 0x20
    451 	 * P0 = access network identity (3GPP TS 24.302)
    452 	 * L0 = length of acceess network identity (2 octets, big endian)
    453 	 * P1 = SQN xor AK (if AK is not used, AK is treaded as 000..0
    454 	 * L1 = 0x00 0x06
    455 	 */
    456 
    457 	fc = 0x20;
    458 
    459 	wpa_printf(MSG_DEBUG, "EAP-AKA': Derive (CK',IK') from (CK,IK)");
    460 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': CK", ck, EAP_AKA_CK_LEN);
    461 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': IK", ik, EAP_AKA_IK_LEN);
    462 	wpa_printf(MSG_DEBUG, "EAP-AKA': FC = 0x%x", fc);
    463 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA': P0 = Access network identity",
    464 			  network_name, network_name_len);
    465 	wpa_hexdump(MSG_DEBUG, "EAP-AKA': P1 = SQN xor AK", sqn_ak, 6);
    466 
    467 	os_memcpy(key, ck, EAP_AKA_CK_LEN);
    468 	os_memcpy(key + EAP_AKA_CK_LEN, ik, EAP_AKA_IK_LEN);
    469 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': Key = CK || IK",
    470 			key, sizeof(key));
    471 
    472 	addr[0] = &fc;
    473 	len[0] = 1;
    474 	addr[1] = network_name;
    475 	len[1] = network_name_len;
    476 	WPA_PUT_BE16(l0, network_name_len);
    477 	addr[2] = l0;
    478 	len[2] = 2;
    479 	addr[3] = sqn_ak;
    480 	len[3] = 6;
    481 	WPA_PUT_BE16(l1, 6);
    482 	addr[4] = l1;
    483 	len[4] = 2;
    484 
    485 	hmac_sha256_vector(key, sizeof(key), 5, addr, len, hash);
    486 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': KDF output (CK' || IK')",
    487 			hash, sizeof(hash));
    488 
    489 	os_memcpy(ck, hash, EAP_AKA_CK_LEN);
    490 	os_memcpy(ik, hash + EAP_AKA_CK_LEN, EAP_AKA_IK_LEN);
    491 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': CK'", ck, EAP_AKA_CK_LEN);
    492 	wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': IK'", ik, EAP_AKA_IK_LEN);
    493 }
    494 #endif /* EAP_AKA_PRIME || EAP_SERVER_AKA_PRIME */
    495 
    496 
    497 int eap_sim_parse_attr(const u8 *start, const u8 *end,
    498 		       struct eap_sim_attrs *attr, int aka, int encr)
    499 {
    500 	const u8 *pos = start, *apos;
    501 	size_t alen, plen, i, list_len;
    502 
    503 	os_memset(attr, 0, sizeof(*attr));
    504 	attr->id_req = NO_ID_REQ;
    505 	attr->notification = -1;
    506 	attr->counter = -1;
    507 	attr->selected_version = -1;
    508 	attr->client_error_code = -1;
    509 
    510 	while (pos < end) {
    511 		if (pos + 2 > end) {
    512 			wpa_printf(MSG_INFO, "EAP-SIM: Attribute overflow(1)");
    513 			return -1;
    514 		}
    515 		wpa_printf(MSG_MSGDUMP, "EAP-SIM: Attribute: Type=%d Len=%d",
    516 			   pos[0], pos[1] * 4);
    517 		if (pos + pos[1] * 4 > end) {
    518 			wpa_printf(MSG_INFO, "EAP-SIM: Attribute overflow "
    519 				   "(pos=%p len=%d end=%p)",
    520 				   pos, pos[1] * 4, end);
    521 			return -1;
    522 		}
    523 		if (pos[1] == 0) {
    524 			wpa_printf(MSG_INFO, "EAP-SIM: Attribute underflow");
    525 			return -1;
    526 		}
    527 		apos = pos + 2;
    528 		alen = pos[1] * 4 - 2;
    529 		wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Attribute data",
    530 			    apos, alen);
    531 
    532 		switch (pos[0]) {
    533 		case EAP_SIM_AT_RAND:
    534 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_RAND");
    535 			apos += 2;
    536 			alen -= 2;
    537 			if ((!aka && (alen % GSM_RAND_LEN)) ||
    538 			    (aka && alen != EAP_AKA_RAND_LEN)) {
    539 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_RAND"
    540 					   " (len %lu)",
    541 					   (unsigned long) alen);
    542 				return -1;
    543 			}
    544 			attr->rand = apos;
    545 			attr->num_chal = alen / GSM_RAND_LEN;
    546 			break;
    547 		case EAP_SIM_AT_AUTN:
    548 			wpa_printf(MSG_DEBUG, "EAP-AKA: AT_AUTN");
    549 			if (!aka) {
    550 				wpa_printf(MSG_DEBUG, "EAP-SIM: "
    551 					   "Unexpected AT_AUTN");
    552 				return -1;
    553 			}
    554 			apos += 2;
    555 			alen -= 2;
    556 			if (alen != EAP_AKA_AUTN_LEN) {
    557 				wpa_printf(MSG_INFO, "EAP-AKA: Invalid AT_AUTN"
    558 					   " (len %lu)",
    559 					   (unsigned long) alen);
    560 				return -1;
    561 			}
    562 			attr->autn = apos;
    563 			break;
    564 		case EAP_SIM_AT_PADDING:
    565 			if (!encr) {
    566 				wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
    567 					   "AT_PADDING");
    568 				return -1;
    569 			}
    570 			wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) AT_PADDING");
    571 			for (i = 2; i < alen; i++) {
    572 				if (apos[i] != 0) {
    573 					wpa_printf(MSG_INFO, "EAP-SIM: (encr) "
    574 						   "AT_PADDING used a non-zero"
    575 						   " padding byte");
    576 					wpa_hexdump(MSG_DEBUG, "EAP-SIM: "
    577 						    "(encr) padding bytes",
    578 						    apos + 2, alen - 2);
    579 					return -1;
    580 				}
    581 			}
    582 			break;
    583 		case EAP_SIM_AT_NONCE_MT:
    584 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_NONCE_MT");
    585 			if (alen != 2 + EAP_SIM_NONCE_MT_LEN) {
    586 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
    587 					   "AT_NONCE_MT length");
    588 				return -1;
    589 			}
    590 			attr->nonce_mt = apos + 2;
    591 			break;
    592 		case EAP_SIM_AT_PERMANENT_ID_REQ:
    593 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_PERMANENT_ID_REQ");
    594 			attr->id_req = PERMANENT_ID;
    595 			break;
    596 		case EAP_SIM_AT_MAC:
    597 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_MAC");
    598 			if (alen != 2 + EAP_SIM_MAC_LEN) {
    599 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_MAC "
    600 					   "length");
    601 				return -1;
    602 			}
    603 			attr->mac = apos + 2;
    604 			break;
    605 		case EAP_SIM_AT_NOTIFICATION:
    606 			if (alen != 2) {
    607 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
    608 					   "AT_NOTIFICATION length %lu",
    609 					   (unsigned long) alen);
    610 				return -1;
    611 			}
    612 			attr->notification = apos[0] * 256 + apos[1];
    613 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_NOTIFICATION %d",
    614 				   attr->notification);
    615 			break;
    616 		case EAP_SIM_AT_ANY_ID_REQ:
    617 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_ANY_ID_REQ");
    618 			attr->id_req = ANY_ID;
    619 			break;
    620 		case EAP_SIM_AT_IDENTITY:
    621 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_IDENTITY");
    622 			plen = WPA_GET_BE16(apos);
    623 			apos += 2;
    624 			alen -= 2;
    625 			if (plen > alen) {
    626 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
    627 					   "AT_IDENTITY (Actual Length %lu, "
    628 					   "remaining length %lu)",
    629 					   (unsigned long) plen,
    630 					   (unsigned long) alen);
    631 				return -1;
    632 			}
    633 
    634 			attr->identity = apos;
    635 			attr->identity_len = plen;
    636 			break;
    637 		case EAP_SIM_AT_VERSION_LIST:
    638 			if (aka) {
    639 				wpa_printf(MSG_DEBUG, "EAP-AKA: "
    640 					   "Unexpected AT_VERSION_LIST");
    641 				return -1;
    642 			}
    643 			list_len = apos[0] * 256 + apos[1];
    644 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_VERSION_LIST");
    645 			if (list_len < 2 || list_len > alen - 2) {
    646 				wpa_printf(MSG_WARNING, "EAP-SIM: Invalid "
    647 					   "AT_VERSION_LIST (list_len=%lu "
    648 					   "attr_len=%lu)",
    649 					   (unsigned long) list_len,
    650 					   (unsigned long) alen);
    651 				return -1;
    652 			}
    653 			attr->version_list = apos + 2;
    654 			attr->version_list_len = list_len;
    655 			break;
    656 		case EAP_SIM_AT_SELECTED_VERSION:
    657 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_SELECTED_VERSION");
    658 			if (alen != 2) {
    659 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
    660 					   "AT_SELECTED_VERSION length %lu",
    661 					   (unsigned long) alen);
    662 				return -1;
    663 			}
    664 			attr->selected_version = apos[0] * 256 + apos[1];
    665 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_SELECTED_VERSION "
    666 				   "%d", attr->selected_version);
    667 			break;
    668 		case EAP_SIM_AT_FULLAUTH_ID_REQ:
    669 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_FULLAUTH_ID_REQ");
    670 			attr->id_req = FULLAUTH_ID;
    671 			break;
    672 		case EAP_SIM_AT_COUNTER:
    673 			if (!encr) {
    674 				wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
    675 					   "AT_COUNTER");
    676 				return -1;
    677 			}
    678 			if (alen != 2) {
    679 				wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid "
    680 					   "AT_COUNTER (alen=%lu)",
    681 					   (unsigned long) alen);
    682 				return -1;
    683 			}
    684 			attr->counter = apos[0] * 256 + apos[1];
    685 			wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) AT_COUNTER %d",
    686 				   attr->counter);
    687 			break;
    688 		case EAP_SIM_AT_COUNTER_TOO_SMALL:
    689 			if (!encr) {
    690 				wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
    691 					   "AT_COUNTER_TOO_SMALL");
    692 				return -1;
    693 			}
    694 			if (alen != 2) {
    695 				wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid "
    696 					   "AT_COUNTER_TOO_SMALL (alen=%lu)",
    697 					   (unsigned long) alen);
    698 				return -1;
    699 			}
    700 			wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
    701 				   "AT_COUNTER_TOO_SMALL");
    702 			attr->counter_too_small = 1;
    703 			break;
    704 		case EAP_SIM_AT_NONCE_S:
    705 			if (!encr) {
    706 				wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
    707 					   "AT_NONCE_S");
    708 				return -1;
    709 			}
    710 			wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
    711 				   "AT_NONCE_S");
    712 			if (alen != 2 + EAP_SIM_NONCE_S_LEN) {
    713 				wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid "
    714 					   "AT_NONCE_S (alen=%lu)",
    715 					   (unsigned long) alen);
    716 				return -1;
    717 			}
    718 			attr->nonce_s = apos + 2;
    719 			break;
    720 		case EAP_SIM_AT_CLIENT_ERROR_CODE:
    721 			if (alen != 2) {
    722 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
    723 					   "AT_CLIENT_ERROR_CODE length %lu",
    724 					   (unsigned long) alen);
    725 				return -1;
    726 			}
    727 			attr->client_error_code = apos[0] * 256 + apos[1];
    728 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_CLIENT_ERROR_CODE "
    729 				   "%d", attr->client_error_code);
    730 			break;
    731 		case EAP_SIM_AT_IV:
    732 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_IV");
    733 			if (alen != 2 + EAP_SIM_MAC_LEN) {
    734 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_IV "
    735 					   "length %lu", (unsigned long) alen);
    736 				return -1;
    737 			}
    738 			attr->iv = apos + 2;
    739 			break;
    740 		case EAP_SIM_AT_ENCR_DATA:
    741 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_ENCR_DATA");
    742 			attr->encr_data = apos + 2;
    743 			attr->encr_data_len = alen - 2;
    744 			if (attr->encr_data_len % 16) {
    745 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
    746 					   "AT_ENCR_DATA length %lu",
    747 					   (unsigned long)
    748 					   attr->encr_data_len);
    749 				return -1;
    750 			}
    751 			break;
    752 		case EAP_SIM_AT_NEXT_PSEUDONYM:
    753 			if (!encr) {
    754 				wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
    755 					   "AT_NEXT_PSEUDONYM");
    756 				return -1;
    757 			}
    758 			wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
    759 				   "AT_NEXT_PSEUDONYM");
    760 			plen = apos[0] * 256 + apos[1];
    761 			if (plen > alen - 2) {
    762 				wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid"
    763 					   " AT_NEXT_PSEUDONYM (actual"
    764 					   " len %lu, attr len %lu)",
    765 					   (unsigned long) plen,
    766 					   (unsigned long) alen);
    767 				return -1;
    768 			}
    769 			attr->next_pseudonym = pos + 4;
    770 			attr->next_pseudonym_len = plen;
    771 			break;
    772 		case EAP_SIM_AT_NEXT_REAUTH_ID:
    773 			if (!encr) {
    774 				wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
    775 					   "AT_NEXT_REAUTH_ID");
    776 				return -1;
    777 			}
    778 			wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
    779 				   "AT_NEXT_REAUTH_ID");
    780 			plen = apos[0] * 256 + apos[1];
    781 			if (plen > alen - 2) {
    782 				wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid"
    783 					   " AT_NEXT_REAUTH_ID (actual"
    784 					   " len %lu, attr len %lu)",
    785 					   (unsigned long) plen,
    786 					   (unsigned long) alen);
    787 				return -1;
    788 			}
    789 			attr->next_reauth_id = pos + 4;
    790 			attr->next_reauth_id_len = plen;
    791 			break;
    792 		case EAP_SIM_AT_RES:
    793 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_RES");
    794 			attr->res_len_bits = WPA_GET_BE16(apos);
    795 			apos += 2;
    796 			alen -= 2;
    797 			if (!aka || alen < EAP_AKA_MIN_RES_LEN ||
    798 			    alen > EAP_AKA_MAX_RES_LEN) {
    799 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_RES "
    800 					   "(len %lu)",
    801 					   (unsigned long) alen);
    802 				return -1;
    803 			}
    804 			attr->res = apos;
    805 			attr->res_len = alen;
    806 			break;
    807 		case EAP_SIM_AT_AUTS:
    808 			wpa_printf(MSG_DEBUG, "EAP-AKA: AT_AUTS");
    809 			if (!aka) {
    810 				wpa_printf(MSG_DEBUG, "EAP-SIM: "
    811 					   "Unexpected AT_AUTS");
    812 				return -1;
    813 			}
    814 			if (alen != EAP_AKA_AUTS_LEN) {
    815 				wpa_printf(MSG_INFO, "EAP-AKA: Invalid AT_AUTS"
    816 					   " (len %lu)",
    817 					   (unsigned long) alen);
    818 				return -1;
    819 			}
    820 			attr->auts = apos;
    821 			break;
    822 		case EAP_SIM_AT_CHECKCODE:
    823 			wpa_printf(MSG_DEBUG, "EAP-AKA: AT_CHECKCODE");
    824 			if (!aka) {
    825 				wpa_printf(MSG_DEBUG, "EAP-SIM: "
    826 					   "Unexpected AT_CHECKCODE");
    827 				return -1;
    828 			}
    829 			apos += 2;
    830 			alen -= 2;
    831 			if (alen != 0 && alen != EAP_AKA_CHECKCODE_LEN &&
    832 			    alen != EAP_AKA_PRIME_CHECKCODE_LEN) {
    833 				wpa_printf(MSG_INFO, "EAP-AKA: Invalid "
    834 					   "AT_CHECKCODE (len %lu)",
    835 					   (unsigned long) alen);
    836 				return -1;
    837 			}
    838 			attr->checkcode = apos;
    839 			attr->checkcode_len = alen;
    840 			break;
    841 		case EAP_SIM_AT_RESULT_IND:
    842 			if (encr) {
    843 				wpa_printf(MSG_ERROR, "EAP-SIM: Encrypted "
    844 					   "AT_RESULT_IND");
    845 				return -1;
    846 			}
    847 			if (alen != 2) {
    848 				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
    849 					   "AT_RESULT_IND (alen=%lu)",
    850 					   (unsigned long) alen);
    851 				return -1;
    852 			}
    853 			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_RESULT_IND");
    854 			attr->result_ind = 1;
    855 			break;
    856 #if defined(EAP_AKA_PRIME) || defined(EAP_SERVER_AKA_PRIME)
    857 		case EAP_SIM_AT_KDF_INPUT:
    858 			if (aka != 2) {
    859 				wpa_printf(MSG_INFO, "EAP-AKA: Unexpected "
    860 					   "AT_KDF_INPUT");
    861 				return -1;
    862 			}
    863 
    864 			wpa_printf(MSG_DEBUG, "EAP-AKA: AT_KDF_INPUT");
    865 			plen = WPA_GET_BE16(apos);
    866 			apos += 2;
    867 			alen -= 2;
    868 			if (plen > alen) {
    869 				wpa_printf(MSG_INFO, "EAP-AKA': Invalid "
    870 					   "AT_KDF_INPUT (Actual Length %lu, "
    871 					   "remaining length %lu)",
    872 					   (unsigned long) plen,
    873 					   (unsigned long) alen);
    874 				return -1;
    875 			}
    876 			attr->kdf_input = apos;
    877 			attr->kdf_input_len = plen;
    878 			break;
    879 		case EAP_SIM_AT_KDF:
    880 			if (aka != 2) {
    881 				wpa_printf(MSG_INFO, "EAP-AKA: Unexpected "
    882 					   "AT_KDF");
    883 				return -1;
    884 			}
    885 
    886 			wpa_printf(MSG_DEBUG, "EAP-AKA: AT_KDF");
    887 			if (alen != 2) {
    888 				wpa_printf(MSG_INFO, "EAP-AKA': Invalid "
    889 					   "AT_KDF (len %lu)",
    890 					   (unsigned long) alen);
    891 				return -1;
    892 			}
    893 			if (attr->kdf_count == EAP_AKA_PRIME_KDF_MAX) {
    894 				wpa_printf(MSG_DEBUG, "EAP-AKA': Too many "
    895 					   "AT_KDF attributes - ignore this");
    896 				break;
    897 			}
    898 			attr->kdf[attr->kdf_count] = WPA_GET_BE16(apos);
    899 			attr->kdf_count++;
    900 			break;
    901 		case EAP_SIM_AT_BIDDING:
    902 			wpa_printf(MSG_DEBUG, "EAP-AKA: AT_BIDDING");
    903 			if (alen != 2) {
    904 				wpa_printf(MSG_INFO, "EAP-AKA: Invalid "
    905 					   "AT_BIDDING (len %lu)",
    906 					   (unsigned long) alen);
    907 				return -1;
    908 			}
    909 			attr->bidding = apos;
    910 			break;
    911 #endif /* EAP_AKA_PRIME || EAP_SERVER_AKA_PRIME */
    912 		default:
    913 			if (pos[0] < 128) {
    914 				wpa_printf(MSG_INFO, "EAP-SIM: Unrecognized "
    915 					   "non-skippable attribute %d",
    916 					   pos[0]);
    917 				return -1;
    918 			}
    919 
    920 			wpa_printf(MSG_DEBUG, "EAP-SIM: Unrecognized skippable"
    921 				   " attribute %d ignored", pos[0]);
    922 			break;
    923 		}
    924 
    925 		pos += pos[1] * 4;
    926 	}
    927 
    928 	wpa_printf(MSG_DEBUG, "EAP-SIM: Attributes parsed successfully "
    929 		   "(aka=%d encr=%d)", aka, encr);
    930 
    931 	return 0;
    932 }
    933 
    934 
    935 u8 * eap_sim_parse_encr(const u8 *k_encr, const u8 *encr_data,
    936 			size_t encr_data_len, const u8 *iv,
    937 			struct eap_sim_attrs *attr, int aka)
    938 {
    939 	u8 *decrypted;
    940 
    941 	if (!iv) {
    942 		wpa_printf(MSG_INFO, "EAP-SIM: Encrypted data, but no IV");
    943 		return NULL;
    944 	}
    945 
    946 	decrypted = os_malloc(encr_data_len);
    947 	if (decrypted == NULL)
    948 		return NULL;
    949 	os_memcpy(decrypted, encr_data, encr_data_len);
    950 
    951 	if (aes_128_cbc_decrypt(k_encr, iv, decrypted, encr_data_len)) {
    952 		os_free(decrypted);
    953 		return NULL;
    954 	}
    955 	wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Decrypted AT_ENCR_DATA",
    956 		    decrypted, encr_data_len);
    957 
    958 	if (eap_sim_parse_attr(decrypted, decrypted + encr_data_len, attr,
    959 			       aka, 1)) {
    960 		wpa_printf(MSG_INFO, "EAP-SIM: (encr) Failed to parse "
    961 			   "decrypted AT_ENCR_DATA");
    962 		os_free(decrypted);
    963 		return NULL;
    964 	}
    965 
    966 	return decrypted;
    967 }
    968 
    969 
    970 #define EAP_SIM_INIT_LEN 128
    971 
    972 struct eap_sim_msg {
    973 	struct wpabuf *buf;
    974 	size_t mac, iv, encr; /* index from buf */
    975 };
    976 
    977 
    978 struct eap_sim_msg * eap_sim_msg_init(int code, int id, int type, int subtype)
    979 {
    980 	struct eap_sim_msg *msg;
    981 	struct eap_hdr *eap;
    982 	u8 *pos;
    983 
    984 	msg = os_zalloc(sizeof(*msg));
    985 	if (msg == NULL)
    986 		return NULL;
    987 
    988 	msg->buf = wpabuf_alloc(EAP_SIM_INIT_LEN);
    989 	if (msg->buf == NULL) {
    990 		os_free(msg);
    991 		return NULL;
    992 	}
    993 	eap = wpabuf_put(msg->buf, sizeof(*eap));
    994 	eap->code = code;
    995 	eap->identifier = id;
    996 
    997 	pos = wpabuf_put(msg->buf, 4);
    998 	*pos++ = type;
    999 	*pos++ = subtype;
   1000 	*pos++ = 0; /* Reserved */
   1001 	*pos++ = 0; /* Reserved */
   1002 
   1003 	return msg;
   1004 }
   1005 
   1006 
   1007 struct wpabuf * eap_sim_msg_finish(struct eap_sim_msg *msg, int type,
   1008 				   const u8 *k_aut,
   1009 				   const u8 *extra, size_t extra_len)
   1010 {
   1011 	struct eap_hdr *eap;
   1012 	struct wpabuf *buf;
   1013 
   1014 	if (msg == NULL)
   1015 		return NULL;
   1016 
   1017 	eap = wpabuf_mhead(msg->buf);
   1018 	eap->length = host_to_be16(wpabuf_len(msg->buf));
   1019 
   1020 #if defined(EAP_AKA_PRIME) || defined(EAP_SERVER_AKA_PRIME)
   1021 	if (k_aut && msg->mac && type == EAP_TYPE_AKA_PRIME) {
   1022 		eap_sim_add_mac_sha256(k_aut, (u8 *) wpabuf_head(msg->buf),
   1023 				       wpabuf_len(msg->buf),
   1024 				       (u8 *) wpabuf_mhead(msg->buf) +
   1025 				       msg->mac, extra, extra_len);
   1026 	} else
   1027 #endif /* EAP_AKA_PRIME || EAP_SERVER_AKA_PRIME */
   1028 	if (k_aut && msg->mac) {
   1029 		eap_sim_add_mac(k_aut, (u8 *) wpabuf_head(msg->buf),
   1030 				wpabuf_len(msg->buf),
   1031 				(u8 *) wpabuf_mhead(msg->buf) + msg->mac,
   1032 				extra, extra_len);
   1033 	}
   1034 
   1035 	buf = msg->buf;
   1036 	os_free(msg);
   1037 	return buf;
   1038 }
   1039 
   1040 
   1041 void eap_sim_msg_free(struct eap_sim_msg *msg)
   1042 {
   1043 	if (msg) {
   1044 		wpabuf_free(msg->buf);
   1045 		os_free(msg);
   1046 	}
   1047 }
   1048 
   1049 
   1050 u8 * eap_sim_msg_add_full(struct eap_sim_msg *msg, u8 attr,
   1051 			  const u8 *data, size_t len)
   1052 {
   1053 	int attr_len = 2 + len;
   1054 	int pad_len;
   1055 	u8 *start;
   1056 
   1057 	if (msg == NULL)
   1058 		return NULL;
   1059 
   1060 	pad_len = (4 - attr_len % 4) % 4;
   1061 	attr_len += pad_len;
   1062 	if (wpabuf_resize(&msg->buf, attr_len))
   1063 		return NULL;
   1064 	start = wpabuf_put(msg->buf, 0);
   1065 	wpabuf_put_u8(msg->buf, attr);
   1066 	wpabuf_put_u8(msg->buf, attr_len / 4);
   1067 	wpabuf_put_data(msg->buf, data, len);
   1068 	if (pad_len)
   1069 		os_memset(wpabuf_put(msg->buf, pad_len), 0, pad_len);
   1070 	return start;
   1071 }
   1072 
   1073 
   1074 u8 * eap_sim_msg_add(struct eap_sim_msg *msg, u8 attr, u16 value,
   1075 		     const u8 *data, size_t len)
   1076 {
   1077 	int attr_len = 4 + len;
   1078 	int pad_len;
   1079 	u8 *start;
   1080 
   1081 	if (msg == NULL)
   1082 		return NULL;
   1083 
   1084 	pad_len = (4 - attr_len % 4) % 4;
   1085 	attr_len += pad_len;
   1086 	if (wpabuf_resize(&msg->buf, attr_len))
   1087 		return NULL;
   1088 	start = wpabuf_put(msg->buf, 0);
   1089 	wpabuf_put_u8(msg->buf, attr);
   1090 	wpabuf_put_u8(msg->buf, attr_len / 4);
   1091 	wpabuf_put_be16(msg->buf, value);
   1092 	if (data)
   1093 		wpabuf_put_data(msg->buf, data, len);
   1094 	else
   1095 		wpabuf_put(msg->buf, len);
   1096 	if (pad_len)
   1097 		os_memset(wpabuf_put(msg->buf, pad_len), 0, pad_len);
   1098 	return start;
   1099 }
   1100 
   1101 
   1102 u8 * eap_sim_msg_add_mac(struct eap_sim_msg *msg, u8 attr)
   1103 {
   1104 	u8 *pos = eap_sim_msg_add(msg, attr, 0, NULL, EAP_SIM_MAC_LEN);
   1105 	if (pos)
   1106 		msg->mac = (pos - wpabuf_head_u8(msg->buf)) + 4;
   1107 	return pos;
   1108 }
   1109 
   1110 
   1111 int eap_sim_msg_add_encr_start(struct eap_sim_msg *msg, u8 attr_iv,
   1112 			       u8 attr_encr)
   1113 {
   1114 	u8 *pos = eap_sim_msg_add(msg, attr_iv, 0, NULL, EAP_SIM_IV_LEN);
   1115 	if (pos == NULL)
   1116 		return -1;
   1117 	msg->iv = (pos - wpabuf_head_u8(msg->buf)) + 4;
   1118 	if (random_get_bytes(wpabuf_mhead_u8(msg->buf) + msg->iv,
   1119 			     EAP_SIM_IV_LEN)) {
   1120 		msg->iv = 0;
   1121 		return -1;
   1122 	}
   1123 
   1124 	pos = eap_sim_msg_add(msg, attr_encr, 0, NULL, 0);
   1125 	if (pos == NULL) {
   1126 		msg->iv = 0;
   1127 		return -1;
   1128 	}
   1129 	msg->encr = pos - wpabuf_head_u8(msg->buf);
   1130 
   1131 	return 0;
   1132 }
   1133 
   1134 
   1135 int eap_sim_msg_add_encr_end(struct eap_sim_msg *msg, u8 *k_encr, int attr_pad)
   1136 {
   1137 	size_t encr_len;
   1138 
   1139 	if (msg == NULL || k_encr == NULL || msg->iv == 0 || msg->encr == 0)
   1140 		return -1;
   1141 
   1142 	encr_len = wpabuf_len(msg->buf) - msg->encr - 4;
   1143 	if (encr_len % 16) {
   1144 		u8 *pos;
   1145 		int pad_len = 16 - (encr_len % 16);
   1146 		if (pad_len < 4) {
   1147 			wpa_printf(MSG_WARNING, "EAP-SIM: "
   1148 				   "eap_sim_msg_add_encr_end - invalid pad_len"
   1149 				   " %d", pad_len);
   1150 			return -1;
   1151 		}
   1152 		wpa_printf(MSG_DEBUG, "   *AT_PADDING");
   1153 		pos = eap_sim_msg_add(msg, attr_pad, 0, NULL, pad_len - 4);
   1154 		if (pos == NULL)
   1155 			return -1;
   1156 		os_memset(pos + 4, 0, pad_len - 4);
   1157 		encr_len += pad_len;
   1158 	}
   1159 	wpa_printf(MSG_DEBUG, "   (AT_ENCR_DATA data len %lu)",
   1160 		   (unsigned long) encr_len);
   1161 	wpabuf_mhead_u8(msg->buf)[msg->encr + 1] = encr_len / 4 + 1;
   1162 	return aes_128_cbc_encrypt(k_encr, wpabuf_head_u8(msg->buf) + msg->iv,
   1163 				   wpabuf_mhead_u8(msg->buf) + msg->encr + 4,
   1164 				   encr_len);
   1165 }
   1166 
   1167 
   1168 void eap_sim_report_notification(void *msg_ctx, int notification, int aka)
   1169 {
   1170 #ifndef CONFIG_NO_STDOUT_DEBUG
   1171 	const char *type = aka ? "AKA" : "SIM";
   1172 #endif /* CONFIG_NO_STDOUT_DEBUG */
   1173 
   1174 	switch (notification) {
   1175 	case EAP_SIM_GENERAL_FAILURE_AFTER_AUTH:
   1176 		wpa_printf(MSG_WARNING, "EAP-%s: General failure "
   1177 			   "notification (after authentication)", type);
   1178 		break;
   1179 	case EAP_SIM_TEMPORARILY_DENIED:
   1180 		wpa_printf(MSG_WARNING, "EAP-%s: Failure notification: "
   1181 			   "User has been temporarily denied access to the "
   1182 			   "requested service", type);
   1183 		break;
   1184 	case EAP_SIM_NOT_SUBSCRIBED:
   1185 		wpa_printf(MSG_WARNING, "EAP-%s: Failure notification: "
   1186 			   "User has not subscribed to the requested service",
   1187 			   type);
   1188 		break;
   1189 	case EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH:
   1190 		wpa_printf(MSG_WARNING, "EAP-%s: General failure "
   1191 			   "notification (before authentication)", type);
   1192 		break;
   1193 	case EAP_SIM_SUCCESS:
   1194 		wpa_printf(MSG_INFO, "EAP-%s: Successful authentication "
   1195 			   "notification", type);
   1196 		break;
   1197 	default:
   1198 		if (notification >= 32768) {
   1199 			wpa_printf(MSG_INFO, "EAP-%s: Unrecognized "
   1200 				   "non-failure notification %d",
   1201 				   type, notification);
   1202 		} else {
   1203 			wpa_printf(MSG_WARNING, "EAP-%s: Unrecognized "
   1204 				   "failure notification %d",
   1205 				   type, notification);
   1206 		}
   1207 	}
   1208 }
   1209