wpa_printf(MSG_INFO, "EAP-SIM: Insufficient number of "			   "challenges (%lu)", (unsigned long) attr->num_chal);		return eap_sim_client_error(data, req, respDataLen,					    EAP_SIM_INSUFFICIENT_NUM_OF_CHAL);	}	if (attr->num_chal > 3) {		wpa_printf(MSG_INFO, "EAP-SIM: Too many challenges "			   "(%lu)", (unsigned long) attr->num_chal);		return eap_sim_client_error(data, req, respDataLen,					    EAP_SIM_UNABLE_TO_PROCESS_PACKET);	}	/* Verify that RANDs are different */	if (os_memcmp(attr->rand, attr->rand + GSM_RAND_LEN,		   GSM_RAND_LEN) == 0 ||	    (attr->num_chal > 2 &&	     (os_memcmp(attr->rand, attr->rand + 2 * GSM_RAND_LEN,			GSM_RAND_LEN) == 0 ||	      os_memcmp(attr->rand + GSM_RAND_LEN,			attr->rand + 2 * GSM_RAND_LEN,			GSM_RAND_LEN) == 0))) {		wpa_printf(MSG_INFO, "EAP-SIM: Same RAND used multiple times");		return eap_sim_client_error(data, req, respDataLen,					    EAP_SIM_RAND_NOT_FRESH);	}	os_memcpy(data->rand, attr->rand, attr->num_chal * GSM_RAND_LEN);	data->num_chal = attr->num_chal;			if (eap_sim_gsm_auth(sm, data)) {		wpa_printf(MSG_WARNING, "EAP-SIM: GSM authentication failed");		return eap_sim_client_error(data, req, respDataLen,					    EAP_SIM_UNABLE_TO_PROCESS_PACKET);	}	if (data->last_eap_identity) {		identity = data->last_eap_identity;		identity_len = data->last_eap_identity_len;	} else if (data->pseudonym) {		identity = data->pseudonym;		identity_len = data->pseudonym_len;	} else		identity = eap_get_config_identity(sm, &identity_len);	wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Selected identity for MK "			  "derivation", identity, identity_len);	eap_sim_derive_mk(identity, identity_len, data->nonce_mt,			  data->selected_version, data->ver_list,			  data->ver_list_len, data->num_chal,			  (const u8 *) data->kc, data->mk);	eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut, data->msk,			    data->emsk);	if (eap_sim_verify_mac(data->k_aut, (const u8 *) req, reqDataLen,			       attr->mac, data->nonce_mt,			       EAP_SIM_NONCE_MT_LEN)) {		wpa_printf(MSG_WARNING, "EAP-SIM: Challenge message "			   "used invalid AT_MAC");		return eap_sim_client_error(data, req, respDataLen,					    EAP_SIM_UNABLE_TO_PROCESS_PACKET);	}	/* Old reauthentication and pseudonym identities must not be used	 * anymore. In other words, if no new identities are received, full	 * authentication will be used on next reauthentication. */	eap_sim_clear_identities(data, CLEAR_PSEUDONYM | CLEAR_REAUTH_ID |				 CLEAR_EAP_ID);	if (attr->encr_data) {		u8 *decrypted;		decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,					       attr->encr_data_len, attr->iv,					       &eattr, 0);		if (decrypted == NULL) {			return eap_sim_client_error(				data, req, respDataLen,				EAP_SIM_UNABLE_TO_PROCESS_PACKET);		}		eap_sim_learn_ids(data, &eattr);		os_free(decrypted);	}	if (data->state != FAILURE)		data->state = SUCCESS;	data->num_id_req = 0;	data->num_notification = 0;	/* RFC 4186 specifies that counter is initialized to one after	 * fullauth, but initializing it to zero makes it easier to implement	 * reauth verification. */	data->counter = 0;	return eap_sim_response_challenge(data, req, respDataLen);}static int eap_sim_process_notification_reauth(struct eap_sim_data *data,					       struct eap_sim_attrs *attr){	struct eap_sim_attrs eattr;	u8 *decrypted;	if (attr->encr_data == NULL || attr->iv == NULL) {		wpa_printf(MSG_WARNING, "EAP-SIM: Notification message after "			   "reauth did not include encrypted data");		return -1;	}	decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,				       attr->encr_data_len, attr->iv, &eattr,				       0);	if (decrypted == NULL) {		wpa_printf(MSG_WARNING, "EAP-SIM: Failed to parse encrypted "			   "data from notification message");		return -1;	}	if (eattr.counter < 0 || (size_t) eattr.counter != data->counter) {		wpa_printf(MSG_WARNING, "EAP-SIM: Counter in notification "			   "message does not match with counter in reauth "			   "message");		os_free(decrypted);		return -1;	}	os_free(decrypted);	return 0;}static int eap_sim_process_notification_auth(struct eap_sim_data *data,					     const struct eap_hdr *req,					     size_t reqDataLen,					     struct eap_sim_attrs *attr){	if (attr->mac == NULL) {		wpa_printf(MSG_INFO, "EAP-SIM: no AT_MAC in after_auth "			   "Notification message");		return -1;	}	if (eap_sim_verify_mac(data->k_aut, (u8 *) req, reqDataLen, attr->mac,			       (u8 *) "", 0)) {		wpa_printf(MSG_WARNING, "EAP-SIM: Notification message "			   "used invalid AT_MAC");		return -1;	}	if (data->reauth &&	    eap_sim_process_notification_reauth(data, attr)) {		wpa_printf(MSG_WARNING, "EAP-SIM: Invalid notification "			   "message after reauth");		return -1;	}	return 0;}static u8 * eap_sim_process_notification(struct eap_sm *sm,					 struct eap_sim_data *data,					 const struct eap_hdr *req,					 size_t reqDataLen,					 size_t *respDataLen,					 struct eap_sim_attrs *attr){	wpa_printf(MSG_DEBUG, "EAP-SIM: subtype Notification");	if (data->num_notification > 0) {		wpa_printf(MSG_INFO, "EAP-SIM: too many notification "			   "rounds (only one allowed)");		return eap_sim_client_error(data, req, respDataLen,					    EAP_SIM_UNABLE_TO_PROCESS_PACKET);	}	data->num_notification++;	if (attr->notification == -1) {		wpa_printf(MSG_INFO, "EAP-SIM: no AT_NOTIFICATION in "			   "Notification message");		return eap_sim_client_error(data, req, respDataLen,					    EAP_SIM_UNABLE_TO_PROCESS_PACKET);	}	if ((attr->notification & 0x4000) == 0 &&	    eap_sim_process_notification_auth(data, req, reqDataLen, attr)) {		return eap_sim_client_error(data, req, respDataLen,					    EAP_SIM_UNABLE_TO_PROCESS_PACKET);	}	eap_sim_report_notification(sm->msg_ctx, attr->notification, 0);	if (attr->notification >= 0 && attr->notification < 32768) {		data->state = FAILURE;	}	return eap_sim_response_notification(data, req, respDataLen,					     attr->notification);}static u8 * eap_sim_process_reauthentication(struct eap_sm *sm,					     struct eap_sim_data *data,					     const struct eap_hdr *req,					     size_t reqDataLen,					     size_t *respDataLen,					     struct eap_sim_attrs *attr){	struct eap_sim_attrs eattr;	u8 *decrypted;	wpa_printf(MSG_DEBUG, "EAP-SIM: subtype Reauthentication");	if (data->reauth_id == NULL) {		wpa_printf(MSG_WARNING, "EAP-SIM: Server is trying "			   "reauthentication, but no reauth_id available");		return eap_sim_client_error(data, req, respDataLen,					    EAP_SIM_UNABLE_TO_PROCESS_PACKET);	}	data->reauth = 1;	if (eap_sim_verify_mac(data->k_aut, (const u8 *) req, reqDataLen,			       attr->mac, (u8 *) "", 0)) {		wpa_printf(MSG_WARNING, "EAP-SIM: Reauthentication "			   "did not have valid AT_MAC");		return eap_sim_client_error(data, req, respDataLen,					    EAP_SIM_UNABLE_TO_PROCESS_PACKET);	}	if (attr->encr_data == NULL || attr->iv == NULL) {		wpa_printf(MSG_WARNING, "EAP-SIM: Reauthentication "			   "message did not include encrypted data");		return eap_sim_client_error(data, req, respDataLen,					    EAP_SIM_UNABLE_TO_PROCESS_PACKET);	}	decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,				       attr->encr_data_len, attr->iv, &eattr,				       0);	if (decrypted == NULL) {		wpa_printf(MSG_WARNING, "EAP-SIM: Failed to parse encrypted "			   "data from reauthentication message");		return eap_sim_client_error(data, req, respDataLen,					    EAP_SIM_UNABLE_TO_PROCESS_PACKET);	}	if (eattr.nonce_s == NULL || eattr.counter < 0) {		wpa_printf(MSG_INFO, "EAP-SIM: (encr) No%s%s in reauth packet",			   !eattr.nonce_s ? " AT_NONCE_S" : "",			   eattr.counter < 0 ? " AT_COUNTER" : "");		os_free(decrypted);		return eap_sim_client_error(data, req, respDataLen,					    EAP_SIM_UNABLE_TO_PROCESS_PACKET);	}	if (eattr.counter < 0 || (size_t) eattr.counter <= data->counter) {		wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid counter "			   "(%d <= %d)", eattr.counter, data->counter);		data->counter_too_small = eattr.counter;		/* Reply using Re-auth w/ AT_COUNTER_TOO_SMALL. The current		 * reauth_id must not be used to start a new reauthentication.		 * However, since it was used in the last EAP-Response-Identity		 * packet, it has to saved for the following fullauth to be		 * used in MK derivation. */		os_free(data->last_eap_identity);		data->last_eap_identity = data->reauth_id;		data->last_eap_identity_len = data->reauth_id_len;		data->reauth_id = NULL;		data->reauth_id_len = 0;		os_free(decrypted);		return eap_sim_response_reauth(data, req, respDataLen, 1);	}	data->counter = eattr.counter;	os_memcpy(data->nonce_s, eattr.nonce_s, EAP_SIM_NONCE_S_LEN);	wpa_hexdump(MSG_DEBUG, "EAP-SIM: (encr) AT_NONCE_S",		    data->nonce_s, EAP_SIM_NONCE_S_LEN);	eap_sim_derive_keys_reauth(data->counter,				   data->reauth_id, data->reauth_id_len,				   data->nonce_s, data->mk, data->msk,				   data->emsk);	eap_sim_clear_identities(data, CLEAR_REAUTH_ID | CLEAR_EAP_ID);	eap_sim_learn_ids(data, &eattr);	if (data->state != FAILURE)		data->state = SUCCESS;	data->num_id_req = 0;	data->num_notification = 0;	if (data->counter > EAP_SIM_MAX_FAST_REAUTHS) {		wpa_printf(MSG_DEBUG, "EAP-SIM: Maximum number of "			   "fast reauths performed - force fullauth");		eap_sim_clear_identities(data, CLEAR_REAUTH_ID | CLEAR_EAP_ID);	}	os_free(decrypted);	return eap_sim_response_reauth(data, req, respDataLen, 0);}static u8 * eap_sim_process(struct eap_sm *sm, void *priv,			    struct eap_method_ret *ret,			    const u8 *reqData, size_t reqDataLen,			    size_t *respDataLen){	struct eap_sim_data *data = priv;	const struct eap_hdr *req;	u8 subtype, *res;	const u8 *pos;	struct eap_sim_attrs attr;	size_t len;	wpa_hexdump(MSG_DEBUG, "EAP-SIM: EAP data", reqData, reqDataLen);	if (eap_get_config_identity(sm, &len) == NULL) {		wpa_printf(MSG_INFO, "EAP-SIM: Identity not configured");		eap_sm_request_identity(sm);		ret->ignore = TRUE;		return NULL;	}	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_SIM,			       reqData, reqDataLen, &len);	if (pos == NULL || len < 1) {		ret->ignore = TRUE;		return NULL;	}	req = (const struct eap_hdr *) reqData;	len = be_to_host16(req->length);	ret->ignore = FALSE;	ret->methodState = METHOD_MAY_CONT;	ret->decision = DECISION_FAIL;	ret->allowNotifications = TRUE;	subtype = *pos++;	wpa_printf(MSG_DEBUG, "EAP-SIM: Subtype=%d", subtype);	pos += 2; /* Reserved */	if (eap_sim_parse_attr(pos, reqData + len, &attr, 0, 0)) {		res = eap_sim_client_error(data, req, respDataLen,					   EAP_SIM_UNABLE_TO_PROCESS_PACKET);		goto done;	}	switch (subtype) {	case EAP_SIM_SUBTYPE_START:		res = eap_sim_process_start(sm, data, req,					    respDataLen, &attr);		break;	case EAP_SIM_SUBTYPE_CHALLENGE:		res = eap_sim_process_challenge(sm, data, req, len,						respDataLen, &attr);		break;	case EAP_SIM_SUBTYPE_NOTIFICATION:		res = eap_sim_process_notification(sm, data, req, len,						   respDataLen, &attr);		break;	case EAP_SIM_SUBTYPE_REAUTHENTICATION:		res = eap_sim_process_reauthentication(sm, data, req, len,						       respDataLen, &attr);		break;	case EAP_SIM_SUBTYPE_CLIENT_ERROR:		wpa_printf(MSG_DEBUG, "EAP-SIM: subtype Client-Error");		res = eap_sim_client_error(data, req, respDataLen,					   EAP_SIM_UNABLE_TO_PROCESS_PACKET);		break;	default:		wpa_printf(MSG_DEBUG, "EAP-SIM: Unknown subtype=%d", subtype);		res = eap_sim_client_error(data, req, respDataLen,					   EAP_SIM_UNABLE_TO_PROCESS_PACKET);		break;	}done:	if (data->state == FAILURE) {		ret->decision = DECISION_FAIL;		ret->methodState = METHOD_DONE;	} else if (data->state == SUCCESS) {		ret->decision = DECISION_COND_SUCC;		ret->methodState = METHOD_DONE;	}	if (ret->methodState == METHOD_DONE) {		ret->allowNotifications = FALSE;	}	return res;}static Boolean eap_sim_has_reauth_data(struct eap_sm *sm, void *priv){	struct eap_sim_data *data = priv;	return data->pseudonym || data->reauth_id;}static void eap_sim_deinit_for_reauth(struct eap_sm *sm, void *priv){	struct eap_sim_data *data = priv;	eap_sim_clear_identities(data, CLEAR_EAP_ID);}static void * eap_sim_init_for_reauth(struct eap_sm *sm, void *priv){	struct eap_sim_data *data = priv;	if (hostapd_get_rand(data->nonce_mt, EAP_SIM_NONCE_MT_LEN)) {		wpa_printf(MSG_WARNING, "EAP-SIM: Failed to get random data "			   "for NONCE_MT");		os_free(data);		return NULL;	}	data->num_id_req = 0;	data->num_notification = 0;	data->state = CONTINUE;	return priv;}static const u8 * eap_sim_get_identity(struct eap_sm *sm, void *priv,				       size_t *len){	struct eap_sim_data *data = priv;	if (data->reauth_id) {		*len = data->reauth_id_len;		return data->reauth_id;	}	if (data->pseudonym) {		*len = data->pseudonym_len;		return data->pseudonym;	}	return NULL;}static Boolean eap_sim_isKeyAvailable(struct eap_sm *sm, void *priv){	struct eap_sim_data *data = priv;	return data->state == SUCCESS;}static u8 * eap_sim_getKey(struct eap_sm *sm, void *priv, size_t *len){	struct eap_sim_data *data = priv;	u8 *key;	if (data->state != SUCCESS)		return NULL;	key = os_malloc(EAP_SIM_KEYING_DATA_LEN);	if (key == NULL)		return NULL;	*len = EAP_SIM_KEYING_DATA_LEN;	os_memcpy(key, data->msk, EAP_SIM_KEYING_DATA_LEN);	return key;}static u8 * eap_sim_get_emsk(struct eap_sm *sm, void *priv, size_t *len){	struct eap_sim_data *data = priv;	u8 *key;	if (data->state != SUCCESS)		return NULL;	key = os_malloc(EAP_EMSK_LEN);	if (key == NULL)		return NULL;	*len = EAP_EMSK_LEN;	os_memcpy(key, data->emsk, EAP_EMSK_LEN);	return key;}int eap_peer_sim_register(void){	struct eap_method *eap;	int ret;	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,				    EAP_VENDOR_IETF, EAP_TYPE_SIM, "SIM");	if (eap == NULL)		return -1;	eap->init = eap_sim_init;	eap->deinit = eap_sim_deinit;	eap->process = eap_sim_process;	eap->isKeyAvailable = eap_sim_isKeyAvailable;	eap->getKey = eap_sim_getKey;	eap->has_reauth_data = eap_sim_has_reauth_data;	eap->deinit_for_reauth = eap_sim_deinit_for_reauth;	eap->init_for_reauth = eap_sim_init_for_reauth;	eap->get_identity = eap_sim_get_identity;	eap->get_emsk = eap_sim_get_emsk;	ret = eap_peer_method_register(eap);	if (ret)		eap_peer_method_free(eap);	return ret;}