/* * WPA Supplicant / EAP-SIM/AKA shared routines * Copyright (c) 2004-2005, Jouni Malinen <j@w1.fi> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. * * Alternatively, this software may be distributed under the terms of BSD * license. * * See README and COPYING for more details. */#include <stdlib.h>#include <stdio.h>#include <string.h>#include "common.h"#include "eap_i.h"#include "sha1.h"#include "crypto.h"#include "aes_wrap.h"#include "eap_sim_common.h"static void eap_sim_prf(const u8 *key, u8 *x, size_t xlen){	u8 xkey[64];	u32 t[5], _t[5];	int i, j, m, k;	u8 *xpos = x;	u32 carry;	/* FIPS 186-2 + change notice 1 */	memcpy(xkey, key, EAP_SIM_MK_LEN);	memset(xkey + EAP_SIM_MK_LEN, 0, 64 - EAP_SIM_MK_LEN);	t[0] = 0x67452301;	t[1] = 0xEFCDAB89;	t[2] = 0x98BADCFE;	t[3] = 0x10325476;	t[4] = 0xC3D2E1F0;	m = xlen / 40;	for (j = 0; j < m; j++) {		/* XSEED_j = 0 */		for (i = 0; i < 2; i++) {			/* XVAL = (XKEY + XSEED_j) mod 2^b */			/* w_i = G(t, XVAL) */			memcpy(_t, t, 20);			sha1_transform((u8 *) _t, xkey);			_t[0] = host_to_be32(_t[0]);			_t[1] = host_to_be32(_t[1]);			_t[2] = host_to_be32(_t[2]);			_t[3] = host_to_be32(_t[3]);			_t[4] = host_to_be32(_t[4]);			memcpy(xpos, _t, 20);			/* XKEY = (1 + XKEY + w_i) mod 2^b */			carry = 1;			for (k = 19; k >= 0; k--) {				carry += xkey[k] + xpos[k];				xkey[k] = carry & 0xff;				carry >>= 8;			}			xpos += SHA1_MAC_LEN;		}		/* x_j = w_0|w_1 */	}}void eap_sim_derive_keys(const u8 *mk, u8 *k_encr, u8 *k_aut, u8 *msk){	u8 buf[120], *pos;	eap_sim_prf(mk, buf, 120);	pos = buf;	memcpy(k_encr, pos, EAP_SIM_K_ENCR_LEN);	pos += EAP_SIM_K_ENCR_LEN;	memcpy(k_aut, pos, EAP_SIM_K_AUT_LEN);	pos += EAP_SIM_K_AUT_LEN;	memcpy(msk, pos, EAP_SIM_KEYING_DATA_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: K_encr",			k_encr, EAP_SIM_K_ENCR_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: K_aut",			k_aut, EAP_SIM_K_ENCR_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: keying material",			msk, EAP_SIM_KEYING_DATA_LEN);}void eap_sim_derive_keys_reauth(u16 _counter,				const u8 *identity, size_t identity_len,				const u8 *nonce_s, const u8 *mk, u8 *msk){	u8 xkey[SHA1_MAC_LEN];	u8 buf[EAP_SIM_KEYING_DATA_LEN + 16];	u8 counter[2];	const u8 *addr[4];	size_t len[4];	addr[0] = identity;	len[0] = identity_len;	addr[1] = counter;	len[1] = 2;	addr[2] = nonce_s;	len[2] = EAP_SIM_NONCE_S_LEN;	addr[3] = mk;	len[3] = EAP_SIM_MK_LEN;	WPA_PUT_BE16(counter, _counter);	wpa_printf(MSG_DEBUG, "EAP-SIM: Deriving keying data from reauth");	wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Identity",			  identity, identity_len);	wpa_hexdump(MSG_DEBUG, "EAP-SIM: counter", counter, 2);	wpa_hexdump(MSG_DEBUG, "EAP-SIM: NONCE_S", nonce_s,		    EAP_SIM_NONCE_S_LEN);	wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: MK", mk, EAP_SIM_MK_LEN);	/* XKEY' = SHA1(Identity|counter|NONCE_S|MK) */	sha1_vector(4, addr, len, xkey);	wpa_hexdump(MSG_DEBUG, "EAP-SIM: XKEY'", xkey, SHA1_MAC_LEN);	eap_sim_prf(xkey, buf, sizeof(buf));	if (msk) {		memcpy(msk, buf, EAP_SIM_KEYING_DATA_LEN);		wpa_hexdump(MSG_DEBUG, "EAP-SIM: keying material",			    msk, EAP_SIM_KEYING_DATA_LEN);	}}int eap_sim_verify_mac(const u8 *k_aut, const u8 *req, size_t req_len,		       const u8 *mac, const u8 *extra, size_t extra_len){	unsigned char hmac[SHA1_MAC_LEN];	const u8 *addr[2];	size_t len[2];	u8 *tmp;	if (mac == NULL || req_len < EAP_SIM_MAC_LEN || mac < req ||	    mac > req + req_len - EAP_SIM_MAC_LEN)		return -1;	tmp = malloc(req_len);	if (tmp == NULL)		return -1;	addr[0] = tmp;	len[0] = req_len;	addr[1] = extra;	len[1] = extra_len;	/* HMAC-SHA1-128 */	memcpy(tmp, req, req_len);	memset(tmp + (mac - req), 0, EAP_SIM_MAC_LEN);	hmac_sha1_vector(k_aut, EAP_SIM_K_AUT_LEN, 2, addr, len, hmac);	free(tmp);	return (memcmp(hmac, mac, EAP_SIM_MAC_LEN) == 0) ? 0 : 1;}void eap_sim_add_mac(const u8 *k_aut, u8 *msg, size_t msg_len, u8 *mac,		     const u8 *extra, size_t extra_len){	unsigned char hmac[SHA1_MAC_LEN];	const u8 *addr[2];	size_t len[2];	addr[0] = msg;	len[0] = msg_len;	addr[1] = extra;	len[1] = extra_len;	/* HMAC-SHA1-128 */	memset(mac, 0, EAP_SIM_MAC_LEN);	hmac_sha1_vector(k_aut, EAP_SIM_K_AUT_LEN, 2, addr, len, hmac);	memcpy(mac, hmac, EAP_SIM_MAC_LEN);}int eap_sim_parse_attr(const u8 *start, const u8 *end,		       struct eap_sim_attrs *attr, int aka, int encr){	const u8 *pos = start, *apos;	size_t alen, plen;	int list_len, i;	memset(attr, 0, sizeof(*attr));	attr->id_req = NO_ID_REQ;	attr->notification = -1;	attr->counter = -1;	attr->selected_version = -1;	attr->client_error_code = -1;	while (pos < end) {		if (pos + 2 > end) {			wpa_printf(MSG_INFO, "EAP-SIM: Attribute overflow(1)");			return -1;		}		wpa_printf(MSG_MSGDUMP, "EAP-SIM: Attribute: Type=%d Len=%d",			   pos[0], pos[1] * 4);		if (pos + pos[1] * 4 > end) {			wpa_printf(MSG_INFO, "EAP-SIM: Attribute overflow "				   "(pos=%p len=%d end=%p)",				   pos, pos[1] * 4, end);			return -1;		}		if (pos[1] == 0) {			wpa_printf(MSG_INFO, "EAP-SIM: Attribute underflow");			return -1;		}		apos = pos + 2;		alen = pos[1] * 4 - 2;		wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Attribute data",			    apos, alen);		switch (pos[0]) {		case EAP_SIM_AT_RAND:			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_RAND");			apos += 2;			alen -= 2;			if ((!aka && (alen % GSM_RAND_LEN)) ||			    (aka && alen != AKA_RAND_LEN)) {				wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_RAND"					   " (len %lu)",					   (unsigned long) alen);				return -1;			}			attr->rand = apos;			attr->num_chal = alen / GSM_RAND_LEN;			break;		case EAP_SIM_AT_AUTN:			wpa_printf(MSG_DEBUG, "EAP-AKA: AT_AUTN");			if (!aka) {				wpa_printf(MSG_DEBUG, "EAP-SIM: "					   "Unexpected AT_AUTN");				return -1;			}			apos += 2;			alen -= 2;			if (alen != AKA_AUTN_LEN) {				wpa_printf(MSG_INFO, "EAP-AKA: Invalid AT_AUTN"					   " (len %lu)",					   (unsigned long) alen);				return -1;			}			attr->autn = apos;			break;		case EAP_SIM_AT_PADDING:			if (!encr) {				wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "					   "AT_PADDING");				return -1;			}			wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) AT_PADDING");			for (i = 2; i < alen; i++) {				if (apos[i] != 0) {					wpa_printf(MSG_INFO, "EAP-SIM: (encr) "						   "AT_PADDING used a non-zero"						   " padding byte");					wpa_hexdump(MSG_DEBUG, "EAP-SIM: "						    "(encr) padding bytes",						    apos + 2, alen - 2);					return -1;				}			}			break;		case EAP_SIM_AT_NONCE_MT:			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_NONCE_MT");			if (alen != 2 + EAP_SIM_NONCE_MT_LEN) {				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "					   "AT_NONCE_MT length");				return -1;			}			attr->nonce_mt = apos + 2;			break;		case EAP_SIM_AT_PERMANENT_ID_REQ:			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_PERMANENT_ID_REQ");			attr->id_req = PERMANENT_ID;			break;		case EAP_SIM_AT_MAC:			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_MAC");			if (alen != 2 + EAP_SIM_MAC_LEN) {				wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_MAC "					   "length");				return -1;			}			attr->mac = apos + 2;			break;		case EAP_SIM_AT_NOTIFICATION:			if (alen != 2) {				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "					   "AT_NOTIFICATION length %lu",					   (unsigned long) alen);				return -1;			}			attr->notification = apos[0] * 256 + apos[1];			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_NOTIFICATION %d",				   attr->notification);			break;		case EAP_SIM_AT_ANY_ID_REQ:			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_ANY_ID_REQ");			attr->id_req = ANY_ID;			break;		case EAP_SIM_AT_IDENTITY:			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_IDENTITY");			attr->identity = apos + 2;			attr->identity_len = alen - 2;			break;		case EAP_SIM_AT_VERSION_LIST:			if (aka) {				wpa_printf(MSG_DEBUG, "EAP-AKA: "					   "Unexpected AT_VERSION_LIST");				return -1;			}			list_len = apos[0] * 256 + apos[1];			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_VERSION_LIST");			if (list_len < 2 || list_len > alen - 2) {				wpa_printf(MSG_WARNING, "EAP-SIM: Invalid "					   "AT_VERSION_LIST (list_len=%d "					   "attr_len=%lu)", list_len,					   (unsigned long) alen);				return -1;			}			attr->version_list = apos + 2;			attr->version_list_len = list_len;			break;		case EAP_SIM_AT_SELECTED_VERSION:			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_SELECTED_VERSION");			if (alen != 2) {				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "					   "AT_SELECTED_VERSION length %lu",					   (unsigned long) alen);				return -1;			}			attr->selected_version = apos[0] * 256 + apos[1];			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_SELECTED_VERSION "				   "%d", attr->selected_version);			break;		case EAP_SIM_AT_FULLAUTH_ID_REQ:			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_FULLAUTH_ID_REQ");			attr->id_req = FULLAUTH_ID;			break;		case EAP_SIM_AT_COUNTER:			if (!encr) {				wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "					   "AT_COUNTER");				return -1;			}			if (alen != 2) {				wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid "					   "AT_COUNTER (alen=%lu)",					   (unsigned long) alen);				return -1;			}			attr->counter = apos[0] * 256 + apos[1];			wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) AT_COUNTER %d",				   attr->counter);			break;		case EAP_SIM_AT_NONCE_S:			if (!encr) {				wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "					   "AT_NONCE_S");				return -1;			}			wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "				   "AT_NONCE_S");			if (alen != 2 + EAP_SIM_NONCE_S_LEN) {				wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid "					   "AT_NONCE_S (alen=%lu)",					   (unsigned long) alen);				return -1;			}			attr->nonce_s = apos + 2;			break;		case EAP_SIM_AT_CLIENT_ERROR_CODE:			if (alen != 2) {				wpa_printf(MSG_INFO, "EAP-SIM: Invalid "					   "AT_CLIENT_ERROR_CODE length %lu",					   (unsigned long) alen);				return -1;			}			attr->client_error_code = apos[0] * 256 + apos[1];			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_CLIENT_ERROR_CODE "				   "%d", attr->client_error_code);			break;		case EAP_SIM_AT_IV:			wpa_printf(MSG_DEBUG, "EAP-SIM: AT_IV");			if (alen != 2 + EAP_SIM_MAC_LEN) {				wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_IV "					   "length %lu", (unsigned long) alen);				return -1;			}			attr->iv = apos + 2;			break;