/* * EAP peer method: EAP-AKA (RFC 4187) and EAP-AKA' (draft-arkko-eap-aka-kdf) * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. * * Alternatively, this software may be distributed under the terms of BSD * license. * * See README and COPYING for more details. */#include "includes.h"#include "common.h"#include "eap_peer/eap_i.h"#include "pcsc_funcs.h"#include "eap_common/eap_sim_common.h"#include "sha1.h"#include "sha256.h"#include "crypto.h"#include "eap_peer/eap_config.h"#ifdef CONFIG_USIM_SIMULATOR#include "hlr_auc_gw/milenage.h"#endif /* CONFIG_USIM_SIMULATOR */struct eap_aka_data {	u8 ik[EAP_AKA_IK_LEN], ck[EAP_AKA_CK_LEN], res[EAP_AKA_RES_MAX_LEN];	size_t res_len;	u8 nonce_s[EAP_SIM_NONCE_S_LEN];	u8 mk[EAP_SIM_MK_LEN];	u8 k_aut[EAP_AKA_PRIME_K_AUT_LEN];	u8 k_encr[EAP_SIM_K_ENCR_LEN];	u8 k_re[EAP_AKA_PRIME_K_RE_LEN]; /* EAP-AKA' only */	u8 msk[EAP_SIM_KEYING_DATA_LEN];	u8 emsk[EAP_EMSK_LEN];	u8 rand[EAP_AKA_RAND_LEN], autn[EAP_AKA_AUTN_LEN];	u8 auts[EAP_AKA_AUTS_LEN];	int num_id_req, num_notification;	u8 *pseudonym;	size_t pseudonym_len;	u8 *reauth_id;	size_t reauth_id_len;	int reauth;	unsigned int counter, counter_too_small;	u8 *last_eap_identity;	size_t last_eap_identity_len;	enum {		CONTINUE, RESULT_SUCCESS, RESULT_FAILURE, SUCCESS, FAILURE	} state;	struct wpabuf *id_msgs;	int prev_id;	int result_ind, use_result_ind;	u8 eap_method;	u8 *network_name;	size_t network_name_len;	u16 kdf;	int kdf_negotiation;};#ifndef CONFIG_NO_STDOUT_DEBUGstatic const char * eap_aka_state_txt(int state){	switch (state) {	case CONTINUE:		return "CONTINUE";	case RESULT_SUCCESS:		return "RESULT_SUCCESS";	case RESULT_FAILURE:		return "RESULT_FAILURE";	case SUCCESS:		return "SUCCESS";	case FAILURE:		return "FAILURE";	default:		return "?";	}}#endif /* CONFIG_NO_STDOUT_DEBUG */static void eap_aka_state(struct eap_aka_data *data, int state){	wpa_printf(MSG_DEBUG, "EAP-AKA: %s -> %s",		   eap_aka_state_txt(data->state),		   eap_aka_state_txt(state));	data->state = state;}static void * eap_aka_init(struct eap_sm *sm){	struct eap_aka_data *data;	const char *phase1 = eap_get_config_phase1(sm);	data = os_zalloc(sizeof(*data));	if (data == NULL)		return NULL;	data->eap_method = EAP_TYPE_AKA;	eap_aka_state(data, CONTINUE);	data->prev_id = -1;	data->result_ind = phase1 && os_strstr(phase1, "result_ind=1") != NULL;	return data;}#ifdef EAP_AKA_PRIMEstatic void * eap_aka_prime_init(struct eap_sm *sm){	struct eap_aka_data *data = eap_aka_init(sm);	if (data == NULL)		return NULL;	data->eap_method = EAP_TYPE_AKA_PRIME;	return data;}#endif /* EAP_AKA_PRIME */static void eap_aka_deinit(struct eap_sm *sm, void *priv){	struct eap_aka_data *data = priv;	if (data) {		os_free(data->pseudonym);		os_free(data->reauth_id);		os_free(data->last_eap_identity);		wpabuf_free(data->id_msgs);		os_free(data->network_name);		os_free(data);	}}static int eap_aka_umts_auth(struct eap_sm *sm, struct eap_aka_data *data){	struct eap_peer_config *conf;	wpa_printf(MSG_DEBUG, "EAP-AKA: UMTS authentication algorithm");	conf = eap_get_config(sm);	if (conf == NULL)		return -1;	if (conf->pcsc) {		return scard_umts_auth(sm->scard_ctx, data->rand,				       data->autn, data->res, &data->res_len,				       data->ik, data->ck, data->auts);	}#ifdef CONFIG_USIM_SIMULATOR	if (conf->password) {		u8 opc[16], k[16], sqn[6];		const char *pos;		wpa_printf(MSG_DEBUG, "EAP-AKA: Use internal Milenage "			   "implementation for UMTS authentication");		if (conf->password_len < 78) {			wpa_printf(MSG_DEBUG, "EAP-AKA: invalid Milenage "				   "password");			return -1;		}		pos = (const char *) conf->password;		if (hexstr2bin(pos, k, 16))			return -1;		pos += 32;		if (*pos != ':')			return -1;		pos++;		if (hexstr2bin(pos, opc, 16))			return -1;		pos += 32;		if (*pos != ':')			return -1;		pos++;		if (hexstr2bin(pos, sqn, 6))			return -1;		return milenage_check(opc, k, sqn, data->rand, data->autn,				      data->ik, data->ck,				      data->res, &data->res_len, data->auts);	}#endif /* CONFIG_USIM_SIMULATOR */#ifdef CONFIG_USIM_HARDCODED	wpa_printf(MSG_DEBUG, "EAP-AKA: Use hardcoded Kc and SRES values for "		   "testing");	/* These hardcoded Kc and SRES values are used for testing.	 * Could consider making them configurable. */	os_memset(data->res, '2', EAP_AKA_RES_MAX_LEN);	data->res_len = EAP_AKA_RES_MAX_LEN;	os_memset(data->ik, '3', EAP_AKA_IK_LEN);	os_memset(data->ck, '4', EAP_AKA_CK_LEN);	{		u8 autn[EAP_AKA_AUTN_LEN];		os_memset(autn, '1', EAP_AKA_AUTN_LEN);		if (os_memcmp(autn, data->autn, EAP_AKA_AUTN_LEN) != 0) {			wpa_printf(MSG_WARNING, "EAP-AKA: AUTN did not match "				   "with expected value");			return -1;		}	}#if 0	{		static int test_resync = 1;		if (test_resync) {			/* Test Resynchronization */			test_resync = 0;			return -2;		}	}#endif	return 0;#else /* CONFIG_USIM_HARDCODED */	wpa_printf(MSG_DEBUG, "EAP-AKA: No UMTS authentication algorith "		   "enabled");	return -1;#endif /* CONFIG_USIM_HARDCODED */}#define CLEAR_PSEUDONYM	0x01#define CLEAR_REAUTH_ID	0x02#define CLEAR_EAP_ID	0x04static void eap_aka_clear_identities(struct eap_aka_data *data, int id){	wpa_printf(MSG_DEBUG, "EAP-AKA: forgetting old%s%s%s",		   id & CLEAR_PSEUDONYM ? " pseudonym" : "",		   id & CLEAR_REAUTH_ID ? " reauth_id" : "",		   id & CLEAR_EAP_ID ? " eap_id" : "");	if (id & CLEAR_PSEUDONYM) {		os_free(data->pseudonym);		data->pseudonym = NULL;		data->pseudonym_len = 0;	}	if (id & CLEAR_REAUTH_ID) {		os_free(data->reauth_id);		data->reauth_id = NULL;		data->reauth_id_len = 0;	}	if (id & CLEAR_EAP_ID) {		os_free(data->last_eap_identity);		data->last_eap_identity = NULL;		data->last_eap_identity_len = 0;	}}static int eap_aka_learn_ids(struct eap_aka_data *data,			     struct eap_sim_attrs *attr){	if (attr->next_pseudonym) {		os_free(data->pseudonym);		data->pseudonym = os_malloc(attr->next_pseudonym_len);		if (data->pseudonym == NULL) {			wpa_printf(MSG_INFO, "EAP-AKA: (encr) No memory for "				   "next pseudonym");			return -1;		}		os_memcpy(data->pseudonym, attr->next_pseudonym,			  attr->next_pseudonym_len);		data->pseudonym_len = attr->next_pseudonym_len;		wpa_hexdump_ascii(MSG_DEBUG,				  "EAP-AKA: (encr) AT_NEXT_PSEUDONYM",				  data->pseudonym,				  data->pseudonym_len);	}	if (attr->next_reauth_id) {		os_free(data->reauth_id);		data->reauth_id = os_malloc(attr->next_reauth_id_len);		if (data->reauth_id == NULL) {			wpa_printf(MSG_INFO, "EAP-AKA: (encr) No memory for "				   "next reauth_id");			return -1;		}		os_memcpy(data->reauth_id, attr->next_reauth_id,			  attr->next_reauth_id_len);		data->reauth_id_len = attr->next_reauth_id_len;		wpa_hexdump_ascii(MSG_DEBUG,				  "EAP-AKA: (encr) AT_NEXT_REAUTH_ID",				  data->reauth_id,				  data->reauth_id_len);	}	return 0;}static int eap_aka_add_id_msg(struct eap_aka_data *data,			      const struct wpabuf *msg){	if (msg == NULL)		return -1;	if (data->id_msgs == NULL) {		data->id_msgs = wpabuf_dup(msg);		return data->id_msgs == NULL ? -1 : 0;	}	if (wpabuf_resize(&data->id_msgs, wpabuf_len(msg)) < 0)		return -1;	wpabuf_put_buf(data->id_msgs, msg);	return 0;}static void eap_aka_add_checkcode(struct eap_aka_data *data,				  struct eap_sim_msg *msg){	const u8 *addr;	size_t len;	u8 hash[SHA256_MAC_LEN];	wpa_printf(MSG_DEBUG, "   AT_CHECKCODE");	if (data->id_msgs == NULL) {		/*		 * No EAP-AKA/Identity packets were exchanged - send empty		 * checkcode.		 */		eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, NULL, 0);		return;	}	/* Checkcode is SHA1/SHA256 hash over all EAP-AKA/Identity packets. */	addr = wpabuf_head(data->id_msgs);	len = wpabuf_len(data->id_msgs);	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA: AT_CHECKCODE data", addr, len);#ifdef EAP_AKA_PRIME	if (data->eap_method == EAP_TYPE_AKA_PRIME)		sha256_vector(1, &addr, &len, hash);	else#endif /* EAP_AKA_PRIME */		sha1_vector(1, &addr, &len, hash);	eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, hash,			data->eap_method == EAP_TYPE_AKA_PRIME ?			EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN);}static int eap_aka_verify_checkcode(struct eap_aka_data *data,				    const u8 *checkcode, size_t checkcode_len){	const u8 *addr;	size_t len;	u8 hash[SHA256_MAC_LEN];	size_t hash_len;	if (checkcode == NULL)		return -1;	if (data->id_msgs == NULL) {		if (checkcode_len != 0) {			wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from server "				   "indicates that AKA/Identity messages were "				   "used, but they were not");			return -1;		}		return 0;	}	hash_len = data->eap_method == EAP_TYPE_AKA_PRIME ?		EAP_AKA_PRIME_CHECKCODE_LEN : EAP_AKA_CHECKCODE_LEN;	if (checkcode_len != hash_len) {		wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from server "			   "indicates that AKA/Identity message were not "			   "used, but they were");		return -1;	}	/* Checkcode is SHA1/SHA256 hash over all EAP-AKA/Identity packets. */	addr = wpabuf_head(data->id_msgs);	len = wpabuf_len(data->id_msgs);#ifdef EAP_AKA_PRIME	if (data->eap_method == EAP_TYPE_AKA_PRIME)		sha256_vector(1, &addr, &len, hash);	else#endif /* EAP_AKA_PRIME */		sha1_vector(1, &addr, &len, hash);	if (os_memcmp(hash, checkcode, hash_len) != 0) {		wpa_printf(MSG_DEBUG, "EAP-AKA: Mismatch in AT_CHECKCODE");		return -1;	}	return 0;}static struct wpabuf * eap_aka_client_error(struct eap_aka_data *data, u8 id,					    int err){	struct eap_sim_msg *msg;	eap_aka_state(data, FAILURE);	data->num_id_req = 0;	data->num_notification = 0;	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method,			       EAP_AKA_SUBTYPE_CLIENT_ERROR);	eap_sim_msg_add(msg, EAP_SIM_AT_CLIENT_ERROR_CODE, err, NULL, 0);	return eap_sim_msg_finish(msg, NULL, NULL, 0);}static struct wpabuf * eap_aka_authentication_reject(struct eap_aka_data *data,						     u8 id){	struct eap_sim_msg *msg;	eap_aka_state(data, FAILURE);	data->num_id_req = 0;	data->num_notification = 0;	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Authentication-Reject "		   "(id=%d)", id);	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method,			       EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT);	return eap_sim_msg_finish(msg, NULL, NULL, 0);}static struct wpabuf * eap_aka_synchronization_failure(	struct eap_aka_data *data, u8 id){	struct eap_sim_msg *msg;	data->num_id_req = 0;	data->num_notification = 0;	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Synchronization-Failure "		   "(id=%d)", id);	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, data->eap_method,			       EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE);	wpa_printf(MSG_DEBUG, "   AT_AUTS");	eap_sim_msg_add_full(msg, EAP_SIM_AT_AUTS, data->auts,			     EAP_AKA_AUTS_LEN);	return eap_sim_msg_finish(msg, NULL, NULL, 0);}static struct wpabuf * eap_aka_response_identity(struct eap_sm *sm,						 struct eap_aka_data *data,						 u8 id,						 enum eap_sim_id_req id_req){	const u8 *identity = NULL;