1 /*
2 * EAP peer/server: EAP-SIM/AKA/AKA' shared routines
3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "wpabuf.h"
13 #include "crypto/aes_wrap.h"
14 #include "crypto/crypto.h"
15 #include "crypto/sha1.h"
16 #include "crypto/sha256.h"
17 #include "crypto/random.h"
18 #include "eap_common/eap_defs.h"
19 #include "eap_common/eap_sim_common.h"
20
21
eap_sim_prf(const u8 * key,u8 * x,size_t xlen)22 static int eap_sim_prf(const u8 *key, u8 *x, size_t xlen)
23 {
24 return fips186_2_prf(key, EAP_SIM_MK_LEN, x, xlen);
25 }
26
27
eap_sim_derive_mk(const u8 * identity,size_t identity_len,const u8 * nonce_mt,u16 selected_version,const u8 * ver_list,size_t ver_list_len,int num_chal,const u8 * kc,u8 * mk)28 void eap_sim_derive_mk(const u8 *identity, size_t identity_len,
29 const u8 *nonce_mt, u16 selected_version,
30 const u8 *ver_list, size_t ver_list_len,
31 int num_chal, const u8 *kc, u8 *mk)
32 {
33 u8 sel_ver[2];
34 const unsigned char *addr[5];
35 size_t len[5];
36
37 addr[0] = identity;
38 len[0] = identity_len;
39 addr[1] = kc;
40 len[1] = num_chal * EAP_SIM_KC_LEN;
41 addr[2] = nonce_mt;
42 len[2] = EAP_SIM_NONCE_MT_LEN;
43 addr[3] = ver_list;
44 len[3] = ver_list_len;
45 addr[4] = sel_ver;
46 len[4] = 2;
47
48 WPA_PUT_BE16(sel_ver, selected_version);
49
50 /* MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version) */
51 sha1_vector(5, addr, len, mk);
52 wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: MK", mk, EAP_SIM_MK_LEN);
53 }
54
55
eap_aka_derive_mk(const u8 * identity,size_t identity_len,const u8 * ik,const u8 * ck,u8 * mk)56 void eap_aka_derive_mk(const u8 *identity, size_t identity_len,
57 const u8 *ik, const u8 *ck, u8 *mk)
58 {
59 const u8 *addr[3];
60 size_t len[3];
61
62 addr[0] = identity;
63 len[0] = identity_len;
64 addr[1] = ik;
65 len[1] = EAP_AKA_IK_LEN;
66 addr[2] = ck;
67 len[2] = EAP_AKA_CK_LEN;
68
69 /* MK = SHA1(Identity|IK|CK) */
70 sha1_vector(3, addr, len, mk);
71 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: IK", ik, EAP_AKA_IK_LEN);
72 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: CK", ck, EAP_AKA_CK_LEN);
73 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: MK", mk, EAP_SIM_MK_LEN);
74 }
75
76
eap_sim_derive_keys(const u8 * mk,u8 * k_encr,u8 * k_aut,u8 * msk,u8 * emsk)77 int eap_sim_derive_keys(const u8 *mk, u8 *k_encr, u8 *k_aut, u8 *msk, u8 *emsk)
78 {
79 u8 buf[EAP_SIM_K_ENCR_LEN + EAP_SIM_K_AUT_LEN +
80 EAP_SIM_KEYING_DATA_LEN + EAP_EMSK_LEN], *pos;
81 if (eap_sim_prf(mk, buf, sizeof(buf)) < 0) {
82 wpa_printf(MSG_ERROR, "EAP-SIM: Failed to derive keys");
83 return -1;
84 }
85 pos = buf;
86 os_memcpy(k_encr, pos, EAP_SIM_K_ENCR_LEN);
87 pos += EAP_SIM_K_ENCR_LEN;
88 os_memcpy(k_aut, pos, EAP_SIM_K_AUT_LEN);
89 pos += EAP_SIM_K_AUT_LEN;
90 os_memcpy(msk, pos, EAP_SIM_KEYING_DATA_LEN);
91 pos += EAP_SIM_KEYING_DATA_LEN;
92 os_memcpy(emsk, pos, EAP_EMSK_LEN);
93
94 wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: K_encr",
95 k_encr, EAP_SIM_K_ENCR_LEN);
96 wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: K_aut",
97 k_aut, EAP_SIM_K_AUT_LEN);
98 wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: keying material (MSK)",
99 msk, EAP_SIM_KEYING_DATA_LEN);
100 wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: EMSK", emsk, EAP_EMSK_LEN);
101 os_memset(buf, 0, sizeof(buf));
102
103 return 0;
104 }
105
106
eap_sim_derive_keys_reauth(u16 _counter,const u8 * identity,size_t identity_len,const u8 * nonce_s,const u8 * mk,u8 * msk,u8 * emsk)107 int eap_sim_derive_keys_reauth(u16 _counter,
108 const u8 *identity, size_t identity_len,
109 const u8 *nonce_s, const u8 *mk, u8 *msk,
110 u8 *emsk)
111 {
112 u8 xkey[SHA1_MAC_LEN];
113 u8 buf[EAP_SIM_KEYING_DATA_LEN + EAP_EMSK_LEN + 32];
114 u8 counter[2];
115 const u8 *addr[4];
116 size_t len[4];
117
118 while (identity_len > 0 && identity[identity_len - 1] == 0) {
119 wpa_printf(MSG_DEBUG, "EAP-SIM: Workaround - drop null "
120 "character from the end of identity");
121 identity_len--;
122 }
123 addr[0] = identity;
124 len[0] = identity_len;
125 addr[1] = counter;
126 len[1] = 2;
127 addr[2] = nonce_s;
128 len[2] = EAP_SIM_NONCE_S_LEN;
129 addr[3] = mk;
130 len[3] = EAP_SIM_MK_LEN;
131
132 WPA_PUT_BE16(counter, _counter);
133
134 wpa_printf(MSG_DEBUG, "EAP-SIM: Deriving keying data from reauth");
135 wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Identity",
136 identity, identity_len);
137 wpa_hexdump(MSG_DEBUG, "EAP-SIM: counter", counter, 2);
138 wpa_hexdump(MSG_DEBUG, "EAP-SIM: NONCE_S", nonce_s,
139 EAP_SIM_NONCE_S_LEN);
140 wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: MK", mk, EAP_SIM_MK_LEN);
141
142 /* XKEY' = SHA1(Identity|counter|NONCE_S|MK) */
143 sha1_vector(4, addr, len, xkey);
144 wpa_hexdump(MSG_DEBUG, "EAP-SIM: XKEY'", xkey, SHA1_MAC_LEN);
145
146 if (eap_sim_prf(xkey, buf, sizeof(buf)) < 0) {
147 wpa_printf(MSG_ERROR, "EAP-SIM: Failed to derive keys");
148 return -1;
149 }
150 if (msk) {
151 os_memcpy(msk, buf, EAP_SIM_KEYING_DATA_LEN);
152 wpa_hexdump(MSG_DEBUG, "EAP-SIM: keying material (MSK)",
153 msk, EAP_SIM_KEYING_DATA_LEN);
154 }
155 if (emsk) {
156 os_memcpy(emsk, buf + EAP_SIM_KEYING_DATA_LEN, EAP_EMSK_LEN);
157 wpa_hexdump(MSG_DEBUG, "EAP-SIM: EMSK", emsk, EAP_EMSK_LEN);
158 }
159 os_memset(buf, 0, sizeof(buf));
160
161 return 0;
162 }
163
164
eap_sim_verify_mac(const u8 * k_aut,const struct wpabuf * req,const u8 * mac,const u8 * extra,size_t extra_len)165 int eap_sim_verify_mac(const u8 *k_aut, const struct wpabuf *req,
166 const u8 *mac, const u8 *extra, size_t extra_len)
167 {
168 unsigned char hmac[SHA1_MAC_LEN];
169 const u8 *addr[2];
170 size_t len[2];
171 u8 *tmp;
172
173 if (mac == NULL || wpabuf_len(req) < EAP_SIM_MAC_LEN ||
174 mac < wpabuf_head_u8(req) ||
175 mac > wpabuf_head_u8(req) + wpabuf_len(req) - EAP_SIM_MAC_LEN)
176 return -1;
177
178 tmp = os_malloc(wpabuf_len(req));
179 if (tmp == NULL)
180 return -1;
181
182 addr[0] = tmp;
183 len[0] = wpabuf_len(req);
184 addr[1] = extra;
185 len[1] = extra_len;
186
187 /* HMAC-SHA1-128 */
188 os_memcpy(tmp, wpabuf_head(req), wpabuf_len(req));
189 os_memset(tmp + (mac - wpabuf_head_u8(req)), 0, EAP_SIM_MAC_LEN);
190 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Verify MAC - msg",
191 tmp, wpabuf_len(req));
192 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Verify MAC - extra data",
193 extra, extra_len);
194 wpa_hexdump_key(MSG_MSGDUMP, "EAP-SIM: Verify MAC - K_aut",
195 k_aut, EAP_SIM_K_AUT_LEN);
196 hmac_sha1_vector(k_aut, EAP_SIM_K_AUT_LEN, 2, addr, len, hmac);
197 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Verify MAC: MAC",
198 hmac, EAP_SIM_MAC_LEN);
199 os_free(tmp);
200
201 return (os_memcmp_const(hmac, mac, EAP_SIM_MAC_LEN) == 0) ? 0 : 1;
202 }
203
204
eap_sim_add_mac(const u8 * k_aut,const u8 * msg,size_t msg_len,u8 * mac,const u8 * extra,size_t extra_len)205 void eap_sim_add_mac(const u8 *k_aut, const u8 *msg, size_t msg_len, u8 *mac,
206 const u8 *extra, size_t extra_len)
207 {
208 unsigned char hmac[SHA1_MAC_LEN];
209 const u8 *addr[2];
210 size_t len[2];
211
212 addr[0] = msg;
213 len[0] = msg_len;
214 addr[1] = extra;
215 len[1] = extra_len;
216
217 /* HMAC-SHA1-128 */
218 os_memset(mac, 0, EAP_SIM_MAC_LEN);
219 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Add MAC - msg", msg, msg_len);
220 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Add MAC - extra data",
221 extra, extra_len);
222 wpa_hexdump_key(MSG_MSGDUMP, "EAP-SIM: Add MAC - K_aut",
223 k_aut, EAP_SIM_K_AUT_LEN);
224 hmac_sha1_vector(k_aut, EAP_SIM_K_AUT_LEN, 2, addr, len, hmac);
225 os_memcpy(mac, hmac, EAP_SIM_MAC_LEN);
226 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Add MAC: MAC",
227 mac, EAP_SIM_MAC_LEN);
228 }
229
230
231 #if defined(EAP_AKA_PRIME) || defined(EAP_SERVER_AKA_PRIME)
prf_prime(const u8 * k,const char * seed1,const u8 * seed2,size_t seed2_len,const u8 * seed3,size_t seed3_len,u8 * res,size_t res_len)232 static void prf_prime(const u8 *k, const char *seed1,
233 const u8 *seed2, size_t seed2_len,
234 const u8 *seed3, size_t seed3_len,
235 u8 *res, size_t res_len)
236 {
237 const u8 *addr[5];
238 size_t len[5];
239 u8 hash[SHA256_MAC_LEN];
240 u8 iter;
241
242 /*
243 * PRF'(K,S) = T1 | T2 | T3 | T4 | ...
244 * T1 = HMAC-SHA-256 (K, S | 0x01)
245 * T2 = HMAC-SHA-256 (K, T1 | S | 0x02)
246 * T3 = HMAC-SHA-256 (K, T2 | S | 0x03)
247 * T4 = HMAC-SHA-256 (K, T3 | S | 0x04)
248 * ...
249 */
250
251 addr[0] = hash;
252 len[0] = 0;
253 addr[1] = (const u8 *) seed1;
254 len[1] = os_strlen(seed1);
255 addr[2] = seed2;
256 len[2] = seed2_len;
257 addr[3] = seed3;
258 len[3] = seed3_len;
259 addr[4] = &iter;
260 len[4] = 1;
261
262 iter = 0;
263 while (res_len) {
264 size_t hlen;
265 iter++;
266 hmac_sha256_vector(k, 32, 5, addr, len, hash);
267 len[0] = SHA256_MAC_LEN;
268 hlen = res_len > SHA256_MAC_LEN ? SHA256_MAC_LEN : res_len;
269 os_memcpy(res, hash, hlen);
270 res += hlen;
271 res_len -= hlen;
272 }
273 }
274
275
eap_aka_prime_derive_keys(const u8 * identity,size_t identity_len,const u8 * ik,const u8 * ck,u8 * k_encr,u8 * k_aut,u8 * k_re,u8 * msk,u8 * emsk)276 void eap_aka_prime_derive_keys(const u8 *identity, size_t identity_len,
277 const u8 *ik, const u8 *ck, u8 *k_encr,
278 u8 *k_aut, u8 *k_re, u8 *msk, u8 *emsk)
279 {
280 u8 key[EAP_AKA_IK_LEN + EAP_AKA_CK_LEN];
281 u8 keys[EAP_SIM_K_ENCR_LEN + EAP_AKA_PRIME_K_AUT_LEN +
282 EAP_AKA_PRIME_K_RE_LEN + EAP_MSK_LEN + EAP_EMSK_LEN];
283 u8 *pos;
284
285 /*
286 * MK = PRF'(IK'|CK',"EAP-AKA'"|Identity)
287 * K_encr = MK[0..127]
288 * K_aut = MK[128..383]
289 * K_re = MK[384..639]
290 * MSK = MK[640..1151]
291 * EMSK = MK[1152..1663]
292 */
293
294 os_memcpy(key, ik, EAP_AKA_IK_LEN);
295 os_memcpy(key + EAP_AKA_IK_LEN, ck, EAP_AKA_CK_LEN);
296
297 prf_prime(key, "EAP-AKA'", identity, identity_len, NULL, 0,
298 keys, sizeof(keys));
299
300 pos = keys;
301 os_memcpy(k_encr, pos, EAP_SIM_K_ENCR_LEN);
302 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': K_encr",
303 k_encr, EAP_SIM_K_ENCR_LEN);
304 pos += EAP_SIM_K_ENCR_LEN;
305
306 os_memcpy(k_aut, pos, EAP_AKA_PRIME_K_AUT_LEN);
307 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': K_aut",
308 k_aut, EAP_AKA_PRIME_K_AUT_LEN);
309 pos += EAP_AKA_PRIME_K_AUT_LEN;
310
311 os_memcpy(k_re, pos, EAP_AKA_PRIME_K_RE_LEN);
312 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': K_re",
313 k_re, EAP_AKA_PRIME_K_RE_LEN);
314 pos += EAP_AKA_PRIME_K_RE_LEN;
315
316 os_memcpy(msk, pos, EAP_MSK_LEN);
317 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': MSK", msk, EAP_MSK_LEN);
318 pos += EAP_MSK_LEN;
319
320 os_memcpy(emsk, pos, EAP_EMSK_LEN);
321 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': EMSK", emsk, EAP_EMSK_LEN);
322 }
323
324
eap_aka_prime_derive_keys_reauth(const u8 * k_re,u16 counter,const u8 * identity,size_t identity_len,const u8 * nonce_s,u8 * msk,u8 * emsk)325 int eap_aka_prime_derive_keys_reauth(const u8 *k_re, u16 counter,
326 const u8 *identity, size_t identity_len,
327 const u8 *nonce_s, u8 *msk, u8 *emsk)
328 {
329 u8 seed3[2 + EAP_SIM_NONCE_S_LEN];
330 u8 keys[EAP_MSK_LEN + EAP_EMSK_LEN];
331 u8 *pos;
332
333 /*
334 * MK = PRF'(K_re,"EAP-AKA' re-auth"|Identity|counter|NONCE_S)
335 * MSK = MK[0..511]
336 * EMSK = MK[512..1023]
337 */
338
339 WPA_PUT_BE16(seed3, counter);
340 os_memcpy(seed3 + 2, nonce_s, EAP_SIM_NONCE_S_LEN);
341
342 prf_prime(k_re, "EAP-AKA' re-auth", identity, identity_len,
343 seed3, sizeof(seed3),
344 keys, sizeof(keys));
345
346 pos = keys;
347 os_memcpy(msk, pos, EAP_MSK_LEN);
348 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': MSK", msk, EAP_MSK_LEN);
349 pos += EAP_MSK_LEN;
350
351 os_memcpy(emsk, pos, EAP_EMSK_LEN);
352 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': EMSK", emsk, EAP_EMSK_LEN);
353
354 os_memset(keys, 0, sizeof(keys));
355
356 return 0;
357 }
358
359
eap_sim_verify_mac_sha256(const u8 * k_aut,const struct wpabuf * req,const u8 * mac,const u8 * extra,size_t extra_len)360 int eap_sim_verify_mac_sha256(const u8 *k_aut, const struct wpabuf *req,
361 const u8 *mac, const u8 *extra, size_t extra_len)
362 {
363 unsigned char hmac[SHA256_MAC_LEN];
364 const u8 *addr[2];
365 size_t len[2];
366 u8 *tmp;
367
368 if (mac == NULL || wpabuf_len(req) < EAP_SIM_MAC_LEN ||
369 mac < wpabuf_head_u8(req) ||
370 mac > wpabuf_head_u8(req) + wpabuf_len(req) - EAP_SIM_MAC_LEN)
371 return -1;
372
373 tmp = os_malloc(wpabuf_len(req));
374 if (tmp == NULL)
375 return -1;
376
377 addr[0] = tmp;
378 len[0] = wpabuf_len(req);
379 addr[1] = extra;
380 len[1] = extra_len;
381
382 /* HMAC-SHA-256-128 */
383 os_memcpy(tmp, wpabuf_head(req), wpabuf_len(req));
384 os_memset(tmp + (mac - wpabuf_head_u8(req)), 0, EAP_SIM_MAC_LEN);
385 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC - msg",
386 tmp, wpabuf_len(req));
387 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC - extra data",
388 extra, extra_len);
389 wpa_hexdump_key(MSG_MSGDUMP, "EAP-AKA': Verify MAC - K_aut",
390 k_aut, EAP_AKA_PRIME_K_AUT_LEN);
391 hmac_sha256_vector(k_aut, EAP_AKA_PRIME_K_AUT_LEN, 2, addr, len, hmac);
392 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC: MAC",
393 hmac, EAP_SIM_MAC_LEN);
394 os_free(tmp);
395
396 return (os_memcmp_const(hmac, mac, EAP_SIM_MAC_LEN) == 0) ? 0 : 1;
397 }
398
399
eap_sim_add_mac_sha256(const u8 * k_aut,const u8 * msg,size_t msg_len,u8 * mac,const u8 * extra,size_t extra_len)400 void eap_sim_add_mac_sha256(const u8 *k_aut, const u8 *msg, size_t msg_len,
401 u8 *mac, const u8 *extra, size_t extra_len)
402 {
403 unsigned char hmac[SHA256_MAC_LEN];
404 const u8 *addr[2];
405 size_t len[2];
406
407 addr[0] = msg;
408 len[0] = msg_len;
409 addr[1] = extra;
410 len[1] = extra_len;
411
412 /* HMAC-SHA-256-128 */
413 os_memset(mac, 0, EAP_SIM_MAC_LEN);
414 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Add MAC - msg", msg, msg_len);
415 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Add MAC - extra data",
416 extra, extra_len);
417 wpa_hexdump_key(MSG_MSGDUMP, "EAP-AKA': Add MAC - K_aut",
418 k_aut, EAP_AKA_PRIME_K_AUT_LEN);
419 hmac_sha256_vector(k_aut, EAP_AKA_PRIME_K_AUT_LEN, 2, addr, len, hmac);
420 os_memcpy(mac, hmac, EAP_SIM_MAC_LEN);
421 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Add MAC: MAC",
422 mac, EAP_SIM_MAC_LEN);
423 }
424
425
eap_aka_prime_derive_ck_ik_prime(u8 * ck,u8 * ik,const u8 * sqn_ak,const u8 * network_name,size_t network_name_len)426 void eap_aka_prime_derive_ck_ik_prime(u8 *ck, u8 *ik, const u8 *sqn_ak,
427 const u8 *network_name,
428 size_t network_name_len)
429 {
430 u8 key[EAP_AKA_CK_LEN + EAP_AKA_IK_LEN];
431 u8 hash[SHA256_MAC_LEN];
432 const u8 *addr[5];
433 size_t len[5];
434 u8 fc;
435 u8 l0[2], l1[2];
436
437 /* 3GPP TS 33.402 V8.0.0
438 * (CK', IK') = F(CK, IK, <access network identity>)
439 */
440 /* TODO: CK', IK' generation should really be moved into the actual
441 * AKA procedure with network name passed in there and option to use
442 * AMF separation bit = 1 (3GPP TS 33.401). */
443
444 /* Change Request 33.402 CR 0033 to version 8.1.1 from
445 * 3GPP TSG-SA WG3 Meeting #53 in September 2008:
446 *
447 * CK' || IK' = HMAC-SHA-256(Key, S)
448 * S = FC || P0 || L0 || P1 || L1 || ... || Pn || Ln
449 * Key = CK || IK
450 * FC = 0x20
451 * P0 = access network identity (3GPP TS 24.302)
452 * L0 = length of acceess network identity (2 octets, big endian)
453 * P1 = SQN xor AK (if AK is not used, AK is treaded as 000..0
454 * L1 = 0x00 0x06
455 */
456
457 fc = 0x20;
458
459 wpa_printf(MSG_DEBUG, "EAP-AKA': Derive (CK',IK') from (CK,IK)");
460 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': CK", ck, EAP_AKA_CK_LEN);
461 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': IK", ik, EAP_AKA_IK_LEN);
462 wpa_printf(MSG_DEBUG, "EAP-AKA': FC = 0x%x", fc);
463 wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA': P0 = Access network identity",
464 network_name, network_name_len);
465 wpa_hexdump(MSG_DEBUG, "EAP-AKA': P1 = SQN xor AK", sqn_ak, 6);
466
467 os_memcpy(key, ck, EAP_AKA_CK_LEN);
468 os_memcpy(key + EAP_AKA_CK_LEN, ik, EAP_AKA_IK_LEN);
469 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': Key = CK || IK",
470 key, sizeof(key));
471
472 addr[0] = &fc;
473 len[0] = 1;
474 addr[1] = network_name;
475 len[1] = network_name_len;
476 WPA_PUT_BE16(l0, network_name_len);
477 addr[2] = l0;
478 len[2] = 2;
479 addr[3] = sqn_ak;
480 len[3] = 6;
481 WPA_PUT_BE16(l1, 6);
482 addr[4] = l1;
483 len[4] = 2;
484
485 hmac_sha256_vector(key, sizeof(key), 5, addr, len, hash);
486 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': KDF output (CK' || IK')",
487 hash, sizeof(hash));
488
489 os_memcpy(ck, hash, EAP_AKA_CK_LEN);
490 os_memcpy(ik, hash + EAP_AKA_CK_LEN, EAP_AKA_IK_LEN);
491 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': CK'", ck, EAP_AKA_CK_LEN);
492 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': IK'", ik, EAP_AKA_IK_LEN);
493 }
494 #endif /* EAP_AKA_PRIME || EAP_SERVER_AKA_PRIME */
495
496
eap_sim_parse_attr(const u8 * start,const u8 * end,struct eap_sim_attrs * attr,int aka,int encr)497 int eap_sim_parse_attr(const u8 *start, const u8 *end,
498 struct eap_sim_attrs *attr, int aka, int encr)
499 {
500 const u8 *pos = start, *apos;
501 size_t alen, plen, i, list_len;
502
503 os_memset(attr, 0, sizeof(*attr));
504 attr->id_req = NO_ID_REQ;
505 attr->notification = -1;
506 attr->counter = -1;
507 attr->selected_version = -1;
508 attr->client_error_code = -1;
509
510 while (pos < end) {
511 if (pos + 2 > end) {
512 wpa_printf(MSG_INFO, "EAP-SIM: Attribute overflow(1)");
513 return -1;
514 }
515 wpa_printf(MSG_MSGDUMP, "EAP-SIM: Attribute: Type=%d Len=%d",
516 pos[0], pos[1] * 4);
517 if (pos + pos[1] * 4 > end) {
518 wpa_printf(MSG_INFO, "EAP-SIM: Attribute overflow "
519 "(pos=%p len=%d end=%p)",
520 pos, pos[1] * 4, end);
521 return -1;
522 }
523 if (pos[1] == 0) {
524 wpa_printf(MSG_INFO, "EAP-SIM: Attribute underflow");
525 return -1;
526 }
527 apos = pos + 2;
528 alen = pos[1] * 4 - 2;
529 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Attribute data",
530 apos, alen);
531
532 switch (pos[0]) {
533 case EAP_SIM_AT_RAND:
534 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_RAND");
535 apos += 2;
536 alen -= 2;
537 if ((!aka && (alen % GSM_RAND_LEN)) ||
538 (aka && alen != EAP_AKA_RAND_LEN)) {
539 wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_RAND"
540 " (len %lu)",
541 (unsigned long) alen);
542 return -1;
543 }
544 attr->rand = apos;
545 attr->num_chal = alen / GSM_RAND_LEN;
546 break;
547 case EAP_SIM_AT_AUTN:
548 wpa_printf(MSG_DEBUG, "EAP-AKA: AT_AUTN");
549 if (!aka) {
550 wpa_printf(MSG_DEBUG, "EAP-SIM: "
551 "Unexpected AT_AUTN");
552 return -1;
553 }
554 apos += 2;
555 alen -= 2;
556 if (alen != EAP_AKA_AUTN_LEN) {
557 wpa_printf(MSG_INFO, "EAP-AKA: Invalid AT_AUTN"
558 " (len %lu)",
559 (unsigned long) alen);
560 return -1;
561 }
562 attr->autn = apos;
563 break;
564 case EAP_SIM_AT_PADDING:
565 if (!encr) {
566 wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
567 "AT_PADDING");
568 return -1;
569 }
570 wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) AT_PADDING");
571 for (i = 2; i < alen; i++) {
572 if (apos[i] != 0) {
573 wpa_printf(MSG_INFO, "EAP-SIM: (encr) "
574 "AT_PADDING used a non-zero"
575 " padding byte");
576 wpa_hexdump(MSG_DEBUG, "EAP-SIM: "
577 "(encr) padding bytes",
578 apos + 2, alen - 2);
579 return -1;
580 }
581 }
582 break;
583 case EAP_SIM_AT_NONCE_MT:
584 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_NONCE_MT");
585 if (alen != 2 + EAP_SIM_NONCE_MT_LEN) {
586 wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
587 "AT_NONCE_MT length");
588 return -1;
589 }
590 attr->nonce_mt = apos + 2;
591 break;
592 case EAP_SIM_AT_PERMANENT_ID_REQ:
593 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_PERMANENT_ID_REQ");
594 attr->id_req = PERMANENT_ID;
595 break;
596 case EAP_SIM_AT_MAC:
597 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_MAC");
598 if (alen != 2 + EAP_SIM_MAC_LEN) {
599 wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_MAC "
600 "length");
601 return -1;
602 }
603 attr->mac = apos + 2;
604 break;
605 case EAP_SIM_AT_NOTIFICATION:
606 if (alen != 2) {
607 wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
608 "AT_NOTIFICATION length %lu",
609 (unsigned long) alen);
610 return -1;
611 }
612 attr->notification = apos[0] * 256 + apos[1];
613 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_NOTIFICATION %d",
614 attr->notification);
615 break;
616 case EAP_SIM_AT_ANY_ID_REQ:
617 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_ANY_ID_REQ");
618 attr->id_req = ANY_ID;
619 break;
620 case EAP_SIM_AT_IDENTITY:
621 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_IDENTITY");
622 plen = WPA_GET_BE16(apos);
623 apos += 2;
624 alen -= 2;
625 if (plen > alen) {
626 wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
627 "AT_IDENTITY (Actual Length %lu, "
628 "remaining length %lu)",
629 (unsigned long) plen,
630 (unsigned long) alen);
631 return -1;
632 }
633
634 attr->identity = apos;
635 attr->identity_len = plen;
636 break;
637 case EAP_SIM_AT_VERSION_LIST:
638 if (aka) {
639 wpa_printf(MSG_DEBUG, "EAP-AKA: "
640 "Unexpected AT_VERSION_LIST");
641 return -1;
642 }
643 list_len = apos[0] * 256 + apos[1];
644 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_VERSION_LIST");
645 if (list_len < 2 || list_len > alen - 2) {
646 wpa_printf(MSG_WARNING, "EAP-SIM: Invalid "
647 "AT_VERSION_LIST (list_len=%lu "
648 "attr_len=%lu)",
649 (unsigned long) list_len,
650 (unsigned long) alen);
651 return -1;
652 }
653 attr->version_list = apos + 2;
654 attr->version_list_len = list_len;
655 break;
656 case EAP_SIM_AT_SELECTED_VERSION:
657 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_SELECTED_VERSION");
658 if (alen != 2) {
659 wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
660 "AT_SELECTED_VERSION length %lu",
661 (unsigned long) alen);
662 return -1;
663 }
664 attr->selected_version = apos[0] * 256 + apos[1];
665 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_SELECTED_VERSION "
666 "%d", attr->selected_version);
667 break;
668 case EAP_SIM_AT_FULLAUTH_ID_REQ:
669 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_FULLAUTH_ID_REQ");
670 attr->id_req = FULLAUTH_ID;
671 break;
672 case EAP_SIM_AT_COUNTER:
673 if (!encr) {
674 wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
675 "AT_COUNTER");
676 return -1;
677 }
678 if (alen != 2) {
679 wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid "
680 "AT_COUNTER (alen=%lu)",
681 (unsigned long) alen);
682 return -1;
683 }
684 attr->counter = apos[0] * 256 + apos[1];
685 wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) AT_COUNTER %d",
686 attr->counter);
687 break;
688 case EAP_SIM_AT_COUNTER_TOO_SMALL:
689 if (!encr) {
690 wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
691 "AT_COUNTER_TOO_SMALL");
692 return -1;
693 }
694 if (alen != 2) {
695 wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid "
696 "AT_COUNTER_TOO_SMALL (alen=%lu)",
697 (unsigned long) alen);
698 return -1;
699 }
700 wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
701 "AT_COUNTER_TOO_SMALL");
702 attr->counter_too_small = 1;
703 break;
704 case EAP_SIM_AT_NONCE_S:
705 if (!encr) {
706 wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
707 "AT_NONCE_S");
708 return -1;
709 }
710 wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
711 "AT_NONCE_S");
712 if (alen != 2 + EAP_SIM_NONCE_S_LEN) {
713 wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid "
714 "AT_NONCE_S (alen=%lu)",
715 (unsigned long) alen);
716 return -1;
717 }
718 attr->nonce_s = apos + 2;
719 break;
720 case EAP_SIM_AT_CLIENT_ERROR_CODE:
721 if (alen != 2) {
722 wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
723 "AT_CLIENT_ERROR_CODE length %lu",
724 (unsigned long) alen);
725 return -1;
726 }
727 attr->client_error_code = apos[0] * 256 + apos[1];
728 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_CLIENT_ERROR_CODE "
729 "%d", attr->client_error_code);
730 break;
731 case EAP_SIM_AT_IV:
732 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_IV");
733 if (alen != 2 + EAP_SIM_MAC_LEN) {
734 wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_IV "
735 "length %lu", (unsigned long) alen);
736 return -1;
737 }
738 attr->iv = apos + 2;
739 break;
740 case EAP_SIM_AT_ENCR_DATA:
741 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_ENCR_DATA");
742 attr->encr_data = apos + 2;
743 attr->encr_data_len = alen - 2;
744 if (attr->encr_data_len % 16) {
745 wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
746 "AT_ENCR_DATA length %lu",
747 (unsigned long)
748 attr->encr_data_len);
749 return -1;
750 }
751 break;
752 case EAP_SIM_AT_NEXT_PSEUDONYM:
753 if (!encr) {
754 wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
755 "AT_NEXT_PSEUDONYM");
756 return -1;
757 }
758 wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
759 "AT_NEXT_PSEUDONYM");
760 plen = apos[0] * 256 + apos[1];
761 if (plen > alen - 2) {
762 wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid"
763 " AT_NEXT_PSEUDONYM (actual"
764 " len %lu, attr len %lu)",
765 (unsigned long) plen,
766 (unsigned long) alen);
767 return -1;
768 }
769 attr->next_pseudonym = pos + 4;
770 attr->next_pseudonym_len = plen;
771 break;
772 case EAP_SIM_AT_NEXT_REAUTH_ID:
773 if (!encr) {
774 wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
775 "AT_NEXT_REAUTH_ID");
776 return -1;
777 }
778 wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
779 "AT_NEXT_REAUTH_ID");
780 plen = apos[0] * 256 + apos[1];
781 if (plen > alen - 2) {
782 wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid"
783 " AT_NEXT_REAUTH_ID (actual"
784 " len %lu, attr len %lu)",
785 (unsigned long) plen,
786 (unsigned long) alen);
787 return -1;
788 }
789 attr->next_reauth_id = pos + 4;
790 attr->next_reauth_id_len = plen;
791 break;
792 case EAP_SIM_AT_RES:
793 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_RES");
794 attr->res_len_bits = WPA_GET_BE16(apos);
795 apos += 2;
796 alen -= 2;
797 if (!aka || alen < EAP_AKA_MIN_RES_LEN ||
798 alen > EAP_AKA_MAX_RES_LEN) {
799 wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_RES "
800 "(len %lu)",
801 (unsigned long) alen);
802 return -1;
803 }
804 attr->res = apos;
805 attr->res_len = alen;
806 break;
807 case EAP_SIM_AT_AUTS:
808 wpa_printf(MSG_DEBUG, "EAP-AKA: AT_AUTS");
809 if (!aka) {
810 wpa_printf(MSG_DEBUG, "EAP-SIM: "
811 "Unexpected AT_AUTS");
812 return -1;
813 }
814 if (alen != EAP_AKA_AUTS_LEN) {
815 wpa_printf(MSG_INFO, "EAP-AKA: Invalid AT_AUTS"
816 " (len %lu)",
817 (unsigned long) alen);
818 return -1;
819 }
820 attr->auts = apos;
821 break;
822 case EAP_SIM_AT_CHECKCODE:
823 wpa_printf(MSG_DEBUG, "EAP-AKA: AT_CHECKCODE");
824 if (!aka) {
825 wpa_printf(MSG_DEBUG, "EAP-SIM: "
826 "Unexpected AT_CHECKCODE");
827 return -1;
828 }
829 apos += 2;
830 alen -= 2;
831 if (alen != 0 && alen != EAP_AKA_CHECKCODE_LEN &&
832 alen != EAP_AKA_PRIME_CHECKCODE_LEN) {
833 wpa_printf(MSG_INFO, "EAP-AKA: Invalid "
834 "AT_CHECKCODE (len %lu)",
835 (unsigned long) alen);
836 return -1;
837 }
838 attr->checkcode = apos;
839 attr->checkcode_len = alen;
840 break;
841 case EAP_SIM_AT_RESULT_IND:
842 if (encr) {
843 wpa_printf(MSG_ERROR, "EAP-SIM: Encrypted "
844 "AT_RESULT_IND");
845 return -1;
846 }
847 if (alen != 2) {
848 wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
849 "AT_RESULT_IND (alen=%lu)",
850 (unsigned long) alen);
851 return -1;
852 }
853 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_RESULT_IND");
854 attr->result_ind = 1;
855 break;
856 #if defined(EAP_AKA_PRIME) || defined(EAP_SERVER_AKA_PRIME)
857 case EAP_SIM_AT_KDF_INPUT:
858 if (aka != 2) {
859 wpa_printf(MSG_INFO, "EAP-AKA: Unexpected "
860 "AT_KDF_INPUT");
861 return -1;
862 }
863
864 wpa_printf(MSG_DEBUG, "EAP-AKA: AT_KDF_INPUT");
865 plen = WPA_GET_BE16(apos);
866 apos += 2;
867 alen -= 2;
868 if (plen > alen) {
869 wpa_printf(MSG_INFO, "EAP-AKA': Invalid "
870 "AT_KDF_INPUT (Actual Length %lu, "
871 "remaining length %lu)",
872 (unsigned long) plen,
873 (unsigned long) alen);
874 return -1;
875 }
876 attr->kdf_input = apos;
877 attr->kdf_input_len = plen;
878 break;
879 case EAP_SIM_AT_KDF:
880 if (aka != 2) {
881 wpa_printf(MSG_INFO, "EAP-AKA: Unexpected "
882 "AT_KDF");
883 return -1;
884 }
885
886 wpa_printf(MSG_DEBUG, "EAP-AKA: AT_KDF");
887 if (alen != 2) {
888 wpa_printf(MSG_INFO, "EAP-AKA': Invalid "
889 "AT_KDF (len %lu)",
890 (unsigned long) alen);
891 return -1;
892 }
893 if (attr->kdf_count == EAP_AKA_PRIME_KDF_MAX) {
894 wpa_printf(MSG_DEBUG, "EAP-AKA': Too many "
895 "AT_KDF attributes - ignore this");
896 break;
897 }
898 attr->kdf[attr->kdf_count] = WPA_GET_BE16(apos);
899 attr->kdf_count++;
900 break;
901 case EAP_SIM_AT_BIDDING:
902 wpa_printf(MSG_DEBUG, "EAP-AKA: AT_BIDDING");
903 if (alen != 2) {
904 wpa_printf(MSG_INFO, "EAP-AKA: Invalid "
905 "AT_BIDDING (len %lu)",
906 (unsigned long) alen);
907 return -1;
908 }
909 attr->bidding = apos;
910 break;
911 #endif /* EAP_AKA_PRIME || EAP_SERVER_AKA_PRIME */
912 default:
913 if (pos[0] < 128) {
914 wpa_printf(MSG_INFO, "EAP-SIM: Unrecognized "
915 "non-skippable attribute %d",
916 pos[0]);
917 return -1;
918 }
919
920 wpa_printf(MSG_DEBUG, "EAP-SIM: Unrecognized skippable"
921 " attribute %d ignored", pos[0]);
922 break;
923 }
924
925 pos += pos[1] * 4;
926 }
927
928 wpa_printf(MSG_DEBUG, "EAP-SIM: Attributes parsed successfully "
929 "(aka=%d encr=%d)", aka, encr);
930
931 return 0;
932 }
933
934
eap_sim_parse_encr(const u8 * k_encr,const u8 * encr_data,size_t encr_data_len,const u8 * iv,struct eap_sim_attrs * attr,int aka)935 u8 * eap_sim_parse_encr(const u8 *k_encr, const u8 *encr_data,
936 size_t encr_data_len, const u8 *iv,
937 struct eap_sim_attrs *attr, int aka)
938 {
939 u8 *decrypted;
940
941 if (!iv) {
942 wpa_printf(MSG_INFO, "EAP-SIM: Encrypted data, but no IV");
943 return NULL;
944 }
945
946 decrypted = os_malloc(encr_data_len);
947 if (decrypted == NULL)
948 return NULL;
949 os_memcpy(decrypted, encr_data, encr_data_len);
950
951 if (aes_128_cbc_decrypt(k_encr, iv, decrypted, encr_data_len)) {
952 os_free(decrypted);
953 return NULL;
954 }
955 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Decrypted AT_ENCR_DATA",
956 decrypted, encr_data_len);
957
958 if (eap_sim_parse_attr(decrypted, decrypted + encr_data_len, attr,
959 aka, 1)) {
960 wpa_printf(MSG_INFO, "EAP-SIM: (encr) Failed to parse "
961 "decrypted AT_ENCR_DATA");
962 os_free(decrypted);
963 return NULL;
964 }
965
966 return decrypted;
967 }
968
969
970 #define EAP_SIM_INIT_LEN 128
971
972 struct eap_sim_msg {
973 struct wpabuf *buf;
974 size_t mac, iv, encr; /* index from buf */
975 };
976
977
eap_sim_msg_init(int code,int id,int type,int subtype)978 struct eap_sim_msg * eap_sim_msg_init(int code, int id, int type, int subtype)
979 {
980 struct eap_sim_msg *msg;
981 struct eap_hdr *eap;
982 u8 *pos;
983
984 msg = os_zalloc(sizeof(*msg));
985 if (msg == NULL)
986 return NULL;
987
988 msg->buf = wpabuf_alloc(EAP_SIM_INIT_LEN);
989 if (msg->buf == NULL) {
990 os_free(msg);
991 return NULL;
992 }
993 eap = wpabuf_put(msg->buf, sizeof(*eap));
994 eap->code = code;
995 eap->identifier = id;
996
997 pos = wpabuf_put(msg->buf, 4);
998 *pos++ = type;
999 *pos++ = subtype;
1000 *pos++ = 0; /* Reserved */
1001 *pos++ = 0; /* Reserved */
1002
1003 return msg;
1004 }
1005
1006
eap_sim_msg_finish(struct eap_sim_msg * msg,int type,const u8 * k_aut,const u8 * extra,size_t extra_len)1007 struct wpabuf * eap_sim_msg_finish(struct eap_sim_msg *msg, int type,
1008 const u8 *k_aut,
1009 const u8 *extra, size_t extra_len)
1010 {
1011 struct eap_hdr *eap;
1012 struct wpabuf *buf;
1013
1014 if (msg == NULL)
1015 return NULL;
1016
1017 eap = wpabuf_mhead(msg->buf);
1018 eap->length = host_to_be16(wpabuf_len(msg->buf));
1019
1020 #if defined(EAP_AKA_PRIME) || defined(EAP_SERVER_AKA_PRIME)
1021 if (k_aut && msg->mac && type == EAP_TYPE_AKA_PRIME) {
1022 eap_sim_add_mac_sha256(k_aut, (u8 *) wpabuf_head(msg->buf),
1023 wpabuf_len(msg->buf),
1024 (u8 *) wpabuf_mhead(msg->buf) +
1025 msg->mac, extra, extra_len);
1026 } else
1027 #endif /* EAP_AKA_PRIME || EAP_SERVER_AKA_PRIME */
1028 if (k_aut && msg->mac) {
1029 eap_sim_add_mac(k_aut, (u8 *) wpabuf_head(msg->buf),
1030 wpabuf_len(msg->buf),
1031 (u8 *) wpabuf_mhead(msg->buf) + msg->mac,
1032 extra, extra_len);
1033 }
1034
1035 buf = msg->buf;
1036 os_free(msg);
1037 return buf;
1038 }
1039
1040
eap_sim_msg_free(struct eap_sim_msg * msg)1041 void eap_sim_msg_free(struct eap_sim_msg *msg)
1042 {
1043 if (msg) {
1044 wpabuf_free(msg->buf);
1045 os_free(msg);
1046 }
1047 }
1048
1049
eap_sim_msg_add_full(struct eap_sim_msg * msg,u8 attr,const u8 * data,size_t len)1050 u8 * eap_sim_msg_add_full(struct eap_sim_msg *msg, u8 attr,
1051 const u8 *data, size_t len)
1052 {
1053 int attr_len = 2 + len;
1054 int pad_len;
1055 u8 *start;
1056
1057 if (msg == NULL)
1058 return NULL;
1059
1060 pad_len = (4 - attr_len % 4) % 4;
1061 attr_len += pad_len;
1062 if (wpabuf_resize(&msg->buf, attr_len))
1063 return NULL;
1064 start = wpabuf_put(msg->buf, 0);
1065 wpabuf_put_u8(msg->buf, attr);
1066 wpabuf_put_u8(msg->buf, attr_len / 4);
1067 wpabuf_put_data(msg->buf, data, len);
1068 if (pad_len)
1069 os_memset(wpabuf_put(msg->buf, pad_len), 0, pad_len);
1070 return start;
1071 }
1072
1073
eap_sim_msg_add(struct eap_sim_msg * msg,u8 attr,u16 value,const u8 * data,size_t len)1074 u8 * eap_sim_msg_add(struct eap_sim_msg *msg, u8 attr, u16 value,
1075 const u8 *data, size_t len)
1076 {
1077 int attr_len = 4 + len;
1078 int pad_len;
1079 u8 *start;
1080
1081 if (msg == NULL)
1082 return NULL;
1083
1084 pad_len = (4 - attr_len % 4) % 4;
1085 attr_len += pad_len;
1086 if (wpabuf_resize(&msg->buf, attr_len))
1087 return NULL;
1088 start = wpabuf_put(msg->buf, 0);
1089 wpabuf_put_u8(msg->buf, attr);
1090 wpabuf_put_u8(msg->buf, attr_len / 4);
1091 wpabuf_put_be16(msg->buf, value);
1092 if (data)
1093 wpabuf_put_data(msg->buf, data, len);
1094 else
1095 wpabuf_put(msg->buf, len);
1096 if (pad_len)
1097 os_memset(wpabuf_put(msg->buf, pad_len), 0, pad_len);
1098 return start;
1099 }
1100
1101
eap_sim_msg_add_mac(struct eap_sim_msg * msg,u8 attr)1102 u8 * eap_sim_msg_add_mac(struct eap_sim_msg *msg, u8 attr)
1103 {
1104 u8 *pos = eap_sim_msg_add(msg, attr, 0, NULL, EAP_SIM_MAC_LEN);
1105 if (pos)
1106 msg->mac = (pos - wpabuf_head_u8(msg->buf)) + 4;
1107 return pos;
1108 }
1109
1110
eap_sim_msg_add_encr_start(struct eap_sim_msg * msg,u8 attr_iv,u8 attr_encr)1111 int eap_sim_msg_add_encr_start(struct eap_sim_msg *msg, u8 attr_iv,
1112 u8 attr_encr)
1113 {
1114 u8 *pos = eap_sim_msg_add(msg, attr_iv, 0, NULL, EAP_SIM_IV_LEN);
1115 if (pos == NULL)
1116 return -1;
1117 msg->iv = (pos - wpabuf_head_u8(msg->buf)) + 4;
1118 if (random_get_bytes(wpabuf_mhead_u8(msg->buf) + msg->iv,
1119 EAP_SIM_IV_LEN)) {
1120 msg->iv = 0;
1121 return -1;
1122 }
1123
1124 pos = eap_sim_msg_add(msg, attr_encr, 0, NULL, 0);
1125 if (pos == NULL) {
1126 msg->iv = 0;
1127 return -1;
1128 }
1129 msg->encr = pos - wpabuf_head_u8(msg->buf);
1130
1131 return 0;
1132 }
1133
1134
eap_sim_msg_add_encr_end(struct eap_sim_msg * msg,u8 * k_encr,int attr_pad)1135 int eap_sim_msg_add_encr_end(struct eap_sim_msg *msg, u8 *k_encr, int attr_pad)
1136 {
1137 size_t encr_len;
1138
1139 if (msg == NULL || k_encr == NULL || msg->iv == 0 || msg->encr == 0)
1140 return -1;
1141
1142 encr_len = wpabuf_len(msg->buf) - msg->encr - 4;
1143 if (encr_len % 16) {
1144 u8 *pos;
1145 int pad_len = 16 - (encr_len % 16);
1146 if (pad_len < 4) {
1147 wpa_printf(MSG_WARNING, "EAP-SIM: "
1148 "eap_sim_msg_add_encr_end - invalid pad_len"
1149 " %d", pad_len);
1150 return -1;
1151 }
1152 wpa_printf(MSG_DEBUG, " *AT_PADDING");
1153 pos = eap_sim_msg_add(msg, attr_pad, 0, NULL, pad_len - 4);
1154 if (pos == NULL)
1155 return -1;
1156 os_memset(pos + 4, 0, pad_len - 4);
1157 encr_len += pad_len;
1158 }
1159 wpa_printf(MSG_DEBUG, " (AT_ENCR_DATA data len %lu)",
1160 (unsigned long) encr_len);
1161 wpabuf_mhead_u8(msg->buf)[msg->encr + 1] = encr_len / 4 + 1;
1162 return aes_128_cbc_encrypt(k_encr, wpabuf_head_u8(msg->buf) + msg->iv,
1163 wpabuf_mhead_u8(msg->buf) + msg->encr + 4,
1164 encr_len);
1165 }
1166
1167
eap_sim_report_notification(void * msg_ctx,int notification,int aka)1168 void eap_sim_report_notification(void *msg_ctx, int notification, int aka)
1169 {
1170 #ifndef CONFIG_NO_STDOUT_DEBUG
1171 const char *type = aka ? "AKA" : "SIM";
1172 #endif /* CONFIG_NO_STDOUT_DEBUG */
1173
1174 switch (notification) {
1175 case EAP_SIM_GENERAL_FAILURE_AFTER_AUTH:
1176 wpa_printf(MSG_WARNING, "EAP-%s: General failure "
1177 "notification (after authentication)", type);
1178 break;
1179 case EAP_SIM_TEMPORARILY_DENIED:
1180 wpa_printf(MSG_WARNING, "EAP-%s: Failure notification: "
1181 "User has been temporarily denied access to the "
1182 "requested service", type);
1183 break;
1184 case EAP_SIM_NOT_SUBSCRIBED:
1185 wpa_printf(MSG_WARNING, "EAP-%s: Failure notification: "
1186 "User has not subscribed to the requested service",
1187 type);
1188 break;
1189 case EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH:
1190 wpa_printf(MSG_WARNING, "EAP-%s: General failure "
1191 "notification (before authentication)", type);
1192 break;
1193 case EAP_SIM_SUCCESS:
1194 wpa_printf(MSG_INFO, "EAP-%s: Successful authentication "
1195 "notification", type);
1196 break;
1197 default:
1198 if (notification >= 32768) {
1199 wpa_printf(MSG_INFO, "EAP-%s: Unrecognized "
1200 "non-failure notification %d",
1201 type, notification);
1202 } else {
1203 wpa_printf(MSG_WARNING, "EAP-%s: Unrecognized "
1204 "failure notification %d",
1205 type, notification);
1206 }
1207 }
1208 }
1209