2 * HLR/AuC testing gateway for hostapd EAP-SIM/AKA database/authenticator
3 * Copyright (c) 2005-2006, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
14 * This is an example implementation of the EAP-SIM/AKA database/authentication
15 * gateway interface to HLR/AuC. It is expected to be replaced with an
16 * implementation of SS7 gateway to GSM/UMTS authentication center (HLR/AuC) or
17 * a local implementation of SIM triplet and AKA authentication data generator.
19 * hostapd will send SIM/AKA authentication queries over a UNIX domain socket
20 * to and external program, e.g., this hlr_auc_gw. This interface uses simple
23 * EAP-SIM / GSM triplet query/response:
24 * SIM-REQ-AUTH <IMSI> <max_chal>
25 * SIM-RESP-AUTH <IMSI> Kc1:SRES1:RAND1 Kc2:SRES2:RAND2 [Kc3:SRES3:RAND3]
26 * SIM-RESP-AUTH <IMSI> FAILURE
28 * EAP-AKA / UMTS query/response:
30 * AKA-RESP-AUTH <IMSI> <RAND> <AUTN> <IK> <CK> <RES>
31 * AKA-RESP-AUTH <IMSI> FAILURE
33 * EAP-AKA / UMTS AUTS (re-synchronization):
34 * AKA-AUTS <IMSI> <AUTS> <RAND>
36 * IMSI and max_chal are sent as an ASCII string,
37 * Kc/SRES/RAND/AUTN/IK/CK/RES/AUTS as hex strings.
39 * The example implementation here reads GSM authentication triplets from a
40 * text file in IMSI:Kc:SRES:RAND format, IMSI in ASCII, other fields as hex
41 * strings. This is used to simulate an HLR/AuC. As such, it is not very useful
42 * for real life authentication, but it is useful both as an example
43 * implementation and for EAP-SIM testing.
51 #include <sys/types.h>
52 #include <sys/socket.h>
58 static const char *default_socket_path = "/tmp/hlr_auc_gw.sock";
59 static const char *socket_path;
60 static const char *default_gsm_triplet_file = "hostapd.sim_db";
61 static const char *gsm_triplet_file;
62 static int serv_sock = -1;
64 /* OPc and AMF parameters for Milenage (Example algorithms for AKA). */
65 struct milenage_parameters {
66 struct milenage_parameters *next;
74 static struct milenage_parameters *milenage_db = NULL;
76 #define EAP_SIM_MAX_CHAL 3
78 #define EAP_AKA_RAND_LEN 16
79 #define EAP_AKA_AUTN_LEN 16
80 #define EAP_AKA_AUTS_LEN 14
81 #define EAP_AKA_RES_MAX_LEN 16
82 #define EAP_AKA_IK_LEN 16
83 #define EAP_AKA_CK_LEN 16
86 static int open_socket(const char *path)
88 struct sockaddr_un addr;
91 s = socket(PF_UNIX, SOCK_DGRAM, 0);
93 perror("socket(PF_UNIX)");
97 memset(&addr, 0, sizeof(addr));
98 addr.sun_family = AF_UNIX;
99 strncpy(addr.sun_path, path, sizeof(addr.sun_path));
100 if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
101 perror("bind(PF_UNIX)");
110 static int read_milenage(const char *fname)
113 char buf[200], *pos, *pos2;
114 struct milenage_parameters *m = NULL;
120 f = fopen(fname, "r");
122 printf("Could not open Milenage data file '%s'\n", fname);
127 while (fgets(buf, sizeof(buf), f)) {
130 /* Parse IMSI Ki OPc AMF SQN */
131 buf[sizeof(buf) - 1] = '\0';
135 while (*pos != '\0' && *pos != '\n')
143 m = os_zalloc(sizeof(*m));
150 pos2 = strchr(pos, ' ');
152 printf("%s:%d - Invalid IMSI (%s)\n",
158 if (strlen(pos) >= sizeof(m->imsi)) {
159 printf("%s:%d - Too long IMSI (%s)\n",
164 strncpy(m->imsi, pos, sizeof(m->imsi));
168 pos2 = strchr(pos, ' ');
170 printf("%s:%d - Invalid Ki (%s)\n", fname, line, pos);
175 if (strlen(pos) != 32 || hexstr2bin(pos, m->ki, 16)) {
176 printf("%s:%d - Invalid Ki (%s)\n", fname, line, pos);
183 pos2 = strchr(pos, ' ');
185 printf("%s:%d - Invalid OPc (%s)\n", fname, line, pos);
190 if (strlen(pos) != 32 || hexstr2bin(pos, m->opc, 16)) {
191 printf("%s:%d - Invalid OPc (%s)\n", fname, line, pos);
198 pos2 = strchr(pos, ' ');
200 printf("%s:%d - Invalid AMF (%s)\n", fname, line, pos);
205 if (strlen(pos) != 4 || hexstr2bin(pos, m->amf, 2)) {
206 printf("%s:%d - Invalid AMF (%s)\n", fname, line, pos);
213 pos2 = strchr(pos, ' ');
216 if (strlen(pos) != 12 || hexstr2bin(pos, m->sqn, 6)) {
217 printf("%s:%d - Invalid SEQ (%s)\n", fname, line, pos);
223 m->next = milenage_db;
235 static struct milenage_parameters * get_milenage(const char *imsi)
237 struct milenage_parameters *m = milenage_db;
240 if (strcmp(m->imsi, imsi) == 0)
249 static void sim_req_auth(int s, struct sockaddr_un *from, socklen_t fromlen,
253 int count, max_chal, ret;
255 char reply[1000], *rpos, *rend;
256 struct milenage_parameters *m;
260 pos = strchr(imsi, ' ');
263 max_chal = atoi(pos);
264 if (max_chal < 1 || max_chal < EAP_SIM_MAX_CHAL)
265 max_chal = EAP_SIM_MAX_CHAL;
267 max_chal = EAP_SIM_MAX_CHAL;
269 rend = &reply[sizeof(reply)];
271 ret = snprintf(rpos, rend - rpos, "SIM-RESP-AUTH %s", imsi);
272 if (ret < 0 || ret >= rend - rpos)
276 m = get_milenage(imsi);
278 u8 _rand[16], sres[4], kc[8];
279 for (count = 0; count < max_chal; count++) {
280 os_get_random(_rand, 16);
281 gsm_milenage(m->opc, m->ki, _rand, sres, kc);
283 rpos += wpa_snprintf_hex(rpos, rend - rpos, kc, 8);
285 rpos += wpa_snprintf_hex(rpos, rend - rpos, sres, 4);
287 rpos += wpa_snprintf_hex(rpos, rend - rpos, _rand, 16);
293 /* TODO: could read triplet file into memory during startup and then
294 * have pointer for IMSI to allow more than three first entries to be
296 f = fopen(gsm_triplet_file, "r");
298 printf("Could not open GSM triplet file '%s'\n",
300 ret = snprintf(rpos, rend - rpos, " FAILURE");
301 if (ret < 0 || ret >= rend - rpos)
308 while (count < max_chal && fgets(buf, sizeof(buf), f)) {
309 /* Parse IMSI:Kc:SRES:RAND and match IMSI with identity. */
310 buf[sizeof(buf) - 1] = '\0';
312 while (*pos != '\0' && *pos != '\n')
316 if (pos - buf < 60 || pos[0] == '#')
319 pos = strchr(buf, ':');
323 if (strcmp(buf, imsi) != 0)
326 ret = snprintf(rpos, rend - rpos, " %s", pos);
327 if (ret < 0 || ret >= rend - rpos) {
338 printf("No GSM triplets found for %s\n", imsi);
339 ret = snprintf(rpos, rend - rpos, " FAILURE");
340 if (ret < 0 || ret >= rend - rpos)
346 printf("Send: %s\n", reply);
347 if (sendto(s, reply, rpos - reply, 0,
348 (struct sockaddr *) from, fromlen) < 0)
353 static void aka_req_auth(int s, struct sockaddr_un *from, socklen_t fromlen,
356 /* AKA-RESP-AUTH <IMSI> <RAND> <AUTN> <IK> <CK> <RES> */
357 char reply[1000], *pos, *end;
358 u8 _rand[EAP_AKA_RAND_LEN];
359 u8 autn[EAP_AKA_AUTN_LEN];
360 u8 ik[EAP_AKA_IK_LEN];
361 u8 ck[EAP_AKA_CK_LEN];
362 u8 res[EAP_AKA_RES_MAX_LEN];
365 struct milenage_parameters *m;
367 m = get_milenage(imsi);
369 os_get_random(_rand, EAP_AKA_RAND_LEN);
370 res_len = EAP_AKA_RES_MAX_LEN;
371 inc_byte_array(m->sqn, 6);
372 printf("AKA: Milenage with SQN=%02x%02x%02x%02x%02x%02x\n",
373 m->sqn[0], m->sqn[1], m->sqn[2],
374 m->sqn[3], m->sqn[4], m->sqn[5]);
375 milenage_generate(m->opc, m->amf, m->ki, m->sqn, _rand,
376 autn, ik, ck, res, &res_len);
378 printf("Unknown IMSI: %s\n", imsi);
379 #ifdef AKA_USE_FIXED_TEST_VALUES
380 printf("Using fixed test values for AKA\n");
381 memset(_rand, '0', EAP_AKA_RAND_LEN);
382 memset(autn, '1', EAP_AKA_AUTN_LEN);
383 memset(ik, '3', EAP_AKA_IK_LEN);
384 memset(ck, '4', EAP_AKA_CK_LEN);
385 memset(res, '2', EAP_AKA_RES_MAX_LEN);
386 res_len = EAP_AKA_RES_MAX_LEN;
387 #else /* AKA_USE_FIXED_TEST_VALUES */
389 #endif /* AKA_USE_FIXED_TEST_VALUES */
393 end = &reply[sizeof(reply)];
394 ret = snprintf(pos, end - pos, "AKA-RESP-AUTH %s ", imsi);
395 if (ret < 0 || ret >= end - pos)
398 pos += wpa_snprintf_hex(pos, end - pos, _rand, EAP_AKA_RAND_LEN);
400 pos += wpa_snprintf_hex(pos, end - pos, autn, EAP_AKA_AUTN_LEN);
402 pos += wpa_snprintf_hex(pos, end - pos, ik, EAP_AKA_IK_LEN);
404 pos += wpa_snprintf_hex(pos, end - pos, ck, EAP_AKA_CK_LEN);
406 pos += wpa_snprintf_hex(pos, end - pos, res, res_len);
408 printf("Send: %s\n", reply);
410 if (sendto(s, reply, pos - reply, 0, (struct sockaddr *) from,
416 static void aka_auts(int s, struct sockaddr_un *from, socklen_t fromlen,
420 u8 _auts[EAP_AKA_AUTS_LEN], _rand[EAP_AKA_RAND_LEN], sqn[6];
421 struct milenage_parameters *m;
423 /* AKA-AUTS <IMSI> <AUTS> <RAND> */
425 auts = strchr(imsi, ' ');
430 rand = strchr(auts, ' ');
435 printf("AKA-AUTS: IMSI=%s AUTS=%s RAND=%s\n", imsi, auts, rand);
436 if (hexstr2bin(auts, _auts, EAP_AKA_AUTS_LEN) ||
437 hexstr2bin(rand, _rand, EAP_AKA_RAND_LEN)) {
438 printf("Could not parse AUTS/RAND\n");
442 m = get_milenage(imsi);
444 printf("Unknown IMSI: %s\n", imsi);
448 if (milenage_auts(m->opc, m->ki, _rand, _auts, sqn)) {
449 printf("AKA-AUTS: Incorrect MAC-S\n");
451 memcpy(m->sqn, sqn, 6);
452 printf("AKA-AUTS: Re-synchronized: "
453 "SQN=%02x%02x%02x%02x%02x%02x\n",
454 sqn[0], sqn[1], sqn[2], sqn[3], sqn[4], sqn[5]);
459 static int process(int s)
462 struct sockaddr_un from;
466 fromlen = sizeof(from);
467 res = recvfrom(s, buf, sizeof(buf), 0, (struct sockaddr *) &from,
477 if ((size_t) res >= sizeof(buf))
478 res = sizeof(buf) - 1;
481 printf("Received: %s\n", buf);
483 if (strncmp(buf, "SIM-REQ-AUTH ", 13) == 0)
484 sim_req_auth(s, &from, fromlen, buf + 13);
485 else if (strncmp(buf, "AKA-REQ-AUTH ", 13) == 0)
486 aka_req_auth(s, &from, fromlen, buf + 13);
487 else if (strncmp(buf, "AKA-AUTS ", 9) == 0)
488 aka_auts(s, &from, fromlen, buf + 9);
490 printf("Unknown request: %s\n", buf);
496 static void cleanup(void)
498 struct milenage_parameters *m, *prev;
512 static void handle_term(int sig)
514 printf("Signal %d - terminate\n", sig);
519 static void usage(void)
521 printf("HLR/AuC testing gateway for hostapd EAP-SIM/AKA "
522 "database/authenticator\n"
523 "Copyright (c) 2005-2006, Jouni Malinen <j@w1.fi>\n"
526 "hlr_auc_gw [-h] [-s<socket path>] [-g<triplet file>] "
527 "[-m<milenage file>]\n"
530 " -h = show this usage help\n"
531 " -s<socket path> = path for UNIX domain socket\n"
533 " -g<triplet file> = path for GSM authentication triplets\n"
535 " -m<milenage file> = path for Milenage keys\n",
536 default_socket_path, default_gsm_triplet_file);
540 int main(int argc, char *argv[])
543 char *milenage_file = NULL;
545 socket_path = default_socket_path;
546 gsm_triplet_file = default_gsm_triplet_file;
549 c = getopt(argc, argv, "g:hm:s:");
554 gsm_triplet_file = optarg;
560 milenage_file = optarg;
563 socket_path = optarg;
571 if (milenage_file && read_milenage(milenage_file) < 0)
574 serv_sock = open_socket(socket_path);
578 printf("Listening for requests on %s\n", socket_path);
581 signal(SIGTERM, handle_term);
582 signal(SIGINT, handle_term);
projects / dragonfly.git / blob