2 * HLR/AuC testing gateway for hostapd EAP-SIM/AKA database/authenticator
3 * Copyright (c) 2005-2007, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
14 * This is an example implementation of the EAP-SIM/AKA database/authentication
15 * gateway interface to HLR/AuC. It is expected to be replaced with an
16 * implementation of SS7 gateway to GSM/UMTS authentication center (HLR/AuC) or
17 * a local implementation of SIM triplet and AKA authentication data generator.
19 * hostapd will send SIM/AKA authentication queries over a UNIX domain socket
20 * to and external program, e.g., this hlr_auc_gw. This interface uses simple
23 * EAP-SIM / GSM triplet query/response:
24 * SIM-REQ-AUTH <IMSI> <max_chal>
25 * SIM-RESP-AUTH <IMSI> Kc1:SRES1:RAND1 Kc2:SRES2:RAND2 [Kc3:SRES3:RAND3]
26 * SIM-RESP-AUTH <IMSI> FAILURE
28 * EAP-AKA / UMTS query/response:
30 * AKA-RESP-AUTH <IMSI> <RAND> <AUTN> <IK> <CK> <RES>
31 * AKA-RESP-AUTH <IMSI> FAILURE
33 * EAP-AKA / UMTS AUTS (re-synchronization):
34 * AKA-AUTS <IMSI> <AUTS> <RAND>
36 * IMSI and max_chal are sent as an ASCII string,
37 * Kc/SRES/RAND/AUTN/IK/CK/RES/AUTS as hex strings.
39 * The example implementation here reads GSM authentication triplets from a
40 * text file in IMSI:Kc:SRES:RAND format, IMSI in ASCII, other fields as hex
41 * strings. This is used to simulate an HLR/AuC. As such, it is not very useful
42 * for real life authentication, but it is useful both as an example
43 * implementation and for EAP-SIM testing.
52 static const char *default_socket_path = "/tmp/hlr_auc_gw.sock";
53 static const char *socket_path;
54 static int serv_sock = -1;
58 struct gsm_triplet *next;
65 static struct gsm_triplet *gsm_db = NULL, *gsm_db_pos = NULL;
67 /* OPc and AMF parameters for Milenage (Example algorithms for AKA). */
68 struct milenage_parameters {
69 struct milenage_parameters *next;
77 static struct milenage_parameters *milenage_db = NULL;
79 #define EAP_SIM_MAX_CHAL 3
81 #define EAP_AKA_RAND_LEN 16
82 #define EAP_AKA_AUTN_LEN 16
83 #define EAP_AKA_AUTS_LEN 14
84 #define EAP_AKA_RES_MAX_LEN 16
85 #define EAP_AKA_IK_LEN 16
86 #define EAP_AKA_CK_LEN 16
89 static int open_socket(const char *path)
91 struct sockaddr_un addr;
94 s = socket(PF_UNIX, SOCK_DGRAM, 0);
96 perror("socket(PF_UNIX)");
100 memset(&addr, 0, sizeof(addr));
101 addr.sun_family = AF_UNIX;
102 os_strlcpy(addr.sun_path, path, sizeof(addr.sun_path));
103 if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
104 perror("bind(PF_UNIX)");
113 static int read_gsm_triplets(const char *fname)
116 char buf[200], *pos, *pos2;
117 struct gsm_triplet *g = NULL;
123 f = fopen(fname, "r");
125 printf("Could not open GSM tripler data file '%s'\n", fname);
130 while (fgets(buf, sizeof(buf), f)) {
133 /* Parse IMSI:Kc:SRES:RAND */
134 buf[sizeof(buf) - 1] = '\0';
138 while (*pos != '\0' && *pos != '\n')
146 g = os_zalloc(sizeof(*g));
153 pos2 = strchr(pos, ':');
155 printf("%s:%d - Invalid IMSI (%s)\n",
161 if (strlen(pos) >= sizeof(g->imsi)) {
162 printf("%s:%d - Too long IMSI (%s)\n",
167 os_strlcpy(g->imsi, pos, sizeof(g->imsi));
171 pos2 = strchr(pos, ':');
173 printf("%s:%d - Invalid Kc (%s)\n", fname, line, pos);
178 if (strlen(pos) != 16 || hexstr2bin(pos, g->kc, 8)) {
179 printf("%s:%d - Invalid Kc (%s)\n", fname, line, pos);
186 pos2 = strchr(pos, ':');
188 printf("%s:%d - Invalid SRES (%s)\n", fname, line,
194 if (strlen(pos) != 8 || hexstr2bin(pos, g->sres, 4)) {
195 printf("%s:%d - Invalid SRES (%s)\n", fname, line,
203 pos2 = strchr(pos, ':');
206 if (strlen(pos) != 32 || hexstr2bin(pos, g->_rand, 16)) {
207 printf("%s:%d - Invalid RAND (%s)\n", fname, line,
226 static struct gsm_triplet * get_gsm_triplet(const char *imsi)
228 struct gsm_triplet *g = gsm_db_pos;
231 if (strcmp(g->imsi, imsi) == 0) {
232 gsm_db_pos = g->next;
239 while (g && g != gsm_db_pos) {
240 if (strcmp(g->imsi, imsi) == 0) {
241 gsm_db_pos = g->next;
251 static int read_milenage(const char *fname)
254 char buf[200], *pos, *pos2;
255 struct milenage_parameters *m = NULL;
261 f = fopen(fname, "r");
263 printf("Could not open Milenage data file '%s'\n", fname);
268 while (fgets(buf, sizeof(buf), f)) {
271 /* Parse IMSI Ki OPc AMF SQN */
272 buf[sizeof(buf) - 1] = '\0';
276 while (*pos != '\0' && *pos != '\n')
284 m = os_zalloc(sizeof(*m));
291 pos2 = strchr(pos, ' ');
293 printf("%s:%d - Invalid IMSI (%s)\n",
299 if (strlen(pos) >= sizeof(m->imsi)) {
300 printf("%s:%d - Too long IMSI (%s)\n",
305 os_strlcpy(m->imsi, pos, sizeof(m->imsi));
309 pos2 = strchr(pos, ' ');
311 printf("%s:%d - Invalid Ki (%s)\n", fname, line, pos);
316 if (strlen(pos) != 32 || hexstr2bin(pos, m->ki, 16)) {
317 printf("%s:%d - Invalid Ki (%s)\n", fname, line, pos);
324 pos2 = strchr(pos, ' ');
326 printf("%s:%d - Invalid OPc (%s)\n", fname, line, pos);
331 if (strlen(pos) != 32 || hexstr2bin(pos, m->opc, 16)) {
332 printf("%s:%d - Invalid OPc (%s)\n", fname, line, pos);
339 pos2 = strchr(pos, ' ');
341 printf("%s:%d - Invalid AMF (%s)\n", fname, line, pos);
346 if (strlen(pos) != 4 || hexstr2bin(pos, m->amf, 2)) {
347 printf("%s:%d - Invalid AMF (%s)\n", fname, line, pos);
354 pos2 = strchr(pos, ' ');
357 if (strlen(pos) != 12 || hexstr2bin(pos, m->sqn, 6)) {
358 printf("%s:%d - Invalid SEQ (%s)\n", fname, line, pos);
364 m->next = milenage_db;
376 static struct milenage_parameters * get_milenage(const char *imsi)
378 struct milenage_parameters *m = milenage_db;
381 if (strcmp(m->imsi, imsi) == 0)
390 static void sim_req_auth(int s, struct sockaddr_un *from, socklen_t fromlen,
393 int count, max_chal, ret;
395 char reply[1000], *rpos, *rend;
396 struct milenage_parameters *m;
397 struct gsm_triplet *g;
401 pos = strchr(imsi, ' ');
404 max_chal = atoi(pos);
405 if (max_chal < 1 || max_chal < EAP_SIM_MAX_CHAL)
406 max_chal = EAP_SIM_MAX_CHAL;
408 max_chal = EAP_SIM_MAX_CHAL;
410 rend = &reply[sizeof(reply)];
412 ret = snprintf(rpos, rend - rpos, "SIM-RESP-AUTH %s", imsi);
413 if (ret < 0 || ret >= rend - rpos)
417 m = get_milenage(imsi);
419 u8 _rand[16], sres[4], kc[8];
420 for (count = 0; count < max_chal; count++) {
421 if (os_get_random(_rand, 16) < 0)
423 gsm_milenage(m->opc, m->ki, _rand, sres, kc);
425 rpos += wpa_snprintf_hex(rpos, rend - rpos, kc, 8);
427 rpos += wpa_snprintf_hex(rpos, rend - rpos, sres, 4);
429 rpos += wpa_snprintf_hex(rpos, rend - rpos, _rand, 16);
436 while (count < max_chal && (g = get_gsm_triplet(imsi))) {
437 if (strcmp(g->imsi, imsi) != 0)
442 rpos += wpa_snprintf_hex(rpos, rend - rpos, g->kc, 8);
445 rpos += wpa_snprintf_hex(rpos, rend - rpos, g->sres, 4);
448 rpos += wpa_snprintf_hex(rpos, rend - rpos, g->_rand, 16);
453 printf("No GSM triplets found for %s\n", imsi);
454 ret = snprintf(rpos, rend - rpos, " FAILURE");
455 if (ret < 0 || ret >= rend - rpos)
461 printf("Send: %s\n", reply);
462 if (sendto(s, reply, rpos - reply, 0,
463 (struct sockaddr *) from, fromlen) < 0)
468 static void aka_req_auth(int s, struct sockaddr_un *from, socklen_t fromlen,
471 /* AKA-RESP-AUTH <IMSI> <RAND> <AUTN> <IK> <CK> <RES> */
472 char reply[1000], *pos, *end;
473 u8 _rand[EAP_AKA_RAND_LEN];
474 u8 autn[EAP_AKA_AUTN_LEN];
475 u8 ik[EAP_AKA_IK_LEN];
476 u8 ck[EAP_AKA_CK_LEN];
477 u8 res[EAP_AKA_RES_MAX_LEN];
480 struct milenage_parameters *m;
482 m = get_milenage(imsi);
484 if (os_get_random(_rand, EAP_AKA_RAND_LEN) < 0)
486 res_len = EAP_AKA_RES_MAX_LEN;
487 inc_byte_array(m->sqn, 6);
488 printf("AKA: Milenage with SQN=%02x%02x%02x%02x%02x%02x\n",
489 m->sqn[0], m->sqn[1], m->sqn[2],
490 m->sqn[3], m->sqn[4], m->sqn[5]);
491 milenage_generate(m->opc, m->amf, m->ki, m->sqn, _rand,
492 autn, ik, ck, res, &res_len);
494 printf("Unknown IMSI: %s\n", imsi);
495 #ifdef AKA_USE_FIXED_TEST_VALUES
496 printf("Using fixed test values for AKA\n");
497 memset(_rand, '0', EAP_AKA_RAND_LEN);
498 memset(autn, '1', EAP_AKA_AUTN_LEN);
499 memset(ik, '3', EAP_AKA_IK_LEN);
500 memset(ck, '4', EAP_AKA_CK_LEN);
501 memset(res, '2', EAP_AKA_RES_MAX_LEN);
502 res_len = EAP_AKA_RES_MAX_LEN;
503 #else /* AKA_USE_FIXED_TEST_VALUES */
505 #endif /* AKA_USE_FIXED_TEST_VALUES */
509 end = &reply[sizeof(reply)];
510 ret = snprintf(pos, end - pos, "AKA-RESP-AUTH %s ", imsi);
511 if (ret < 0 || ret >= end - pos)
514 pos += wpa_snprintf_hex(pos, end - pos, _rand, EAP_AKA_RAND_LEN);
516 pos += wpa_snprintf_hex(pos, end - pos, autn, EAP_AKA_AUTN_LEN);
518 pos += wpa_snprintf_hex(pos, end - pos, ik, EAP_AKA_IK_LEN);
520 pos += wpa_snprintf_hex(pos, end - pos, ck, EAP_AKA_CK_LEN);
522 pos += wpa_snprintf_hex(pos, end - pos, res, res_len);
524 printf("Send: %s\n", reply);
526 if (sendto(s, reply, pos - reply, 0, (struct sockaddr *) from,
532 static void aka_auts(int s, struct sockaddr_un *from, socklen_t fromlen,
536 u8 _auts[EAP_AKA_AUTS_LEN], _rand[EAP_AKA_RAND_LEN], sqn[6];
537 struct milenage_parameters *m;
539 /* AKA-AUTS <IMSI> <AUTS> <RAND> */
541 auts = strchr(imsi, ' ');
546 __rand = strchr(auts, ' ');
551 printf("AKA-AUTS: IMSI=%s AUTS=%s RAND=%s\n", imsi, auts, __rand);
552 if (hexstr2bin(auts, _auts, EAP_AKA_AUTS_LEN) ||
553 hexstr2bin(__rand, _rand, EAP_AKA_RAND_LEN)) {
554 printf("Could not parse AUTS/RAND\n");
558 m = get_milenage(imsi);
560 printf("Unknown IMSI: %s\n", imsi);
564 if (milenage_auts(m->opc, m->ki, _rand, _auts, sqn)) {
565 printf("AKA-AUTS: Incorrect MAC-S\n");
567 memcpy(m->sqn, sqn, 6);
568 printf("AKA-AUTS: Re-synchronized: "
569 "SQN=%02x%02x%02x%02x%02x%02x\n",
570 sqn[0], sqn[1], sqn[2], sqn[3], sqn[4], sqn[5]);
575 static int process(int s)
578 struct sockaddr_un from;
582 fromlen = sizeof(from);
583 res = recvfrom(s, buf, sizeof(buf), 0, (struct sockaddr *) &from,
593 if ((size_t) res >= sizeof(buf))
594 res = sizeof(buf) - 1;
597 printf("Received: %s\n", buf);
599 if (strncmp(buf, "SIM-REQ-AUTH ", 13) == 0)
600 sim_req_auth(s, &from, fromlen, buf + 13);
601 else if (strncmp(buf, "AKA-REQ-AUTH ", 13) == 0)
602 aka_req_auth(s, &from, fromlen, buf + 13);
603 else if (strncmp(buf, "AKA-AUTS ", 9) == 0)
604 aka_auts(s, &from, fromlen, buf + 9);
606 printf("Unknown request: %s\n", buf);
612 static void cleanup(void)
614 struct gsm_triplet *g, *gprev;
615 struct milenage_parameters *m, *prev;
636 static void handle_term(int sig)
638 printf("Signal %d - terminate\n", sig);
643 static void usage(void)
645 printf("HLR/AuC testing gateway for hostapd EAP-SIM/AKA "
646 "database/authenticator\n"
647 "Copyright (c) 2005-2007, Jouni Malinen <j@w1.fi>\n"
650 "hlr_auc_gw [-h] [-s<socket path>] [-g<triplet file>] "
651 "[-m<milenage file>]\n"
654 " -h = show this usage help\n"
655 " -s<socket path> = path for UNIX domain socket\n"
657 " -g<triplet file> = path for GSM authentication triplets\n"
658 " -m<milenage file> = path for Milenage keys\n",
659 default_socket_path);
663 int main(int argc, char *argv[])
666 char *milenage_file = NULL;
667 char *gsm_triplet_file = NULL;
669 socket_path = default_socket_path;
672 c = getopt(argc, argv, "g:hm:s:");
677 gsm_triplet_file = optarg;
683 milenage_file = optarg;
686 socket_path = optarg;
694 if (gsm_triplet_file && read_gsm_triplets(gsm_triplet_file) < 0)
697 if (milenage_file && read_milenage(milenage_file) < 0)
700 serv_sock = open_socket(socket_path);
704 printf("Listening for requests on %s\n", socket_path);
707 signal(SIGTERM, handle_term);
708 signal(SIGINT, handle_term);
tuxillo's projects / dragonfly.git / blob