contrib/wpa_supplicant-0.4.9/eap_aka.c

   1 /*
   2  * WPA Supplicant / EAP-AKA (draft-arkko-pppext-eap-aka-12.txt)
   3  * Copyright (c) 2004-2005, Jouni Malinen <jkmaline@cc.hut.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include <stdlib.h>
  16 #include <stdio.h>
  17 #include <string.h>
  18
  19 #include "common.h"
  20 #include "eap_i.h"
  21 #include "wpa_supplicant.h"
  22 #include "config_ssid.h"
  23 #include "crypto.h"
  24 #include "pcsc_funcs.h"
  25 #include "eap_sim_common.h"
  26
  27 /* EAP-AKA Subtypes */
  28 #define EAP_AKA_SUBTYPE_CHALLENGE 1
  29 #define EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT 2
  30 #define EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE 4
  31 #define EAP_AKA_SUBTYPE_IDENTITY 5
  32 #define EAP_AKA_SUBTYPE_NOTIFICATION 12
  33 #define EAP_AKA_SUBTYPE_REAUTHENTICATION 13
  34 #define EAP_AKA_SUBTYPE_CLIENT_ERROR 14
  35
  36 /* AT_CLIENT_ERROR_CODE error codes */
  37 #define EAP_AKA_UNABLE_TO_PROCESS_PACKET 0
  38
  39 #define AKA_AUTS_LEN 14
  40 #define RES_MAX_LEN 16
  41 #define IK_LEN 16
  42 #define CK_LEN 16
  43 #define EAP_AKA_MAX_FAST_REAUTHS 1000
  44
  45 struct eap_aka_data {
  46         u8 ik[IK_LEN], ck[CK_LEN], res[RES_MAX_LEN];
  47         size_t res_len;
  48         u8 nonce_s[EAP_SIM_NONCE_S_LEN];
  49         u8 mk[EAP_SIM_MK_LEN];
  50         u8 k_aut[EAP_SIM_K_AUT_LEN];
  51         u8 k_encr[EAP_SIM_K_ENCR_LEN];
  52         u8 msk[EAP_SIM_KEYING_DATA_LEN];
  53         u8 rand[AKA_RAND_LEN], autn[AKA_AUTN_LEN];
  54         u8 auts[AKA_AUTS_LEN];
  55
  56         int num_id_req, num_notification;
  57         u8 *pseudonym;
  58         size_t pseudonym_len;
  59         u8 *reauth_id;
  60         size_t reauth_id_len;
  61         int reauth;
  62         unsigned int counter, counter_too_small;
  63         u8 *last_eap_identity;
  64         size_t last_eap_identity_len;
  65         enum { CONTINUE, SUCCESS, FAILURE } state;
  66 };
  67
  68
  69 static void * eap_aka_init(struct eap_sm *sm)
  70 {
  71         struct eap_aka_data *data;
  72         data = malloc(sizeof(*data));
  73         if (data == NULL)
  74                 return NULL;
  75         memset(data, 0, sizeof(*data));
  76
  77         data->state = CONTINUE;
  78
  79         return data;
  80 }
  81
  82
  83 static void eap_aka_deinit(struct eap_sm *sm, void *priv)
  84 {
  85         struct eap_aka_data *data = priv;
  86         if (data) {
  87                 free(data->pseudonym);
  88                 free(data->reauth_id);
  89                 free(data->last_eap_identity);
  90                 free(data);
  91         }
  92 }
  93
  94
  95 static int eap_aka_umts_auth(struct eap_sm *sm, struct eap_aka_data *data)
  96 {
  97         wpa_printf(MSG_DEBUG, "EAP-AKA: UMTS authentication algorithm");
  98 #ifdef PCSC_FUNCS
  99         return scard_umts_auth(sm->scard_ctx, data->rand,
 100                                data->autn, data->res, &data->res_len,
 101                                data->ik, data->ck, data->auts);
 102 #else /* PCSC_FUNCS */
 103         /* These hardcoded Kc and SRES values are used for testing.
 104          * Could consider making them configurable. */
 105         memset(data->res, '2', RES_MAX_LEN);
 106         data->res_len = 16;
 107         memset(data->ik, '3', IK_LEN);
 108         memset(data->ck, '4', CK_LEN);
 109         {
 110                 u8 autn[AKA_AUTN_LEN];
 111                 memset(autn, '1', AKA_AUTN_LEN);
 112                 if (memcmp(autn, data->autn, AKA_AUTN_LEN) != 0) {
 113                         wpa_printf(MSG_WARNING, "EAP-AKA: AUTN did not match "
 114                                    "with expected value");
 115                         return -1;
 116                 }
 117         }
 118         return 0;
 119 #endif /* PCSC_FUNCS */
 120 }
 121
 122
 123 static void eap_aka_derive_mk(struct eap_aka_data *data,
 124                               const u8 *identity, size_t identity_len)
 125 {
 126         const u8 *addr[3];
 127         size_t len[3];
 128
 129         addr[0] = identity;
 130         len[0] = identity_len;
 131         addr[1] = data->ik;
 132         len[1] = IK_LEN;
 133         addr[2] = data->ck;
 134         len[2] = CK_LEN;
 135
 136         /* MK = SHA1(Identity|IK|CK) */
 137         sha1_vector(3, addr, len, data->mk);
 138         wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: IK", data->ik, IK_LEN);
 139         wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: CK", data->ck, CK_LEN);
 140         wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: MK", data->mk, EAP_SIM_MK_LEN);
 141 }
 142
 143
 144 #define CLEAR_PSEUDONYM 0x01
 145 #define CLEAR_REAUTH_ID 0x02
 146 #define CLEAR_EAP_ID    0x04
 147
 148 static void eap_aka_clear_identities(struct eap_aka_data *data, int id)
 149 {
 150         wpa_printf(MSG_DEBUG, "EAP-AKA: forgetting old%s%s%s",
 151                    id & CLEAR_PSEUDONYM ? " pseudonym" : "",
 152                    id & CLEAR_REAUTH_ID ? " reauth_id" : "",
 153                    id & CLEAR_EAP_ID ? " eap_id" : "");
 154         if (id & CLEAR_PSEUDONYM) {
 155                 free(data->pseudonym);
 156                 data->pseudonym = NULL;
 157                 data->pseudonym_len = 0;
 158         }
 159         if (id & CLEAR_REAUTH_ID) {
 160                 free(data->reauth_id);
 161                 data->reauth_id = NULL;
 162                 data->reauth_id_len = 0;
 163         }
 164         if (id & CLEAR_EAP_ID) {
 165                 free(data->last_eap_identity);
 166                 data->last_eap_identity = NULL;
 167                 data->last_eap_identity_len = 0;
 168         }
 169 }
 170
 171
 172 static int eap_aka_learn_ids(struct eap_aka_data *data,
 173                              struct eap_sim_attrs *attr)
 174 {
 175         if (attr->next_pseudonym) {
 176                 free(data->pseudonym);
 177                 data->pseudonym = malloc(attr->next_pseudonym_len);
 178                 if (data->pseudonym == NULL) {
 179                         wpa_printf(MSG_INFO, "EAP-AKA: (encr) No memory for "
 180                                    "next pseudonym");
 181                         return -1;
 182                 }
 183                 memcpy(data->pseudonym, attr->next_pseudonym,
 184                        attr->next_pseudonym_len);
 185                 data->pseudonym_len = attr->next_pseudonym_len;
 186                 wpa_hexdump_ascii(MSG_DEBUG,
 187                                   "EAP-AKA: (encr) AT_NEXT_PSEUDONYM",
 188                                   data->pseudonym,
 189                                   data->pseudonym_len);
 190         }
 191
 192         if (attr->next_reauth_id) {
 193                 free(data->reauth_id);
 194                 data->reauth_id = malloc(attr->next_reauth_id_len);
 195                 if (data->reauth_id == NULL) {
 196                         wpa_printf(MSG_INFO, "EAP-AKA: (encr) No memory for "
 197                                    "next reauth_id");
 198                         return -1;
 199                 }
 200                 memcpy(data->reauth_id, attr->next_reauth_id,
 201                        attr->next_reauth_id_len);
 202                 data->reauth_id_len = attr->next_reauth_id_len;
 203                 wpa_hexdump_ascii(MSG_DEBUG,
 204                                   "EAP-AKA: (encr) AT_NEXT_REAUTH_ID",
 205                                   data->reauth_id,
 206                                   data->reauth_id_len);
 207         }
 208
 209         return 0;
 210 }
 211
 212
 213 static u8 * eap_aka_client_error(struct eap_sm *sm, struct eap_aka_data *data,
 214                                  const struct eap_hdr *req,
 215                                  size_t *respDataLen, int err)
 216 {
 217         struct eap_sim_msg *msg;
 218
 219         data->state = FAILURE;
 220         data->num_id_req = 0;
 221         data->num_notification = 0;
 222
 223         msg = eap_sim_msg_init(EAP_CODE_RESPONSE, req->identifier,
 224                                EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CLIENT_ERROR);
 225         eap_sim_msg_add(msg, EAP_SIM_AT_CLIENT_ERROR_CODE, err, NULL, 0);
 226         return eap_sim_msg_finish(msg, respDataLen, NULL, NULL, 0);
 227 }
 228
 229
 230 static u8 * eap_aka_authentication_reject(struct eap_sm *sm,
 231                                           struct eap_aka_data *data,
 232                                           const struct eap_hdr *req,
 233                                           size_t *respDataLen)
 234 {
 235         struct eap_sim_msg *msg;
 236
 237         data->state = FAILURE;
 238         data->num_id_req = 0;
 239         data->num_notification = 0;
 240
 241         wpa_printf(MSG_DEBUG, "Generating EAP-AKA Authentication-Reject "
 242                    "(id=%d)", req->identifier);
 243         msg = eap_sim_msg_init(EAP_CODE_RESPONSE, req->identifier,
 244                                EAP_TYPE_AKA,
 245                                EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT);
 246         return eap_sim_msg_finish(msg, respDataLen, NULL, NULL, 0);
 247 }
 248
 249
 250 static u8 * eap_aka_synchronization_failure(struct eap_sm *sm,
 251                                             struct eap_aka_data *data,
 252                                             const struct eap_hdr *req,
 253                                             size_t *respDataLen)
 254 {
 255         struct eap_sim_msg *msg;
 256
 257         data->state = FAILURE;
 258         data->num_id_req = 0;
 259         data->num_notification = 0;
 260
 261         wpa_printf(MSG_DEBUG, "Generating EAP-AKA Synchronization-Failure "
 262                    "(id=%d)", req->identifier);
 263         msg = eap_sim_msg_init(EAP_CODE_RESPONSE, req->identifier,
 264                                EAP_TYPE_AKA,
 265                                EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE);
 266         wpa_printf(MSG_DEBUG, "   AT_AUTS");
 267         eap_sim_msg_add_full(msg, EAP_SIM_AT_AUTS, data->auts, AKA_AUTS_LEN);
 268         return eap_sim_msg_finish(msg, respDataLen, NULL, NULL, 0);
 269 }
 270
 271
 272 static u8 * eap_aka_response_identity(struct eap_sm *sm,
 273                                       struct eap_aka_data *data,
 274                                       const struct eap_hdr *req,
 275                                       size_t *respDataLen,
 276                                       enum eap_sim_id_req id_req)
 277 {
 278         struct wpa_ssid *config = eap_get_config(sm);
 279         u8 *identity = NULL;
 280         size_t identity_len = 0;
 281         struct eap_sim_msg *msg;
 282
 283         data->reauth = 0;
 284         if (id_req == ANY_ID && data->reauth_id) {
 285                 identity = data->reauth_id;
 286                 identity_len = data->reauth_id_len;
 287                 data->reauth = 1;
 288         } else if ((id_req == ANY_ID || id_req == FULLAUTH_ID) &&
 289                    data->pseudonym) {
 290                 identity = data->pseudonym;
 291                 identity_len = data->pseudonym_len;
 292                 eap_aka_clear_identities(data, CLEAR_REAUTH_ID);
 293         } else if (id_req != NO_ID_REQ && config && config->identity) {
 294                 identity = config->identity;
 295                 identity_len = config->identity_len;
 296                 eap_aka_clear_identities(data,
 297                                          CLEAR_PSEUDONYM | CLEAR_REAUTH_ID);
 298         }
 299         if (id_req != NO_ID_REQ)
 300                 eap_aka_clear_identities(data, CLEAR_EAP_ID);
 301
 302         wpa_printf(MSG_DEBUG, "Generating EAP-AKA Identity (id=%d)",
 303                    req->identifier);
 304         msg = eap_sim_msg_init(EAP_CODE_RESPONSE, req->identifier,
 305                                EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY);
 306
 307         if (identity) {
 308                 wpa_hexdump_ascii(MSG_DEBUG, "   AT_IDENTITY",
 309                                   identity, identity_len);
 310                 eap_sim_msg_add(msg, EAP_SIM_AT_IDENTITY, identity_len,
 311                                 identity, identity_len);
 312         }
 313
 314         return eap_sim_msg_finish(msg, respDataLen, NULL, NULL, 0);
 315 }
 316
 317
 318 static u8 * eap_aka_response_challenge(struct eap_sm *sm,
 319                                        struct eap_aka_data *data,
 320                                        const struct eap_hdr *req,
 321                                        size_t *respDataLen)
 322 {
 323         struct eap_sim_msg *msg;
 324
 325         wpa_printf(MSG_DEBUG, "Generating EAP-AKA Challenge (id=%d)",
 326                    req->identifier);
 327         msg = eap_sim_msg_init(EAP_CODE_RESPONSE, req->identifier,
 328                                EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE);
 329         wpa_printf(MSG_DEBUG, "   AT_RES");
 330         eap_sim_msg_add(msg, EAP_SIM_AT_RES, data->res_len,
 331                         data->res, data->res_len);
 332         wpa_printf(MSG_DEBUG, "   AT_MAC");
 333         eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
 334         return eap_sim_msg_finish(msg, respDataLen, data->k_aut, (u8 *) "", 0);
 335 }
 336
 337
 338 static u8 * eap_aka_response_reauth(struct eap_sm *sm,
 339                                     struct eap_aka_data *data,
 340                                     const struct eap_hdr *req,
 341                                     size_t *respDataLen, int counter_too_small)
 342 {
 343         struct eap_sim_msg *msg;
 344         unsigned int counter;
 345
 346         wpa_printf(MSG_DEBUG, "Generating EAP-AKA Reauthentication (id=%d)",
 347                    req->identifier);
 348         msg = eap_sim_msg_init(EAP_CODE_RESPONSE, req->identifier,
 349                                EAP_TYPE_AKA,
 350                                EAP_AKA_SUBTYPE_REAUTHENTICATION);
 351         wpa_printf(MSG_DEBUG, "   AT_IV");
 352         wpa_printf(MSG_DEBUG, "   AT_ENCR_DATA");
 353         eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV, EAP_SIM_AT_ENCR_DATA);
 354
 355         if (counter_too_small) {
 356                 wpa_printf(MSG_DEBUG, "   *AT_COUNTER_TOO_SMALL");
 357                 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER_TOO_SMALL, 0, NULL, 0);
 358                 counter = data->counter_too_small;
 359         } else
 360                 counter = data->counter;
 361
 362         wpa_printf(MSG_DEBUG, "   *AT_COUNTER %d", counter);
 363         eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, counter, NULL, 0);
 364
 365         if (eap_sim_msg_add_encr_end(msg, data->k_encr, EAP_SIM_AT_PADDING)) {
 366                 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to encrypt "
 367                            "AT_ENCR_DATA");
 368                 eap_sim_msg_free(msg);
 369                 return NULL;
 370         }
 371         wpa_printf(MSG_DEBUG, "   AT_MAC");
 372         eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
 373         return eap_sim_msg_finish(msg, respDataLen, data->k_aut, data->nonce_s,
 374                                   EAP_SIM_NONCE_S_LEN);
 375 }
 376
 377
 378 static u8 * eap_aka_response_notification(struct eap_sm *sm,
 379                                           struct eap_aka_data *data,
 380                                           const struct eap_hdr *req,
 381                                           size_t *respDataLen,
 382                                           u16 notification)
 383 {
 384         struct eap_sim_msg *msg;
 385         u8 *k_aut = (notification & 0x4000) == 0 ? data->k_aut : NULL;
 386
 387         wpa_printf(MSG_DEBUG, "Generating EAP-AKA Notification (id=%d)",
 388                    req->identifier);
 389         msg = eap_sim_msg_init(EAP_CODE_RESPONSE, req->identifier,
 390                                EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION);
 391         wpa_printf(MSG_DEBUG, "   AT_NOTIFICATION");
 392         eap_sim_msg_add(msg, EAP_SIM_AT_NOTIFICATION, notification, NULL, 0);
 393         if (k_aut && data->reauth) {
 394                 wpa_printf(MSG_DEBUG, "   AT_IV");
 395                 wpa_printf(MSG_DEBUG, "   AT_ENCR_DATA");
 396                 eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV,
 397                                            EAP_SIM_AT_ENCR_DATA);
 398                 wpa_printf(MSG_DEBUG, "   *AT_COUNTER %d", data->counter);
 399                 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, data->counter,
 400                                 NULL, 0);
 401                 if (eap_sim_msg_add_encr_end(msg, data->k_encr,
 402                                              EAP_SIM_AT_PADDING)) {
 403                         wpa_printf(MSG_WARNING, "EAP-AKA: Failed to encrypt "
 404                                    "AT_ENCR_DATA");
 405                         eap_sim_msg_free(msg);
 406                         return NULL;
 407                 }
 408         }
 409         if (k_aut) {
 410                 wpa_printf(MSG_DEBUG, "   AT_MAC");
 411                 eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
 412         }
 413         return eap_sim_msg_finish(msg, respDataLen, k_aut, (u8 *) "", 0);
 414 }
 415
 416
 417 static u8 * eap_aka_process_identity(struct eap_sm *sm,
 418                                      struct eap_aka_data *data,
 419                                      const struct eap_hdr *req,
 420                                      size_t reqDataLen,
 421                                      size_t *respDataLen,
 422                                      struct eap_sim_attrs *attr)
 423 {
 424         int id_error;
 425
 426         wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Identity");
 427
 428         id_error = 0;
 429         switch (attr->id_req) {
 430         case NO_ID_REQ:
 431                 break;
 432         case ANY_ID:
 433                 if (data->num_id_req > 0)
 434                         id_error++;
 435                 data->num_id_req++;
 436                 break;
 437         case FULLAUTH_ID:
 438                 if (data->num_id_req > 1)
 439                         id_error++;
 440                 data->num_id_req++;
 441                 break;
 442         case PERMANENT_ID:
 443                 if (data->num_id_req > 2)
 444                         id_error++;
 445                 data->num_id_req++;
 446                 break;
 447         }
 448         if (id_error) {
 449                 wpa_printf(MSG_INFO, "EAP-AKA: Too many ID requests "
 450                            "used within one authentication");
 451                 return eap_aka_client_error(sm, data, req, respDataLen,
 452                                             EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 453         }
 454
 455         return eap_aka_response_identity(sm, data, req, respDataLen,
 456                                          attr->id_req);
 457 }
 458
 459
 460 static u8 * eap_aka_process_challenge(struct eap_sm *sm,
 461                                       struct eap_aka_data *data,
 462                                       const struct eap_hdr *req,
 463                                       size_t reqDataLen,
 464                                       size_t *respDataLen,
 465                                       struct eap_sim_attrs *attr)
 466 {
 467         struct wpa_ssid *config = eap_get_config(sm);
 468         u8 *identity;
 469         size_t identity_len;
 470         int res;
 471         struct eap_sim_attrs eattr;
 472
 473         wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Challenge");
 474         data->reauth = 0;
 475         if (!attr->mac || !attr->rand || !attr->autn) {
 476                 wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message "
 477                            "did not include%s%s%s",
 478                            !attr->mac ? " AT_MAC" : "",
 479                            !attr->rand ? " AT_RAND" : "",
 480                            !attr->autn ? " AT_AUTN" : "");
 481                 return eap_aka_client_error(sm, data, req, respDataLen,
 482                                             EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 483         }
 484         memcpy(data->rand, attr->rand, AKA_RAND_LEN);
 485         memcpy(data->autn, attr->autn, AKA_AUTN_LEN);
 486
 487         res = eap_aka_umts_auth(sm, data);
 488         if (res == -1) {
 489                 wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication "
 490                            "failed (AUTN)");
 491                 return eap_aka_authentication_reject(sm, data, req,
 492                                                      respDataLen);
 493         } else if (res == -2) {
 494                 wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication "
 495                            "failed (AUTN seq# -> AUTS)");
 496                 return eap_aka_synchronization_failure(sm, data, req,
 497                                                        respDataLen);
 498         } else if (res) {
 499                 wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication failed");
 500                 return eap_aka_client_error(sm, data, req, respDataLen,
 501                                             EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 502         }
 503         if (data->last_eap_identity) {
 504                 identity = data->last_eap_identity;
 505                 identity_len = data->last_eap_identity_len;
 506         } else if (data->pseudonym) {
 507                 identity = data->pseudonym;
 508                 identity_len = data->pseudonym_len;
 509         } else {
 510                 identity = config->identity;
 511                 identity_len = config->identity_len;
 512         }
 513         wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Selected identity for MK "
 514                           "derivation", identity, identity_len);
 515         eap_aka_derive_mk(data, identity, identity_len);
 516         eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut, data->msk);
 517         if (eap_sim_verify_mac(data->k_aut, (const u8 *) req, reqDataLen,
 518                                attr->mac, (u8 *) "", 0)) {
 519                 wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message "
 520                            "used invalid AT_MAC");
 521                 return eap_aka_client_error(sm, data, req, respDataLen,
 522                                             EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 523         }
 524
 525         /* Old reauthentication and pseudonym identities must not be used
 526          * anymore. In other words, if no new identities are received, full
 527          * authentication will be used on next reauthentication. */
 528         eap_aka_clear_identities(data, CLEAR_PSEUDONYM | CLEAR_REAUTH_ID |
 529                                  CLEAR_EAP_ID);
 530
 531         if (attr->encr_data) {
 532                 u8 *decrypted;
 533                 decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,
 534                                                attr->encr_data_len, attr->iv,
 535                                                &eattr, 0);
 536                 if (decrypted == NULL) {
 537                         return eap_aka_client_error(
 538                                 sm, data, req, respDataLen,
 539                                 EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 540                 }
 541                 eap_aka_learn_ids(data, &eattr);
 542                 free(decrypted);
 543         }
 544
 545         if (data->state != FAILURE)
 546                 data->state = SUCCESS;
 547
 548         data->num_id_req = 0;
 549         data->num_notification = 0;
 550         /* draft-arkko-pppext-eap-aka-12.txt specifies that counter
 551          * is initialized to one after fullauth, but initializing it to
 552          * zero makes it easier to implement reauth verification. */
 553         data->counter = 0;
 554         return eap_aka_response_challenge(sm, data, req, respDataLen);
 555 }
 556
 557
 558 static int eap_aka_process_notification_reauth(struct eap_aka_data *data,
 559                                                const struct eap_hdr *req,
 560                                                size_t reqDataLen,
 561                                                struct eap_sim_attrs *attr)
 562 {
 563         struct eap_sim_attrs eattr;
 564         u8 *decrypted;
 565
 566         if (attr->encr_data == NULL || attr->iv == NULL) {
 567                 wpa_printf(MSG_WARNING, "EAP-AKA: Notification message after "
 568                            "reauth did not include encrypted data");
 569                 return -1;
 570         }
 571
 572         decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,
 573                                        attr->encr_data_len, attr->iv, &eattr,
 574                                        0);
 575         if (decrypted == NULL) {
 576                 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to parse encrypted "
 577                            "data from notification message");
 578                 return -1;
 579         }
 580
 581         if (eattr.counter != data->counter) {
 582                 wpa_printf(MSG_WARNING, "EAP-AKA: Counter in notification "
 583                            "message does not match with counter in reauth "
 584                            "message");
 585                 free(decrypted);
 586                 return -1;
 587         }
 588
 589         free(decrypted);
 590         return 0;
 591 }
 592
 593
 594 static int eap_aka_process_notification_auth(struct eap_aka_data *data,
 595                                              const struct eap_hdr *req,
 596                                              size_t reqDataLen,
 597                                              struct eap_sim_attrs *attr)
 598 {
 599         if (attr->mac == NULL) {
 600                 wpa_printf(MSG_INFO, "EAP-AKA: no AT_MAC in after_auth "
 601                            "Notification message");
 602                 return -1;
 603         }
 604
 605         if (eap_sim_verify_mac(data->k_aut, (const u8 *) req, reqDataLen,
 606                                attr->mac, (u8 *) "", 0)) {
 607                 wpa_printf(MSG_WARNING, "EAP-AKA: Notification message "
 608                            "used invalid AT_MAC");
 609                 return -1;
 610         }
 611
 612         if (data->reauth &&
 613             eap_aka_process_notification_reauth(data, req, reqDataLen, attr)) {
 614                 wpa_printf(MSG_WARNING, "EAP-AKA: Invalid notification "
 615                            "message after reauth");
 616                 return -1;
 617         }
 618
 619         return 0;
 620 }
 621
 622
 623 static u8 * eap_aka_process_notification(struct eap_sm *sm,
 624                                          struct eap_aka_data *data,
 625                                          const struct eap_hdr *req,
 626                                          size_t reqDataLen,
 627                                          size_t *respDataLen,
 628                                          struct eap_sim_attrs *attr)
 629 {
 630         wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Notification");
 631         if (data->num_notification > 0) {
 632                 wpa_printf(MSG_INFO, "EAP-AKA: too many notification "
 633                            "rounds (only one allowed)");
 634                 return eap_aka_client_error(sm, data, req, respDataLen,
 635                                             EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 636         }
 637         data->num_notification++;
 638         if (attr->notification == -1) {
 639                 wpa_printf(MSG_INFO, "EAP-AKA: no AT_NOTIFICATION in "
 640                            "Notification message");
 641                 return eap_aka_client_error(sm, data, req, respDataLen,
 642                                             EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 643         }
 644
 645         if ((attr->notification & 0x4000) == 0 &&
 646             eap_aka_process_notification_auth(data, req, reqDataLen, attr)) {
 647                 return eap_aka_client_error(sm, data, req, respDataLen,
 648                                             EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 649         }
 650
 651         eap_sim_report_notification(sm->msg_ctx, attr->notification, 1);
 652         if (attr->notification >= 0 && attr->notification < 32768) {
 653                 data->state = FAILURE;
 654         }
 655         return eap_aka_response_notification(sm, data, req, respDataLen,
 656                                              attr->notification);
 657 }
 658
 659
 660 static u8 * eap_aka_process_reauthentication(struct eap_sm *sm,
 661                                              struct eap_aka_data *data,
 662                                              const struct eap_hdr *req,
 663                                              size_t reqDataLen,
 664                                              size_t *respDataLen,
 665                                              struct eap_sim_attrs *attr)
 666 {
 667         struct eap_sim_attrs eattr;
 668         u8 *decrypted;
 669
 670         wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Reauthentication");
 671
 672         if (data->reauth_id == NULL) {
 673                 wpa_printf(MSG_WARNING, "EAP-AKA: Server is trying "
 674                            "reauthentication, but no reauth_id available");
 675                 return eap_aka_client_error(sm, data, req, respDataLen,
 676                                             EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 677         }
 678
 679         data->reauth = 1;
 680         if (eap_sim_verify_mac(data->k_aut, (const u8 *) req, reqDataLen,
 681                                attr->mac, (u8 *) "", 0)) {
 682                 wpa_printf(MSG_WARNING, "EAP-AKA: Reauthentication "
 683                            "did not have valid AT_MAC");
 684                 return eap_aka_client_error(sm, data, req, respDataLen,
 685                                             EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 686         }
 687
 688         if (attr->encr_data == NULL || attr->iv == NULL) {
 689                 wpa_printf(MSG_WARNING, "EAP-AKA: Reauthentication "
 690                            "message did not include encrypted data");
 691                 return eap_aka_client_error(sm, data, req, respDataLen,
 692                                             EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 693         }
 694
 695         decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,
 696                                        attr->encr_data_len, attr->iv, &eattr,
 697                                        0);
 698         if (decrypted == NULL) {
 699                 wpa_printf(MSG_WARNING, "EAP-AKA: Failed to parse encrypted "
 700                            "data from reauthentication message");
 701                 return eap_aka_client_error(sm, data, req, respDataLen,
 702                                             EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 703         }
 704
 705         if (eattr.nonce_s == NULL || eattr.counter < 0) {
 706                 wpa_printf(MSG_INFO, "EAP-AKA: (encr) No%s%s in reauth packet",
 707                            !eattr.nonce_s ? " AT_NONCE_S" : "",
 708                            eattr.counter < 0 ? " AT_COUNTER" : "");
 709                 free(decrypted);
 710                 return eap_aka_client_error(sm, data, req, respDataLen,
 711                                             EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 712         }
 713
 714         if (eattr.counter <= data->counter) {
 715                 wpa_printf(MSG_INFO, "EAP-AKA: (encr) Invalid counter "
 716                            "(%d <= %d)", eattr.counter, data->counter);
 717                 data->counter_too_small = eattr.counter;
 718                 /* Reply using Re-auth w/ AT_COUNTER_TOO_SMALL. The current
 719                  * reauth_id must not be used to start a new reauthentication.
 720                  * However, since it was used in the last EAP-Response-Identity
 721                  * packet, it has to saved for the following fullauth to be
 722                  * used in MK derivation. */
 723                 free(data->last_eap_identity);
 724                 data->last_eap_identity = data->reauth_id;
 725                 data->last_eap_identity_len = data->reauth_id_len;
 726                 data->reauth_id = NULL;
 727                 data->reauth_id_len = 0;
 728                 free(decrypted);
 729                 return eap_aka_response_reauth(sm, data, req, respDataLen, 1);
 730         }
 731         data->counter = eattr.counter;
 732
 733         memcpy(data->nonce_s, eattr.nonce_s, EAP_SIM_NONCE_S_LEN);
 734         wpa_hexdump(MSG_DEBUG, "EAP-AKA: (encr) AT_NONCE_S",
 735                     data->nonce_s, EAP_SIM_NONCE_S_LEN);
 736
 737         eap_sim_derive_keys_reauth(data->counter,
 738                                    data->reauth_id, data->reauth_id_len,
 739                                    data->nonce_s, data->mk, data->msk);
 740         eap_aka_clear_identities(data, CLEAR_REAUTH_ID | CLEAR_EAP_ID);
 741         eap_aka_learn_ids(data, &eattr);
 742
 743         if (data->state != FAILURE)
 744                 data->state = SUCCESS;
 745
 746         data->num_id_req = 0;
 747         data->num_notification = 0;
 748         if (data->counter > EAP_AKA_MAX_FAST_REAUTHS) {
 749                 wpa_printf(MSG_DEBUG, "EAP-AKA: Maximum number of "
 750                            "fast reauths performed - force fullauth");
 751                 eap_aka_clear_identities(data, CLEAR_REAUTH_ID | CLEAR_EAP_ID);
 752         }
 753         free(decrypted);
 754         return eap_aka_response_reauth(sm, data, req, respDataLen, 0);
 755 }
 756
 757
 758 static u8 * eap_aka_process(struct eap_sm *sm, void *priv,
 759                             struct eap_method_ret *ret,
 760                             const u8 *reqData, size_t reqDataLen,
 761                             size_t *respDataLen)
 762 {
 763         struct eap_aka_data *data = priv;
 764         struct wpa_ssid *config = eap_get_config(sm);
 765         const struct eap_hdr *req;
 766         u8 subtype, *res;
 767         const u8 *pos;
 768         struct eap_sim_attrs attr;
 769         size_t len;
 770
 771         wpa_hexdump(MSG_DEBUG, "EAP-AKA: EAP data", reqData, reqDataLen);
 772         if (config == NULL || config->identity == NULL) {
 773                 wpa_printf(MSG_INFO, "EAP-AKA: Identity not configured");
 774                 eap_sm_request_identity(sm, config);
 775                 ret->ignore = TRUE;
 776                 return NULL;
 777         }
 778
 779         pos = eap_hdr_validate(EAP_TYPE_AKA, reqData, reqDataLen, &len);
 780         if (pos == NULL || len < 1) {
 781                 ret->ignore = TRUE;
 782                 return NULL;
 783         }
 784         req = (const struct eap_hdr *) reqData;
 785         len = be_to_host16(req->length);
 786
 787         ret->ignore = FALSE;
 788         ret->methodState = METHOD_MAY_CONT;
 789         ret->decision = DECISION_FAIL;
 790         ret->allowNotifications = TRUE;
 791
 792         subtype = *pos++;
 793         wpa_printf(MSG_DEBUG, "EAP-AKA: Subtype=%d", subtype);
 794         pos += 2; /* Reserved */
 795
 796         if (eap_sim_parse_attr(pos, reqData + len, &attr, 1, 0)) {
 797                 res = eap_aka_client_error(sm, data, req, respDataLen,
 798                                            EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 799                 goto done;
 800         }
 801
 802         switch (subtype) {
 803         case EAP_AKA_SUBTYPE_IDENTITY:
 804                 res = eap_aka_process_identity(sm, data, req, len,
 805                                                respDataLen, &attr);
 806                 break;
 807         case EAP_AKA_SUBTYPE_CHALLENGE:
 808                 res = eap_aka_process_challenge(sm, data, req, len,
 809                                                 respDataLen, &attr);
 810                 break;
 811         case EAP_AKA_SUBTYPE_NOTIFICATION:
 812                 res = eap_aka_process_notification(sm, data, req, len,
 813                                                    respDataLen, &attr);
 814                 break;
 815         case EAP_AKA_SUBTYPE_REAUTHENTICATION:
 816                 res = eap_aka_process_reauthentication(sm, data, req, len,
 817                                                        respDataLen, &attr);
 818                 break;
 819         case EAP_AKA_SUBTYPE_CLIENT_ERROR:
 820                 wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Client-Error");
 821                 res = eap_aka_client_error(sm, data, req, respDataLen,
 822                                            EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 823                 break;
 824         default:
 825                 wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown subtype=%d", subtype);
 826                 res = eap_aka_client_error(sm, data, req, respDataLen,
 827                                            EAP_AKA_UNABLE_TO_PROCESS_PACKET);
 828                 break;
 829         }
 830
 831 done:
 832         if (data->state == FAILURE) {
 833                 ret->decision = DECISION_FAIL;
 834                 ret->methodState = METHOD_DONE;
 835         } else if (data->state == SUCCESS) {
 836                 ret->decision = DECISION_COND_SUCC;
 837                 ret->methodState = METHOD_DONE;
 838         }
 839
 840         if (ret->methodState == METHOD_DONE) {
 841                 ret->allowNotifications = FALSE;
 842         }
 843
 844         return res;
 845 }
 846
 847
 848 static Boolean eap_aka_has_reauth_data(struct eap_sm *sm, void *priv)
 849 {
 850         struct eap_aka_data *data = priv;
 851         return data->pseudonym || data->reauth_id;
 852 }
 853
 854
 855 static void eap_aka_deinit_for_reauth(struct eap_sm *sm, void *priv)
 856 {
 857         struct eap_aka_data *data = priv;
 858         eap_aka_clear_identities(data, CLEAR_EAP_ID);
 859 }
 860
 861
 862 static void * eap_aka_init_for_reauth(struct eap_sm *sm, void *priv)
 863 {
 864         struct eap_aka_data *data = priv;
 865         data->num_id_req = 0;
 866         data->num_notification = 0;
 867         data->state = CONTINUE;
 868         return priv;
 869 }
 870
 871
 872 static const u8 * eap_aka_get_identity(struct eap_sm *sm, void *priv,
 873                                        size_t *len)
 874 {
 875         struct eap_aka_data *data = priv;
 876
 877         if (data->reauth_id) {
 878                 *len = data->reauth_id_len;
 879                 return data->reauth_id;
 880         }
 881
 882         if (data->pseudonym) {
 883                 *len = data->pseudonym_len;
 884                 return data->pseudonym;
 885         }
 886
 887         return NULL;
 888 }
 889
 890
 891 static Boolean eap_aka_isKeyAvailable(struct eap_sm *sm, void *priv)
 892 {
 893         struct eap_aka_data *data = priv;
 894         return data->state == SUCCESS;
 895 }
 896
 897
 898 static u8 * eap_aka_getKey(struct eap_sm *sm, void *priv, size_t *len)
 899 {
 900         struct eap_aka_data *data = priv;
 901         u8 *key;
 902
 903         if (data->state != SUCCESS)
 904                 return NULL;
 905
 906         key = malloc(EAP_SIM_KEYING_DATA_LEN);
 907         if (key == NULL)
 908                 return NULL;
 909
 910         *len = EAP_SIM_KEYING_DATA_LEN;
 911         memcpy(key, data->msk, EAP_SIM_KEYING_DATA_LEN);
 912
 913         return key;
 914 }
 915
 916
 917 const struct eap_method eap_method_aka =
 918 {
 919         .method = EAP_TYPE_AKA,
 920         .name = "AKA",
 921         .init = eap_aka_init,
 922         .deinit = eap_aka_deinit,
 923         .process = eap_aka_process,
 924         .isKeyAvailable = eap_aka_isKeyAvailable,
 925         .getKey = eap_aka_getKey,
 926         .has_reauth_data = eap_aka_has_reauth_data,
 927         .deinit_for_reauth = eap_aka_deinit_for_reauth,
 928         .init_for_reauth = eap_aka_init_for_reauth,
 929         .get_identity = eap_aka_get_identity,
 930 };