2 * EAP peer/server: EAP-SIM/AKA/AKA' shared routines
3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
18 #include "eap_common/eap_defs.h"
24 #include "eap_common/eap_sim_common.h"
27 static int eap_sim_prf(const u8 *key, u8 *x, size_t xlen)
29 return fips186_2_prf(key, EAP_SIM_MK_LEN, x, xlen);
33 void eap_sim_derive_mk(const u8 *identity, size_t identity_len,
34 const u8 *nonce_mt, u16 selected_version,
35 const u8 *ver_list, size_t ver_list_len,
36 int num_chal, const u8 *kc, u8 *mk)
39 const unsigned char *addr[5];
43 len[0] = identity_len;
45 len[1] = num_chal * EAP_SIM_KC_LEN;
47 len[2] = EAP_SIM_NONCE_MT_LEN;
49 len[3] = ver_list_len;
53 WPA_PUT_BE16(sel_ver, selected_version);
55 /* MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version) */
56 sha1_vector(5, addr, len, mk);
57 wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: MK", mk, EAP_SIM_MK_LEN);
61 void eap_aka_derive_mk(const u8 *identity, size_t identity_len,
62 const u8 *ik, const u8 *ck, u8 *mk)
68 len[0] = identity_len;
70 len[1] = EAP_AKA_IK_LEN;
72 len[2] = EAP_AKA_CK_LEN;
74 /* MK = SHA1(Identity|IK|CK) */
75 sha1_vector(3, addr, len, mk);
76 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: IK", ik, EAP_AKA_IK_LEN);
77 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: CK", ck, EAP_AKA_CK_LEN);
78 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA: MK", mk, EAP_SIM_MK_LEN);
82 int eap_sim_derive_keys(const u8 *mk, u8 *k_encr, u8 *k_aut, u8 *msk, u8 *emsk)
84 u8 buf[EAP_SIM_K_ENCR_LEN + EAP_SIM_K_AUT_LEN +
85 EAP_SIM_KEYING_DATA_LEN + EAP_EMSK_LEN], *pos;
86 if (eap_sim_prf(mk, buf, sizeof(buf)) < 0) {
87 wpa_printf(MSG_ERROR, "EAP-SIM: Failed to derive keys");
91 os_memcpy(k_encr, pos, EAP_SIM_K_ENCR_LEN);
92 pos += EAP_SIM_K_ENCR_LEN;
93 os_memcpy(k_aut, pos, EAP_SIM_K_AUT_LEN);
94 pos += EAP_SIM_K_AUT_LEN;
95 os_memcpy(msk, pos, EAP_SIM_KEYING_DATA_LEN);
96 pos += EAP_SIM_KEYING_DATA_LEN;
97 os_memcpy(emsk, pos, EAP_EMSK_LEN);
99 wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: K_encr",
100 k_encr, EAP_SIM_K_ENCR_LEN);
101 wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: K_aut",
102 k_aut, EAP_SIM_K_AUT_LEN);
103 wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: keying material (MSK)",
104 msk, EAP_SIM_KEYING_DATA_LEN);
105 wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: EMSK", emsk, EAP_EMSK_LEN);
106 os_memset(buf, 0, sizeof(buf));
112 int eap_sim_derive_keys_reauth(u16 _counter,
113 const u8 *identity, size_t identity_len,
114 const u8 *nonce_s, const u8 *mk, u8 *msk,
117 u8 xkey[SHA1_MAC_LEN];
118 u8 buf[EAP_SIM_KEYING_DATA_LEN + EAP_EMSK_LEN + 32];
123 while (identity_len > 0 && identity[identity_len - 1] == 0) {
124 wpa_printf(MSG_DEBUG, "EAP-SIM: Workaround - drop null "
125 "character from the end of identity");
129 len[0] = identity_len;
133 len[2] = EAP_SIM_NONCE_S_LEN;
135 len[3] = EAP_SIM_MK_LEN;
137 WPA_PUT_BE16(counter, _counter);
139 wpa_printf(MSG_DEBUG, "EAP-SIM: Deriving keying data from reauth");
140 wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Identity",
141 identity, identity_len);
142 wpa_hexdump(MSG_DEBUG, "EAP-SIM: counter", counter, 2);
143 wpa_hexdump(MSG_DEBUG, "EAP-SIM: NONCE_S", nonce_s,
144 EAP_SIM_NONCE_S_LEN);
145 wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: MK", mk, EAP_SIM_MK_LEN);
147 /* XKEY' = SHA1(Identity|counter|NONCE_S|MK) */
148 sha1_vector(4, addr, len, xkey);
149 wpa_hexdump(MSG_DEBUG, "EAP-SIM: XKEY'", xkey, SHA1_MAC_LEN);
151 if (eap_sim_prf(xkey, buf, sizeof(buf)) < 0) {
152 wpa_printf(MSG_ERROR, "EAP-SIM: Failed to derive keys");
156 os_memcpy(msk, buf, EAP_SIM_KEYING_DATA_LEN);
157 wpa_hexdump(MSG_DEBUG, "EAP-SIM: keying material (MSK)",
158 msk, EAP_SIM_KEYING_DATA_LEN);
161 os_memcpy(emsk, buf + EAP_SIM_KEYING_DATA_LEN, EAP_EMSK_LEN);
162 wpa_hexdump(MSG_DEBUG, "EAP-SIM: EMSK", emsk, EAP_EMSK_LEN);
164 os_memset(buf, 0, sizeof(buf));
170 int eap_sim_verify_mac(const u8 *k_aut, const struct wpabuf *req,
171 const u8 *mac, const u8 *extra, size_t extra_len)
173 unsigned char hmac[SHA1_MAC_LEN];
178 if (mac == NULL || wpabuf_len(req) < EAP_SIM_MAC_LEN ||
179 mac < wpabuf_head_u8(req) ||
180 mac > wpabuf_head_u8(req) + wpabuf_len(req) - EAP_SIM_MAC_LEN)
183 tmp = os_malloc(wpabuf_len(req));
188 len[0] = wpabuf_len(req);
193 os_memcpy(tmp, wpabuf_head(req), wpabuf_len(req));
194 os_memset(tmp + (mac - wpabuf_head_u8(req)), 0, EAP_SIM_MAC_LEN);
195 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Verify MAC - msg",
196 tmp, wpabuf_len(req));
197 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Verify MAC - extra data",
199 wpa_hexdump_key(MSG_MSGDUMP, "EAP-SIM: Verify MAC - K_aut",
200 k_aut, EAP_SIM_K_AUT_LEN);
201 hmac_sha1_vector(k_aut, EAP_SIM_K_AUT_LEN, 2, addr, len, hmac);
202 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Verify MAC: MAC",
203 hmac, EAP_SIM_MAC_LEN);
206 return (os_memcmp(hmac, mac, EAP_SIM_MAC_LEN) == 0) ? 0 : 1;
210 void eap_sim_add_mac(const u8 *k_aut, const u8 *msg, size_t msg_len, u8 *mac,
211 const u8 *extra, size_t extra_len)
213 unsigned char hmac[SHA1_MAC_LEN];
223 os_memset(mac, 0, EAP_SIM_MAC_LEN);
224 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Add MAC - msg", msg, msg_len);
225 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Add MAC - extra data",
227 wpa_hexdump_key(MSG_MSGDUMP, "EAP-SIM: Add MAC - K_aut",
228 k_aut, EAP_SIM_K_AUT_LEN);
229 hmac_sha1_vector(k_aut, EAP_SIM_K_AUT_LEN, 2, addr, len, hmac);
230 os_memcpy(mac, hmac, EAP_SIM_MAC_LEN);
231 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Add MAC: MAC",
232 mac, EAP_SIM_MAC_LEN);
237 static void prf_prime(const u8 *k, const char *seed1,
238 const u8 *seed2, size_t seed2_len,
239 const u8 *seed3, size_t seed3_len,
240 u8 *res, size_t res_len)
244 u8 hash[SHA256_MAC_LEN];
248 * PRF'(K,S) = T1 | T2 | T3 | T4 | ...
249 * T1 = HMAC-SHA-256 (K, S | 0x01)
250 * T2 = HMAC-SHA-256 (K, T1 | S | 0x02)
251 * T3 = HMAC-SHA-256 (K, T2 | S | 0x03)
252 * T4 = HMAC-SHA-256 (K, T3 | S | 0x04)
258 addr[1] = (const u8 *) seed1;
259 len[1] = os_strlen(seed1);
271 hmac_sha256_vector(k, 32, 5, addr, len, hash);
272 len[0] = SHA256_MAC_LEN;
273 hlen = res_len > SHA256_MAC_LEN ? SHA256_MAC_LEN : res_len;
274 os_memcpy(res, hash, hlen);
281 void eap_aka_prime_derive_keys(const u8 *identity, size_t identity_len,
282 const u8 *ik, const u8 *ck, u8 *k_encr,
283 u8 *k_aut, u8 *k_re, u8 *msk, u8 *emsk)
285 u8 key[EAP_AKA_IK_LEN + EAP_AKA_CK_LEN];
286 u8 keys[EAP_SIM_K_ENCR_LEN + EAP_AKA_PRIME_K_AUT_LEN +
287 EAP_AKA_PRIME_K_RE_LEN + EAP_MSK_LEN + EAP_EMSK_LEN];
291 * MK = PRF'(IK'|CK',"EAP-AKA'"|Identity)
292 * K_encr = MK[0..127]
293 * K_aut = MK[128..383]
294 * K_re = MK[384..639]
295 * MSK = MK[640..1151]
296 * EMSK = MK[1152..1663]
299 os_memcpy(key, ik, EAP_AKA_IK_LEN);
300 os_memcpy(key + EAP_AKA_IK_LEN, ck, EAP_AKA_CK_LEN);
302 prf_prime(key, "EAP-AKA'", identity, identity_len, NULL, 0,
306 os_memcpy(k_encr, pos, EAP_SIM_K_ENCR_LEN);
307 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': K_encr",
308 k_encr, EAP_SIM_K_ENCR_LEN);
309 pos += EAP_SIM_K_ENCR_LEN;
311 os_memcpy(k_aut, pos, EAP_AKA_PRIME_K_AUT_LEN);
312 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': K_aut",
313 k_aut, EAP_AKA_PRIME_K_AUT_LEN);
314 pos += EAP_AKA_PRIME_K_AUT_LEN;
316 os_memcpy(k_re, pos, EAP_AKA_PRIME_K_RE_LEN);
317 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': K_re",
318 k_re, EAP_AKA_PRIME_K_RE_LEN);
319 pos += EAP_AKA_PRIME_K_RE_LEN;
321 os_memcpy(msk, pos, EAP_MSK_LEN);
322 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': MSK", msk, EAP_MSK_LEN);
325 os_memcpy(emsk, pos, EAP_EMSK_LEN);
326 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': EMSK", emsk, EAP_EMSK_LEN);
330 int eap_aka_prime_derive_keys_reauth(const u8 *k_re, u16 counter,
331 const u8 *identity, size_t identity_len,
332 const u8 *nonce_s, u8 *msk, u8 *emsk)
334 u8 seed3[2 + EAP_SIM_NONCE_S_LEN];
335 u8 keys[EAP_MSK_LEN + EAP_EMSK_LEN];
339 * MK = PRF'(K_re,"EAP-AKA' re-auth"|Identity|counter|NONCE_S)
341 * EMSK = MK[512..1023]
344 WPA_PUT_BE16(seed3, counter);
345 os_memcpy(seed3 + 2, nonce_s, EAP_SIM_NONCE_S_LEN);
347 prf_prime(k_re, "EAP-AKA' re-auth", identity, identity_len,
348 seed3, sizeof(seed3),
352 os_memcpy(msk, pos, EAP_MSK_LEN);
353 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': MSK", msk, EAP_MSK_LEN);
356 os_memcpy(emsk, pos, EAP_EMSK_LEN);
357 wpa_hexdump_key(MSG_DEBUG, "EAP-AKA': EMSK", emsk, EAP_EMSK_LEN);
359 os_memset(keys, 0, sizeof(keys));
365 int eap_sim_verify_mac_sha256(const u8 *k_aut, const struct wpabuf *req,
366 const u8 *mac, const u8 *extra, size_t extra_len)
368 unsigned char hmac[SHA256_MAC_LEN];
373 if (mac == NULL || wpabuf_len(req) < EAP_SIM_MAC_LEN ||
374 mac < wpabuf_head_u8(req) ||
375 mac > wpabuf_head_u8(req) + wpabuf_len(req) - EAP_SIM_MAC_LEN)
378 tmp = os_malloc(wpabuf_len(req));
383 len[0] = wpabuf_len(req);
387 /* HMAC-SHA-256-128 */
388 os_memcpy(tmp, wpabuf_head(req), wpabuf_len(req));
389 os_memset(tmp + (mac - wpabuf_head_u8(req)), 0, EAP_SIM_MAC_LEN);
390 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC - msg",
391 tmp, wpabuf_len(req));
392 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC - extra data",
394 wpa_hexdump_key(MSG_MSGDUMP, "EAP-AKA': Verify MAC - K_aut",
395 k_aut, EAP_AKA_PRIME_K_AUT_LEN);
396 hmac_sha256_vector(k_aut, EAP_AKA_PRIME_K_AUT_LEN, 2, addr, len, hmac);
397 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Verify MAC: MAC",
398 hmac, EAP_SIM_MAC_LEN);
401 return (os_memcmp(hmac, mac, EAP_SIM_MAC_LEN) == 0) ? 0 : 1;
405 void eap_sim_add_mac_sha256(const u8 *k_aut, const u8 *msg, size_t msg_len,
406 u8 *mac, const u8 *extra, size_t extra_len)
408 unsigned char hmac[SHA256_MAC_LEN];
417 /* HMAC-SHA-256-128 */
418 os_memset(mac, 0, EAP_SIM_MAC_LEN);
419 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Add MAC - msg", msg, msg_len);
420 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Add MAC - extra data",
422 wpa_hexdump_key(MSG_MSGDUMP, "EAP-AKA': Add MAC - K_aut",
423 k_aut, EAP_AKA_PRIME_K_AUT_LEN);
424 hmac_sha256_vector(k_aut, EAP_AKA_PRIME_K_AUT_LEN, 2, addr, len, hmac);
425 os_memcpy(mac, hmac, EAP_SIM_MAC_LEN);
426 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA': Add MAC: MAC",
427 mac, EAP_SIM_MAC_LEN);
429 #endif /* EAP_AKA_PRIME */
432 int eap_sim_parse_attr(const u8 *start, const u8 *end,
433 struct eap_sim_attrs *attr, int aka, int encr)
435 const u8 *pos = start, *apos;
436 size_t alen, plen, i, list_len;
438 os_memset(attr, 0, sizeof(*attr));
439 attr->id_req = NO_ID_REQ;
440 attr->notification = -1;
442 attr->selected_version = -1;
443 attr->client_error_code = -1;
447 wpa_printf(MSG_INFO, "EAP-SIM: Attribute overflow(1)");
450 wpa_printf(MSG_MSGDUMP, "EAP-SIM: Attribute: Type=%d Len=%d",
452 if (pos + pos[1] * 4 > end) {
453 wpa_printf(MSG_INFO, "EAP-SIM: Attribute overflow "
454 "(pos=%p len=%d end=%p)",
455 pos, pos[1] * 4, end);
459 wpa_printf(MSG_INFO, "EAP-SIM: Attribute underflow");
463 alen = pos[1] * 4 - 2;
464 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Attribute data",
468 case EAP_SIM_AT_RAND:
469 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_RAND");
472 if ((!aka && (alen % GSM_RAND_LEN)) ||
473 (aka && alen != EAP_AKA_RAND_LEN)) {
474 wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_RAND"
476 (unsigned long) alen);
480 attr->num_chal = alen / GSM_RAND_LEN;
482 case EAP_SIM_AT_AUTN:
483 wpa_printf(MSG_DEBUG, "EAP-AKA: AT_AUTN");
485 wpa_printf(MSG_DEBUG, "EAP-SIM: "
486 "Unexpected AT_AUTN");
491 if (alen != EAP_AKA_AUTN_LEN) {
492 wpa_printf(MSG_INFO, "EAP-AKA: Invalid AT_AUTN"
494 (unsigned long) alen);
499 case EAP_SIM_AT_PADDING:
501 wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
505 wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) AT_PADDING");
506 for (i = 2; i < alen; i++) {
508 wpa_printf(MSG_INFO, "EAP-SIM: (encr) "
509 "AT_PADDING used a non-zero"
511 wpa_hexdump(MSG_DEBUG, "EAP-SIM: "
512 "(encr) padding bytes",
518 case EAP_SIM_AT_NONCE_MT:
519 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_NONCE_MT");
520 if (alen != 2 + EAP_SIM_NONCE_MT_LEN) {
521 wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
522 "AT_NONCE_MT length");
525 attr->nonce_mt = apos + 2;
527 case EAP_SIM_AT_PERMANENT_ID_REQ:
528 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_PERMANENT_ID_REQ");
529 attr->id_req = PERMANENT_ID;
532 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_MAC");
533 if (alen != 2 + EAP_SIM_MAC_LEN) {
534 wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_MAC "
538 attr->mac = apos + 2;
540 case EAP_SIM_AT_NOTIFICATION:
542 wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
543 "AT_NOTIFICATION length %lu",
544 (unsigned long) alen);
547 attr->notification = apos[0] * 256 + apos[1];
548 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_NOTIFICATION %d",
551 case EAP_SIM_AT_ANY_ID_REQ:
552 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_ANY_ID_REQ");
553 attr->id_req = ANY_ID;
555 case EAP_SIM_AT_IDENTITY:
556 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_IDENTITY");
557 plen = WPA_GET_BE16(apos);
561 wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
562 "AT_IDENTITY (Actual Length %lu, "
563 "remaining length %lu)",
564 (unsigned long) plen,
565 (unsigned long) alen);
569 attr->identity = apos;
570 attr->identity_len = plen;
572 case EAP_SIM_AT_VERSION_LIST:
574 wpa_printf(MSG_DEBUG, "EAP-AKA: "
575 "Unexpected AT_VERSION_LIST");
578 list_len = apos[0] * 256 + apos[1];
579 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_VERSION_LIST");
580 if (list_len < 2 || list_len > alen - 2) {
581 wpa_printf(MSG_WARNING, "EAP-SIM: Invalid "
582 "AT_VERSION_LIST (list_len=%lu "
584 (unsigned long) list_len,
585 (unsigned long) alen);
588 attr->version_list = apos + 2;
589 attr->version_list_len = list_len;
591 case EAP_SIM_AT_SELECTED_VERSION:
592 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_SELECTED_VERSION");
594 wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
595 "AT_SELECTED_VERSION length %lu",
596 (unsigned long) alen);
599 attr->selected_version = apos[0] * 256 + apos[1];
600 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_SELECTED_VERSION "
601 "%d", attr->selected_version);
603 case EAP_SIM_AT_FULLAUTH_ID_REQ:
604 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_FULLAUTH_ID_REQ");
605 attr->id_req = FULLAUTH_ID;
607 case EAP_SIM_AT_COUNTER:
609 wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
614 wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid "
615 "AT_COUNTER (alen=%lu)",
616 (unsigned long) alen);
619 attr->counter = apos[0] * 256 + apos[1];
620 wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) AT_COUNTER %d",
623 case EAP_SIM_AT_COUNTER_TOO_SMALL:
625 wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
626 "AT_COUNTER_TOO_SMALL");
630 wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid "
631 "AT_COUNTER_TOO_SMALL (alen=%lu)",
632 (unsigned long) alen);
635 wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
636 "AT_COUNTER_TOO_SMALL");
637 attr->counter_too_small = 1;
639 case EAP_SIM_AT_NONCE_S:
641 wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
645 wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
647 if (alen != 2 + EAP_SIM_NONCE_S_LEN) {
648 wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid "
649 "AT_NONCE_S (alen=%lu)",
650 (unsigned long) alen);
653 attr->nonce_s = apos + 2;
655 case EAP_SIM_AT_CLIENT_ERROR_CODE:
657 wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
658 "AT_CLIENT_ERROR_CODE length %lu",
659 (unsigned long) alen);
662 attr->client_error_code = apos[0] * 256 + apos[1];
663 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_CLIENT_ERROR_CODE "
664 "%d", attr->client_error_code);
667 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_IV");
668 if (alen != 2 + EAP_SIM_MAC_LEN) {
669 wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_IV "
670 "length %lu", (unsigned long) alen);
675 case EAP_SIM_AT_ENCR_DATA:
676 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_ENCR_DATA");
677 attr->encr_data = apos + 2;
678 attr->encr_data_len = alen - 2;
679 if (attr->encr_data_len % 16) {
680 wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
681 "AT_ENCR_DATA length %lu",
683 attr->encr_data_len);
687 case EAP_SIM_AT_NEXT_PSEUDONYM:
689 wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
690 "AT_NEXT_PSEUDONYM");
693 wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
694 "AT_NEXT_PSEUDONYM");
695 plen = apos[0] * 256 + apos[1];
696 if (plen > alen - 2) {
697 wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid"
698 " AT_NEXT_PSEUDONYM (actual"
699 " len %lu, attr len %lu)",
700 (unsigned long) plen,
701 (unsigned long) alen);
704 attr->next_pseudonym = pos + 4;
705 attr->next_pseudonym_len = plen;
707 case EAP_SIM_AT_NEXT_REAUTH_ID:
709 wpa_printf(MSG_ERROR, "EAP-SIM: Unencrypted "
710 "AT_NEXT_REAUTH_ID");
713 wpa_printf(MSG_DEBUG, "EAP-SIM: (encr) "
714 "AT_NEXT_REAUTH_ID");
715 plen = apos[0] * 256 + apos[1];
716 if (plen > alen - 2) {
717 wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid"
718 " AT_NEXT_REAUTH_ID (actual"
719 " len %lu, attr len %lu)",
720 (unsigned long) plen,
721 (unsigned long) alen);
724 attr->next_reauth_id = pos + 4;
725 attr->next_reauth_id_len = plen;
728 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_RES");
729 attr->res_len_bits = WPA_GET_BE16(apos);
732 if (!aka || alen < EAP_AKA_MIN_RES_LEN ||
733 alen > EAP_AKA_MAX_RES_LEN) {
734 wpa_printf(MSG_INFO, "EAP-SIM: Invalid AT_RES "
736 (unsigned long) alen);
740 attr->res_len = alen;
742 case EAP_SIM_AT_AUTS:
743 wpa_printf(MSG_DEBUG, "EAP-AKA: AT_AUTS");
745 wpa_printf(MSG_DEBUG, "EAP-SIM: "
746 "Unexpected AT_AUTS");
749 if (alen != EAP_AKA_AUTS_LEN) {
750 wpa_printf(MSG_INFO, "EAP-AKA: Invalid AT_AUTS"
752 (unsigned long) alen);
757 case EAP_SIM_AT_CHECKCODE:
758 wpa_printf(MSG_DEBUG, "EAP-AKA: AT_CHECKCODE");
760 wpa_printf(MSG_DEBUG, "EAP-SIM: "
761 "Unexpected AT_CHECKCODE");
766 if (alen != 0 && alen != EAP_AKA_CHECKCODE_LEN &&
767 alen != EAP_AKA_PRIME_CHECKCODE_LEN) {
768 wpa_printf(MSG_INFO, "EAP-AKA: Invalid "
769 "AT_CHECKCODE (len %lu)",
770 (unsigned long) alen);
773 attr->checkcode = apos;
774 attr->checkcode_len = alen;
776 case EAP_SIM_AT_RESULT_IND:
778 wpa_printf(MSG_ERROR, "EAP-SIM: Encrypted "
783 wpa_printf(MSG_INFO, "EAP-SIM: Invalid "
784 "AT_RESULT_IND (alen=%lu)",
785 (unsigned long) alen);
788 wpa_printf(MSG_DEBUG, "EAP-SIM: AT_RESULT_IND");
789 attr->result_ind = 1;
792 case EAP_SIM_AT_KDF_INPUT:
794 wpa_printf(MSG_INFO, "EAP-AKA: Unexpected "
799 wpa_printf(MSG_DEBUG, "EAP-AKA: AT_KDF_INPUT");
800 plen = WPA_GET_BE16(apos);
804 wpa_printf(MSG_INFO, "EAP-AKA': Invalid "
805 "AT_KDF_INPUT (Actual Length %lu, "
806 "remaining length %lu)",
807 (unsigned long) plen,
808 (unsigned long) alen);
811 attr->kdf_input = apos;
812 attr->kdf_input_len = plen;
816 wpa_printf(MSG_INFO, "EAP-AKA: Unexpected "
821 wpa_printf(MSG_DEBUG, "EAP-AKA: AT_KDF");
823 wpa_printf(MSG_INFO, "EAP-AKA': Invalid "
825 (unsigned long) alen);
828 if (attr->kdf_count == EAP_AKA_PRIME_KDF_MAX) {
829 wpa_printf(MSG_DEBUG, "EAP-AKA': Too many "
830 "AT_KDF attributes - ignore this");
833 attr->kdf[attr->kdf_count] = WPA_GET_BE16(apos);
836 #endif /* EAP_AKA_PRIME */
839 wpa_printf(MSG_INFO, "EAP-SIM: Unrecognized "
840 "non-skippable attribute %d",
845 wpa_printf(MSG_DEBUG, "EAP-SIM: Unrecognized skippable"
846 " attribute %d ignored", pos[0]);
853 wpa_printf(MSG_DEBUG, "EAP-SIM: Attributes parsed successfully "
854 "(aka=%d encr=%d)", aka, encr);
860 u8 * eap_sim_parse_encr(const u8 *k_encr, const u8 *encr_data,
861 size_t encr_data_len, const u8 *iv,
862 struct eap_sim_attrs *attr, int aka)
867 wpa_printf(MSG_INFO, "EAP-SIM: Encrypted data, but no IV");
871 decrypted = os_malloc(encr_data_len);
872 if (decrypted == NULL)
874 os_memcpy(decrypted, encr_data, encr_data_len);
876 if (aes_128_cbc_decrypt(k_encr, iv, decrypted, encr_data_len)) {
880 wpa_hexdump(MSG_MSGDUMP, "EAP-SIM: Decrypted AT_ENCR_DATA",
881 decrypted, encr_data_len);
883 if (eap_sim_parse_attr(decrypted, decrypted + encr_data_len, attr,
885 wpa_printf(MSG_INFO, "EAP-SIM: (encr) Failed to parse "
886 "decrypted AT_ENCR_DATA");
895 #define EAP_SIM_INIT_LEN 128
899 size_t mac, iv, encr; /* index from buf */
904 struct eap_sim_msg * eap_sim_msg_init(int code, int id, int type, int subtype)
906 struct eap_sim_msg *msg;
910 msg = os_zalloc(sizeof(*msg));
915 msg->buf = wpabuf_alloc(EAP_SIM_INIT_LEN);
916 if (msg->buf == NULL) {
920 eap = wpabuf_put(msg->buf, sizeof(*eap));
922 eap->identifier = id;
924 pos = wpabuf_put(msg->buf, 4);
927 *pos++ = 0; /* Reserved */
928 *pos++ = 0; /* Reserved */
934 struct wpabuf * eap_sim_msg_finish(struct eap_sim_msg *msg, const u8 *k_aut,
935 const u8 *extra, size_t extra_len)
943 eap = wpabuf_mhead(msg->buf);
944 eap->length = host_to_be16(wpabuf_len(msg->buf));
947 if (k_aut && msg->mac && msg->type == EAP_TYPE_AKA_PRIME) {
948 eap_sim_add_mac_sha256(k_aut, (u8 *) wpabuf_head(msg->buf),
949 wpabuf_len(msg->buf),
950 (u8 *) wpabuf_mhead(msg->buf) +
951 msg->mac, extra, extra_len);
953 #endif /* EAP_AKA_PRIME */
954 if (k_aut && msg->mac) {
955 eap_sim_add_mac(k_aut, (u8 *) wpabuf_head(msg->buf),
956 wpabuf_len(msg->buf),
957 (u8 *) wpabuf_mhead(msg->buf) + msg->mac,
967 void eap_sim_msg_free(struct eap_sim_msg *msg)
970 wpabuf_free(msg->buf);
976 u8 * eap_sim_msg_add_full(struct eap_sim_msg *msg, u8 attr,
977 const u8 *data, size_t len)
979 int attr_len = 2 + len;
986 pad_len = (4 - attr_len % 4) % 4;
988 if (wpabuf_resize(&msg->buf, attr_len))
990 start = wpabuf_put(msg->buf, 0);
991 wpabuf_put_u8(msg->buf, attr);
992 wpabuf_put_u8(msg->buf, attr_len / 4);
993 wpabuf_put_data(msg->buf, data, len);
995 os_memset(wpabuf_put(msg->buf, pad_len), 0, pad_len);
1000 u8 * eap_sim_msg_add(struct eap_sim_msg *msg, u8 attr, u16 value,
1001 const u8 *data, size_t len)
1003 int attr_len = 4 + len;
1010 pad_len = (4 - attr_len % 4) % 4;
1011 attr_len += pad_len;
1012 if (wpabuf_resize(&msg->buf, attr_len))
1014 start = wpabuf_put(msg->buf, 0);
1015 wpabuf_put_u8(msg->buf, attr);
1016 wpabuf_put_u8(msg->buf, attr_len / 4);
1017 wpabuf_put_be16(msg->buf, value);
1019 wpabuf_put_data(msg->buf, data, len);
1021 wpabuf_put(msg->buf, len);
1023 os_memset(wpabuf_put(msg->buf, pad_len), 0, pad_len);
1028 u8 * eap_sim_msg_add_mac(struct eap_sim_msg *msg, u8 attr)
1030 u8 *pos = eap_sim_msg_add(msg, attr, 0, NULL, EAP_SIM_MAC_LEN);
1032 msg->mac = (pos - wpabuf_head_u8(msg->buf)) + 4;
1037 int eap_sim_msg_add_encr_start(struct eap_sim_msg *msg, u8 attr_iv,
1040 u8 *pos = eap_sim_msg_add(msg, attr_iv, 0, NULL, EAP_SIM_IV_LEN);
1043 msg->iv = (pos - wpabuf_head_u8(msg->buf)) + 4;
1044 if (os_get_random(wpabuf_mhead_u8(msg->buf) + msg->iv,
1050 pos = eap_sim_msg_add(msg, attr_encr, 0, NULL, 0);
1055 msg->encr = pos - wpabuf_head_u8(msg->buf);
1061 int eap_sim_msg_add_encr_end(struct eap_sim_msg *msg, u8 *k_encr, int attr_pad)
1065 if (msg == NULL || k_encr == NULL || msg->iv == 0 || msg->encr == 0)
1068 encr_len = wpabuf_len(msg->buf) - msg->encr - 4;
1069 if (encr_len % 16) {
1071 int pad_len = 16 - (encr_len % 16);
1073 wpa_printf(MSG_WARNING, "EAP-SIM: "
1074 "eap_sim_msg_add_encr_end - invalid pad_len"
1078 wpa_printf(MSG_DEBUG, " *AT_PADDING");
1079 pos = eap_sim_msg_add(msg, attr_pad, 0, NULL, pad_len - 4);
1082 os_memset(pos + 4, 0, pad_len - 4);
1083 encr_len += pad_len;
1085 wpa_printf(MSG_DEBUG, " (AT_ENCR_DATA data len %lu)",
1086 (unsigned long) encr_len);
1087 wpabuf_mhead_u8(msg->buf)[msg->encr + 1] = encr_len / 4 + 1;
1088 return aes_128_cbc_encrypt(k_encr, wpabuf_head_u8(msg->buf) + msg->iv,
1089 wpabuf_mhead_u8(msg->buf) + msg->encr + 4,
1094 void eap_sim_report_notification(void *msg_ctx, int notification, int aka)
1096 #ifndef CONFIG_NO_STDOUT_DEBUG
1097 const char *type = aka ? "AKA" : "SIM";
1098 #endif /* CONFIG_NO_STDOUT_DEBUG */
1100 switch (notification) {
1101 case EAP_SIM_GENERAL_FAILURE_AFTER_AUTH:
1102 wpa_printf(MSG_WARNING, "EAP-%s: General failure "
1103 "notification (after authentication)", type);
1105 case EAP_SIM_TEMPORARILY_DENIED:
1106 wpa_printf(MSG_WARNING, "EAP-%s: Failure notification: "
1107 "User has been temporarily denied access to the "
1108 "requested service", type);
1110 case EAP_SIM_NOT_SUBSCRIBED:
1111 wpa_printf(MSG_WARNING, "EAP-%s: Failure notification: "
1112 "User has not subscribed to the requested service",
1115 case EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH:
1116 wpa_printf(MSG_WARNING, "EAP-%s: General failure "
1117 "notification (before authentication)", type);
1119 case EAP_SIM_SUCCESS:
1120 wpa_printf(MSG_INFO, "EAP-%s: Successful authentication "
1121 "notification", type);
1124 if (notification >= 32768) {
1125 wpa_printf(MSG_INFO, "EAP-%s: Unrecognized "
1126 "non-failure notification %d",
1127 type, notification);
1129 wpa_printf(MSG_WARNING, "EAP-%s: Unrecognized "
1130 "failure notification %d",
1131 type, notification);