static u8 * eap_sim_response_start(struct eap_sm *sm, struct eap_sim_data *data, const struct eap_hdr *req, size_t *respDataLen, enum eap_sim_id_req id_req) { const u8 *identity = NULL; size_t identity_len = 0; struct eap_sim_msg *msg; data->reauth = 0; if (id_req == ANY_ID && data->reauth_id) { identity = data->reauth_id; identity_len = data->reauth_id_len; data->reauth = 1; } else if ((id_req == ANY_ID || id_req == FULLAUTH_ID) && data->pseudonym) { identity = data->pseudonym; identity_len = data->pseudonym_len; eap_sim_clear_identities(data, CLEAR_REAUTH_ID); } else if (id_req != NO_ID_REQ) { identity = eap_get_config_identity(sm, &identity_len); if (identity) { eap_sim_clear_identities(data, CLEAR_PSEUDONYM | CLEAR_REAUTH_ID); } } if (id_req != NO_ID_REQ) eap_sim_clear_identities(data, CLEAR_EAP_ID); wpa_printf(MSG_DEBUG, "Generating EAP-SIM Start (id=%d)", req->identifier); msg = eap_sim_msg_init(EAP_CODE_RESPONSE, req->identifier, EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START); if (!data->reauth) { wpa_hexdump(MSG_DEBUG, " AT_NONCE_MT", data->nonce_mt, EAP_SIM_NONCE_MT_LEN); eap_sim_msg_add(msg, EAP_SIM_AT_NONCE_MT, 0, data->nonce_mt, EAP_SIM_NONCE_MT_LEN); wpa_printf(MSG_DEBUG, " AT_SELECTED_VERSION %d", data->selected_version); eap_sim_msg_add(msg, EAP_SIM_AT_SELECTED_VERSION, data->selected_version, NULL, 0); } if (identity) { wpa_hexdump_ascii(MSG_DEBUG, " AT_IDENTITY", identity, identity_len); eap_sim_msg_add(msg, EAP_SIM_AT_IDENTITY, identity_len, identity, identity_len); } return eap_sim_msg_finish(msg, respDataLen, NULL, NULL, 0); }
static void eap_sim_deinit_for_reauth(struct eap_sm *sm, void *priv) { struct eap_sim_data *data = priv; eap_sim_clear_identities(sm, data, CLEAR_EAP_ID); data->use_result_ind = 0; eap_sim_clear_keys(data, 1); }
static void eap_sim_deinit_for_reauth(struct eap_sm *sm, void *priv) { struct eap_sim_data *data = priv; eap_sim_clear_identities(data, CLEAR_EAP_ID); }
static u8 * eap_sim_process_reauthentication(struct eap_sm *sm, struct eap_sim_data *data, struct eap_hdr *req, size_t reqDataLen, size_t *respDataLen, struct eap_sim_attrs *attr) { struct eap_sim_attrs eattr; wpa_printf(MSG_DEBUG, "EAP-SIM: subtype Reauthentication"); if (data->reauth_id == NULL) { wpa_printf(MSG_WARNING, "EAP-SIM: Server is trying " "reauthentication, but no reauth_id available"); return eap_sim_client_error(sm, data, req, respDataLen, EAP_SIM_UNABLE_TO_PROCESS_PACKET); } data->reauth = 1; if (eap_sim_verify_mac(data->k_aut, (u8 *) req, reqDataLen, attr->mac, (u8 *) "", 0)) { wpa_printf(MSG_WARNING, "EAP-SIM: Reauthentication " "did not have valid AT_MAC"); return eap_sim_client_error(sm, data, req, respDataLen, EAP_SIM_UNABLE_TO_PROCESS_PACKET); } if (attr->encr_data == NULL || attr->iv == NULL) { wpa_printf(MSG_WARNING, "EAP-SIM: Reauthentication " "message did not include encrypted data"); return eap_sim_client_error(sm, data, req, respDataLen, EAP_SIM_UNABLE_TO_PROCESS_PACKET); } if (eap_sim_parse_encr(data->k_encr, attr->encr_data, attr->encr_data_len, attr->iv, &eattr, 0)) { wpa_printf(MSG_WARNING, "EAP-SIM: Failed to parse encrypted " "data from reauthentication message"); return eap_sim_client_error(sm, data, req, respDataLen, EAP_SIM_UNABLE_TO_PROCESS_PACKET); } if (eattr.nonce_s == NULL || eattr.counter < 0) { wpa_printf(MSG_INFO, "EAP-SIM: (encr) No%s%s in reauth packet", !eattr.nonce_s ? " AT_NONCE_S" : "", eattr.counter < 0 ? " AT_COUNTER" : ""); return eap_sim_client_error(sm, data, req, respDataLen, EAP_SIM_UNABLE_TO_PROCESS_PACKET); } if (eattr.counter <= data->counter) { wpa_printf(MSG_INFO, "EAP-SIM: (encr) Invalid counter " "(%d <= %d)", eattr.counter, data->counter); data->counter_too_small = eattr.counter; /* Reply using Re-auth w/ AT_COUNTER_TOO_SMALL. The current * reauth_id must not be used to start a new reauthentication. * However, since it was used in the last EAP-Response-Identity * packet, it has to saved for the following fullauth to be * used in MK derivation. */ free(data->last_eap_identity); data->last_eap_identity = data->reauth_id; data->last_eap_identity_len = data->reauth_id_len; data->reauth_id = NULL; data->reauth_id_len = 0; return eap_sim_response_reauth(sm, data, req, respDataLen, 1); } data->counter = eattr.counter; memcpy(data->nonce_s, eattr.nonce_s, EAP_SIM_NONCE_S_LEN); wpa_hexdump(MSG_DEBUG, "EAP-SIM: (encr) AT_NONCE_S", data->nonce_s, EAP_SIM_NONCE_S_LEN); eap_sim_derive_keys_reauth(data->counter, data->reauth_id, data->reauth_id_len, data->nonce_s, data->mk, data->msk); eap_sim_clear_identities(data, CLEAR_REAUTH_ID | CLEAR_EAP_ID); eap_sim_learn_ids(data, &eattr); if (data->state != FAILURE) data->state = SUCCESS; data->num_id_req = 0; data->num_notification = 0; if (data->counter > EAP_SIM_MAX_FAST_REAUTHS) { wpa_printf(MSG_DEBUG, "EAP-SIM: Maximum number of " "fast reauths performed - force fullauth"); eap_sim_clear_identities(data, CLEAR_REAUTH_ID | CLEAR_EAP_ID); } return eap_sim_response_reauth(sm, data, req, respDataLen, 0); }
static u8 * eap_sim_process_challenge(struct eap_sm *sm, struct eap_sim_data *data, struct eap_hdr *req, size_t reqDataLen, size_t *respDataLen, struct eap_sim_attrs *attr) { struct wpa_ssid *config = eap_get_config(sm); u8 *identity; size_t identity_len; struct eap_sim_attrs eattr; wpa_printf(MSG_DEBUG, "EAP-SIM: subtype Challenge"); data->reauth = 0; if (!attr->mac || !attr->rand) { wpa_printf(MSG_WARNING, "EAP-SIM: Challenge message " "did not include%s%s", !attr->mac ? " AT_MAC" : "", !attr->rand ? " AT_RAND" : ""); return eap_sim_client_error(sm, data, req, respDataLen, EAP_SIM_UNABLE_TO_PROCESS_PACKET); } wpa_printf(MSG_DEBUG, "EAP-SIM: %lu challenges", (unsigned long) attr->num_chal); if (attr->num_chal < data->min_num_chal) { wpa_printf(MSG_INFO, "EAP-SIM: Insufficient number of " "challenges (%lu)", (unsigned long) attr->num_chal); return eap_sim_client_error(sm, data, req, respDataLen, EAP_SIM_INSUFFICIENT_NUM_OF_CHAL); } if (attr->num_chal > 3) { wpa_printf(MSG_INFO, "EAP-SIM: Too many challenges " "(%lu)", (unsigned long) attr->num_chal); return eap_sim_client_error(sm, data, req, respDataLen, EAP_SIM_UNABLE_TO_PROCESS_PACKET); } /* Verify that RANDs are different */ if (memcmp(attr->rand, attr->rand + GSM_RAND_LEN, GSM_RAND_LEN) == 0 || (attr->num_chal > 2 && (memcmp(attr->rand, attr->rand + 2 * GSM_RAND_LEN, GSM_RAND_LEN) == 0 || memcmp(attr->rand + GSM_RAND_LEN, attr->rand + 2 * GSM_RAND_LEN, GSM_RAND_LEN) == 0))) { wpa_printf(MSG_INFO, "EAP-SIM: Same RAND used multiple times"); return eap_sim_client_error(sm, data, req, respDataLen, EAP_SIM_RAND_NOT_FRESH); } memcpy(data->rand, attr->rand, attr->num_chal * GSM_RAND_LEN); data->num_chal = attr->num_chal; if (eap_sim_gsm_auth(sm, data)) { wpa_printf(MSG_WARNING, "EAP-SIM: GSM authentication failed"); return eap_sim_client_error(sm, data, req, respDataLen, EAP_SIM_UNABLE_TO_PROCESS_PACKET); } if (data->last_eap_identity) { identity = data->last_eap_identity; identity_len = data->last_eap_identity_len; } else if (data->pseudonym) { identity = data->pseudonym; identity_len = data->pseudonym_len; } else { identity = config->identity; identity_len = config->identity_len; } wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Selected identity for MK " "derivation", identity, identity_len); eap_sim_derive_mk(data, identity, identity_len); eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut, data->msk); if (eap_sim_verify_mac(data->k_aut, (u8 *) req, reqDataLen, attr->mac, data->nonce_mt, EAP_SIM_NONCE_MT_LEN)) { wpa_printf(MSG_WARNING, "EAP-SIM: Challenge message " "used invalid AT_MAC"); return eap_sim_client_error(sm, data, req, respDataLen, EAP_SIM_UNABLE_TO_PROCESS_PACKET); } /* Old reauthentication and pseudonym identities must not be used * anymore. In other words, if no new identities are received, full * authentication will be used on next reauthentication. */ eap_sim_clear_identities(data, CLEAR_PSEUDONYM | CLEAR_REAUTH_ID | CLEAR_EAP_ID); if (attr->encr_data) { if (eap_sim_parse_encr(data->k_encr, attr->encr_data, attr->encr_data_len, attr->iv, &eattr, 0)) { return eap_sim_client_error( sm, data, req, respDataLen, EAP_SIM_UNABLE_TO_PROCESS_PACKET); } eap_sim_learn_ids(data, &eattr); } if (data->state != FAILURE) data->state = SUCCESS; data->num_id_req = 0; data->num_notification = 0; /* draft-haverinen-pppext-eap-sim-13.txt specifies that counter * is initialized to one after fullauth, but initializing it to * zero makes it easier to implement reauth verification. */ data->counter = 0; return eap_sim_response_challenge(sm, data, req, respDataLen); }
static struct wpabuf * eap_sim_process_challenge(struct eap_sm *sm, struct eap_sim_data *data, u8 id, const struct wpabuf *reqData, struct eap_sim_attrs *attr) { const u8 *identity; size_t identity_len; struct eap_sim_attrs eattr; wpa_printf(MSG_DEBUG, "EAP-SIM: subtype Challenge"); data->reauth = 0; if (!attr->mac || !attr->rand) { wpa_printf(MSG_WARNING, "EAP-SIM: Challenge message " "did not include%s%s", !attr->mac ? " AT_MAC" : "", !attr->rand ? " AT_RAND" : ""); return eap_sim_client_error(data, id, EAP_SIM_UNABLE_TO_PROCESS_PACKET); } wpa_printf(MSG_DEBUG, "EAP-SIM: %lu challenges", (unsigned long) attr->num_chal); if (attr->num_chal < data->min_num_chal) { wpa_printf(MSG_INFO, "EAP-SIM: Insufficient number of " "challenges (%lu)", (unsigned long) attr->num_chal); return eap_sim_client_error(data, id, EAP_SIM_INSUFFICIENT_NUM_OF_CHAL); } if (attr->num_chal > 3) { wpa_printf(MSG_INFO, "EAP-SIM: Too many challenges " "(%lu)", (unsigned long) attr->num_chal); return eap_sim_client_error(data, id, EAP_SIM_UNABLE_TO_PROCESS_PACKET); } /* Verify that RANDs are different */ if (os_memcmp(attr->rand, attr->rand + GSM_RAND_LEN, GSM_RAND_LEN) == 0 || (attr->num_chal > 2 && (os_memcmp(attr->rand, attr->rand + 2 * GSM_RAND_LEN, GSM_RAND_LEN) == 0 || os_memcmp(attr->rand + GSM_RAND_LEN, attr->rand + 2 * GSM_RAND_LEN, GSM_RAND_LEN) == 0))) { wpa_printf(MSG_INFO, "EAP-SIM: Same RAND used multiple times"); return eap_sim_client_error(data, id, EAP_SIM_RAND_NOT_FRESH); } os_memcpy(data->rand, attr->rand, attr->num_chal * GSM_RAND_LEN); data->num_chal = attr->num_chal; if (eap_sim_gsm_auth(sm, data)) { wpa_printf(MSG_WARNING, "EAP-SIM: GSM authentication failed"); return eap_sim_client_error(data, id, EAP_SIM_UNABLE_TO_PROCESS_PACKET); } if (data->last_eap_identity) { identity = data->last_eap_identity; identity_len = data->last_eap_identity_len; } else if (data->pseudonym) { identity = data->pseudonym; identity_len = data->pseudonym_len; } else identity = eap_get_config_identity(sm, &identity_len); wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Selected identity for MK " "derivation", identity, identity_len); eap_sim_derive_mk(identity, identity_len, data->nonce_mt, data->selected_version, data->ver_list, data->ver_list_len, data->num_chal, (const u8 *) data->kc, data->mk); eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut, data->msk, data->emsk); if (eap_sim_verify_mac(data->k_aut, reqData, attr->mac, data->nonce_mt, EAP_SIM_NONCE_MT_LEN)) { wpa_printf(MSG_WARNING, "EAP-SIM: Challenge message " "used invalid AT_MAC"); return eap_sim_client_error(data, id, EAP_SIM_UNABLE_TO_PROCESS_PACKET); } /* Old reauthentication identity must not be used anymore. In * other words, if no new reauth identity is received, full * authentication will be used on next reauthentication (using * pseudonym identity or permanent identity). */ eap_sim_clear_identities(data, CLEAR_REAUTH_ID | CLEAR_EAP_ID); if (attr->encr_data) { u8 *decrypted; decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data, attr->encr_data_len, attr->iv, &eattr, 0); if (decrypted == NULL) { return eap_sim_client_error( data, id, EAP_SIM_UNABLE_TO_PROCESS_PACKET); } eap_sim_learn_ids(sm, data, &eattr); os_free(decrypted); } if (data->result_ind && attr->result_ind) data->use_result_ind = 1; if (data->state != FAILURE && data->state != RESULT_FAILURE) { eap_sim_state(data, data->use_result_ind ? RESULT_SUCCESS : SUCCESS); } data->num_id_req = 0; data->num_notification = 0; /* RFC 4186 specifies that counter is initialized to one after * fullauth, but initializing it to zero makes it easier to implement * reauth verification. */ data->counter = 0; return eap_sim_response_challenge(data, id); }