Lines Matching full:data
59 static void eap_aka_fullauth(struct eap_sm *sm, struct eap_aka_data *data);
83 static void eap_aka_state(struct eap_aka_data *data, int state)
86 eap_aka_state_txt(data->state),
88 data->state = state;
93 struct eap_aka_data *data,
96 if (data->eap_method == EAP_TYPE_AKA_PRIME &&
99 if (data->eap_method == EAP_TYPE_AKA &&
104 data->reauth = eap_sim_db_get_reauth_entry(sm->cfg->eap_sim_db_priv,
106 if (data->reauth == NULL) {
113 if (data->reauth->counter > sm->cfg->eap_sim_aka_fast_reauth_limit) {
119 os_strlcpy(data->permanent, data->reauth->permanent,
120 sizeof(data->permanent));
122 data->reauth->permanent,
125 data->reauth);
126 data->reauth = NULL;
127 eap_aka_fullauth(sm, data);
135 data->reauth->counter);
136 os_strlcpy(data->permanent, data->reauth->permanent,
137 sizeof(data->permanent));
138 data->counter = data->reauth->counter;
139 if (data->eap_method == EAP_TYPE_AKA_PRIME) {
140 os_memcpy(data->k_encr, data->reauth->k_encr,
142 os_memcpy(data->k_aut, data->reauth->k_aut,
144 os_memcpy(data->k_re, data->reauth->k_re,
147 os_memcpy(data->mk, data->reauth->mk, EAP_SIM_MK_LEN);
150 eap_aka_state(data, REAUTH);
156 struct eap_aka_data *data)
173 if (eap_aka_check_identity_reauth(sm, data, username) > 0) {
182 if (sm->sim_aka_permanent[0] && data->state == IDENTITY) {
186 os_strlcpy(data->permanent, sm->sim_aka_permanent,
187 sizeof(data->permanent));
188 eap_aka_fullauth(sm, data);
192 if ((data->eap_method == EAP_TYPE_AKA_PRIME &&
194 (data->eap_method == EAP_TYPE_AKA &&
208 os_strlcpy(data->permanent, permanent,
209 sizeof(data->permanent));
214 eap_aka_fullauth(sm, data);
223 struct eap_aka_data *data;
230 data = os_zalloc(sizeof(*data));
231 if (data == NULL)
234 data->eap_method = EAP_TYPE_AKA;
236 data->state = IDENTITY;
237 data->pending_id = -1;
238 eap_aka_check_identity(sm, data);
240 return data;
247 struct eap_aka_data *data;
256 data = os_zalloc(sizeof(*data));
257 if (data == NULL)
260 data->eap_method = EAP_TYPE_AKA_PRIME;
261 data->network_name = (u8 *) os_strdup(network_name);
262 if (data->network_name == NULL) {
263 os_free(data);
267 data->network_name_len = os_strlen(network_name);
269 data->state = IDENTITY;
270 data->pending_id = -1;
271 eap_aka_check_identity(sm, data);
273 return data;
280 struct eap_aka_data *data = priv;
281 os_free(data->next_pseudonym);
282 os_free(data->next_reauth_id);
283 wpabuf_free(data->id_msgs);
284 os_free(data->network_name);
285 bin_clear_free(data, sizeof(*data));
289 static int eap_aka_add_id_msg(struct eap_aka_data *data,
295 if (data->id_msgs == NULL) {
296 data->id_msgs = wpabuf_dup(msg);
297 return data->id_msgs == NULL ? -1 : 0;
300 if (wpabuf_resize(&data->id_msgs, wpabuf_len(msg)) < 0)
302 wpabuf_put_buf(data->id_msgs, msg);
308 static void eap_aka_add_checkcode(struct eap_aka_data *data,
317 if (data->id_msgs == NULL) {
327 addr = wpabuf_head(data->id_msgs);
328 len = wpabuf_len(data->id_msgs);
329 wpa_hexdump(MSG_MSGDUMP, "EAP-AKA: AT_CHECKCODE data", addr, len);
330 if (data->eap_method == EAP_TYPE_AKA_PRIME)
336 data->eap_method == EAP_TYPE_AKA_PRIME ?
341 static int eap_aka_verify_checkcode(struct eap_aka_data *data,
352 if (data->id_msgs == NULL) {
362 hash_len = data->eap_method == EAP_TYPE_AKA_PRIME ?
373 addr = wpabuf_head(data->id_msgs);
374 len = wpabuf_len(data->id_msgs);
375 if (data->eap_method == EAP_TYPE_AKA_PRIME)
390 struct eap_aka_data *data, u8 id)
396 msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method,
398 data->identity_round++;
399 if (data->identity_round == 1) {
407 } else if (data->identity_round > 3) {
421 buf = eap_sim_msg_finish(msg, data->eap_method, NULL, NULL, 0);
422 if (eap_aka_add_id_msg(data, buf) < 0) {
426 data->pending_id = id;
431 static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
435 os_free(data->next_pseudonym);
438 data->next_pseudonym = NULL;
440 data->next_pseudonym =
443 data->eap_method == EAP_TYPE_AKA_PRIME ?
447 data->next_pseudonym = NULL;
449 os_free(data->next_reauth_id);
452 data->next_reauth_id = NULL;
453 } else if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
454 data->next_reauth_id =
457 data->eap_method == EAP_TYPE_AKA_PRIME ?
462 data->next_reauth_id = NULL;
465 if (data->next_pseudonym == NULL && data->next_reauth_id == NULL &&
484 if (data->next_pseudonym) {
486 data->next_pseudonym);
488 os_strlen(data->next_pseudonym),
489 (u8 *) data->next_pseudonym,
490 os_strlen(data->next_pseudonym));
493 if (data->next_reauth_id) {
495 data->next_reauth_id);
497 os_strlen(data->next_reauth_id),
498 (u8 *) data->next_reauth_id,
499 os_strlen(data->next_reauth_id));
502 if (eap_sim_msg_add_encr_end(msg, data->k_encr, EAP_SIM_AT_PADDING)) {
513 struct eap_aka_data *data,
519 msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method,
522 eap_sim_msg_add(msg, EAP_SIM_AT_RAND, 0, data->rand, EAP_AKA_RAND_LEN);
524 eap_sim_msg_add(msg, EAP_SIM_AT_AUTN, 0, data->autn, EAP_AKA_AUTN_LEN);
525 if (data->eap_method == EAP_TYPE_AKA_PRIME) {
526 if (data->kdf) {
529 eap_sim_msg_add(msg, EAP_SIM_AT_KDF, data->kdf,
537 data->network_name_len,
538 data->network_name, data->network_name_len);
541 if (eap_aka_build_encr(sm, data, msg, 0, NULL)) {
546 eap_aka_add_checkcode(data, msg);
554 if (data->eap_method == EAP_TYPE_AKA) {
584 return eap_sim_msg_finish(msg, data->eap_method, data->k_aut, NULL, 0);
589 struct eap_aka_data *data, u8 id)
596 if (random_get_bytes(data->nonce_s, EAP_SIM_NONCE_S_LEN))
599 data->nonce_s, EAP_SIM_NONCE_S_LEN);
601 if (data->eap_method == EAP_TYPE_AKA_PRIME) {
602 eap_aka_prime_derive_keys_reauth(data->k_re, data->counter,
605 data->nonce_s,
606 data->msk, data->emsk);
608 eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut,
609 data->msk, data->emsk);
610 eap_sim_derive_keys_reauth(data->counter, sm->identity,
611 sm->identity_len, data->nonce_s,
612 data->mk, data->msk, data->emsk);
615 msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method,
618 if (eap_aka_build_encr(sm, data, msg, data->counter, data->nonce_s)) {
623 eap_aka_add_checkcode(data, msg);
632 buf = eap_sim_msg_finish(msg, data->eap_method, data->k_aut, NULL, 0);
637 os_memcpy(data->reauth_mac,
646 struct eap_aka_data *data,
652 msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method,
654 wpa_printf(MSG_DEBUG, " AT_NOTIFICATION (%d)", data->notification);
655 eap_sim_msg_add(msg, EAP_SIM_AT_NOTIFICATION, data->notification,
657 if (data->use_result_ind) {
658 if (data->reauth) {
664 data->counter);
665 eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, data->counter,
668 if (eap_sim_msg_add_encr_end(msg, data->k_encr,
680 return eap_sim_msg_finish(msg, data->eap_method, data->k_aut, NULL, 0);
686 struct eap_aka_data *data = priv;
688 data->auts_reported = 0;
689 switch (data->state) {
691 return eap_aka_build_identity(sm, data, id);
693 return eap_aka_build_challenge(sm, data, id);
695 return eap_aka_build_reauth(sm, data, id);
697 return eap_aka_build_notification(sm, data, id);
700 "buildReq", data->state);
710 struct eap_aka_data *data = priv;
714 pos = eap_hdr_validate(EAP_VENDOR_IETF, data->eap_method, respData,
725 static bool eap_aka_subtype_ok(struct eap_aka_data *data, u8 subtype)
731 switch (data->state) {
763 "processing a response", data->state);
772 struct eap_aka_data *data)
783 if (eap_aka_check_identity_reauth(sm, data, username) > 0) {
788 if (((data->eap_method == EAP_TYPE_AKA_PRIME &&
790 (data->eap_method == EAP_TYPE_AKA &&
792 data->identity_round == 1) {
799 if ((data->eap_method == EAP_TYPE_AKA_PRIME &&
801 (data->eap_method == EAP_TYPE_AKA &&
815 os_strlcpy(data->permanent, permanent,
816 sizeof(data->permanent));
817 } else if ((data->eap_method == EAP_TYPE_AKA_PRIME &&
819 (data->eap_method == EAP_TYPE_AKA &&
823 os_strlcpy(data->permanent, username, sizeof(data->permanent));
889 os_strlcpy(data->permanent, username, sizeof(data->permanent));
900 eap_aka_fullauth(sm, data);
904 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
905 eap_aka_state(data, NOTIFICATION);
909 static void eap_aka_fullauth(struct eap_sm *sm, struct eap_aka_data *data)
914 res = eap_sim_db_get_aka_auth(sm->cfg->eap_sim_db_priv, data->permanent,
915 data->rand, data->autn, data->ik,
916 data->ck, data->res, &data->res_len, sm);
918 wpa_printf(MSG_DEBUG, "EAP-AKA: AKA authentication data "
924 if (data->permanent[0] == EAP_AKA_PERMANENT_PREFIX ||
925 data->permanent[0] == EAP_AKA_PRIME_PERMANENT_PREFIX)
926 os_strlcpy(sm->imsi, &data->permanent[1], sizeof(sm->imsi));
929 if (data->eap_method == EAP_TYPE_AKA_PRIME) {
932 eap_aka_prime_derive_ck_ik_prime(data->ck, data->ik,
933 data->autn,
934 data->network_name,
935 data->network_name_len);
939 data->reauth = NULL;
940 data->counter = 0; /* reset re-auth counter since this is full auth */
944 "authentication data for the peer");
945 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
946 eap_aka_state(data, NOTIFICATION);
950 wpa_printf(MSG_DEBUG, "EAP-AKA: AKA authentication data "
964 if (data->eap_method == EAP_TYPE_AKA_PRIME) {
965 eap_aka_prime_derive_keys(sm->identity, identity_len, data->ik,
966 data->ck, data->k_encr, data->k_aut,
967 data->k_re, data->msk, data->emsk);
969 eap_aka_derive_mk(sm->identity, identity_len, data->ik,
970 data->ck, data->mk);
971 eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut,
972 data->msk, data->emsk);
975 eap_aka_state(data, CHALLENGE);
980 struct eap_aka_data *data,
991 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
992 eap_aka_state(data, NOTIFICATION);
1003 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1004 eap_aka_state(data, NOTIFICATION);
1010 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1011 eap_aka_state(data, NOTIFICATION);
1019 eap_aka_determine_identity(sm, data);
1020 if (eap_get_id(respData) == data->pending_id) {
1021 data->pending_id = -1;
1022 eap_aka_add_id_msg(data, respData);
1027 static int eap_aka_verify_mac(struct eap_aka_data *data,
1032 if (data->eap_method == EAP_TYPE_AKA_PRIME)
1033 return eap_sim_verify_mac_sha256(data->k_aut, req, mac, extra,
1035 return eap_sim_verify_mac(data->k_aut, req, mac, extra, extra_len);
1040 struct eap_aka_data *data,
1050 if (data->eap_method == EAP_TYPE_AKA_PRIME &&
1055 data->notification =
1057 eap_aka_state(data, NOTIFICATION);
1061 data->kdf = attr->kdf[0];
1065 wpa_printf(MSG_DEBUG, "EAP-AKA': KDF %d selected", data->kdf);
1072 eap_aka_verify_checkcode(data, attr->checkcode,
1076 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1077 eap_aka_state(data, NOTIFICATION);
1081 eap_aka_verify_mac(data, respData, attr->mac, NULL, 0)) {
1084 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1085 eap_aka_state(data, NOTIFICATION);
1093 if (attr->res == NULL || attr->res_len < data->res_len ||
1094 attr->res_len_bits != data->res_len * 8 ||
1095 os_memcmp_const(attr->res, data->res, data->res_len) != 0) {
1101 (unsigned long) data->res_len * 8);
1102 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1103 eap_aka_state(data, NOTIFICATION);
1110 data->use_result_ind = 1;
1111 data->notification = EAP_SIM_SUCCESS;
1112 eap_aka_state(data, NOTIFICATION);
1114 eap_aka_state(data, SUCCESS);
1116 if (data->next_pseudonym) {
1118 data->permanent,
1119 data->next_pseudonym);
1120 data->next_pseudonym = NULL;
1122 if (data->next_reauth_id) {
1123 if (data->eap_method == EAP_TYPE_AKA_PRIME) {
1126 data->permanent,
1127 data->next_reauth_id,
1128 data->counter + 1,
1129 data->k_encr, data->k_aut,
1130 data->k_re);
1134 data->permanent,
1135 data->next_reauth_id,
1136 data->counter + 1,
1137 data->mk);
1139 data->next_reauth_id = NULL;
1145 struct eap_aka_data *data,
1154 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1155 eap_aka_state(data, NOTIFICATION);
1162 if (!data->auts_reported &&
1163 eap_sim_db_resynchronize(sm->cfg->eap_sim_db_priv, data->permanent,
1164 attr->auts, data->rand)) {
1166 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1167 eap_aka_state(data, NOTIFICATION);
1170 data->auts_reported = 1;
1173 eap_aka_fullauth(sm, data);
1178 struct eap_aka_data *data,
1188 eap_aka_verify_mac(data, respData, attr->mac, data->nonce_s,
1197 "message did not include encrypted data");
1201 decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,
1206 "data from reauthentication message");
1210 if (eattr.counter != data->counter) {
1213 eattr.counter, data->counter);
1226 eap_aka_fullauth(sm, data);
1231 data->use_result_ind = 1;
1232 data->notification = EAP_SIM_SUCCESS;
1233 eap_aka_state(data, NOTIFICATION);
1235 eap_aka_state(data, SUCCESS);
1237 if (data->next_reauth_id) {
1238 if (data->eap_method == EAP_TYPE_AKA_PRIME) {
1241 data->permanent,
1242 data->next_reauth_id,
1243 data->counter + 1,
1244 data->k_encr, data->k_aut,
1245 data->k_re);
1249 data->permanent,
1250 data->next_reauth_id,
1251 data->counter + 1,
1252 data->mk);
1254 data->next_reauth_id = NULL;
1257 data->reauth);
1258 data->reauth = NULL;
1264 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1265 eap_aka_state(data, NOTIFICATION);
1266 eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv, data->reauth);
1267 data->reauth = NULL;
1273 struct eap_aka_data *data,
1279 if (data->notification == EAP_SIM_SUCCESS && data->use_result_ind)
1280 eap_aka_state(data, SUCCESS);
1282 eap_aka_state(data, FAILURE);
1287 struct eap_sm *sm, struct eap_aka_data *data,
1291 eap_aka_state(data, FAILURE);
1296 struct eap_aka_data *data,
1301 if (data->notification == EAP_SIM_SUCCESS && data->use_result_ind)
1302 eap_aka_state(data, SUCCESS);
1304 eap_aka_state(data, FAILURE);
1311 struct eap_aka_data *data = priv;
1317 pos = eap_hdr_validate(EAP_VENDOR_IETF, data->eap_method, respData,
1326 if (eap_aka_subtype_ok(data, subtype)) {
1329 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1330 eap_aka_state(data, NOTIFICATION);
1335 data->eap_method == EAP_TYPE_AKA_PRIME ? 2 : 1,
1338 data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
1339 eap_aka_state(data, NOTIFICATION);
1344 eap_aka_process_client_error(sm, data, respData, &attr);
1349 eap_aka_process_authentication_reject(sm, data, respData,
1354 switch (data->state) {
1356 eap_aka_process_identity(sm, data, respData, &attr);
1360 eap_aka_process_sync_failure(sm, data, respData,
1363 eap_aka_process_challenge(sm, data, respData, &attr);
1367 eap_aka_process_reauth(sm, data, respData, &attr);
1370 eap_aka_process_notification(sm, data, respData, &attr);
1374 "process", data->state);
1382 struct eap_aka_data *data = priv;
1383 return data->state == SUCCESS || data->state == FAILURE;
1389 struct eap_aka_data *data = priv;
1392 if (data->state != SUCCESS)
1395 key = os_memdup(data->msk, EAP_SIM_KEYING_DATA_LEN);
1405 struct eap_aka_data *data = priv;
1408 if (data->state != SUCCESS)
1411 key = os_memdup(data->emsk, EAP_EMSK_LEN);
1421 struct eap_aka_data *data = priv;
1422 return data->state == SUCCESS;
1428 struct eap_aka_data *data = priv;
1431 if (data->state != SUCCESS)
1434 if (!data->reauth)
1442 id[0] = data->eap_method;
1443 if (!data->reauth) {
1444 os_memcpy(id + 1, data->rand, EAP_AKA_RAND_LEN);
1445 os_memcpy(id + 1 + EAP_AKA_RAND_LEN, data->autn,
1448 os_memcpy(id + 1, data->nonce_s, EAP_SIM_NONCE_S_LEN);
1449 os_memcpy(id + 1 + EAP_SIM_NONCE_S_LEN, data->reauth_mac,