2 * hostapd / EAP-AKA (RFC 4187) and EAP-AKA' (RFC 5448)
3 * Copyright (c) 2005-2012, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/sha256.h"
13 #include "crypto/crypto.h"
14 #include "crypto/random.h"
15 #include "eap_common/eap_sim_common.h"
16 #include "eap_server/eap_i.h"
17 #include "eap_server/eap_sim_db.h"
21 u8 mk
[EAP_SIM_MK_LEN
];
22 u8 nonce_s
[EAP_SIM_NONCE_S_LEN
];
23 u8 k_aut
[EAP_AKA_PRIME_K_AUT_LEN
];
24 u8 k_encr
[EAP_SIM_K_ENCR_LEN
];
25 u8 k_re
[EAP_AKA_PRIME_K_RE_LEN
]; /* EAP-AKA' only */
26 u8 msk
[EAP_SIM_KEYING_DATA_LEN
];
27 u8 emsk
[EAP_EMSK_LEN
];
28 u8 rand
[EAP_AKA_RAND_LEN
];
29 u8 autn
[EAP_AKA_AUTN_LEN
];
30 u8 ck
[EAP_AKA_CK_LEN
];
31 u8 ik
[EAP_AKA_IK_LEN
];
32 u8 res
[EAP_AKA_RES_MAX_LEN
];
35 IDENTITY
, CHALLENGE
, REAUTH
, NOTIFICATION
, SUCCESS
, FAILURE
40 struct eap_sim_reauth
*reauth
;
41 int auts_reported
; /* whether the current AUTS has been reported to the
46 struct wpabuf
*id_msgs
;
50 size_t network_name_len
;
53 char permanent
[20]; /* Permanent username */
57 static void eap_aka_fullauth(struct eap_sm
*sm
, struct eap_aka_data
*data
);
60 static const char * eap_aka_state_txt(int state
)
74 return "NOTIFICATION";
81 static void eap_aka_state(struct eap_aka_data
*data
, int state
)
83 wpa_printf(MSG_DEBUG
, "EAP-AKA: %s -> %s",
84 eap_aka_state_txt(data
->state
),
85 eap_aka_state_txt(state
));
90 static int eap_aka_check_identity_reauth(struct eap_sm
*sm
,
91 struct eap_aka_data
*data
,
94 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
&&
95 username
[0] != EAP_AKA_PRIME_REAUTH_ID_PREFIX
)
97 if (data
->eap_method
== EAP_TYPE_AKA
&&
98 username
[0] != EAP_AKA_REAUTH_ID_PREFIX
)
101 wpa_printf(MSG_DEBUG
, "EAP-AKA: Reauth username '%s'", username
);
102 data
->reauth
= eap_sim_db_get_reauth_entry(sm
->eap_sim_db_priv
,
104 if (data
->reauth
== NULL
) {
105 wpa_printf(MSG_DEBUG
, "EAP-AKA: Unknown reauth identity - "
106 "request full auth identity");
107 /* Remain in IDENTITY state for another round */
111 wpa_printf(MSG_DEBUG
, "EAP-AKA: Using fast re-authentication");
112 os_strlcpy(data
->permanent
, data
->reauth
->permanent
,
113 sizeof(data
->permanent
));
114 data
->counter
= data
->reauth
->counter
;
115 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
) {
116 os_memcpy(data
->k_encr
, data
->reauth
->k_encr
,
118 os_memcpy(data
->k_aut
, data
->reauth
->k_aut
,
119 EAP_AKA_PRIME_K_AUT_LEN
);
120 os_memcpy(data
->k_re
, data
->reauth
->k_re
,
121 EAP_AKA_PRIME_K_RE_LEN
);
123 os_memcpy(data
->mk
, data
->reauth
->mk
, EAP_SIM_MK_LEN
);
126 eap_aka_state(data
, REAUTH
);
131 static void eap_aka_check_identity(struct eap_sm
*sm
,
132 struct eap_aka_data
*data
)
136 /* Check if we already know the identity from EAP-Response/Identity */
138 username
= sim_get_username(sm
->identity
, sm
->identity_len
);
139 if (username
== NULL
)
142 if (eap_aka_check_identity_reauth(sm
, data
, username
) > 0) {
145 * Since re-auth username was recognized, skip AKA/Identity
151 if ((data
->eap_method
== EAP_TYPE_AKA_PRIME
&&
152 username
[0] == EAP_AKA_PRIME_PSEUDONYM_PREFIX
) ||
153 (data
->eap_method
== EAP_TYPE_AKA
&&
154 username
[0] == EAP_AKA_PSEUDONYM_PREFIX
)) {
155 const char *permanent
;
156 wpa_printf(MSG_DEBUG
, "EAP-AKA: Pseudonym username '%s'",
158 permanent
= eap_sim_db_get_permanent(
159 sm
->eap_sim_db_priv
, username
);
160 if (permanent
== NULL
) {
162 wpa_printf(MSG_DEBUG
, "EAP-AKA: Unknown pseudonym "
163 "identity - request permanent identity");
164 /* Remain in IDENTITY state for another round */
167 os_strlcpy(data
->permanent
, permanent
,
168 sizeof(data
->permanent
));
170 * Since pseudonym username was recognized, skip AKA/Identity
173 eap_aka_fullauth(sm
, data
);
180 static void * eap_aka_init(struct eap_sm
*sm
)
182 struct eap_aka_data
*data
;
184 if (sm
->eap_sim_db_priv
== NULL
) {
185 wpa_printf(MSG_WARNING
, "EAP-AKA: eap_sim_db not configured");
189 data
= os_zalloc(sizeof(*data
));
193 data
->eap_method
= EAP_TYPE_AKA
;
195 data
->state
= IDENTITY
;
196 data
->pending_id
= -1;
197 eap_aka_check_identity(sm
, data
);
203 #ifdef EAP_SERVER_AKA_PRIME
204 static void * eap_aka_prime_init(struct eap_sm
*sm
)
206 struct eap_aka_data
*data
;
207 /* TODO: make ANID configurable; see 3GPP TS 24.302 */
208 char *network_name
= "WLAN";
210 if (sm
->eap_sim_db_priv
== NULL
) {
211 wpa_printf(MSG_WARNING
, "EAP-AKA: eap_sim_db not configured");
215 data
= os_zalloc(sizeof(*data
));
219 data
->eap_method
= EAP_TYPE_AKA_PRIME
;
220 data
->network_name
= (u8
*) os_strdup(network_name
);
221 if (data
->network_name
== NULL
) {
226 data
->network_name_len
= os_strlen(network_name
);
228 data
->state
= IDENTITY
;
229 data
->pending_id
= -1;
230 eap_aka_check_identity(sm
, data
);
234 #endif /* EAP_SERVER_AKA_PRIME */
237 static void eap_aka_reset(struct eap_sm
*sm
, void *priv
)
239 struct eap_aka_data
*data
= priv
;
240 os_free(data
->next_pseudonym
);
241 os_free(data
->next_reauth_id
);
242 wpabuf_free(data
->id_msgs
);
243 os_free(data
->network_name
);
244 bin_clear_free(data
, sizeof(*data
));
248 static int eap_aka_add_id_msg(struct eap_aka_data
*data
,
249 const struct wpabuf
*msg
)
254 if (data
->id_msgs
== NULL
) {
255 data
->id_msgs
= wpabuf_dup(msg
);
256 return data
->id_msgs
== NULL
? -1 : 0;
259 if (wpabuf_resize(&data
->id_msgs
, wpabuf_len(msg
)) < 0)
261 wpabuf_put_buf(data
->id_msgs
, msg
);
267 static void eap_aka_add_checkcode(struct eap_aka_data
*data
,
268 struct eap_sim_msg
*msg
)
272 u8 hash
[SHA256_MAC_LEN
];
274 wpa_printf(MSG_DEBUG
, " AT_CHECKCODE");
276 if (data
->id_msgs
== NULL
) {
278 * No EAP-AKA/Identity packets were exchanged - send empty
281 eap_sim_msg_add(msg
, EAP_SIM_AT_CHECKCODE
, 0, NULL
, 0);
285 /* Checkcode is SHA1 hash over all EAP-AKA/Identity packets. */
286 addr
= wpabuf_head(data
->id_msgs
);
287 len
= wpabuf_len(data
->id_msgs
);
288 wpa_hexdump(MSG_MSGDUMP
, "EAP-AKA: AT_CHECKCODE data", addr
, len
);
289 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
)
290 sha256_vector(1, &addr
, &len
, hash
);
292 sha1_vector(1, &addr
, &len
, hash
);
294 eap_sim_msg_add(msg
, EAP_SIM_AT_CHECKCODE
, 0, hash
,
295 data
->eap_method
== EAP_TYPE_AKA_PRIME
?
296 EAP_AKA_PRIME_CHECKCODE_LEN
: EAP_AKA_CHECKCODE_LEN
);
300 static int eap_aka_verify_checkcode(struct eap_aka_data
*data
,
301 const u8
*checkcode
, size_t checkcode_len
)
305 u8 hash
[SHA256_MAC_LEN
];
308 if (checkcode
== NULL
)
311 if (data
->id_msgs
== NULL
) {
312 if (checkcode_len
!= 0) {
313 wpa_printf(MSG_DEBUG
, "EAP-AKA: Checkcode from peer "
314 "indicates that AKA/Identity messages were "
315 "used, but they were not");
321 hash_len
= data
->eap_method
== EAP_TYPE_AKA_PRIME
?
322 EAP_AKA_PRIME_CHECKCODE_LEN
: EAP_AKA_CHECKCODE_LEN
;
324 if (checkcode_len
!= hash_len
) {
325 wpa_printf(MSG_DEBUG
, "EAP-AKA: Checkcode from peer indicates "
326 "that AKA/Identity message were not used, but they "
331 /* Checkcode is SHA1 hash over all EAP-AKA/Identity packets. */
332 addr
= wpabuf_head(data
->id_msgs
);
333 len
= wpabuf_len(data
->id_msgs
);
334 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
)
335 sha256_vector(1, &addr
, &len
, hash
);
337 sha1_vector(1, &addr
, &len
, hash
);
339 if (os_memcmp_const(hash
, checkcode
, hash_len
) != 0) {
340 wpa_printf(MSG_DEBUG
, "EAP-AKA: Mismatch in AT_CHECKCODE");
348 static struct wpabuf
* eap_aka_build_identity(struct eap_sm
*sm
,
349 struct eap_aka_data
*data
, u8 id
)
351 struct eap_sim_msg
*msg
;
354 wpa_printf(MSG_DEBUG
, "EAP-AKA: Generating Identity");
355 msg
= eap_sim_msg_init(EAP_CODE_REQUEST
, id
, data
->eap_method
,
356 EAP_AKA_SUBTYPE_IDENTITY
);
357 data
->identity_round
++;
358 if (data
->identity_round
== 1) {
360 * RFC 4187, Chap. 4.1.4 recommends that identity from EAP is
361 * ignored and the AKA/Identity is used to request the
364 wpa_printf(MSG_DEBUG
, " AT_ANY_ID_REQ");
365 eap_sim_msg_add(msg
, EAP_SIM_AT_ANY_ID_REQ
, 0, NULL
, 0);
366 } else if (data
->identity_round
> 3) {
367 /* Cannot use more than three rounds of Identity messages */
368 eap_sim_msg_free(msg
);
370 } else if (sm
->identity
&& sm
->identity_len
> 0 &&
371 (sm
->identity
[0] == EAP_AKA_REAUTH_ID_PREFIX
||
372 sm
->identity
[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX
)) {
373 /* Reauth id may have expired - try fullauth */
374 wpa_printf(MSG_DEBUG
, " AT_FULLAUTH_ID_REQ");
375 eap_sim_msg_add(msg
, EAP_SIM_AT_FULLAUTH_ID_REQ
, 0, NULL
, 0);
377 wpa_printf(MSG_DEBUG
, " AT_PERMANENT_ID_REQ");
378 eap_sim_msg_add(msg
, EAP_SIM_AT_PERMANENT_ID_REQ
, 0, NULL
, 0);
380 buf
= eap_sim_msg_finish(msg
, data
->eap_method
, NULL
, NULL
, 0);
381 if (eap_aka_add_id_msg(data
, buf
) < 0) {
385 data
->pending_id
= id
;
390 static int eap_aka_build_encr(struct eap_sm
*sm
, struct eap_aka_data
*data
,
391 struct eap_sim_msg
*msg
, u16 counter
,
394 os_free(data
->next_pseudonym
);
395 if (nonce_s
== NULL
) {
396 data
->next_pseudonym
=
397 eap_sim_db_get_next_pseudonym(
399 data
->eap_method
== EAP_TYPE_AKA_PRIME
?
400 EAP_SIM_DB_AKA_PRIME
: EAP_SIM_DB_AKA
);
402 /* Do not update pseudonym during re-authentication */
403 data
->next_pseudonym
= NULL
;
405 os_free(data
->next_reauth_id
);
406 if (data
->counter
<= EAP_AKA_MAX_FAST_REAUTHS
) {
407 data
->next_reauth_id
=
408 eap_sim_db_get_next_reauth_id(
410 data
->eap_method
== EAP_TYPE_AKA_PRIME
?
411 EAP_SIM_DB_AKA_PRIME
: EAP_SIM_DB_AKA
);
413 wpa_printf(MSG_DEBUG
, "EAP-AKA: Max fast re-authentication "
414 "count exceeded - force full authentication");
415 data
->next_reauth_id
= NULL
;
418 if (data
->next_pseudonym
== NULL
&& data
->next_reauth_id
== NULL
&&
419 counter
== 0 && nonce_s
== NULL
)
422 wpa_printf(MSG_DEBUG
, " AT_IV");
423 wpa_printf(MSG_DEBUG
, " AT_ENCR_DATA");
424 eap_sim_msg_add_encr_start(msg
, EAP_SIM_AT_IV
, EAP_SIM_AT_ENCR_DATA
);
427 wpa_printf(MSG_DEBUG
, " *AT_COUNTER (%u)", counter
);
428 eap_sim_msg_add(msg
, EAP_SIM_AT_COUNTER
, counter
, NULL
, 0);
432 wpa_printf(MSG_DEBUG
, " *AT_NONCE_S");
433 eap_sim_msg_add(msg
, EAP_SIM_AT_NONCE_S
, 0, nonce_s
,
434 EAP_SIM_NONCE_S_LEN
);
437 if (data
->next_pseudonym
) {
438 wpa_printf(MSG_DEBUG
, " *AT_NEXT_PSEUDONYM (%s)",
439 data
->next_pseudonym
);
440 eap_sim_msg_add(msg
, EAP_SIM_AT_NEXT_PSEUDONYM
,
441 os_strlen(data
->next_pseudonym
),
442 (u8
*) data
->next_pseudonym
,
443 os_strlen(data
->next_pseudonym
));
446 if (data
->next_reauth_id
) {
447 wpa_printf(MSG_DEBUG
, " *AT_NEXT_REAUTH_ID (%s)",
448 data
->next_reauth_id
);
449 eap_sim_msg_add(msg
, EAP_SIM_AT_NEXT_REAUTH_ID
,
450 os_strlen(data
->next_reauth_id
),
451 (u8
*) data
->next_reauth_id
,
452 os_strlen(data
->next_reauth_id
));
455 if (eap_sim_msg_add_encr_end(msg
, data
->k_encr
, EAP_SIM_AT_PADDING
)) {
456 wpa_printf(MSG_WARNING
, "EAP-AKA: Failed to encrypt "
465 static struct wpabuf
* eap_aka_build_challenge(struct eap_sm
*sm
,
466 struct eap_aka_data
*data
,
469 struct eap_sim_msg
*msg
;
471 wpa_printf(MSG_DEBUG
, "EAP-AKA: Generating Challenge");
472 msg
= eap_sim_msg_init(EAP_CODE_REQUEST
, id
, data
->eap_method
,
473 EAP_AKA_SUBTYPE_CHALLENGE
);
474 wpa_printf(MSG_DEBUG
, " AT_RAND");
475 eap_sim_msg_add(msg
, EAP_SIM_AT_RAND
, 0, data
->rand
, EAP_AKA_RAND_LEN
);
476 wpa_printf(MSG_DEBUG
, " AT_AUTN");
477 eap_sim_msg_add(msg
, EAP_SIM_AT_AUTN
, 0, data
->autn
, EAP_AKA_AUTN_LEN
);
478 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
) {
480 /* Add the selected KDF into the beginning */
481 wpa_printf(MSG_DEBUG
, " AT_KDF");
482 eap_sim_msg_add(msg
, EAP_SIM_AT_KDF
, data
->kdf
,
485 wpa_printf(MSG_DEBUG
, " AT_KDF");
486 eap_sim_msg_add(msg
, EAP_SIM_AT_KDF
, EAP_AKA_PRIME_KDF
,
488 wpa_printf(MSG_DEBUG
, " AT_KDF_INPUT");
489 eap_sim_msg_add(msg
, EAP_SIM_AT_KDF_INPUT
,
490 data
->network_name_len
,
491 data
->network_name
, data
->network_name_len
);
494 if (eap_aka_build_encr(sm
, data
, msg
, 0, NULL
)) {
495 eap_sim_msg_free(msg
);
499 eap_aka_add_checkcode(data
, msg
);
501 if (sm
->eap_sim_aka_result_ind
) {
502 wpa_printf(MSG_DEBUG
, " AT_RESULT_IND");
503 eap_sim_msg_add(msg
, EAP_SIM_AT_RESULT_IND
, 0, NULL
, 0);
506 #ifdef EAP_SERVER_AKA_PRIME
507 if (data
->eap_method
== EAP_TYPE_AKA
) {
510 int aka_prime_preferred
= 0;
513 while (sm
->user
&& i
< EAP_MAX_METHODS
&&
514 (sm
->user
->methods
[i
].vendor
!= EAP_VENDOR_IETF
||
515 sm
->user
->methods
[i
].method
!= EAP_TYPE_NONE
)) {
516 if (sm
->user
->methods
[i
].vendor
== EAP_VENDOR_IETF
) {
517 if (sm
->user
->methods
[i
].method
==
520 if (sm
->user
->methods
[i
].method
==
521 EAP_TYPE_AKA_PRIME
) {
522 aka_prime_preferred
= 1;
529 if (aka_prime_preferred
)
530 flags
|= EAP_AKA_BIDDING_FLAG_D
;
531 eap_sim_msg_add(msg
, EAP_SIM_AT_BIDDING
, flags
, NULL
, 0);
533 #endif /* EAP_SERVER_AKA_PRIME */
535 wpa_printf(MSG_DEBUG
, " AT_MAC");
536 eap_sim_msg_add_mac(msg
, EAP_SIM_AT_MAC
);
537 return eap_sim_msg_finish(msg
, data
->eap_method
, data
->k_aut
, NULL
, 0);
541 static struct wpabuf
* eap_aka_build_reauth(struct eap_sm
*sm
,
542 struct eap_aka_data
*data
, u8 id
)
544 struct eap_sim_msg
*msg
;
546 wpa_printf(MSG_DEBUG
, "EAP-AKA: Generating Re-authentication");
548 if (random_get_bytes(data
->nonce_s
, EAP_SIM_NONCE_S_LEN
))
550 wpa_hexdump_key(MSG_MSGDUMP
, "EAP-AKA: NONCE_S",
551 data
->nonce_s
, EAP_SIM_NONCE_S_LEN
);
553 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
) {
554 eap_aka_prime_derive_keys_reauth(data
->k_re
, data
->counter
,
558 data
->msk
, data
->emsk
);
560 eap_sim_derive_keys(data
->mk
, data
->k_encr
, data
->k_aut
,
561 data
->msk
, data
->emsk
);
562 eap_sim_derive_keys_reauth(data
->counter
, sm
->identity
,
563 sm
->identity_len
, data
->nonce_s
,
564 data
->mk
, data
->msk
, data
->emsk
);
567 msg
= eap_sim_msg_init(EAP_CODE_REQUEST
, id
, data
->eap_method
,
568 EAP_AKA_SUBTYPE_REAUTHENTICATION
);
570 if (eap_aka_build_encr(sm
, data
, msg
, data
->counter
, data
->nonce_s
)) {
571 eap_sim_msg_free(msg
);
575 eap_aka_add_checkcode(data
, msg
);
577 if (sm
->eap_sim_aka_result_ind
) {
578 wpa_printf(MSG_DEBUG
, " AT_RESULT_IND");
579 eap_sim_msg_add(msg
, EAP_SIM_AT_RESULT_IND
, 0, NULL
, 0);
582 wpa_printf(MSG_DEBUG
, " AT_MAC");
583 eap_sim_msg_add_mac(msg
, EAP_SIM_AT_MAC
);
584 return eap_sim_msg_finish(msg
, data
->eap_method
, data
->k_aut
, NULL
, 0);
588 static struct wpabuf
* eap_aka_build_notification(struct eap_sm
*sm
,
589 struct eap_aka_data
*data
,
592 struct eap_sim_msg
*msg
;
594 wpa_printf(MSG_DEBUG
, "EAP-AKA: Generating Notification");
595 msg
= eap_sim_msg_init(EAP_CODE_REQUEST
, id
, data
->eap_method
,
596 EAP_AKA_SUBTYPE_NOTIFICATION
);
597 wpa_printf(MSG_DEBUG
, " AT_NOTIFICATION (%d)", data
->notification
);
598 eap_sim_msg_add(msg
, EAP_SIM_AT_NOTIFICATION
, data
->notification
,
600 if (data
->use_result_ind
) {
602 wpa_printf(MSG_DEBUG
, " AT_IV");
603 wpa_printf(MSG_DEBUG
, " AT_ENCR_DATA");
604 eap_sim_msg_add_encr_start(msg
, EAP_SIM_AT_IV
,
605 EAP_SIM_AT_ENCR_DATA
);
606 wpa_printf(MSG_DEBUG
, " *AT_COUNTER (%u)",
608 eap_sim_msg_add(msg
, EAP_SIM_AT_COUNTER
, data
->counter
,
611 if (eap_sim_msg_add_encr_end(msg
, data
->k_encr
,
612 EAP_SIM_AT_PADDING
)) {
613 wpa_printf(MSG_WARNING
, "EAP-AKA: Failed to "
614 "encrypt AT_ENCR_DATA");
615 eap_sim_msg_free(msg
);
620 wpa_printf(MSG_DEBUG
, " AT_MAC");
621 eap_sim_msg_add_mac(msg
, EAP_SIM_AT_MAC
);
623 return eap_sim_msg_finish(msg
, data
->eap_method
, data
->k_aut
, NULL
, 0);
627 static struct wpabuf
* eap_aka_buildReq(struct eap_sm
*sm
, void *priv
, u8 id
)
629 struct eap_aka_data
*data
= priv
;
631 data
->auts_reported
= 0;
632 switch (data
->state
) {
634 return eap_aka_build_identity(sm
, data
, id
);
636 return eap_aka_build_challenge(sm
, data
, id
);
638 return eap_aka_build_reauth(sm
, data
, id
);
640 return eap_aka_build_notification(sm
, data
, id
);
642 wpa_printf(MSG_DEBUG
, "EAP-AKA: Unknown state %d in "
643 "buildReq", data
->state
);
650 static Boolean
eap_aka_check(struct eap_sm
*sm
, void *priv
,
651 struct wpabuf
*respData
)
653 struct eap_aka_data
*data
= priv
;
657 pos
= eap_hdr_validate(EAP_VENDOR_IETF
, data
->eap_method
, respData
,
659 if (pos
== NULL
|| len
< 3) {
660 wpa_printf(MSG_INFO
, "EAP-AKA: Invalid frame");
668 static Boolean
eap_aka_subtype_ok(struct eap_aka_data
*data
, u8 subtype
)
670 if (subtype
== EAP_AKA_SUBTYPE_CLIENT_ERROR
||
671 subtype
== EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT
)
674 switch (data
->state
) {
676 if (subtype
!= EAP_AKA_SUBTYPE_IDENTITY
) {
677 wpa_printf(MSG_INFO
, "EAP-AKA: Unexpected response "
678 "subtype %d", subtype
);
683 if (subtype
!= EAP_AKA_SUBTYPE_CHALLENGE
&&
684 subtype
!= EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE
) {
685 wpa_printf(MSG_INFO
, "EAP-AKA: Unexpected response "
686 "subtype %d", subtype
);
691 if (subtype
!= EAP_AKA_SUBTYPE_REAUTHENTICATION
) {
692 wpa_printf(MSG_INFO
, "EAP-AKA: Unexpected response "
693 "subtype %d", subtype
);
698 if (subtype
!= EAP_AKA_SUBTYPE_NOTIFICATION
) {
699 wpa_printf(MSG_INFO
, "EAP-AKA: Unexpected response "
700 "subtype %d", subtype
);
705 wpa_printf(MSG_INFO
, "EAP-AKA: Unexpected state (%d) for "
706 "processing a response", data
->state
);
714 static void eap_aka_determine_identity(struct eap_sm
*sm
,
715 struct eap_aka_data
*data
)
719 wpa_hexdump_ascii(MSG_DEBUG
, "EAP-AKA: Identity",
720 sm
->identity
, sm
->identity_len
);
722 username
= sim_get_username(sm
->identity
, sm
->identity_len
);
723 if (username
== NULL
) {
724 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
725 eap_aka_state(data
, NOTIFICATION
);
729 if (eap_aka_check_identity_reauth(sm
, data
, username
) > 0) {
734 if (((data
->eap_method
== EAP_TYPE_AKA_PRIME
&&
735 username
[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX
) ||
736 (data
->eap_method
== EAP_TYPE_AKA
&&
737 username
[0] == EAP_AKA_REAUTH_ID_PREFIX
)) &&
738 data
->identity_round
== 1) {
739 /* Remain in IDENTITY state for another round to request full
740 * auth identity since we did not recognize reauth id */
745 if ((data
->eap_method
== EAP_TYPE_AKA_PRIME
&&
746 username
[0] == EAP_AKA_PRIME_PSEUDONYM_PREFIX
) ||
747 (data
->eap_method
== EAP_TYPE_AKA
&&
748 username
[0] == EAP_AKA_PSEUDONYM_PREFIX
)) {
749 const char *permanent
;
750 wpa_printf(MSG_DEBUG
, "EAP-AKA: Pseudonym username '%s'",
752 permanent
= eap_sim_db_get_permanent(
753 sm
->eap_sim_db_priv
, username
);
755 if (permanent
== NULL
) {
756 wpa_printf(MSG_DEBUG
, "EAP-AKA: Unknown pseudonym "
757 "identity - request permanent identity");
758 /* Remain in IDENTITY state for another round */
761 os_strlcpy(data
->permanent
, permanent
,
762 sizeof(data
->permanent
));
763 } else if ((data
->eap_method
== EAP_TYPE_AKA_PRIME
&&
764 username
[0] == EAP_AKA_PRIME_PERMANENT_PREFIX
) ||
765 (data
->eap_method
== EAP_TYPE_AKA
&&
766 username
[0] == EAP_AKA_PERMANENT_PREFIX
)) {
767 wpa_printf(MSG_DEBUG
, "EAP-AKA: Permanent username '%s'",
769 os_strlcpy(data
->permanent
, username
, sizeof(data
->permanent
));
772 wpa_printf(MSG_DEBUG
, "EAP-AKA: Unrecognized username '%s'",
775 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
776 eap_aka_state(data
, NOTIFICATION
);
780 eap_aka_fullauth(sm
, data
);
784 static void eap_aka_fullauth(struct eap_sm
*sm
, struct eap_aka_data
*data
)
789 res
= eap_sim_db_get_aka_auth(sm
->eap_sim_db_priv
, data
->permanent
,
790 data
->rand
, data
->autn
, data
->ik
,
791 data
->ck
, data
->res
, &data
->res_len
, sm
);
792 if (res
== EAP_SIM_DB_PENDING
) {
793 wpa_printf(MSG_DEBUG
, "EAP-AKA: AKA authentication data "
794 "not yet available - pending request");
795 sm
->method_pending
= METHOD_PENDING_WAIT
;
799 #ifdef EAP_SERVER_AKA_PRIME
800 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
) {
801 /* Note: AUTN = (SQN ^ AK) || AMF || MAC which gives us the
802 * needed 6-octet SQN ^AK for CK',IK' derivation */
803 eap_aka_prime_derive_ck_ik_prime(data
->ck
, data
->ik
,
806 data
->network_name_len
);
808 #endif /* EAP_SERVER_AKA_PRIME */
811 data
->counter
= 0; /* reset re-auth counter since this is full auth */
814 wpa_printf(MSG_INFO
, "EAP-AKA: Failed to get AKA "
815 "authentication data for the peer");
816 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
817 eap_aka_state(data
, NOTIFICATION
);
820 if (sm
->method_pending
== METHOD_PENDING_WAIT
) {
821 wpa_printf(MSG_DEBUG
, "EAP-AKA: AKA authentication data "
822 "available - abort pending wait");
823 sm
->method_pending
= METHOD_PENDING_NONE
;
826 identity_len
= sm
->identity_len
;
827 while (identity_len
> 0 && sm
->identity
[identity_len
- 1] == '\0') {
828 wpa_printf(MSG_DEBUG
, "EAP-AKA: Workaround - drop last null "
829 "character from identity");
832 wpa_hexdump_ascii(MSG_DEBUG
, "EAP-AKA: Identity for MK derivation",
833 sm
->identity
, identity_len
);
835 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
) {
836 eap_aka_prime_derive_keys(sm
->identity
, identity_len
, data
->ik
,
837 data
->ck
, data
->k_encr
, data
->k_aut
,
838 data
->k_re
, data
->msk
, data
->emsk
);
840 eap_aka_derive_mk(sm
->identity
, identity_len
, data
->ik
,
842 eap_sim_derive_keys(data
->mk
, data
->k_encr
, data
->k_aut
,
843 data
->msk
, data
->emsk
);
846 eap_aka_state(data
, CHALLENGE
);
850 static void eap_aka_process_identity(struct eap_sm
*sm
,
851 struct eap_aka_data
*data
,
852 struct wpabuf
*respData
,
853 struct eap_sim_attrs
*attr
)
857 wpa_printf(MSG_DEBUG
, "EAP-AKA: Processing Identity");
859 if (attr
->mac
|| attr
->iv
|| attr
->encr_data
) {
860 wpa_printf(MSG_WARNING
, "EAP-AKA: Unexpected attribute "
861 "received in EAP-Response/AKA-Identity");
862 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
863 eap_aka_state(data
, NOTIFICATION
);
868 * We always request identity with AKA/Identity, so the peer is
869 * required to have replied with one.
871 if (!attr
->identity
|| attr
->identity_len
== 0) {
872 wpa_printf(MSG_DEBUG
, "EAP-AKA: Peer did not provide any "
874 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
875 eap_aka_state(data
, NOTIFICATION
);
879 new_identity
= os_malloc(attr
->identity_len
);
880 if (new_identity
== NULL
) {
881 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
882 eap_aka_state(data
, NOTIFICATION
);
885 os_free(sm
->identity
);
886 sm
->identity
= new_identity
;
887 os_memcpy(sm
->identity
, attr
->identity
, attr
->identity_len
);
888 sm
->identity_len
= attr
->identity_len
;
890 eap_aka_determine_identity(sm
, data
);
891 if (eap_get_id(respData
) == data
->pending_id
) {
892 data
->pending_id
= -1;
893 eap_aka_add_id_msg(data
, respData
);
898 static int eap_aka_verify_mac(struct eap_aka_data
*data
,
899 const struct wpabuf
*req
,
900 const u8
*mac
, const u8
*extra
,
903 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
)
904 return eap_sim_verify_mac_sha256(data
->k_aut
, req
, mac
, extra
,
906 return eap_sim_verify_mac(data
->k_aut
, req
, mac
, extra
, extra_len
);
910 static void eap_aka_process_challenge(struct eap_sm
*sm
,
911 struct eap_aka_data
*data
,
912 struct wpabuf
*respData
,
913 struct eap_sim_attrs
*attr
)
915 wpa_printf(MSG_DEBUG
, "EAP-AKA: Processing Challenge");
917 #ifdef EAP_SERVER_AKA_PRIME
919 /* KDF negotiation; to be enabled only after more than one KDF is
921 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
&&
922 attr
->kdf_count
== 1 && attr
->mac
== NULL
) {
923 if (attr
->kdf
[0] != EAP_AKA_PRIME_KDF
) {
924 wpa_printf(MSG_WARNING
, "EAP-AKA': Peer selected "
927 EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
928 eap_aka_state(data
, NOTIFICATION
);
932 data
->kdf
= attr
->kdf
[0];
934 /* Allow negotiation to continue with the selected KDF by
935 * sending another Challenge message */
936 wpa_printf(MSG_DEBUG
, "EAP-AKA': KDF %d selected", data
->kdf
);
940 #endif /* EAP_SERVER_AKA_PRIME */
942 if (attr
->checkcode
&&
943 eap_aka_verify_checkcode(data
, attr
->checkcode
,
944 attr
->checkcode_len
)) {
945 wpa_printf(MSG_WARNING
, "EAP-AKA: Invalid AT_CHECKCODE in the "
947 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
948 eap_aka_state(data
, NOTIFICATION
);
951 if (attr
->mac
== NULL
||
952 eap_aka_verify_mac(data
, respData
, attr
->mac
, NULL
, 0)) {
953 wpa_printf(MSG_WARNING
, "EAP-AKA: Challenge message "
954 "did not include valid AT_MAC");
955 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
956 eap_aka_state(data
, NOTIFICATION
);
961 * AT_RES is padded, so verify that there is enough room for RES and
962 * that the RES length in bits matches with the expected RES.
964 if (attr
->res
== NULL
|| attr
->res_len
< data
->res_len
||
965 attr
->res_len_bits
!= data
->res_len
* 8 ||
966 os_memcmp_const(attr
->res
, data
->res
, data
->res_len
) != 0) {
967 wpa_printf(MSG_WARNING
, "EAP-AKA: Challenge message did not "
968 "include valid AT_RES (attr len=%lu, res len=%lu "
969 "bits, expected %lu bits)",
970 (unsigned long) attr
->res_len
,
971 (unsigned long) attr
->res_len_bits
,
972 (unsigned long) data
->res_len
* 8);
973 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
974 eap_aka_state(data
, NOTIFICATION
);
978 wpa_printf(MSG_DEBUG
, "EAP-AKA: Challenge response includes the "
980 if (sm
->eap_sim_aka_result_ind
&& attr
->result_ind
) {
981 data
->use_result_ind
= 1;
982 data
->notification
= EAP_SIM_SUCCESS
;
983 eap_aka_state(data
, NOTIFICATION
);
985 eap_aka_state(data
, SUCCESS
);
987 if (data
->next_pseudonym
) {
988 eap_sim_db_add_pseudonym(sm
->eap_sim_db_priv
, data
->permanent
,
989 data
->next_pseudonym
);
990 data
->next_pseudonym
= NULL
;
992 if (data
->next_reauth_id
) {
993 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
) {
994 #ifdef EAP_SERVER_AKA_PRIME
995 eap_sim_db_add_reauth_prime(sm
->eap_sim_db_priv
,
997 data
->next_reauth_id
,
999 data
->k_encr
, data
->k_aut
,
1001 #endif /* EAP_SERVER_AKA_PRIME */
1003 eap_sim_db_add_reauth(sm
->eap_sim_db_priv
,
1005 data
->next_reauth_id
,
1009 data
->next_reauth_id
= NULL
;
1014 static void eap_aka_process_sync_failure(struct eap_sm
*sm
,
1015 struct eap_aka_data
*data
,
1016 struct wpabuf
*respData
,
1017 struct eap_sim_attrs
*attr
)
1019 wpa_printf(MSG_DEBUG
, "EAP-AKA: Processing Synchronization-Failure");
1021 if (attr
->auts
== NULL
) {
1022 wpa_printf(MSG_WARNING
, "EAP-AKA: Synchronization-Failure "
1023 "message did not include valid AT_AUTS");
1024 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
1025 eap_aka_state(data
, NOTIFICATION
);
1029 /* Avoid re-reporting AUTS when processing pending EAP packet by
1030 * maintaining a local flag stating whether this AUTS has already been
1032 if (!data
->auts_reported
&&
1033 eap_sim_db_resynchronize(sm
->eap_sim_db_priv
, data
->permanent
,
1034 attr
->auts
, data
->rand
)) {
1035 wpa_printf(MSG_WARNING
, "EAP-AKA: Resynchronization failed");
1036 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
1037 eap_aka_state(data
, NOTIFICATION
);
1040 data
->auts_reported
= 1;
1042 /* Remain in CHALLENGE state to re-try after resynchronization */
1043 eap_aka_fullauth(sm
, data
);
1047 static void eap_aka_process_reauth(struct eap_sm
*sm
,
1048 struct eap_aka_data
*data
,
1049 struct wpabuf
*respData
,
1050 struct eap_sim_attrs
*attr
)
1052 struct eap_sim_attrs eattr
;
1053 u8
*decrypted
= NULL
;
1055 wpa_printf(MSG_DEBUG
, "EAP-AKA: Processing Reauthentication");
1057 if (attr
->mac
== NULL
||
1058 eap_aka_verify_mac(data
, respData
, attr
->mac
, data
->nonce_s
,
1059 EAP_SIM_NONCE_S_LEN
)) {
1060 wpa_printf(MSG_WARNING
, "EAP-AKA: Re-authentication message "
1061 "did not include valid AT_MAC");
1065 if (attr
->encr_data
== NULL
|| attr
->iv
== NULL
) {
1066 wpa_printf(MSG_WARNING
, "EAP-AKA: Reauthentication "
1067 "message did not include encrypted data");
1071 decrypted
= eap_sim_parse_encr(data
->k_encr
, attr
->encr_data
,
1072 attr
->encr_data_len
, attr
->iv
, &eattr
,
1074 if (decrypted
== NULL
) {
1075 wpa_printf(MSG_WARNING
, "EAP-AKA: Failed to parse encrypted "
1076 "data from reauthentication message");
1080 if (eattr
.counter
!= data
->counter
) {
1081 wpa_printf(MSG_WARNING
, "EAP-AKA: Re-authentication message "
1082 "used incorrect counter %u, expected %u",
1083 eattr
.counter
, data
->counter
);
1089 wpa_printf(MSG_DEBUG
, "EAP-AKA: Re-authentication response includes "
1090 "the correct AT_MAC");
1092 if (eattr
.counter_too_small
) {
1093 wpa_printf(MSG_DEBUG
, "EAP-AKA: Re-authentication response "
1094 "included AT_COUNTER_TOO_SMALL - starting full "
1096 eap_aka_fullauth(sm
, data
);
1100 if (sm
->eap_sim_aka_result_ind
&& attr
->result_ind
) {
1101 data
->use_result_ind
= 1;
1102 data
->notification
= EAP_SIM_SUCCESS
;
1103 eap_aka_state(data
, NOTIFICATION
);
1105 eap_aka_state(data
, SUCCESS
);
1107 if (data
->next_reauth_id
) {
1108 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
) {
1109 #ifdef EAP_SERVER_AKA_PRIME
1110 eap_sim_db_add_reauth_prime(sm
->eap_sim_db_priv
,
1112 data
->next_reauth_id
,
1114 data
->k_encr
, data
->k_aut
,
1116 #endif /* EAP_SERVER_AKA_PRIME */
1118 eap_sim_db_add_reauth(sm
->eap_sim_db_priv
,
1120 data
->next_reauth_id
,
1124 data
->next_reauth_id
= NULL
;
1126 eap_sim_db_remove_reauth(sm
->eap_sim_db_priv
, data
->reauth
);
1127 data
->reauth
= NULL
;
1133 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
1134 eap_aka_state(data
, NOTIFICATION
);
1135 eap_sim_db_remove_reauth(sm
->eap_sim_db_priv
, data
->reauth
);
1136 data
->reauth
= NULL
;
1141 static void eap_aka_process_client_error(struct eap_sm
*sm
,
1142 struct eap_aka_data
*data
,
1143 struct wpabuf
*respData
,
1144 struct eap_sim_attrs
*attr
)
1146 wpa_printf(MSG_DEBUG
, "EAP-AKA: Client reported error %d",
1147 attr
->client_error_code
);
1148 if (data
->notification
== EAP_SIM_SUCCESS
&& data
->use_result_ind
)
1149 eap_aka_state(data
, SUCCESS
);
1151 eap_aka_state(data
, FAILURE
);
1155 static void eap_aka_process_authentication_reject(
1156 struct eap_sm
*sm
, struct eap_aka_data
*data
,
1157 struct wpabuf
*respData
, struct eap_sim_attrs
*attr
)
1159 wpa_printf(MSG_DEBUG
, "EAP-AKA: Client rejected authentication");
1160 eap_aka_state(data
, FAILURE
);
1164 static void eap_aka_process_notification(struct eap_sm
*sm
,
1165 struct eap_aka_data
*data
,
1166 struct wpabuf
*respData
,
1167 struct eap_sim_attrs
*attr
)
1169 wpa_printf(MSG_DEBUG
, "EAP-AKA: Client replied to notification");
1170 if (data
->notification
== EAP_SIM_SUCCESS
&& data
->use_result_ind
)
1171 eap_aka_state(data
, SUCCESS
);
1173 eap_aka_state(data
, FAILURE
);
1177 static void eap_aka_process(struct eap_sm
*sm
, void *priv
,
1178 struct wpabuf
*respData
)
1180 struct eap_aka_data
*data
= priv
;
1181 const u8
*pos
, *end
;
1184 struct eap_sim_attrs attr
;
1186 pos
= eap_hdr_validate(EAP_VENDOR_IETF
, data
->eap_method
, respData
,
1188 if (pos
== NULL
|| len
< 3)
1195 if (eap_aka_subtype_ok(data
, subtype
)) {
1196 wpa_printf(MSG_DEBUG
, "EAP-AKA: Unrecognized or unexpected "
1197 "EAP-AKA Subtype in EAP Response");
1198 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
1199 eap_aka_state(data
, NOTIFICATION
);
1203 if (eap_sim_parse_attr(pos
, end
, &attr
,
1204 data
->eap_method
== EAP_TYPE_AKA_PRIME
? 2 : 1,
1206 wpa_printf(MSG_DEBUG
, "EAP-AKA: Failed to parse attributes");
1207 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
1208 eap_aka_state(data
, NOTIFICATION
);
1212 if (subtype
== EAP_AKA_SUBTYPE_CLIENT_ERROR
) {
1213 eap_aka_process_client_error(sm
, data
, respData
, &attr
);
1217 if (subtype
== EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT
) {
1218 eap_aka_process_authentication_reject(sm
, data
, respData
,
1223 switch (data
->state
) {
1225 eap_aka_process_identity(sm
, data
, respData
, &attr
);
1228 if (subtype
== EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE
) {
1229 eap_aka_process_sync_failure(sm
, data
, respData
,
1232 eap_aka_process_challenge(sm
, data
, respData
, &attr
);
1236 eap_aka_process_reauth(sm
, data
, respData
, &attr
);
1239 eap_aka_process_notification(sm
, data
, respData
, &attr
);
1242 wpa_printf(MSG_DEBUG
, "EAP-AKA: Unknown state %d in "
1243 "process", data
->state
);
1249 static Boolean
eap_aka_isDone(struct eap_sm
*sm
, void *priv
)
1251 struct eap_aka_data
*data
= priv
;
1252 return data
->state
== SUCCESS
|| data
->state
== FAILURE
;
1256 static u8
* eap_aka_getKey(struct eap_sm
*sm
, void *priv
, size_t *len
)
1258 struct eap_aka_data
*data
= priv
;
1261 if (data
->state
!= SUCCESS
)
1264 key
= os_malloc(EAP_SIM_KEYING_DATA_LEN
);
1267 os_memcpy(key
, data
->msk
, EAP_SIM_KEYING_DATA_LEN
);
1268 *len
= EAP_SIM_KEYING_DATA_LEN
;
1273 static u8
* eap_aka_get_emsk(struct eap_sm
*sm
, void *priv
, size_t *len
)
1275 struct eap_aka_data
*data
= priv
;
1278 if (data
->state
!= SUCCESS
)
1281 key
= os_malloc(EAP_EMSK_LEN
);
1284 os_memcpy(key
, data
->emsk
, EAP_EMSK_LEN
);
1285 *len
= EAP_EMSK_LEN
;
1290 static Boolean
eap_aka_isSuccess(struct eap_sm
*sm
, void *priv
)
1292 struct eap_aka_data
*data
= priv
;
1293 return data
->state
== SUCCESS
;
1297 static u8
* eap_aka_get_session_id(struct eap_sm
*sm
, void *priv
, size_t *len
)
1299 struct eap_aka_data
*data
= priv
;
1302 if (data
->state
!= SUCCESS
)
1305 *len
= 1 + EAP_AKA_RAND_LEN
+ EAP_AKA_AUTN_LEN
;
1306 id
= os_malloc(*len
);
1310 id
[0] = data
->eap_method
;
1311 os_memcpy(id
+ 1, data
->rand
, EAP_AKA_RAND_LEN
);
1312 os_memcpy(id
+ 1 + EAP_AKA_RAND_LEN
, data
->autn
, EAP_AKA_AUTN_LEN
);
1313 wpa_hexdump(MSG_DEBUG
, "EAP-AKA: Derived Session-Id", id
, *len
);
1319 int eap_server_aka_register(void)
1321 struct eap_method
*eap
;
1323 eap
= eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION
,
1324 EAP_VENDOR_IETF
, EAP_TYPE_AKA
, "AKA");
1328 eap
->init
= eap_aka_init
;
1329 eap
->reset
= eap_aka_reset
;
1330 eap
->buildReq
= eap_aka_buildReq
;
1331 eap
->check
= eap_aka_check
;
1332 eap
->process
= eap_aka_process
;
1333 eap
->isDone
= eap_aka_isDone
;
1334 eap
->getKey
= eap_aka_getKey
;
1335 eap
->isSuccess
= eap_aka_isSuccess
;
1336 eap
->get_emsk
= eap_aka_get_emsk
;
1337 eap
->getSessionId
= eap_aka_get_session_id
;
1339 return eap_server_method_register(eap
);
1343 #ifdef EAP_SERVER_AKA_PRIME
1344 int eap_server_aka_prime_register(void)
1346 struct eap_method
*eap
;
1348 eap
= eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION
,
1349 EAP_VENDOR_IETF
, EAP_TYPE_AKA_PRIME
,
1354 eap
->init
= eap_aka_prime_init
;
1355 eap
->reset
= eap_aka_reset
;
1356 eap
->buildReq
= eap_aka_buildReq
;
1357 eap
->check
= eap_aka_check
;
1358 eap
->process
= eap_aka_process
;
1359 eap
->isDone
= eap_aka_isDone
;
1360 eap
->getKey
= eap_aka_getKey
;
1361 eap
->isSuccess
= eap_aka_isSuccess
;
1362 eap
->get_emsk
= eap_aka_get_emsk
;
1363 eap
->getSessionId
= eap_aka_get_session_id
;
1365 return eap_server_method_register(eap
);
1367 #endif /* EAP_SERVER_AKA_PRIME */