]> git.ipfire.org Git - thirdparty/hostap.git/blob - hostapd/hlr_auc_gw.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
hlr_auc_gw: Remove unnecessary assignment
[thirdparty/hostap.git] / hostapd / hlr_auc_gw.c
1 /*
2 * HLR/AuC testing gateway for hostapd EAP-SIM/AKA database/authenticator
3 * Copyright (c) 2005-2007, 2012-2013, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 *
8 * This is an example implementation of the EAP-SIM/AKA database/authentication
9 * gateway interface to HLR/AuC. It is expected to be replaced with an
10 * implementation of SS7 gateway to GSM/UMTS authentication center (HLR/AuC) or
11 * a local implementation of SIM triplet and AKA authentication data generator.
12 *
13 * hostapd will send SIM/AKA authentication queries over a UNIX domain socket
14 * to and external program, e.g., this hlr_auc_gw. This interface uses simple
15 * text-based format:
16 *
17 * EAP-SIM / GSM triplet query/response:
18 * SIM-REQ-AUTH <IMSI> <max_chal>
19 * SIM-RESP-AUTH <IMSI> Kc1:SRES1:RAND1 Kc2:SRES2:RAND2 [Kc3:SRES3:RAND3]
20 * SIM-RESP-AUTH <IMSI> FAILURE
21 * GSM-AUTH-REQ <IMSI> RAND1:RAND2[:RAND3]
22 * GSM-AUTH-RESP <IMSI> Kc1:SRES1:Kc2:SRES2[:Kc3:SRES3]
23 * GSM-AUTH-RESP <IMSI> FAILURE
24 *
25 * EAP-AKA / UMTS query/response:
26 * AKA-REQ-AUTH <IMSI>
27 * AKA-RESP-AUTH <IMSI> <RAND> <AUTN> <IK> <CK> <RES>
28 * AKA-RESP-AUTH <IMSI> FAILURE
29 *
30 * EAP-AKA / UMTS AUTS (re-synchronization):
31 * AKA-AUTS <IMSI> <AUTS> <RAND>
32 *
33 * IMSI and max_chal are sent as an ASCII string,
34 * Kc/SRES/RAND/AUTN/IK/CK/RES/AUTS as hex strings.
35 *
36 * An example implementation here reads GSM authentication triplets from a
37 * text file in IMSI:Kc:SRES:RAND format, IMSI in ASCII, other fields as hex
38 * strings. This is used to simulate an HLR/AuC. As such, it is not very useful
39 * for real life authentication, but it is useful both as an example
40 * implementation and for EAP-SIM/AKA/AKA' testing.
41 *
42 * For a stronger example design, Milenage and GSM-Milenage algorithms can be
43 * used to dynamically generate authenticatipn information for EAP-AKA/AKA' and
44 * EAP-SIM, respectively, if Ki is known.
45 *
46 * SQN generation follows the not time-based Profile 2 described in
47 * 3GPP TS 33.102 Annex C.3.2. The length of IND is 5 bits by default, but this
48 * can be changed with a command line options if needed.
49 */
50
51 #include "includes.h"
52 #include <sys/un.h>
53 #ifdef CONFIG_SQLITE
54 #include <sqlite3.h>
55 #endif /* CONFIG_SQLITE */
56
57 #include "common.h"
58 #include "crypto/milenage.h"
59 #include "crypto/random.h"
60
61 static const char *default_socket_path = "/tmp/hlr_auc_gw.sock";
62 static const char *socket_path;
63 static int serv_sock = -1;
64 static char *milenage_file = NULL;
65 static int update_milenage = 0;
66 static int sqn_changes = 0;
67 static int ind_len = 5;
68 static int stdout_debug = 1;
69
70 /* GSM triplets */
71 struct gsm_triplet {
72 struct gsm_triplet *next;
73 char imsi[20];
74 u8 kc[8];
75 u8 sres[4];
76 u8 _rand[16];
77 };
78
79 static struct gsm_triplet *gsm_db = NULL, *gsm_db_pos = NULL;
80
81 /* OPc and AMF parameters for Milenage (Example algorithms for AKA). */
82 struct milenage_parameters {
83 struct milenage_parameters *next;
84 char imsi[20];
85 u8 ki[16];
86 u8 opc[16];
87 u8 amf[2];
88 u8 sqn[6];
89 int set;
90 size_t res_len;
91 };
92
93 static struct milenage_parameters *milenage_db = NULL;
94
95 #define EAP_SIM_MAX_CHAL 3
96
97 #define EAP_AKA_RAND_LEN 16
98 #define EAP_AKA_AUTN_LEN 16
99 #define EAP_AKA_AUTS_LEN 14
100 #define EAP_AKA_RES_MIN_LEN 4
101 #define EAP_AKA_RES_MAX_LEN 16
102 #define EAP_AKA_IK_LEN 16
103 #define EAP_AKA_CK_LEN 16
104
105
106 #ifdef CONFIG_SQLITE
107
108 static sqlite3 *sqlite_db = NULL;
109 static struct milenage_parameters db_tmp_milenage;
110
111
112 static int db_table_exists(sqlite3 *db, const char *name)
113 {
114 char cmd[128];
115 os_snprintf(cmd, sizeof(cmd), "SELECT 1 FROM %s;", name);
116 return sqlite3_exec(db, cmd, NULL, NULL, NULL) == SQLITE_OK;
117 }
118
119
120 static int db_table_create_milenage(sqlite3 *db)
121 {
122 char *err = NULL;
123 const char *sql =
124 "CREATE TABLE milenage("
125 " imsi INTEGER PRIMARY KEY NOT NULL,"
126 " ki CHAR(32) NOT NULL,"
127 " opc CHAR(32) NOT NULL,"
128 " amf CHAR(4) NOT NULL,"
129 " sqn CHAR(12) NOT NULL,"
130 " res_len INTEGER"
131 ");";
132
133 printf("Adding database table for milenage information\n");
134 if (sqlite3_exec(db, sql, NULL, NULL, &err) != SQLITE_OK) {
135 printf("SQLite error: %s\n", err);
136 sqlite3_free(err);
137 return -1;
138 }
139
140 return 0;
141 }
142
143
144 static sqlite3 * db_open(const char *db_file)
145 {
146 sqlite3 *db;
147
148 if (sqlite3_open(db_file, &db)) {
149 printf("Failed to open database %s: %s\n",
150 db_file, sqlite3_errmsg(db));
151 sqlite3_close(db);
152 return NULL;
153 }
154
155 if (!db_table_exists(db, "milenage") &&
156 db_table_create_milenage(db) < 0) {
157 sqlite3_close(db);
158 return NULL;
159 }
160
161 return db;
162 }
163
164
165 static int get_milenage_cb(void *ctx, int argc, char *argv[], char *col[])
166 {
167 struct milenage_parameters *m = ctx;
168 int i;
169
170 m->set = 1;
171
172 for (i = 0; i < argc; i++) {
173 if (os_strcmp(col[i], "ki") == 0 && argv[i] &&
174 hexstr2bin(argv[i], m->ki, sizeof(m->ki))) {
175 printf("Invalid ki value in database\n");
176 return -1;
177 }
178
179 if (os_strcmp(col[i], "opc") == 0 && argv[i] &&
180 hexstr2bin(argv[i], m->opc, sizeof(m->opc))) {
181 printf("Invalid opcvalue in database\n");
182 return -1;
183 }
184
185 if (os_strcmp(col[i], "amf") == 0 && argv[i] &&
186 hexstr2bin(argv[i], m->amf, sizeof(m->amf))) {
187 printf("Invalid amf value in database\n");
188 return -1;
189 }
190
191 if (os_strcmp(col[i], "sqn") == 0 && argv[i] &&
192 hexstr2bin(argv[i], m->sqn, sizeof(m->sqn))) {
193 printf("Invalid sqn value in database\n");
194 return -1;
195 }
196
197 if (os_strcmp(col[i], "res_len") == 0 && argv[i]) {
198 m->res_len = atoi(argv[i]);
199 }
200 }
201
202 return 0;
203 }
204
205
206 static struct milenage_parameters * db_get_milenage(const char *imsi_txt)
207 {
208 char cmd[128];
209 unsigned long long imsi;
210
211 os_memset(&db_tmp_milenage, 0, sizeof(db_tmp_milenage));
212 imsi = atoll(imsi_txt);
213 os_snprintf(db_tmp_milenage.imsi, sizeof(db_tmp_milenage.imsi),
214 "%llu", imsi);
215 os_snprintf(cmd, sizeof(cmd),
216 "SELECT * FROM milenage WHERE imsi=%llu;", imsi);
217 if (sqlite3_exec(sqlite_db, cmd, get_milenage_cb, &db_tmp_milenage,
218 NULL) != SQLITE_OK)
219 return NULL;
220
221 if (!db_tmp_milenage.set)
222 return NULL;
223 return &db_tmp_milenage;
224 }
225
226
227 static int db_update_milenage_sqn(struct milenage_parameters *m)
228 {
229 char cmd[128], val[13], *pos;
230
231 if (sqlite_db == NULL)
232 return 0;
233
234 pos = val;
235 pos += wpa_snprintf_hex(pos, sizeof(val), m->sqn, 6);
236 *pos = '\0';
237 os_snprintf(cmd, sizeof(cmd),
238 "UPDATE milenage SET sqn='%s' WHERE imsi=%s;",
239 val, m->imsi);
240 if (sqlite3_exec(sqlite_db, cmd, NULL, NULL, NULL) != SQLITE_OK) {
241 printf("Failed to update SQN in database for IMSI %s\n",
242 m->imsi);
243 return -1;
244 }
245 return 0;
246 }
247
248 #endif /* CONFIG_SQLITE */
249
250
251 static int open_socket(const char *path)
252 {
253 struct sockaddr_un addr;
254 int s;
255
256 s = socket(PF_UNIX, SOCK_DGRAM, 0);
257 if (s < 0) {
258 perror("socket(PF_UNIX)");
259 return -1;
260 }
261
262 memset(&addr, 0, sizeof(addr));
263 addr.sun_family = AF_UNIX;
264 os_strlcpy(addr.sun_path, path, sizeof(addr.sun_path));
265 if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
266 perror("hlr-auc-gw: bind(PF_UNIX)");
267 close(s);
268 return -1;
269 }
270
271 return s;
272 }
273
274
275 static int read_gsm_triplets(const char *fname)
276 {
277 FILE *f;
278 char buf[200], *pos, *pos2;
279 struct gsm_triplet *g = NULL;
280 int line, ret = 0;
281
282 if (fname == NULL)
283 return -1;
284
285 f = fopen(fname, "r");
286 if (f == NULL) {
287 printf("Could not open GSM tripler data file '%s'\n", fname);
288 return -1;
289 }
290
291 line = 0;
292 while (fgets(buf, sizeof(buf), f)) {
293 line++;
294
295 /* Parse IMSI:Kc:SRES:RAND */
296 buf[sizeof(buf) - 1] = '\0';
297 if (buf[0] == '#')
298 continue;
299 pos = buf;
300 while (*pos != '\0' && *pos != '\n')
301 pos++;
302 if (*pos == '\n')
303 *pos = '\0';
304 pos = buf;
305 if (*pos == '\0')
306 continue;
307
308 g = os_zalloc(sizeof(*g));
309 if (g == NULL) {
310 ret = -1;
311 break;
312 }
313
314 /* IMSI */
315 pos2 = strchr(pos, ':');
316 if (pos2 == NULL) {
317 printf("%s:%d - Invalid IMSI (%s)\n",
318 fname, line, pos);
319 ret = -1;
320 break;
321 }
322 *pos2 = '\0';
323 if (strlen(pos) >= sizeof(g->imsi)) {
324 printf("%s:%d - Too long IMSI (%s)\n",
325 fname, line, pos);
326 ret = -1;
327 break;
328 }
329 os_strlcpy(g->imsi, pos, sizeof(g->imsi));
330 pos = pos2 + 1;
331
332 /* Kc */
333 pos2 = strchr(pos, ':');
334 if (pos2 == NULL) {
335 printf("%s:%d - Invalid Kc (%s)\n", fname, line, pos);
336 ret = -1;
337 break;
338 }
339 *pos2 = '\0';
340 if (strlen(pos) != 16 || hexstr2bin(pos, g->kc, 8)) {
341 printf("%s:%d - Invalid Kc (%s)\n", fname, line, pos);
342 ret = -1;
343 break;
344 }
345 pos = pos2 + 1;
346
347 /* SRES */
348 pos2 = strchr(pos, ':');
349 if (pos2 == NULL) {
350 printf("%s:%d - Invalid SRES (%s)\n", fname, line,
351 pos);
352 ret = -1;
353 break;
354 }
355 *pos2 = '\0';
356 if (strlen(pos) != 8 || hexstr2bin(pos, g->sres, 4)) {
357 printf("%s:%d - Invalid SRES (%s)\n", fname, line,
358 pos);
359 ret = -1;
360 break;
361 }
362 pos = pos2 + 1;
363
364 /* RAND */
365 pos2 = strchr(pos, ':');
366 if (pos2)
367 *pos2 = '\0';
368 if (strlen(pos) != 32 || hexstr2bin(pos, g->_rand, 16)) {
369 printf("%s:%d - Invalid RAND (%s)\n", fname, line,
370 pos);
371 ret = -1;
372 break;
373 }
374
375 g->next = gsm_db;
376 gsm_db = g;
377 g = NULL;
378 }
379 os_free(g);
380
381 fclose(f);
382
383 return ret;
384 }
385
386
387 static struct gsm_triplet * get_gsm_triplet(const char *imsi)
388 {
389 struct gsm_triplet *g = gsm_db_pos;
390
391 while (g) {
392 if (strcmp(g->imsi, imsi) == 0) {
393 gsm_db_pos = g->next;
394 return g;
395 }
396 g = g->next;
397 }
398
399 g = gsm_db;
400 while (g && g != gsm_db_pos) {
401 if (strcmp(g->imsi, imsi) == 0) {
402 gsm_db_pos = g->next;
403 return g;
404 }
405 g = g->next;
406 }
407
408 return NULL;
409 }
410
411
412 static int read_milenage(const char *fname)
413 {
414 FILE *f;
415 char buf[200], *pos, *pos2;
416 struct milenage_parameters *m = NULL;
417 int line, ret = 0;
418
419 if (fname == NULL)
420 return -1;
421
422 f = fopen(fname, "r");
423 if (f == NULL) {
424 printf("Could not open Milenage data file '%s'\n", fname);
425 return -1;
426 }
427
428 line = 0;
429 while (fgets(buf, sizeof(buf), f)) {
430 line++;
431
432 /* Parse IMSI Ki OPc AMF SQN [RES_len] */
433 buf[sizeof(buf) - 1] = '\0';
434 if (buf[0] == '#')
435 continue;
436 pos = buf;
437 while (*pos != '\0' && *pos != '\n')
438 pos++;
439 if (*pos == '\n')
440 *pos = '\0';
441 pos = buf;
442 if (*pos == '\0')
443 continue;
444
445 m = os_zalloc(sizeof(*m));
446 if (m == NULL) {
447 ret = -1;
448 break;
449 }
450
451 /* IMSI */
452 pos2 = strchr(pos, ' ');
453 if (pos2 == NULL) {
454 printf("%s:%d - Invalid IMSI (%s)\n",
455 fname, line, pos);
456 ret = -1;
457 break;
458 }
459 *pos2 = '\0';
460 if (strlen(pos) >= sizeof(m->imsi)) {
461 printf("%s:%d - Too long IMSI (%s)\n",
462 fname, line, pos);
463 ret = -1;
464 break;
465 }
466 os_strlcpy(m->imsi, pos, sizeof(m->imsi));
467 pos = pos2 + 1;
468
469 /* Ki */
470 pos2 = strchr(pos, ' ');
471 if (pos2 == NULL) {
472 printf("%s:%d - Invalid Ki (%s)\n", fname, line, pos);
473 ret = -1;
474 break;
475 }
476 *pos2 = '\0';
477 if (strlen(pos) != 32 || hexstr2bin(pos, m->ki, 16)) {
478 printf("%s:%d - Invalid Ki (%s)\n", fname, line, pos);
479 ret = -1;
480 break;
481 }
482 pos = pos2 + 1;
483
484 /* OPc */
485 pos2 = strchr(pos, ' ');
486 if (pos2 == NULL) {
487 printf("%s:%d - Invalid OPc (%s)\n", fname, line, pos);
488 ret = -1;
489 break;
490 }
491 *pos2 = '\0';
492 if (strlen(pos) != 32 || hexstr2bin(pos, m->opc, 16)) {
493 printf("%s:%d - Invalid OPc (%s)\n", fname, line, pos);
494 ret = -1;
495 break;
496 }
497 pos = pos2 + 1;
498
499 /* AMF */
500 pos2 = strchr(pos, ' ');
501 if (pos2 == NULL) {
502 printf("%s:%d - Invalid AMF (%s)\n", fname, line, pos);
503 ret = -1;
504 break;
505 }
506 *pos2 = '\0';
507 if (strlen(pos) != 4 || hexstr2bin(pos, m->amf, 2)) {
508 printf("%s:%d - Invalid AMF (%s)\n", fname, line, pos);
509 ret = -1;
510 break;
511 }
512 pos = pos2 + 1;
513
514 /* SQN */
515 pos2 = strchr(pos, ' ');
516 if (pos2)
517 *pos2 = '\0';
518 if (strlen(pos) != 12 || hexstr2bin(pos, m->sqn, 6)) {
519 printf("%s:%d - Invalid SEQ (%s)\n", fname, line, pos);
520 ret = -1;
521 break;
522 }
523
524 if (pos2) {
525 pos = pos2 + 1;
526 m->res_len = atoi(pos);
527 if (m->res_len &&
528 (m->res_len < EAP_AKA_RES_MIN_LEN ||
529 m->res_len > EAP_AKA_RES_MAX_LEN)) {
530 printf("%s:%d - Invalid RES_len (%s)\n",
531 fname, line, pos);
532 ret = -1;
533 break;
534 }
535 }
536
537 m->next = milenage_db;
538 milenage_db = m;
539 m = NULL;
540 }
541 os_free(m);
542
543 fclose(f);
544
545 return ret;
546 }
547
548
549 static void update_milenage_file(const char *fname)
550 {
551 FILE *f, *f2;
552 char name[500], buf[500], *pos;
553 char *end = buf + sizeof(buf);
554 struct milenage_parameters *m;
555 size_t imsi_len;
556
557 f = fopen(fname, "r");
558 if (f == NULL) {
559 printf("Could not open Milenage data file '%s'\n", fname);
560 return;
561 }
562
563 snprintf(name, sizeof(name), "%s.new", fname);
564 f2 = fopen(name, "w");
565 if (f2 == NULL) {
566 printf("Could not write Milenage data file '%s'\n", name);
567 fclose(f);
568 return;
569 }
570
571 while (fgets(buf, sizeof(buf), f)) {
572 /* IMSI Ki OPc AMF SQN */
573 buf[sizeof(buf) - 1] = '\0';
574
575 pos = strchr(buf, ' ');
576 if (buf[0] == '#' || pos == NULL || pos - buf >= 20)
577 goto no_update;
578
579 imsi_len = pos - buf;
580
581 for (m = milenage_db; m; m = m->next) {
582 if (strncmp(buf, m->imsi, imsi_len) == 0 &&
583 m->imsi[imsi_len] == '\0')
584 break;
585 }
586
587 if (!m)
588 goto no_update;
589
590 pos = buf;
591 pos += snprintf(pos, end - pos, "%s ", m->imsi);
592 pos += wpa_snprintf_hex(pos, end - pos, m->ki, 16);
593 *pos++ = ' ';
594 pos += wpa_snprintf_hex(pos, end - pos, m->opc, 16);
595 *pos++ = ' ';
596 pos += wpa_snprintf_hex(pos, end - pos, m->amf, 2);
597 *pos++ = ' ';
598 pos += wpa_snprintf_hex(pos, end - pos, m->sqn, 6);
599 *pos++ = '\n';
600
601 no_update:
602 fprintf(f2, "%s", buf);
603 }
604
605 fclose(f2);
606 fclose(f);
607
608 snprintf(name, sizeof(name), "%s.bak", fname);
609 if (rename(fname, name) < 0) {
610 perror("rename");
611 return;
612 }
613
614 snprintf(name, sizeof(name), "%s.new", fname);
615 if (rename(name, fname) < 0) {
616 perror("rename");
617 return;
618 }
619
620 }
621
622
623 static struct milenage_parameters * get_milenage(const char *imsi)
624 {
625 struct milenage_parameters *m = milenage_db;
626
627 while (m) {
628 if (strcmp(m->imsi, imsi) == 0)
629 break;
630 m = m->next;
631 }
632
633 #ifdef CONFIG_SQLITE
634 if (!m)
635 m = db_get_milenage(imsi);
636 #endif /* CONFIG_SQLITE */
637
638 return m;
639 }
640
641
642 static int sim_req_auth(char *imsi, char *resp, size_t resp_len)
643 {
644 int count, max_chal, ret;
645 char *pos;
646 char *rpos, *rend;
647 struct milenage_parameters *m;
648 struct gsm_triplet *g;
649
650 resp[0] = '\0';
651
652 pos = strchr(imsi, ' ');
653 if (pos) {
654 *pos++ = '\0';
655 max_chal = atoi(pos);
656 if (max_chal < 1 || max_chal > EAP_SIM_MAX_CHAL)
657 max_chal = EAP_SIM_MAX_CHAL;
658 } else
659 max_chal = EAP_SIM_MAX_CHAL;
660
661 rend = resp + resp_len;
662 rpos = resp;
663 ret = snprintf(rpos, rend - rpos, "SIM-RESP-AUTH %s", imsi);
664 if (ret < 0 || ret >= rend - rpos)
665 return -1;
666 rpos += ret;
667
668 m = get_milenage(imsi);
669 if (m) {
670 u8 _rand[16], sres[4], kc[8];
671 for (count = 0; count < max_chal; count++) {
672 if (random_get_bytes(_rand, 16) < 0)
673 return -1;
674 gsm_milenage(m->opc, m->ki, _rand, sres, kc);
675 *rpos++ = ' ';
676 rpos += wpa_snprintf_hex(rpos, rend - rpos, kc, 8);
677 *rpos++ = ':';
678 rpos += wpa_snprintf_hex(rpos, rend - rpos, sres, 4);
679 *rpos++ = ':';
680 rpos += wpa_snprintf_hex(rpos, rend - rpos, _rand, 16);
681 }
682 *rpos = '\0';
683 return 0;
684 }
685
686 count = 0;
687 while (count < max_chal && (g = get_gsm_triplet(imsi))) {
688 if (strcmp(g->imsi, imsi) != 0)
689 continue;
690
691 if (rpos < rend)
692 *rpos++ = ' ';
693 rpos += wpa_snprintf_hex(rpos, rend - rpos, g->kc, 8);
694 if (rpos < rend)
695 *rpos++ = ':';
696 rpos += wpa_snprintf_hex(rpos, rend - rpos, g->sres, 4);
697 if (rpos < rend)
698 *rpos++ = ':';
699 rpos += wpa_snprintf_hex(rpos, rend - rpos, g->_rand, 16);
700 count++;
701 }
702
703 if (count == 0) {
704 printf("No GSM triplets found for %s\n", imsi);
705 ret = snprintf(rpos, rend - rpos, " FAILURE");
706 if (ret < 0 || ret >= rend - rpos)
707 return -1;
708 rpos += ret;
709 }
710
711 return 0;
712 }
713
714
715 static int gsm_auth_req(char *imsi, char *resp, size_t resp_len)
716 {
717 int count, ret;
718 char *pos, *rpos, *rend;
719 struct milenage_parameters *m;
720
721 resp[0] = '\0';
722
723 pos = os_strchr(imsi, ' ');
724 if (!pos)
725 return -1;
726 *pos++ = '\0';
727
728 rend = resp + resp_len;
729 rpos = resp;
730 ret = os_snprintf(rpos, rend - rpos, "GSM-AUTH-RESP %s", imsi);
731 if (os_snprintf_error(rend - rpos, ret))
732 return -1;
733 rpos += ret;
734
735 m = get_milenage(imsi);
736 if (m) {
737 u8 _rand[16], sres[4], kc[8];
738 for (count = 0; count < EAP_SIM_MAX_CHAL; count++) {
739 if (hexstr2bin(pos, _rand, 16) != 0)
740 return -1;
741 gsm_milenage(m->opc, m->ki, _rand, sres, kc);
742 *rpos++ = count == 0 ? ' ' : ':';
743 rpos += wpa_snprintf_hex(rpos, rend - rpos, kc, 8);
744 *rpos++ = ':';
745 rpos += wpa_snprintf_hex(rpos, rend - rpos, sres, 4);
746 pos += 16 * 2;
747 if (*pos != ':')
748 break;
749 pos++;
750 }
751 *rpos = '\0';
752 return 0;
753 }
754
755 printf("No GSM triplets found for %s\n", imsi);
756 ret = os_snprintf(rpos, rend - rpos, " FAILURE");
757 if (os_snprintf_error(rend - rpos, ret))
758 return -1;
759 rpos += ret;
760
761 return 0;
762 }
763
764
765 static void inc_sqn(u8 *sqn)
766 {
767 u64 val, seq, ind;
768
769 /*
770 * SQN = SEQ | IND = SEQ1 | SEQ2 | IND
771 *
772 * The mechanism used here is not time-based, so SEQ2 is void and
773 * SQN = SEQ1 | IND. The length of IND is ind_len bits and the length
774 * of SEQ1 is 48 - ind_len bits.
775 */
776
777 /* Increment both SEQ and IND by one */
778 val = ((u64) WPA_GET_BE32(sqn) << 16) | ((u64) WPA_GET_BE16(sqn + 4));
779 seq = (val >> ind_len) + 1;
780 ind = (val + 1) & ((1 << ind_len) - 1);
781 val = (seq << ind_len) | ind;
782 WPA_PUT_BE32(sqn, val >> 16);
783 WPA_PUT_BE16(sqn + 4, val & 0xffff);
784 }
785
786
787 static int aka_req_auth(char *imsi, char *resp, size_t resp_len)
788 {
789 /* AKA-RESP-AUTH <IMSI> <RAND> <AUTN> <IK> <CK> <RES> */
790 char *pos, *end;
791 u8 _rand[EAP_AKA_RAND_LEN];
792 u8 autn[EAP_AKA_AUTN_LEN];
793 u8 ik[EAP_AKA_IK_LEN];
794 u8 ck[EAP_AKA_CK_LEN];
795 u8 res[EAP_AKA_RES_MAX_LEN];
796 size_t res_len;
797 int ret;
798 struct milenage_parameters *m;
799 int failed = 0;
800
801 m = get_milenage(imsi);
802 if (m) {
803 if (random_get_bytes(_rand, EAP_AKA_RAND_LEN) < 0)
804 return -1;
805 res_len = EAP_AKA_RES_MAX_LEN;
806 inc_sqn(m->sqn);
807 #ifdef CONFIG_SQLITE
808 db_update_milenage_sqn(m);
809 #endif /* CONFIG_SQLITE */
810 sqn_changes = 1;
811 if (stdout_debug) {
812 printf("AKA: Milenage with SQN=%02x%02x%02x%02x%02x%02x\n",
813 m->sqn[0], m->sqn[1], m->sqn[2],
814 m->sqn[3], m->sqn[4], m->sqn[5]);
815 }
816 milenage_generate(m->opc, m->amf, m->ki, m->sqn, _rand,
817 autn, ik, ck, res, &res_len);
818 if (m->res_len >= EAP_AKA_RES_MIN_LEN &&
819 m->res_len <= EAP_AKA_RES_MAX_LEN &&
820 m->res_len < res_len)
821 res_len = m->res_len;
822 } else {
823 printf("Unknown IMSI: %s\n", imsi);
824 #ifdef AKA_USE_FIXED_TEST_VALUES
825 printf("Using fixed test values for AKA\n");
826 memset(_rand, '0', EAP_AKA_RAND_LEN);
827 memset(autn, '1', EAP_AKA_AUTN_LEN);
828 memset(ik, '3', EAP_AKA_IK_LEN);
829 memset(ck, '4', EAP_AKA_CK_LEN);
830 memset(res, '2', EAP_AKA_RES_MAX_LEN);
831 res_len = EAP_AKA_RES_MAX_LEN;
832 #else /* AKA_USE_FIXED_TEST_VALUES */
833 failed = 1;
834 #endif /* AKA_USE_FIXED_TEST_VALUES */
835 }
836
837 pos = resp;
838 end = resp + resp_len;
839 ret = snprintf(pos, end - pos, "AKA-RESP-AUTH %s ", imsi);
840 if (ret < 0 || ret >= end - pos)
841 return -1;
842 pos += ret;
843 if (failed) {
844 ret = snprintf(pos, end - pos, "FAILURE");
845 if (ret < 0 || ret >= end - pos)
846 return -1;
847 pos += ret;
848 return 0;
849 }
850 pos += wpa_snprintf_hex(pos, end - pos, _rand, EAP_AKA_RAND_LEN);
851 *pos++ = ' ';
852 pos += wpa_snprintf_hex(pos, end - pos, autn, EAP_AKA_AUTN_LEN);
853 *pos++ = ' ';
854 pos += wpa_snprintf_hex(pos, end - pos, ik, EAP_AKA_IK_LEN);
855 *pos++ = ' ';
856 pos += wpa_snprintf_hex(pos, end - pos, ck, EAP_AKA_CK_LEN);
857 *pos++ = ' ';
858 pos += wpa_snprintf_hex(pos, end - pos, res, res_len);
859
860 return 0;
861 }
862
863
864 static int aka_auts(char *imsi, char *resp, size_t resp_len)
865 {
866 char *auts, *__rand;
867 u8 _auts[EAP_AKA_AUTS_LEN], _rand[EAP_AKA_RAND_LEN], sqn[6];
868 struct milenage_parameters *m;
869
870 resp[0] = '\0';
871
872 /* AKA-AUTS <IMSI> <AUTS> <RAND> */
873
874 auts = strchr(imsi, ' ');
875 if (auts == NULL)
876 return -1;
877 *auts++ = '\0';
878
879 __rand = strchr(auts, ' ');
880 if (__rand == NULL)
881 return -1;
882 *__rand++ = '\0';
883
884 if (stdout_debug) {
885 printf("AKA-AUTS: IMSI=%s AUTS=%s RAND=%s\n",
886 imsi, auts, __rand);
887 }
888 if (hexstr2bin(auts, _auts, EAP_AKA_AUTS_LEN) ||
889 hexstr2bin(__rand, _rand, EAP_AKA_RAND_LEN)) {
890 printf("Could not parse AUTS/RAND\n");
891 return -1;
892 }
893
894 m = get_milenage(imsi);
895 if (m == NULL) {
896 printf("Unknown IMSI: %s\n", imsi);
897 return -1;
898 }
899
900 if (milenage_auts(m->opc, m->ki, _rand, _auts, sqn)) {
901 printf("AKA-AUTS: Incorrect MAC-S\n");
902 } else {
903 memcpy(m->sqn, sqn, 6);
904 if (stdout_debug) {
905 printf("AKA-AUTS: Re-synchronized: "
906 "SQN=%02x%02x%02x%02x%02x%02x\n",
907 sqn[0], sqn[1], sqn[2], sqn[3], sqn[4], sqn[5]);
908 }
909 #ifdef CONFIG_SQLITE
910 db_update_milenage_sqn(m);
911 #endif /* CONFIG_SQLITE */
912 sqn_changes = 1;
913 }
914
915 return 0;
916 }
917
918
919 static int process_cmd(char *cmd, char *resp, size_t resp_len)
920 {
921 if (os_strncmp(cmd, "SIM-REQ-AUTH ", 13) == 0)
922 return sim_req_auth(cmd + 13, resp, resp_len);
923
924 if (os_strncmp(cmd, "GSM-AUTH-REQ ", 13) == 0)
925 return gsm_auth_req(cmd + 13, resp, resp_len);
926
927 if (os_strncmp(cmd, "AKA-REQ-AUTH ", 13) == 0)
928 return aka_req_auth(cmd + 13, resp, resp_len);
929
930 if (os_strncmp(cmd, "AKA-AUTS ", 9) == 0)
931 return aka_auts(cmd + 9, resp, resp_len);
932
933 printf("Unknown request: %s\n", cmd);
934 return -1;
935 }
936
937
938 static int process(int s)
939 {
940 char buf[1000], resp[1000];
941 struct sockaddr_un from;
942 socklen_t fromlen;
943 ssize_t res;
944
945 fromlen = sizeof(from);
946 res = recvfrom(s, buf, sizeof(buf), 0, (struct sockaddr *) &from,
947 &fromlen);
948 if (res < 0) {
949 perror("recvfrom");
950 return -1;
951 }
952
953 if (res == 0)
954 return 0;
955
956 if ((size_t) res >= sizeof(buf))
957 res = sizeof(buf) - 1;
958 buf[res] = '\0';
959
960 printf("Received: %s\n", buf);
961
962 if (process_cmd(buf, resp, sizeof(resp)) < 0) {
963 printf("Failed to process request\n");
964 return -1;
965 }
966
967 if (resp[0] == '\0') {
968 printf("No response\n");
969 return 0;
970 }
971
972 printf("Send: %s\n", resp);
973
974 if (sendto(s, resp, os_strlen(resp), 0, (struct sockaddr *) &from,
975 fromlen) < 0)
976 perror("send");
977
978 return 0;
979 }
980
981
982 static void cleanup(void)
983 {
984 struct gsm_triplet *g, *gprev;
985 struct milenage_parameters *m, *prev;
986
987 if (update_milenage && milenage_file && sqn_changes)
988 update_milenage_file(milenage_file);
989
990 g = gsm_db;
991 while (g) {
992 gprev = g;
993 g = g->next;
994 os_free(gprev);
995 }
996
997 m = milenage_db;
998 while (m) {
999 prev = m;
1000 m = m->next;
1001 os_free(prev);
1002 }
1003
1004 if (serv_sock >= 0)
1005 close(serv_sock);
1006 if (socket_path)
1007 unlink(socket_path);
1008
1009 #ifdef CONFIG_SQLITE
1010 if (sqlite_db) {
1011 sqlite3_close(sqlite_db);
1012 sqlite_db = NULL;
1013 }
1014 #endif /* CONFIG_SQLITE */
1015 }
1016
1017
1018 static void handle_term(int sig)
1019 {
1020 printf("Signal %d - terminate\n", sig);
1021 exit(0);
1022 }
1023
1024
1025 static void usage(void)
1026 {
1027 printf("HLR/AuC testing gateway for hostapd EAP-SIM/AKA "
1028 "database/authenticator\n"
1029 "Copyright (c) 2005-2007, 2012-2013, Jouni Malinen <j@w1.fi>\n"
1030 "\n"
1031 "usage:\n"
1032 "hlr_auc_gw [-hu] [-s<socket path>] [-g<triplet file>] "
1033 "[-m<milenage file>] \\\n"
1034 " [-D<DB file>] [-i<IND len in bits>] [command]\n"
1035 "\n"
1036 "options:\n"
1037 " -h = show this usage help\n"
1038 " -u = update SQN in Milenage file on exit\n"
1039 " -s<socket path> = path for UNIX domain socket\n"
1040 " (default: %s)\n"
1041 " -g<triplet file> = path for GSM authentication triplets\n"
1042 " -m<milenage file> = path for Milenage keys\n"
1043 " -D<DB file> = path to SQLite database\n"
1044 " -i<IND len in bits> = IND length for SQN (default: 5)\n"
1045 "\n"
1046 "If the optional command argument, like "
1047 "\"AKA-REQ-AUTH <IMSI>\" is used, a single\n"
1048 "command is processed with response sent to stdout. Otherwise, "
1049 "hlr_auc_gw opens\n"
1050 "a control interface and processes commands sent through it "
1051 "(e.g., by EAP server\n"
1052 "in hostapd).\n",
1053 default_socket_path);
1054 }
1055
1056
1057 int main(int argc, char *argv[])
1058 {
1059 int c;
1060 char *gsm_triplet_file = NULL;
1061 char *sqlite_db_file = NULL;
1062 int ret = 0;
1063
1064 if (os_program_init())
1065 return -1;
1066
1067 socket_path = default_socket_path;
1068
1069 for (;;) {
1070 c = getopt(argc, argv, "D:g:hi:m:s:u");
1071 if (c < 0)
1072 break;
1073 switch (c) {
1074 case 'D':
1075 #ifdef CONFIG_SQLITE
1076 sqlite_db_file = optarg;
1077 break;
1078 #else /* CONFIG_SQLITE */
1079 printf("No SQLite support included in the build\n");
1080 return -1;
1081 #endif /* CONFIG_SQLITE */
1082 case 'g':
1083 gsm_triplet_file = optarg;
1084 break;
1085 case 'h':
1086 usage();
1087 return 0;
1088 case 'i':
1089 ind_len = atoi(optarg);
1090 if (ind_len < 0 || ind_len > 32) {
1091 printf("Invalid IND length\n");
1092 return -1;
1093 }
1094 break;
1095 case 'm':
1096 milenage_file = optarg;
1097 break;
1098 case 's':
1099 socket_path = optarg;
1100 break;
1101 case 'u':
1102 update_milenage = 1;
1103 break;
1104 default:
1105 usage();
1106 return -1;
1107 }
1108 }
1109
1110 if (!gsm_triplet_file && !milenage_file && !sqlite_db_file) {
1111 usage();
1112 return -1;
1113 }
1114
1115 #ifdef CONFIG_SQLITE
1116 if (sqlite_db_file && (sqlite_db = db_open(sqlite_db_file)) == NULL)
1117 return -1;
1118 #endif /* CONFIG_SQLITE */
1119
1120 if (gsm_triplet_file && read_gsm_triplets(gsm_triplet_file) < 0)
1121 return -1;
1122
1123 if (milenage_file && read_milenage(milenage_file) < 0)
1124 return -1;
1125
1126 if (optind == argc) {
1127 serv_sock = open_socket(socket_path);
1128 if (serv_sock < 0)
1129 return -1;
1130
1131 printf("Listening for requests on %s\n", socket_path);
1132
1133 atexit(cleanup);
1134 signal(SIGTERM, handle_term);
1135 signal(SIGINT, handle_term);
1136
1137 for (;;)
1138 process(serv_sock);
1139 } else {
1140 char buf[1000];
1141 socket_path = NULL;
1142 stdout_debug = 0;
1143 if (process_cmd(argv[optind], buf, sizeof(buf)) < 0) {
1144 printf("FAIL\n");
1145 ret = -1;
1146 } else {
1147 printf("%s\n", buf);
1148 }
1149 cleanup();
1150 }
1151
1152 #ifdef CONFIG_SQLITE
1153 if (sqlite_db) {
1154 sqlite3_close(sqlite_db);
1155 sqlite_db = NULL;
1156 }
1157 #endif /* CONFIG_SQLITE */
1158
1159 os_program_deinit();
1160
1161 return ret;
1162 }
Unnamed repository; edit this file 'description' to name the repository.