2 * hostapd / EAP-AKA (RFC 4187) and EAP-AKA' (RFC 5448)
3 * Copyright (c) 2005-2012, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/sha256.h"
13 #include "crypto/crypto.h"
14 #include "crypto/random.h"
15 #include "eap_common/eap_sim_common.h"
16 #include "eap_server/eap_i.h"
17 #include "eap_server/eap_sim_db.h"
21 u8 mk
[EAP_SIM_MK_LEN
];
22 u8 nonce_s
[EAP_SIM_NONCE_S_LEN
];
23 u8 k_aut
[EAP_AKA_PRIME_K_AUT_LEN
];
24 u8 k_encr
[EAP_SIM_K_ENCR_LEN
];
25 u8 k_re
[EAP_AKA_PRIME_K_RE_LEN
]; /* EAP-AKA' only */
26 u8 msk
[EAP_SIM_KEYING_DATA_LEN
];
27 u8 emsk
[EAP_EMSK_LEN
];
28 u8 rand
[EAP_AKA_RAND_LEN
];
29 u8 autn
[EAP_AKA_AUTN_LEN
];
30 u8 ck
[EAP_AKA_CK_LEN
];
31 u8 ik
[EAP_AKA_IK_LEN
];
32 u8 res
[EAP_AKA_RES_MAX_LEN
];
33 u8 reauth_mac
[EAP_SIM_MAC_LEN
];
36 IDENTITY
, CHALLENGE
, REAUTH
, NOTIFICATION
, SUCCESS
, FAILURE
41 struct eap_sim_reauth
*reauth
;
42 int auts_reported
; /* whether the current AUTS has been reported to the
47 struct wpabuf
*id_msgs
;
51 size_t network_name_len
;
54 char permanent
[20]; /* Permanent username */
58 static void eap_aka_fullauth(struct eap_sm
*sm
, struct eap_aka_data
*data
);
61 static const char * eap_aka_state_txt(int state
)
75 return "NOTIFICATION";
82 static void eap_aka_state(struct eap_aka_data
*data
, int state
)
84 wpa_printf(MSG_DEBUG
, "EAP-AKA: %s -> %s",
85 eap_aka_state_txt(data
->state
),
86 eap_aka_state_txt(state
));
91 static int eap_aka_check_identity_reauth(struct eap_sm
*sm
,
92 struct eap_aka_data
*data
,
95 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
&&
96 username
[0] != EAP_AKA_PRIME_REAUTH_ID_PREFIX
)
98 if (data
->eap_method
== EAP_TYPE_AKA
&&
99 username
[0] != EAP_AKA_REAUTH_ID_PREFIX
)
102 wpa_printf(MSG_DEBUG
, "EAP-AKA: Reauth username '%s'", username
);
103 data
->reauth
= eap_sim_db_get_reauth_entry(sm
->eap_sim_db_priv
,
105 if (data
->reauth
== NULL
) {
106 wpa_printf(MSG_DEBUG
, "EAP-AKA: Unknown reauth identity - "
107 "request full auth identity");
108 /* Remain in IDENTITY state for another round */
112 wpa_printf(MSG_DEBUG
, "EAP-AKA: Using fast re-authentication");
113 os_strlcpy(data
->permanent
, data
->reauth
->permanent
,
114 sizeof(data
->permanent
));
115 data
->counter
= data
->reauth
->counter
;
116 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
) {
117 os_memcpy(data
->k_encr
, data
->reauth
->k_encr
,
119 os_memcpy(data
->k_aut
, data
->reauth
->k_aut
,
120 EAP_AKA_PRIME_K_AUT_LEN
);
121 os_memcpy(data
->k_re
, data
->reauth
->k_re
,
122 EAP_AKA_PRIME_K_RE_LEN
);
124 os_memcpy(data
->mk
, data
->reauth
->mk
, EAP_SIM_MK_LEN
);
127 eap_aka_state(data
, REAUTH
);
132 static void eap_aka_check_identity(struct eap_sm
*sm
,
133 struct eap_aka_data
*data
)
137 /* Check if we already know the identity from EAP-Response/Identity */
139 username
= sim_get_username(sm
->identity
, sm
->identity_len
);
140 if (username
== NULL
)
143 if (eap_aka_check_identity_reauth(sm
, data
, username
) > 0) {
146 * Since re-auth username was recognized, skip AKA/Identity
152 if ((data
->eap_method
== EAP_TYPE_AKA_PRIME
&&
153 username
[0] == EAP_AKA_PRIME_PSEUDONYM_PREFIX
) ||
154 (data
->eap_method
== EAP_TYPE_AKA
&&
155 username
[0] == EAP_AKA_PSEUDONYM_PREFIX
)) {
156 const char *permanent
;
157 wpa_printf(MSG_DEBUG
, "EAP-AKA: Pseudonym username '%s'",
159 permanent
= eap_sim_db_get_permanent(
160 sm
->eap_sim_db_priv
, username
);
161 if (permanent
== NULL
) {
163 wpa_printf(MSG_DEBUG
, "EAP-AKA: Unknown pseudonym "
164 "identity - request permanent identity");
165 /* Remain in IDENTITY state for another round */
168 os_strlcpy(data
->permanent
, permanent
,
169 sizeof(data
->permanent
));
171 * Since pseudonym username was recognized, skip AKA/Identity
174 eap_aka_fullauth(sm
, data
);
181 static void * eap_aka_init(struct eap_sm
*sm
)
183 struct eap_aka_data
*data
;
185 if (sm
->eap_sim_db_priv
== NULL
) {
186 wpa_printf(MSG_WARNING
, "EAP-AKA: eap_sim_db not configured");
190 data
= os_zalloc(sizeof(*data
));
194 data
->eap_method
= EAP_TYPE_AKA
;
196 data
->state
= IDENTITY
;
197 data
->pending_id
= -1;
198 eap_aka_check_identity(sm
, data
);
204 #ifdef EAP_SERVER_AKA_PRIME
205 static void * eap_aka_prime_init(struct eap_sm
*sm
)
207 struct eap_aka_data
*data
;
208 /* TODO: make ANID configurable; see 3GPP TS 24.302 */
209 char *network_name
= "WLAN";
211 if (sm
->eap_sim_db_priv
== NULL
) {
212 wpa_printf(MSG_WARNING
, "EAP-AKA: eap_sim_db not configured");
216 data
= os_zalloc(sizeof(*data
));
220 data
->eap_method
= EAP_TYPE_AKA_PRIME
;
221 data
->network_name
= (u8
*) os_strdup(network_name
);
222 if (data
->network_name
== NULL
) {
227 data
->network_name_len
= os_strlen(network_name
);
229 data
->state
= IDENTITY
;
230 data
->pending_id
= -1;
231 eap_aka_check_identity(sm
, data
);
235 #endif /* EAP_SERVER_AKA_PRIME */
238 static void eap_aka_reset(struct eap_sm
*sm
, void *priv
)
240 struct eap_aka_data
*data
= priv
;
241 os_free(data
->next_pseudonym
);
242 os_free(data
->next_reauth_id
);
243 wpabuf_free(data
->id_msgs
);
244 os_free(data
->network_name
);
245 bin_clear_free(data
, sizeof(*data
));
249 static int eap_aka_add_id_msg(struct eap_aka_data
*data
,
250 const struct wpabuf
*msg
)
255 if (data
->id_msgs
== NULL
) {
256 data
->id_msgs
= wpabuf_dup(msg
);
257 return data
->id_msgs
== NULL
? -1 : 0;
260 if (wpabuf_resize(&data
->id_msgs
, wpabuf_len(msg
)) < 0)
262 wpabuf_put_buf(data
->id_msgs
, msg
);
268 static void eap_aka_add_checkcode(struct eap_aka_data
*data
,
269 struct eap_sim_msg
*msg
)
273 u8 hash
[SHA256_MAC_LEN
];
275 wpa_printf(MSG_DEBUG
, " AT_CHECKCODE");
277 if (data
->id_msgs
== NULL
) {
279 * No EAP-AKA/Identity packets were exchanged - send empty
282 eap_sim_msg_add(msg
, EAP_SIM_AT_CHECKCODE
, 0, NULL
, 0);
286 /* Checkcode is SHA1 hash over all EAP-AKA/Identity packets. */
287 addr
= wpabuf_head(data
->id_msgs
);
288 len
= wpabuf_len(data
->id_msgs
);
289 wpa_hexdump(MSG_MSGDUMP
, "EAP-AKA: AT_CHECKCODE data", addr
, len
);
290 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
)
291 sha256_vector(1, &addr
, &len
, hash
);
293 sha1_vector(1, &addr
, &len
, hash
);
295 eap_sim_msg_add(msg
, EAP_SIM_AT_CHECKCODE
, 0, hash
,
296 data
->eap_method
== EAP_TYPE_AKA_PRIME
?
297 EAP_AKA_PRIME_CHECKCODE_LEN
: EAP_AKA_CHECKCODE_LEN
);
301 static int eap_aka_verify_checkcode(struct eap_aka_data
*data
,
302 const u8
*checkcode
, size_t checkcode_len
)
306 u8 hash
[SHA256_MAC_LEN
];
309 if (checkcode
== NULL
)
312 if (data
->id_msgs
== NULL
) {
313 if (checkcode_len
!= 0) {
314 wpa_printf(MSG_DEBUG
, "EAP-AKA: Checkcode from peer "
315 "indicates that AKA/Identity messages were "
316 "used, but they were not");
322 hash_len
= data
->eap_method
== EAP_TYPE_AKA_PRIME
?
323 EAP_AKA_PRIME_CHECKCODE_LEN
: EAP_AKA_CHECKCODE_LEN
;
325 if (checkcode_len
!= hash_len
) {
326 wpa_printf(MSG_DEBUG
, "EAP-AKA: Checkcode from peer indicates "
327 "that AKA/Identity message were not used, but they "
332 /* Checkcode is SHA1 hash over all EAP-AKA/Identity packets. */
333 addr
= wpabuf_head(data
->id_msgs
);
334 len
= wpabuf_len(data
->id_msgs
);
335 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
)
336 sha256_vector(1, &addr
, &len
, hash
);
338 sha1_vector(1, &addr
, &len
, hash
);
340 if (os_memcmp_const(hash
, checkcode
, hash_len
) != 0) {
341 wpa_printf(MSG_DEBUG
, "EAP-AKA: Mismatch in AT_CHECKCODE");
349 static struct wpabuf
* eap_aka_build_identity(struct eap_sm
*sm
,
350 struct eap_aka_data
*data
, u8 id
)
352 struct eap_sim_msg
*msg
;
355 wpa_printf(MSG_DEBUG
, "EAP-AKA: Generating Identity");
356 msg
= eap_sim_msg_init(EAP_CODE_REQUEST
, id
, data
->eap_method
,
357 EAP_AKA_SUBTYPE_IDENTITY
);
358 data
->identity_round
++;
359 if (data
->identity_round
== 1) {
361 * RFC 4187, Chap. 4.1.4 recommends that identity from EAP is
362 * ignored and the AKA/Identity is used to request the
365 wpa_printf(MSG_DEBUG
, " AT_ANY_ID_REQ");
366 eap_sim_msg_add(msg
, EAP_SIM_AT_ANY_ID_REQ
, 0, NULL
, 0);
367 } else if (data
->identity_round
> 3) {
368 /* Cannot use more than three rounds of Identity messages */
369 eap_sim_msg_free(msg
);
371 } else if (sm
->identity
&& sm
->identity_len
> 0 &&
372 (sm
->identity
[0] == EAP_AKA_REAUTH_ID_PREFIX
||
373 sm
->identity
[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX
)) {
374 /* Reauth id may have expired - try fullauth */
375 wpa_printf(MSG_DEBUG
, " AT_FULLAUTH_ID_REQ");
376 eap_sim_msg_add(msg
, EAP_SIM_AT_FULLAUTH_ID_REQ
, 0, NULL
, 0);
378 wpa_printf(MSG_DEBUG
, " AT_PERMANENT_ID_REQ");
379 eap_sim_msg_add(msg
, EAP_SIM_AT_PERMANENT_ID_REQ
, 0, NULL
, 0);
381 buf
= eap_sim_msg_finish(msg
, data
->eap_method
, NULL
, NULL
, 0);
382 if (eap_aka_add_id_msg(data
, buf
) < 0) {
386 data
->pending_id
= id
;
391 static int eap_aka_build_encr(struct eap_sm
*sm
, struct eap_aka_data
*data
,
392 struct eap_sim_msg
*msg
, u16 counter
,
395 os_free(data
->next_pseudonym
);
396 if (nonce_s
== NULL
) {
397 data
->next_pseudonym
=
398 eap_sim_db_get_next_pseudonym(
400 data
->eap_method
== EAP_TYPE_AKA_PRIME
?
401 EAP_SIM_DB_AKA_PRIME
: EAP_SIM_DB_AKA
);
403 /* Do not update pseudonym during re-authentication */
404 data
->next_pseudonym
= NULL
;
406 os_free(data
->next_reauth_id
);
407 if (data
->counter
<= EAP_AKA_MAX_FAST_REAUTHS
) {
408 data
->next_reauth_id
=
409 eap_sim_db_get_next_reauth_id(
411 data
->eap_method
== EAP_TYPE_AKA_PRIME
?
412 EAP_SIM_DB_AKA_PRIME
: EAP_SIM_DB_AKA
);
414 wpa_printf(MSG_DEBUG
, "EAP-AKA: Max fast re-authentication "
415 "count exceeded - force full authentication");
416 data
->next_reauth_id
= NULL
;
419 if (data
->next_pseudonym
== NULL
&& data
->next_reauth_id
== NULL
&&
420 counter
== 0 && nonce_s
== NULL
)
423 wpa_printf(MSG_DEBUG
, " AT_IV");
424 wpa_printf(MSG_DEBUG
, " AT_ENCR_DATA");
425 eap_sim_msg_add_encr_start(msg
, EAP_SIM_AT_IV
, EAP_SIM_AT_ENCR_DATA
);
428 wpa_printf(MSG_DEBUG
, " *AT_COUNTER (%u)", counter
);
429 eap_sim_msg_add(msg
, EAP_SIM_AT_COUNTER
, counter
, NULL
, 0);
433 wpa_printf(MSG_DEBUG
, " *AT_NONCE_S");
434 eap_sim_msg_add(msg
, EAP_SIM_AT_NONCE_S
, 0, nonce_s
,
435 EAP_SIM_NONCE_S_LEN
);
438 if (data
->next_pseudonym
) {
439 wpa_printf(MSG_DEBUG
, " *AT_NEXT_PSEUDONYM (%s)",
440 data
->next_pseudonym
);
441 eap_sim_msg_add(msg
, EAP_SIM_AT_NEXT_PSEUDONYM
,
442 os_strlen(data
->next_pseudonym
),
443 (u8
*) data
->next_pseudonym
,
444 os_strlen(data
->next_pseudonym
));
447 if (data
->next_reauth_id
) {
448 wpa_printf(MSG_DEBUG
, " *AT_NEXT_REAUTH_ID (%s)",
449 data
->next_reauth_id
);
450 eap_sim_msg_add(msg
, EAP_SIM_AT_NEXT_REAUTH_ID
,
451 os_strlen(data
->next_reauth_id
),
452 (u8
*) data
->next_reauth_id
,
453 os_strlen(data
->next_reauth_id
));
456 if (eap_sim_msg_add_encr_end(msg
, data
->k_encr
, EAP_SIM_AT_PADDING
)) {
457 wpa_printf(MSG_WARNING
, "EAP-AKA: Failed to encrypt "
466 static struct wpabuf
* eap_aka_build_challenge(struct eap_sm
*sm
,
467 struct eap_aka_data
*data
,
470 struct eap_sim_msg
*msg
;
472 wpa_printf(MSG_DEBUG
, "EAP-AKA: Generating Challenge");
473 msg
= eap_sim_msg_init(EAP_CODE_REQUEST
, id
, data
->eap_method
,
474 EAP_AKA_SUBTYPE_CHALLENGE
);
475 wpa_printf(MSG_DEBUG
, " AT_RAND");
476 eap_sim_msg_add(msg
, EAP_SIM_AT_RAND
, 0, data
->rand
, EAP_AKA_RAND_LEN
);
477 wpa_printf(MSG_DEBUG
, " AT_AUTN");
478 eap_sim_msg_add(msg
, EAP_SIM_AT_AUTN
, 0, data
->autn
, EAP_AKA_AUTN_LEN
);
479 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
) {
481 /* Add the selected KDF into the beginning */
482 wpa_printf(MSG_DEBUG
, " AT_KDF");
483 eap_sim_msg_add(msg
, EAP_SIM_AT_KDF
, data
->kdf
,
486 wpa_printf(MSG_DEBUG
, " AT_KDF");
487 eap_sim_msg_add(msg
, EAP_SIM_AT_KDF
, EAP_AKA_PRIME_KDF
,
489 wpa_printf(MSG_DEBUG
, " AT_KDF_INPUT");
490 eap_sim_msg_add(msg
, EAP_SIM_AT_KDF_INPUT
,
491 data
->network_name_len
,
492 data
->network_name
, data
->network_name_len
);
495 if (eap_aka_build_encr(sm
, data
, msg
, 0, NULL
)) {
496 eap_sim_msg_free(msg
);
500 eap_aka_add_checkcode(data
, msg
);
502 if (sm
->eap_sim_aka_result_ind
) {
503 wpa_printf(MSG_DEBUG
, " AT_RESULT_IND");
504 eap_sim_msg_add(msg
, EAP_SIM_AT_RESULT_IND
, 0, NULL
, 0);
507 #ifdef EAP_SERVER_AKA_PRIME
508 if (data
->eap_method
== EAP_TYPE_AKA
) {
511 int aka_prime_preferred
= 0;
514 while (sm
->user
&& i
< EAP_MAX_METHODS
&&
515 (sm
->user
->methods
[i
].vendor
!= EAP_VENDOR_IETF
||
516 sm
->user
->methods
[i
].method
!= EAP_TYPE_NONE
)) {
517 if (sm
->user
->methods
[i
].vendor
== EAP_VENDOR_IETF
) {
518 if (sm
->user
->methods
[i
].method
==
521 if (sm
->user
->methods
[i
].method
==
522 EAP_TYPE_AKA_PRIME
) {
523 aka_prime_preferred
= 1;
530 if (aka_prime_preferred
)
531 flags
|= EAP_AKA_BIDDING_FLAG_D
;
532 eap_sim_msg_add(msg
, EAP_SIM_AT_BIDDING
, flags
, NULL
, 0);
534 #endif /* EAP_SERVER_AKA_PRIME */
536 wpa_printf(MSG_DEBUG
, " AT_MAC");
537 eap_sim_msg_add_mac(msg
, EAP_SIM_AT_MAC
);
538 return eap_sim_msg_finish(msg
, data
->eap_method
, data
->k_aut
, NULL
, 0);
542 static struct wpabuf
* eap_aka_build_reauth(struct eap_sm
*sm
,
543 struct eap_aka_data
*data
, u8 id
)
545 struct eap_sim_msg
*msg
;
548 wpa_printf(MSG_DEBUG
, "EAP-AKA: Generating Re-authentication");
550 if (random_get_bytes(data
->nonce_s
, EAP_SIM_NONCE_S_LEN
))
552 wpa_hexdump_key(MSG_MSGDUMP
, "EAP-AKA: NONCE_S",
553 data
->nonce_s
, EAP_SIM_NONCE_S_LEN
);
555 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
) {
556 eap_aka_prime_derive_keys_reauth(data
->k_re
, data
->counter
,
560 data
->msk
, data
->emsk
);
562 eap_sim_derive_keys(data
->mk
, data
->k_encr
, data
->k_aut
,
563 data
->msk
, data
->emsk
);
564 eap_sim_derive_keys_reauth(data
->counter
, sm
->identity
,
565 sm
->identity_len
, data
->nonce_s
,
566 data
->mk
, data
->msk
, data
->emsk
);
569 msg
= eap_sim_msg_init(EAP_CODE_REQUEST
, id
, data
->eap_method
,
570 EAP_AKA_SUBTYPE_REAUTHENTICATION
);
572 if (eap_aka_build_encr(sm
, data
, msg
, data
->counter
, data
->nonce_s
)) {
573 eap_sim_msg_free(msg
);
577 eap_aka_add_checkcode(data
, msg
);
579 if (sm
->eap_sim_aka_result_ind
) {
580 wpa_printf(MSG_DEBUG
, " AT_RESULT_IND");
581 eap_sim_msg_add(msg
, EAP_SIM_AT_RESULT_IND
, 0, NULL
, 0);
584 wpa_printf(MSG_DEBUG
, " AT_MAC");
585 eap_sim_msg_add_mac(msg
, EAP_SIM_AT_MAC
);
586 buf
= eap_sim_msg_finish(msg
, data
->eap_method
, data
->k_aut
, NULL
, 0);
588 /* Remember this MAC before sending it to the peer. This MAC is used for
589 * Session-Id calculation after receiving response from the peer and
590 * after all other checks pass. */
591 os_memcpy(data
->reauth_mac
,
592 wpabuf_head_u8(buf
) + wpabuf_len(buf
) - EAP_SIM_MAC_LEN
,
599 static struct wpabuf
* eap_aka_build_notification(struct eap_sm
*sm
,
600 struct eap_aka_data
*data
,
603 struct eap_sim_msg
*msg
;
605 wpa_printf(MSG_DEBUG
, "EAP-AKA: Generating Notification");
606 msg
= eap_sim_msg_init(EAP_CODE_REQUEST
, id
, data
->eap_method
,
607 EAP_AKA_SUBTYPE_NOTIFICATION
);
608 wpa_printf(MSG_DEBUG
, " AT_NOTIFICATION (%d)", data
->notification
);
609 eap_sim_msg_add(msg
, EAP_SIM_AT_NOTIFICATION
, data
->notification
,
611 if (data
->use_result_ind
) {
613 wpa_printf(MSG_DEBUG
, " AT_IV");
614 wpa_printf(MSG_DEBUG
, " AT_ENCR_DATA");
615 eap_sim_msg_add_encr_start(msg
, EAP_SIM_AT_IV
,
616 EAP_SIM_AT_ENCR_DATA
);
617 wpa_printf(MSG_DEBUG
, " *AT_COUNTER (%u)",
619 eap_sim_msg_add(msg
, EAP_SIM_AT_COUNTER
, data
->counter
,
622 if (eap_sim_msg_add_encr_end(msg
, data
->k_encr
,
623 EAP_SIM_AT_PADDING
)) {
624 wpa_printf(MSG_WARNING
, "EAP-AKA: Failed to "
625 "encrypt AT_ENCR_DATA");
626 eap_sim_msg_free(msg
);
631 wpa_printf(MSG_DEBUG
, " AT_MAC");
632 eap_sim_msg_add_mac(msg
, EAP_SIM_AT_MAC
);
634 return eap_sim_msg_finish(msg
, data
->eap_method
, data
->k_aut
, NULL
, 0);
638 static struct wpabuf
* eap_aka_buildReq(struct eap_sm
*sm
, void *priv
, u8 id
)
640 struct eap_aka_data
*data
= priv
;
642 data
->auts_reported
= 0;
643 switch (data
->state
) {
645 return eap_aka_build_identity(sm
, data
, id
);
647 return eap_aka_build_challenge(sm
, data
, id
);
649 return eap_aka_build_reauth(sm
, data
, id
);
651 return eap_aka_build_notification(sm
, data
, id
);
653 wpa_printf(MSG_DEBUG
, "EAP-AKA: Unknown state %d in "
654 "buildReq", data
->state
);
661 static Boolean
eap_aka_check(struct eap_sm
*sm
, void *priv
,
662 struct wpabuf
*respData
)
664 struct eap_aka_data
*data
= priv
;
668 pos
= eap_hdr_validate(EAP_VENDOR_IETF
, data
->eap_method
, respData
,
670 if (pos
== NULL
|| len
< 3) {
671 wpa_printf(MSG_INFO
, "EAP-AKA: Invalid frame");
679 static Boolean
eap_aka_subtype_ok(struct eap_aka_data
*data
, u8 subtype
)
681 if (subtype
== EAP_AKA_SUBTYPE_CLIENT_ERROR
||
682 subtype
== EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT
)
685 switch (data
->state
) {
687 if (subtype
!= EAP_AKA_SUBTYPE_IDENTITY
) {
688 wpa_printf(MSG_INFO
, "EAP-AKA: Unexpected response "
689 "subtype %d", subtype
);
694 if (subtype
!= EAP_AKA_SUBTYPE_CHALLENGE
&&
695 subtype
!= EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE
) {
696 wpa_printf(MSG_INFO
, "EAP-AKA: Unexpected response "
697 "subtype %d", subtype
);
702 if (subtype
!= EAP_AKA_SUBTYPE_REAUTHENTICATION
) {
703 wpa_printf(MSG_INFO
, "EAP-AKA: Unexpected response "
704 "subtype %d", subtype
);
709 if (subtype
!= EAP_AKA_SUBTYPE_NOTIFICATION
) {
710 wpa_printf(MSG_INFO
, "EAP-AKA: Unexpected response "
711 "subtype %d", subtype
);
716 wpa_printf(MSG_INFO
, "EAP-AKA: Unexpected state (%d) for "
717 "processing a response", data
->state
);
725 static void eap_aka_determine_identity(struct eap_sm
*sm
,
726 struct eap_aka_data
*data
)
730 wpa_hexdump_ascii(MSG_DEBUG
, "EAP-AKA: Identity",
731 sm
->identity
, sm
->identity_len
);
733 username
= sim_get_username(sm
->identity
, sm
->identity_len
);
734 if (username
== NULL
) {
735 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
736 eap_aka_state(data
, NOTIFICATION
);
740 if (eap_aka_check_identity_reauth(sm
, data
, username
) > 0) {
745 if (((data
->eap_method
== EAP_TYPE_AKA_PRIME
&&
746 username
[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX
) ||
747 (data
->eap_method
== EAP_TYPE_AKA
&&
748 username
[0] == EAP_AKA_REAUTH_ID_PREFIX
)) &&
749 data
->identity_round
== 1) {
750 /* Remain in IDENTITY state for another round to request full
751 * auth identity since we did not recognize reauth id */
756 if ((data
->eap_method
== EAP_TYPE_AKA_PRIME
&&
757 username
[0] == EAP_AKA_PRIME_PSEUDONYM_PREFIX
) ||
758 (data
->eap_method
== EAP_TYPE_AKA
&&
759 username
[0] == EAP_AKA_PSEUDONYM_PREFIX
)) {
760 const char *permanent
;
761 wpa_printf(MSG_DEBUG
, "EAP-AKA: Pseudonym username '%s'",
763 permanent
= eap_sim_db_get_permanent(
764 sm
->eap_sim_db_priv
, username
);
766 if (permanent
== NULL
) {
767 wpa_printf(MSG_DEBUG
, "EAP-AKA: Unknown pseudonym "
768 "identity - request permanent identity");
769 /* Remain in IDENTITY state for another round */
772 os_strlcpy(data
->permanent
, permanent
,
773 sizeof(data
->permanent
));
774 } else if ((data
->eap_method
== EAP_TYPE_AKA_PRIME
&&
775 username
[0] == EAP_AKA_PRIME_PERMANENT_PREFIX
) ||
776 (data
->eap_method
== EAP_TYPE_AKA
&&
777 username
[0] == EAP_AKA_PERMANENT_PREFIX
)) {
778 wpa_printf(MSG_DEBUG
, "EAP-AKA: Permanent username '%s'",
780 os_strlcpy(data
->permanent
, username
, sizeof(data
->permanent
));
783 wpa_printf(MSG_DEBUG
, "EAP-AKA: Unrecognized username '%s'",
786 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
787 eap_aka_state(data
, NOTIFICATION
);
791 eap_aka_fullauth(sm
, data
);
795 static void eap_aka_fullauth(struct eap_sm
*sm
, struct eap_aka_data
*data
)
800 res
= eap_sim_db_get_aka_auth(sm
->eap_sim_db_priv
, data
->permanent
,
801 data
->rand
, data
->autn
, data
->ik
,
802 data
->ck
, data
->res
, &data
->res_len
, sm
);
803 if (res
== EAP_SIM_DB_PENDING
) {
804 wpa_printf(MSG_DEBUG
, "EAP-AKA: AKA authentication data "
805 "not yet available - pending request");
806 sm
->method_pending
= METHOD_PENDING_WAIT
;
810 if (data
->permanent
[0] == EAP_AKA_PERMANENT_PREFIX
||
811 data
->permanent
[0] == EAP_AKA_PRIME_PERMANENT_PREFIX
)
812 os_strlcpy(sm
->imsi
, &data
->permanent
[1], sizeof(sm
->imsi
));
814 #ifdef EAP_SERVER_AKA_PRIME
815 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
) {
816 /* Note: AUTN = (SQN ^ AK) || AMF || MAC which gives us the
817 * needed 6-octet SQN ^AK for CK',IK' derivation */
818 eap_aka_prime_derive_ck_ik_prime(data
->ck
, data
->ik
,
821 data
->network_name_len
);
823 #endif /* EAP_SERVER_AKA_PRIME */
826 data
->counter
= 0; /* reset re-auth counter since this is full auth */
829 wpa_printf(MSG_INFO
, "EAP-AKA: Failed to get AKA "
830 "authentication data for the peer");
831 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
832 eap_aka_state(data
, NOTIFICATION
);
835 if (sm
->method_pending
== METHOD_PENDING_WAIT
) {
836 wpa_printf(MSG_DEBUG
, "EAP-AKA: AKA authentication data "
837 "available - abort pending wait");
838 sm
->method_pending
= METHOD_PENDING_NONE
;
841 identity_len
= sm
->identity_len
;
842 while (identity_len
> 0 && sm
->identity
[identity_len
- 1] == '\0') {
843 wpa_printf(MSG_DEBUG
, "EAP-AKA: Workaround - drop last null "
844 "character from identity");
847 wpa_hexdump_ascii(MSG_DEBUG
, "EAP-AKA: Identity for MK derivation",
848 sm
->identity
, identity_len
);
850 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
) {
851 eap_aka_prime_derive_keys(sm
->identity
, identity_len
, data
->ik
,
852 data
->ck
, data
->k_encr
, data
->k_aut
,
853 data
->k_re
, data
->msk
, data
->emsk
);
855 eap_aka_derive_mk(sm
->identity
, identity_len
, data
->ik
,
857 eap_sim_derive_keys(data
->mk
, data
->k_encr
, data
->k_aut
,
858 data
->msk
, data
->emsk
);
861 eap_aka_state(data
, CHALLENGE
);
865 static void eap_aka_process_identity(struct eap_sm
*sm
,
866 struct eap_aka_data
*data
,
867 struct wpabuf
*respData
,
868 struct eap_sim_attrs
*attr
)
872 wpa_printf(MSG_DEBUG
, "EAP-AKA: Processing Identity");
874 if (attr
->mac
|| attr
->iv
|| attr
->encr_data
) {
875 wpa_printf(MSG_WARNING
, "EAP-AKA: Unexpected attribute "
876 "received in EAP-Response/AKA-Identity");
877 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
878 eap_aka_state(data
, NOTIFICATION
);
883 * We always request identity with AKA/Identity, so the peer is
884 * required to have replied with one.
886 if (!attr
->identity
|| attr
->identity_len
== 0) {
887 wpa_printf(MSG_DEBUG
, "EAP-AKA: Peer did not provide any "
889 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
890 eap_aka_state(data
, NOTIFICATION
);
894 new_identity
= os_malloc(attr
->identity_len
);
895 if (new_identity
== NULL
) {
896 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
897 eap_aka_state(data
, NOTIFICATION
);
900 os_free(sm
->identity
);
901 sm
->identity
= new_identity
;
902 os_memcpy(sm
->identity
, attr
->identity
, attr
->identity_len
);
903 sm
->identity_len
= attr
->identity_len
;
905 eap_aka_determine_identity(sm
, data
);
906 if (eap_get_id(respData
) == data
->pending_id
) {
907 data
->pending_id
= -1;
908 eap_aka_add_id_msg(data
, respData
);
913 static int eap_aka_verify_mac(struct eap_aka_data
*data
,
914 const struct wpabuf
*req
,
915 const u8
*mac
, const u8
*extra
,
918 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
)
919 return eap_sim_verify_mac_sha256(data
->k_aut
, req
, mac
, extra
,
921 return eap_sim_verify_mac(data
->k_aut
, req
, mac
, extra
, extra_len
);
925 static void eap_aka_process_challenge(struct eap_sm
*sm
,
926 struct eap_aka_data
*data
,
927 struct wpabuf
*respData
,
928 struct eap_sim_attrs
*attr
)
930 wpa_printf(MSG_DEBUG
, "EAP-AKA: Processing Challenge");
932 #ifdef EAP_SERVER_AKA_PRIME
934 /* KDF negotiation; to be enabled only after more than one KDF is
936 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
&&
937 attr
->kdf_count
== 1 && attr
->mac
== NULL
) {
938 if (attr
->kdf
[0] != EAP_AKA_PRIME_KDF
) {
939 wpa_printf(MSG_WARNING
, "EAP-AKA': Peer selected "
942 EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
943 eap_aka_state(data
, NOTIFICATION
);
947 data
->kdf
= attr
->kdf
[0];
949 /* Allow negotiation to continue with the selected KDF by
950 * sending another Challenge message */
951 wpa_printf(MSG_DEBUG
, "EAP-AKA': KDF %d selected", data
->kdf
);
955 #endif /* EAP_SERVER_AKA_PRIME */
957 if (attr
->checkcode
&&
958 eap_aka_verify_checkcode(data
, attr
->checkcode
,
959 attr
->checkcode_len
)) {
960 wpa_printf(MSG_WARNING
, "EAP-AKA: Invalid AT_CHECKCODE in the "
962 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
963 eap_aka_state(data
, NOTIFICATION
);
966 if (attr
->mac
== NULL
||
967 eap_aka_verify_mac(data
, respData
, attr
->mac
, NULL
, 0)) {
968 wpa_printf(MSG_WARNING
, "EAP-AKA: Challenge message "
969 "did not include valid AT_MAC");
970 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
971 eap_aka_state(data
, NOTIFICATION
);
976 * AT_RES is padded, so verify that there is enough room for RES and
977 * that the RES length in bits matches with the expected RES.
979 if (attr
->res
== NULL
|| attr
->res_len
< data
->res_len
||
980 attr
->res_len_bits
!= data
->res_len
* 8 ||
981 os_memcmp_const(attr
->res
, data
->res
, data
->res_len
) != 0) {
982 wpa_printf(MSG_WARNING
, "EAP-AKA: Challenge message did not "
983 "include valid AT_RES (attr len=%lu, res len=%lu "
984 "bits, expected %lu bits)",
985 (unsigned long) attr
->res_len
,
986 (unsigned long) attr
->res_len_bits
,
987 (unsigned long) data
->res_len
* 8);
988 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
989 eap_aka_state(data
, NOTIFICATION
);
993 wpa_printf(MSG_DEBUG
, "EAP-AKA: Challenge response includes the "
995 if (sm
->eap_sim_aka_result_ind
&& attr
->result_ind
) {
996 data
->use_result_ind
= 1;
997 data
->notification
= EAP_SIM_SUCCESS
;
998 eap_aka_state(data
, NOTIFICATION
);
1000 eap_aka_state(data
, SUCCESS
);
1002 if (data
->next_pseudonym
) {
1003 eap_sim_db_add_pseudonym(sm
->eap_sim_db_priv
, data
->permanent
,
1004 data
->next_pseudonym
);
1005 data
->next_pseudonym
= NULL
;
1007 if (data
->next_reauth_id
) {
1008 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
) {
1009 #ifdef EAP_SERVER_AKA_PRIME
1010 eap_sim_db_add_reauth_prime(sm
->eap_sim_db_priv
,
1012 data
->next_reauth_id
,
1014 data
->k_encr
, data
->k_aut
,
1016 #endif /* EAP_SERVER_AKA_PRIME */
1018 eap_sim_db_add_reauth(sm
->eap_sim_db_priv
,
1020 data
->next_reauth_id
,
1024 data
->next_reauth_id
= NULL
;
1029 static void eap_aka_process_sync_failure(struct eap_sm
*sm
,
1030 struct eap_aka_data
*data
,
1031 struct wpabuf
*respData
,
1032 struct eap_sim_attrs
*attr
)
1034 wpa_printf(MSG_DEBUG
, "EAP-AKA: Processing Synchronization-Failure");
1036 if (attr
->auts
== NULL
) {
1037 wpa_printf(MSG_WARNING
, "EAP-AKA: Synchronization-Failure "
1038 "message did not include valid AT_AUTS");
1039 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
1040 eap_aka_state(data
, NOTIFICATION
);
1044 /* Avoid re-reporting AUTS when processing pending EAP packet by
1045 * maintaining a local flag stating whether this AUTS has already been
1047 if (!data
->auts_reported
&&
1048 eap_sim_db_resynchronize(sm
->eap_sim_db_priv
, data
->permanent
,
1049 attr
->auts
, data
->rand
)) {
1050 wpa_printf(MSG_WARNING
, "EAP-AKA: Resynchronization failed");
1051 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
1052 eap_aka_state(data
, NOTIFICATION
);
1055 data
->auts_reported
= 1;
1057 /* Remain in CHALLENGE state to re-try after resynchronization */
1058 eap_aka_fullauth(sm
, data
);
1062 static void eap_aka_process_reauth(struct eap_sm
*sm
,
1063 struct eap_aka_data
*data
,
1064 struct wpabuf
*respData
,
1065 struct eap_sim_attrs
*attr
)
1067 struct eap_sim_attrs eattr
;
1068 u8
*decrypted
= NULL
;
1070 wpa_printf(MSG_DEBUG
, "EAP-AKA: Processing Reauthentication");
1072 if (attr
->mac
== NULL
||
1073 eap_aka_verify_mac(data
, respData
, attr
->mac
, data
->nonce_s
,
1074 EAP_SIM_NONCE_S_LEN
)) {
1075 wpa_printf(MSG_WARNING
, "EAP-AKA: Re-authentication message "
1076 "did not include valid AT_MAC");
1080 if (attr
->encr_data
== NULL
|| attr
->iv
== NULL
) {
1081 wpa_printf(MSG_WARNING
, "EAP-AKA: Reauthentication "
1082 "message did not include encrypted data");
1086 decrypted
= eap_sim_parse_encr(data
->k_encr
, attr
->encr_data
,
1087 attr
->encr_data_len
, attr
->iv
, &eattr
,
1089 if (decrypted
== NULL
) {
1090 wpa_printf(MSG_WARNING
, "EAP-AKA: Failed to parse encrypted "
1091 "data from reauthentication message");
1095 if (eattr
.counter
!= data
->counter
) {
1096 wpa_printf(MSG_WARNING
, "EAP-AKA: Re-authentication message "
1097 "used incorrect counter %u, expected %u",
1098 eattr
.counter
, data
->counter
);
1104 wpa_printf(MSG_DEBUG
, "EAP-AKA: Re-authentication response includes "
1105 "the correct AT_MAC");
1107 if (eattr
.counter_too_small
) {
1108 wpa_printf(MSG_DEBUG
, "EAP-AKA: Re-authentication response "
1109 "included AT_COUNTER_TOO_SMALL - starting full "
1111 eap_aka_fullauth(sm
, data
);
1115 if (sm
->eap_sim_aka_result_ind
&& attr
->result_ind
) {
1116 data
->use_result_ind
= 1;
1117 data
->notification
= EAP_SIM_SUCCESS
;
1118 eap_aka_state(data
, NOTIFICATION
);
1120 eap_aka_state(data
, SUCCESS
);
1122 if (data
->next_reauth_id
) {
1123 if (data
->eap_method
== EAP_TYPE_AKA_PRIME
) {
1124 #ifdef EAP_SERVER_AKA_PRIME
1125 eap_sim_db_add_reauth_prime(sm
->eap_sim_db_priv
,
1127 data
->next_reauth_id
,
1129 data
->k_encr
, data
->k_aut
,
1131 #endif /* EAP_SERVER_AKA_PRIME */
1133 eap_sim_db_add_reauth(sm
->eap_sim_db_priv
,
1135 data
->next_reauth_id
,
1139 data
->next_reauth_id
= NULL
;
1141 eap_sim_db_remove_reauth(sm
->eap_sim_db_priv
, data
->reauth
);
1142 data
->reauth
= NULL
;
1148 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
1149 eap_aka_state(data
, NOTIFICATION
);
1150 eap_sim_db_remove_reauth(sm
->eap_sim_db_priv
, data
->reauth
);
1151 data
->reauth
= NULL
;
1156 static void eap_aka_process_client_error(struct eap_sm
*sm
,
1157 struct eap_aka_data
*data
,
1158 struct wpabuf
*respData
,
1159 struct eap_sim_attrs
*attr
)
1161 wpa_printf(MSG_DEBUG
, "EAP-AKA: Client reported error %d",
1162 attr
->client_error_code
);
1163 if (data
->notification
== EAP_SIM_SUCCESS
&& data
->use_result_ind
)
1164 eap_aka_state(data
, SUCCESS
);
1166 eap_aka_state(data
, FAILURE
);
1170 static void eap_aka_process_authentication_reject(
1171 struct eap_sm
*sm
, struct eap_aka_data
*data
,
1172 struct wpabuf
*respData
, struct eap_sim_attrs
*attr
)
1174 wpa_printf(MSG_DEBUG
, "EAP-AKA: Client rejected authentication");
1175 eap_aka_state(data
, FAILURE
);
1179 static void eap_aka_process_notification(struct eap_sm
*sm
,
1180 struct eap_aka_data
*data
,
1181 struct wpabuf
*respData
,
1182 struct eap_sim_attrs
*attr
)
1184 wpa_printf(MSG_DEBUG
, "EAP-AKA: Client replied to notification");
1185 if (data
->notification
== EAP_SIM_SUCCESS
&& data
->use_result_ind
)
1186 eap_aka_state(data
, SUCCESS
);
1188 eap_aka_state(data
, FAILURE
);
1192 static void eap_aka_process(struct eap_sm
*sm
, void *priv
,
1193 struct wpabuf
*respData
)
1195 struct eap_aka_data
*data
= priv
;
1196 const u8
*pos
, *end
;
1199 struct eap_sim_attrs attr
;
1201 pos
= eap_hdr_validate(EAP_VENDOR_IETF
, data
->eap_method
, respData
,
1203 if (pos
== NULL
|| len
< 3)
1210 if (eap_aka_subtype_ok(data
, subtype
)) {
1211 wpa_printf(MSG_DEBUG
, "EAP-AKA: Unrecognized or unexpected "
1212 "EAP-AKA Subtype in EAP Response");
1213 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
1214 eap_aka_state(data
, NOTIFICATION
);
1218 if (eap_sim_parse_attr(pos
, end
, &attr
,
1219 data
->eap_method
== EAP_TYPE_AKA_PRIME
? 2 : 1,
1221 wpa_printf(MSG_DEBUG
, "EAP-AKA: Failed to parse attributes");
1222 data
->notification
= EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH
;
1223 eap_aka_state(data
, NOTIFICATION
);
1227 if (subtype
== EAP_AKA_SUBTYPE_CLIENT_ERROR
) {
1228 eap_aka_process_client_error(sm
, data
, respData
, &attr
);
1232 if (subtype
== EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT
) {
1233 eap_aka_process_authentication_reject(sm
, data
, respData
,
1238 switch (data
->state
) {
1240 eap_aka_process_identity(sm
, data
, respData
, &attr
);
1243 if (subtype
== EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE
) {
1244 eap_aka_process_sync_failure(sm
, data
, respData
,
1247 eap_aka_process_challenge(sm
, data
, respData
, &attr
);
1251 eap_aka_process_reauth(sm
, data
, respData
, &attr
);
1254 eap_aka_process_notification(sm
, data
, respData
, &attr
);
1257 wpa_printf(MSG_DEBUG
, "EAP-AKA: Unknown state %d in "
1258 "process", data
->state
);
1264 static Boolean
eap_aka_isDone(struct eap_sm
*sm
, void *priv
)
1266 struct eap_aka_data
*data
= priv
;
1267 return data
->state
== SUCCESS
|| data
->state
== FAILURE
;
1271 static u8
* eap_aka_getKey(struct eap_sm
*sm
, void *priv
, size_t *len
)
1273 struct eap_aka_data
*data
= priv
;
1276 if (data
->state
!= SUCCESS
)
1279 key
= os_memdup(data
->msk
, EAP_SIM_KEYING_DATA_LEN
);
1282 *len
= EAP_SIM_KEYING_DATA_LEN
;
1287 static u8
* eap_aka_get_emsk(struct eap_sm
*sm
, void *priv
, size_t *len
)
1289 struct eap_aka_data
*data
= priv
;
1292 if (data
->state
!= SUCCESS
)
1295 key
= os_memdup(data
->emsk
, EAP_EMSK_LEN
);
1298 *len
= EAP_EMSK_LEN
;
1303 static Boolean
eap_aka_isSuccess(struct eap_sm
*sm
, void *priv
)
1305 struct eap_aka_data
*data
= priv
;
1306 return data
->state
== SUCCESS
;
1310 static u8
* eap_aka_get_session_id(struct eap_sm
*sm
, void *priv
, size_t *len
)
1312 struct eap_aka_data
*data
= priv
;
1315 if (data
->state
!= SUCCESS
)
1319 *len
= 1 + EAP_AKA_RAND_LEN
+ EAP_AKA_AUTN_LEN
;
1321 *len
= 1 + EAP_SIM_NONCE_S_LEN
+ EAP_SIM_MAC_LEN
;
1322 id
= os_malloc(*len
);
1326 id
[0] = data
->eap_method
;
1327 if (!data
->reauth
) {
1328 os_memcpy(id
+ 1, data
->rand
, EAP_AKA_RAND_LEN
);
1329 os_memcpy(id
+ 1 + EAP_AKA_RAND_LEN
, data
->autn
,
1332 os_memcpy(id
+ 1, data
->nonce_s
, EAP_SIM_NONCE_S_LEN
);
1333 os_memcpy(id
+ 1 + EAP_SIM_NONCE_S_LEN
, data
->reauth_mac
,
1336 wpa_hexdump(MSG_DEBUG
, "EAP-AKA: Derived Session-Id", id
, *len
);
1342 int eap_server_aka_register(void)
1344 struct eap_method
*eap
;
1346 eap
= eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION
,
1347 EAP_VENDOR_IETF
, EAP_TYPE_AKA
, "AKA");
1351 eap
->init
= eap_aka_init
;
1352 eap
->reset
= eap_aka_reset
;
1353 eap
->buildReq
= eap_aka_buildReq
;
1354 eap
->check
= eap_aka_check
;
1355 eap
->process
= eap_aka_process
;
1356 eap
->isDone
= eap_aka_isDone
;
1357 eap
->getKey
= eap_aka_getKey
;
1358 eap
->isSuccess
= eap_aka_isSuccess
;
1359 eap
->get_emsk
= eap_aka_get_emsk
;
1360 eap
->getSessionId
= eap_aka_get_session_id
;
1362 return eap_server_method_register(eap
);
1366 #ifdef EAP_SERVER_AKA_PRIME
1367 int eap_server_aka_prime_register(void)
1369 struct eap_method
*eap
;
1371 eap
= eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION
,
1372 EAP_VENDOR_IETF
, EAP_TYPE_AKA_PRIME
,
1377 eap
->init
= eap_aka_prime_init
;
1378 eap
->reset
= eap_aka_reset
;
1379 eap
->buildReq
= eap_aka_buildReq
;
1380 eap
->check
= eap_aka_check
;
1381 eap
->process
= eap_aka_process
;
1382 eap
->isDone
= eap_aka_isDone
;
1383 eap
->getKey
= eap_aka_getKey
;
1384 eap
->isSuccess
= eap_aka_isSuccess
;
1385 eap
->get_emsk
= eap_aka_get_emsk
;
1386 eap
->getSessionId
= eap_aka_get_session_id
;
1388 return eap_server_method_register(eap
);
1390 #endif /* EAP_SERVER_AKA_PRIME */