Add a starting point for EAP-AKA' (draft-arkko-eap-aka-kdf-10)

This is just making an as-is copy of EAP-AKA server and peer
implementation into a new file and by using the different EAP method
type that is allocated for EAP-AKA' (50). None of the other differences
between EAP-AKA and EAP-AKA' are not yet included.

It is likely that once EAP-AKA' implementation is done and is found to
work correctly, large part of the EAP-AKA and EAP-AKA' code will be
shared. However, it is not reasonable to destabilize EAP-AKA
implementation at this point before it is clearer what the final
differences will be.

hostapd/Makefile

@@ -212,6 +212,12 @@ OBJS += ../src/eap_server/eap_aka.o
 CONFIG_EAP_SIM_COMMON=y
 endif
 
+ifdef CONFIG_EAP_AKA_PRIME
+CFLAGS += -DEAP_AKA_PRIME
+OBJS += ../src/eap_server/eap_aka_prime.o
+CONFIG_EAP_SIM_COMMON=y
+endif
+
 ifdef CONFIG_EAP_SIM_COMMON
 OBJS += ../src/eap_common/eap_sim_common.o
 # Example EAP-SIM/AKA interface for GSM/UMTS authentication. This can be

src/eap_common/eap_defs.h

@@ -66,6 +66,7 @@ typedef enum {
 	EAP_TYPE_PSK = 47 /* RFC 4764 */,
 	EAP_TYPE_SAKE = 48 /* RFC 4763 */,
 	EAP_TYPE_IKEV2 = 49 /* RFC 5106 */,
+	EAP_TYPE_AKA_PRIME = 50 /* draft-arkko-eap-aka-kdf-10.txt */,
 	EAP_TYPE_EXPANDED = 254 /* RFC 3748 */,
 	EAP_TYPE_GPSK = 255 /* EXPERIMENTAL - type not yet allocated
 			     * draft-ietf-emu-eap-gpsk-01.txt */

src/eap_peer/eap_aka_prime.c

@@ -0,0 +1,1156 @@
+/*
+ * EAP peer method: EAP-AKA' (draft-arkko-eap-aka-kdf-10.txt)
+ * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Alternatively, this software may be distributed under the terms of BSD
+ * license.
+ *
+ * See README and COPYING for more details.
+ */
+
+#include "includes.h"
+
+#include "common.h"
+#include "eap_peer/eap_i.h"
+#include "pcsc_funcs.h"
+#include "eap_common/eap_sim_common.h"
+#include "sha1.h"
+#include "crypto.h"
+#include "eap_peer/eap_config.h"
+#ifdef CONFIG_USIM_SIMULATOR
+#include "hlr_auc_gw/milenage.h"
+#endif /* CONFIG_USIM_SIMULATOR */
+
+
+struct eap_aka_data {
+	u8 ik[EAP_AKA_IK_LEN], ck[EAP_AKA_CK_LEN], res[EAP_AKA_RES_MAX_LEN];
+	size_t res_len;
+	u8 nonce_s[EAP_SIM_NONCE_S_LEN];
+	u8 mk[EAP_SIM_MK_LEN];
+	u8 k_aut[EAP_SIM_K_AUT_LEN];
+	u8 k_encr[EAP_SIM_K_ENCR_LEN];
+	u8 msk[EAP_SIM_KEYING_DATA_LEN];
+	u8 emsk[EAP_EMSK_LEN];
+	u8 rand[EAP_AKA_RAND_LEN], autn[EAP_AKA_AUTN_LEN];
+	u8 auts[EAP_AKA_AUTS_LEN];
+
+	int num_id_req, num_notification;
+	u8 *pseudonym;
+	size_t pseudonym_len;
+	u8 *reauth_id;
+	size_t reauth_id_len;
+	int reauth;
+	unsigned int counter, counter_too_small;
+	u8 *last_eap_identity;
+	size_t last_eap_identity_len;
+	enum {
+		CONTINUE, RESULT_SUCCESS, RESULT_FAILURE, SUCCESS, FAILURE
+	} state;
+
+	struct wpabuf *id_msgs;
+	int prev_id;
+	int result_ind, use_result_ind;
+};
+
+
+#ifndef CONFIG_NO_STDOUT_DEBUG
+static const char * eap_aka_state_txt(int state)
+{
+	switch (state) {
+	case CONTINUE:
+		return "CONTINUE";
+	case RESULT_SUCCESS:
+		return "RESULT_SUCCESS";
+	case RESULT_FAILURE:
+		return "RESULT_FAILURE";
+	case SUCCESS:
+		return "SUCCESS";
+	case FAILURE:
+		return "FAILURE";
+	default:
+		return "?";
+	}
+}
+#endif /* CONFIG_NO_STDOUT_DEBUG */
+
+
+static void eap_aka_state(struct eap_aka_data *data, int state)
+{
+	wpa_printf(MSG_DEBUG, "EAP-AKA: %s -> %s",
+		   eap_aka_state_txt(data->state),
+		   eap_aka_state_txt(state));
+	data->state = state;
+}
+
+
+static void * eap_aka_init(struct eap_sm *sm)
+{
+	struct eap_aka_data *data;
+	const char *phase1 = eap_get_config_phase1(sm);
+
+	data = os_zalloc(sizeof(*data));
+	if (data == NULL)
+		return NULL;
+
+	eap_aka_state(data, CONTINUE);
+	data->prev_id = -1;
+
+	data->result_ind = phase1 && os_strstr(phase1, "result_ind=1") != NULL;
+
+	return data;
+}
+
+
+static void eap_aka_deinit(struct eap_sm *sm, void *priv)
+{
+	struct eap_aka_data *data = priv;
+	if (data) {
+		os_free(data->pseudonym);
+		os_free(data->reauth_id);
+		os_free(data->last_eap_identity);
+		wpabuf_free(data->id_msgs);
+		os_free(data);
+	}
+}
+
+
+static int eap_aka_umts_auth(struct eap_sm *sm, struct eap_aka_data *data)
+{
+	struct eap_peer_config *conf;
+
+	wpa_printf(MSG_DEBUG, "EAP-AKA: UMTS authentication algorithm");
+
+	conf = eap_get_config(sm);
+	if (conf == NULL)
+		return -1;
+	if (conf->pcsc) {
+		return scard_umts_auth(sm->scard_ctx, data->rand,
+				       data->autn, data->res, &data->res_len,
+				       data->ik, data->ck, data->auts);
+	}
+
+#ifdef CONFIG_USIM_SIMULATOR
+	if (conf->password) {
+		u8 opc[16], k[16], sqn[6];
+		const char *pos;
+		wpa_printf(MSG_DEBUG, "EAP-AKA: Use internal Milenage "
+			   "implementation for UMTS authentication");
+		if (conf->password_len < 78) {
+			wpa_printf(MSG_DEBUG, "EAP-AKA: invalid Milenage "
+				   "password");
+			return -1;
+		}
+		pos = (const char *) conf->password;
+		if (hexstr2bin(pos, k, 16))
+			return -1;
+		pos += 32;
+		if (*pos != ':')
+			return -1;
+		pos++;
+
+		if (hexstr2bin(pos, opc, 16))
+			return -1;
+		pos += 32;
+		if (*pos != ':')
+			return -1;
+		pos++;
+
+		if (hexstr2bin(pos, sqn, 6))
+			return -1;
+
+		return milenage_check(opc, k, sqn, data->rand, data->autn,
+				      data->ik, data->ck,
+				      data->res, &data->res_len, data->auts);
+	}
+#endif /* CONFIG_USIM_SIMULATOR */
+
+#ifdef CONFIG_USIM_HARDCODED
+	wpa_printf(MSG_DEBUG, "EAP-AKA: Use hardcoded Kc and SRES values for "
+		   "testing");
+
+	/* These hardcoded Kc and SRES values are used for testing.
+	 * Could consider making them configurable. */
+	os_memset(data->res, '2', EAP_AKA_RES_MAX_LEN);
+	data->res_len = EAP_AKA_RES_MAX_LEN;
+	os_memset(data->ik, '3', EAP_AKA_IK_LEN);
+	os_memset(data->ck, '4', EAP_AKA_CK_LEN);
+	{
+		u8 autn[EAP_AKA_AUTN_LEN];
+		os_memset(autn, '1', EAP_AKA_AUTN_LEN);
+		if (os_memcmp(autn, data->autn, EAP_AKA_AUTN_LEN) != 0) {
+			wpa_printf(MSG_WARNING, "EAP-AKA: AUTN did not match "
+				   "with expected value");
+			return -1;
+		}
+	}
+#if 0
+	{
+		static int test_resync = 1;
+		if (test_resync) {
+			/* Test Resynchronization */
+			test_resync = 0;
+			return -2;
+		}
+	}
+#endif
+	return 0;
+
+#else /* CONFIG_USIM_HARDCODED */
+
+	wpa_printf(MSG_DEBUG, "EAP-AKA: No UMTS authentication algorith "
+		   "enabled");
+	return -1;
+
+#endif /* CONFIG_USIM_HARDCODED */
+}
+
+
+#define CLEAR_PSEUDONYM	0x01
+#define CLEAR_REAUTH_ID	0x02
+#define CLEAR_EAP_ID	0x04
+
+static void eap_aka_clear_identities(struct eap_aka_data *data, int id)
+{
+	wpa_printf(MSG_DEBUG, "EAP-AKA: forgetting old%s%s%s",
+		   id & CLEAR_PSEUDONYM ? " pseudonym" : "",
+		   id & CLEAR_REAUTH_ID ? " reauth_id" : "",
+		   id & CLEAR_EAP_ID ? " eap_id" : "");
+	if (id & CLEAR_PSEUDONYM) {
+		os_free(data->pseudonym);
+		data->pseudonym = NULL;
+		data->pseudonym_len = 0;
+	}
+	if (id & CLEAR_REAUTH_ID) {
+		os_free(data->reauth_id);
+		data->reauth_id = NULL;
+		data->reauth_id_len = 0;
+	}
+	if (id & CLEAR_EAP_ID) {
+		os_free(data->last_eap_identity);
+		data->last_eap_identity = NULL;
+		data->last_eap_identity_len = 0;
+	}
+}
+
+
+static int eap_aka_learn_ids(struct eap_aka_data *data,
+			     struct eap_sim_attrs *attr)
+{
+	if (attr->next_pseudonym) {
+		os_free(data->pseudonym);
+		data->pseudonym = os_malloc(attr->next_pseudonym_len);
+		if (data->pseudonym == NULL) {
+			wpa_printf(MSG_INFO, "EAP-AKA: (encr) No memory for "
+				   "next pseudonym");
+			return -1;
+		}
+		os_memcpy(data->pseudonym, attr->next_pseudonym,
+			  attr->next_pseudonym_len);
+		data->pseudonym_len = attr->next_pseudonym_len;
+		wpa_hexdump_ascii(MSG_DEBUG,
+				  "EAP-AKA: (encr) AT_NEXT_PSEUDONYM",
+				  data->pseudonym,
+				  data->pseudonym_len);
+	}
+
+	if (attr->next_reauth_id) {
+		os_free(data->reauth_id);
+		data->reauth_id = os_malloc(attr->next_reauth_id_len);
+		if (data->reauth_id == NULL) {
+			wpa_printf(MSG_INFO, "EAP-AKA: (encr) No memory for "
+				   "next reauth_id");
+			return -1;
+		}
+		os_memcpy(data->reauth_id, attr->next_reauth_id,
+			  attr->next_reauth_id_len);
+		data->reauth_id_len = attr->next_reauth_id_len;
+		wpa_hexdump_ascii(MSG_DEBUG,
+				  "EAP-AKA: (encr) AT_NEXT_REAUTH_ID",
+				  data->reauth_id,
+				  data->reauth_id_len);
+	}
+
+	return 0;
+}
+
+
+static int eap_aka_add_id_msg(struct eap_aka_data *data,
+			      const struct wpabuf *msg)
+{
+	if (msg == NULL)
+		return -1;
+
+	if (data->id_msgs == NULL) {
+		data->id_msgs = wpabuf_dup(msg);
+		return data->id_msgs == NULL ? -1 : 0;
+	}
+
+	if (wpabuf_resize(&data->id_msgs, wpabuf_len(msg)) < 0)
+		return -1;
+	wpabuf_put_buf(data->id_msgs, msg);
+
+	return 0;
+}
+
+
+static void eap_aka_add_checkcode(struct eap_aka_data *data,
+				  struct eap_sim_msg *msg)
+{
+	const u8 *addr;
+	size_t len;
+	u8 hash[SHA1_MAC_LEN];
+
+	wpa_printf(MSG_DEBUG, "   AT_CHECKCODE");
+
+	if (data->id_msgs == NULL) {
+		/*
+		 * No EAP-AKA/Identity packets were exchanged - send empty
+		 * checkcode.
+		 */
+		eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, NULL, 0);
+		return;
+	}
+
+	/* Checkcode is SHA1 hash over all EAP-AKA/Identity packets. */
+	addr = wpabuf_head(data->id_msgs);
+	len = wpabuf_len(data->id_msgs);
+	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA: AT_CHECKCODE data", addr, len);
+	sha1_vector(1, &addr, &len, hash);
+
+	eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, hash,
+			EAP_AKA_CHECKCODE_LEN);
+}
+
+
+static int eap_aka_verify_checkcode(struct eap_aka_data *data,
+				    const u8 *checkcode, size_t checkcode_len)
+{
+	const u8 *addr;
+	size_t len;
+	u8 hash[SHA1_MAC_LEN];
+
+	if (checkcode == NULL)
+		return -1;
+
+	if (data->id_msgs == NULL) {
+		if (checkcode_len != 0) {
+			wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from server "
+				   "indicates that AKA/Identity messages were "
+				   "used, but they were not");
+			return -1;
+		}
+		return 0;
+	}
+
+	if (checkcode_len != EAP_AKA_CHECKCODE_LEN) {
+		wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from server "
+			   "indicates that AKA/Identity message were not "
+			   "used, but they were");
+		return -1;
+	}
+
+	/* Checkcode is SHA1 hash over all EAP-AKA/Identity packets. */
+	addr = wpabuf_head(data->id_msgs);
+	len = wpabuf_len(data->id_msgs);
+	sha1_vector(1, &addr, &len, hash);
+
+	if (os_memcmp(hash, checkcode, EAP_AKA_CHECKCODE_LEN) != 0) {
+		wpa_printf(MSG_DEBUG, "EAP-AKA: Mismatch in AT_CHECKCODE");
+		return -1;
+	}
+
+	return 0;
+}
+
+
+static struct wpabuf * eap_aka_client_error(struct eap_aka_data *data, u8 id,
+					    int err)
+{
+	struct eap_sim_msg *msg;
+
+	eap_aka_state(data, FAILURE);
+	data->num_id_req = 0;
+	data->num_notification = 0;
+
+	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, EAP_TYPE_AKA_PRIME,
+			       EAP_AKA_SUBTYPE_CLIENT_ERROR);
+	eap_sim_msg_add(msg, EAP_SIM_AT_CLIENT_ERROR_CODE, err, NULL, 0);
+	return eap_sim_msg_finish(msg, NULL, NULL, 0);
+}
+
+
+static struct wpabuf * eap_aka_authentication_reject(struct eap_aka_data *data,
+						     u8 id)
+{
+	struct eap_sim_msg *msg;
+
+	eap_aka_state(data, FAILURE);
+	data->num_id_req = 0;
+	data->num_notification = 0;
+
+	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Authentication-Reject "
+		   "(id=%d)", id);
+	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, EAP_TYPE_AKA_PRIME,
+			       EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT);
+	return eap_sim_msg_finish(msg, NULL, NULL, 0);
+}
+
+
+static struct wpabuf * eap_aka_synchronization_failure(
+	struct eap_aka_data *data, u8 id)
+{
+	struct eap_sim_msg *msg;
+
+	data->num_id_req = 0;
+	data->num_notification = 0;
+
+	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Synchronization-Failure "
+		   "(id=%d)", id);
+	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, EAP_TYPE_AKA_PRIME,
+			       EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE);
+	wpa_printf(MSG_DEBUG, "   AT_AUTS");
+	eap_sim_msg_add_full(msg, EAP_SIM_AT_AUTS, data->auts,
+			     EAP_AKA_AUTS_LEN);
+	return eap_sim_msg_finish(msg, NULL, NULL, 0);
+}
+
+
+static struct wpabuf * eap_aka_response_identity(struct eap_sm *sm,
+						 struct eap_aka_data *data,
+						 u8 id,
+						 enum eap_sim_id_req id_req)
+{
+	const u8 *identity = NULL;
+	size_t identity_len = 0;
+	struct eap_sim_msg *msg;
+
+	data->reauth = 0;
+	if (id_req == ANY_ID && data->reauth_id) {
+		identity = data->reauth_id;
+		identity_len = data->reauth_id_len;
+		data->reauth = 1;
+	} else if ((id_req == ANY_ID || id_req == FULLAUTH_ID) &&
+		   data->pseudonym) {
+		identity = data->pseudonym;
+		identity_len = data->pseudonym_len;
+		eap_aka_clear_identities(data, CLEAR_REAUTH_ID);
+	} else if (id_req != NO_ID_REQ) {
+		identity = eap_get_config_identity(sm, &identity_len);
+		if (identity) {
+			eap_aka_clear_identities(data, CLEAR_PSEUDONYM |
+						 CLEAR_REAUTH_ID);
+		}
+	}
+	if (id_req != NO_ID_REQ)
+		eap_aka_clear_identities(data, CLEAR_EAP_ID);
+
+	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Identity (id=%d)", id);
+	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, EAP_TYPE_AKA_PRIME,
+			       EAP_AKA_SUBTYPE_IDENTITY);
+
+	if (identity) {
+		wpa_hexdump_ascii(MSG_DEBUG, "   AT_IDENTITY",
+				  identity, identity_len);
+		eap_sim_msg_add(msg, EAP_SIM_AT_IDENTITY, identity_len,
+				identity, identity_len);
+	}
+
+	return eap_sim_msg_finish(msg, NULL, NULL, 0);
+}
+
+
+static struct wpabuf * eap_aka_response_challenge(struct eap_aka_data *data,
+						  u8 id)
+{
+	struct eap_sim_msg *msg;
+
+	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Challenge (id=%d)", id);
+	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, EAP_TYPE_AKA_PRIME,
+			       EAP_AKA_SUBTYPE_CHALLENGE);
+	wpa_printf(MSG_DEBUG, "   AT_RES");
+	eap_sim_msg_add(msg, EAP_SIM_AT_RES, data->res_len * 8,
+			data->res, data->res_len);
+	eap_aka_add_checkcode(data, msg);
+	if (data->use_result_ind) {
+		wpa_printf(MSG_DEBUG, "   AT_RESULT_IND");
+		eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
+	}
+	wpa_printf(MSG_DEBUG, "   AT_MAC");
+	eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
+	return eap_sim_msg_finish(msg, data->k_aut, (u8 *) "", 0);
+}
+
+
+static struct wpabuf * eap_aka_response_reauth(struct eap_aka_data *data,
+					       u8 id, int counter_too_small,
+					       const u8 *nonce_s)
+{
+	struct eap_sim_msg *msg;
+	unsigned int counter;
+
+	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Reauthentication (id=%d)",
+		   id);
+	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, EAP_TYPE_AKA_PRIME,
+			       EAP_AKA_SUBTYPE_REAUTHENTICATION);
+	wpa_printf(MSG_DEBUG, "   AT_IV");
+	wpa_printf(MSG_DEBUG, "   AT_ENCR_DATA");
+	eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV, EAP_SIM_AT_ENCR_DATA);
+
+	if (counter_too_small) {
+		wpa_printf(MSG_DEBUG, "   *AT_COUNTER_TOO_SMALL");
+		eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER_TOO_SMALL, 0, NULL, 0);
+		counter = data->counter_too_small;
+	} else
+		counter = data->counter;
+
+	wpa_printf(MSG_DEBUG, "   *AT_COUNTER %d", counter);
+	eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, counter, NULL, 0);
+
+	if (eap_sim_msg_add_encr_end(msg, data->k_encr, EAP_SIM_AT_PADDING)) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Failed to encrypt "
+			   "AT_ENCR_DATA");
+		eap_sim_msg_free(msg);
+		return NULL;
+	}
+	eap_aka_add_checkcode(data, msg);
+	if (data->use_result_ind) {
+		wpa_printf(MSG_DEBUG, "   AT_RESULT_IND");
+		eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
+	}
+	wpa_printf(MSG_DEBUG, "   AT_MAC");
+	eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
+	return eap_sim_msg_finish(msg, data->k_aut, nonce_s,
+				  EAP_SIM_NONCE_S_LEN);
+}
+
+
+static struct wpabuf * eap_aka_response_notification(struct eap_aka_data *data,
+						     u8 id, u16 notification)
+{
+	struct eap_sim_msg *msg;
+	u8 *k_aut = (notification & 0x4000) == 0 ? data->k_aut : NULL;
+
+	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Notification (id=%d)", id);
+	msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, EAP_TYPE_AKA_PRIME,
+			       EAP_AKA_SUBTYPE_NOTIFICATION);
+	if (k_aut && data->reauth) {
+		wpa_printf(MSG_DEBUG, "   AT_IV");
+		wpa_printf(MSG_DEBUG, "   AT_ENCR_DATA");
+		eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV,
+					   EAP_SIM_AT_ENCR_DATA);
+		wpa_printf(MSG_DEBUG, "   *AT_COUNTER %d", data->counter);
+		eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, data->counter,
+				NULL, 0);
+		if (eap_sim_msg_add_encr_end(msg, data->k_encr,
+					     EAP_SIM_AT_PADDING)) {
+			wpa_printf(MSG_WARNING, "EAP-AKA: Failed to encrypt "
+				   "AT_ENCR_DATA");
+			eap_sim_msg_free(msg);
+			return NULL;
+		}
+	}
+	if (k_aut) {
+		wpa_printf(MSG_DEBUG, "   AT_MAC");
+		eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
+	}
+	return eap_sim_msg_finish(msg, k_aut, (u8 *) "", 0);
+}
+
+
+static struct wpabuf * eap_aka_process_identity(struct eap_sm *sm,
+						struct eap_aka_data *data,
+						u8 id,
+						const struct wpabuf *reqData,
+						struct eap_sim_attrs *attr)
+{
+	int id_error;
+	struct wpabuf *buf;
+
+	wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Identity");
+
+	id_error = 0;
+	switch (attr->id_req) {
+	case NO_ID_REQ:
+		break;
+	case ANY_ID:
+		if (data->num_id_req > 0)
+			id_error++;
+		data->num_id_req++;
+		break;
+	case FULLAUTH_ID:
+		if (data->num_id_req > 1)
+			id_error++;
+		data->num_id_req++;
+		break;
+	case PERMANENT_ID:
+		if (data->num_id_req > 2)
+			id_error++;
+		data->num_id_req++;
+		break;
+	}
+	if (id_error) {
+		wpa_printf(MSG_INFO, "EAP-AKA: Too many ID requests "
+			   "used within one authentication");
+		return eap_aka_client_error(data, id,
+					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+	}
+
+	buf = eap_aka_response_identity(sm, data, id, attr->id_req);
+
+	if (data->prev_id != id) {
+		eap_aka_add_id_msg(data, reqData);
+		eap_aka_add_id_msg(data, buf);
+		data->prev_id = id;
+	}
+
+	return buf;
+}
+
+
+static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm,
+						 struct eap_aka_data *data,
+						 u8 id,
+						 const struct wpabuf *reqData,
+						 struct eap_sim_attrs *attr)
+{
+	const u8 *identity;
+	size_t identity_len;
+	int res;
+	struct eap_sim_attrs eattr;
+
+	wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Challenge");
+
+	if (attr->checkcode &&
+	    eap_aka_verify_checkcode(data, attr->checkcode,
+				     attr->checkcode_len)) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the "
+			   "message");
+		return eap_aka_client_error(data, id,
+					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+	}
+
+	data->reauth = 0;
+	if (!attr->mac || !attr->rand || !attr->autn) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message "
+			   "did not include%s%s%s",
+			   !attr->mac ? " AT_MAC" : "",
+			   !attr->rand ? " AT_RAND" : "",
+			   !attr->autn ? " AT_AUTN" : "");
+		return eap_aka_client_error(data, id,
+					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+	}
+	os_memcpy(data->rand, attr->rand, EAP_AKA_RAND_LEN);
+	os_memcpy(data->autn, attr->autn, EAP_AKA_AUTN_LEN);
+
+	res = eap_aka_umts_auth(sm, data);
+	if (res == -1) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication "
+			   "failed (AUTN)");
+		return eap_aka_authentication_reject(data, id);
+	} else if (res == -2) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication "
+			   "failed (AUTN seq# -> AUTS)");
+		return eap_aka_synchronization_failure(data, id);
+	} else if (res) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: UMTS authentication failed");
+		return eap_aka_client_error(data, id,
+					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+	}
+	if (data->last_eap_identity) {
+		identity = data->last_eap_identity;
+		identity_len = data->last_eap_identity_len;
+	} else if (data->pseudonym) {
+		identity = data->pseudonym;
+		identity_len = data->pseudonym_len;
+	} else
+		identity = eap_get_config_identity(sm, &identity_len);
+	wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Selected identity for MK "
+			  "derivation", identity, identity_len);
+	eap_aka_derive_mk(identity, identity_len, data->ik, data->ck,
+			  data->mk);
+	eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut, data->msk,
+			    data->emsk);
+	if (eap_sim_verify_mac(data->k_aut, reqData, attr->mac, (u8 *) "", 0))
+	{
+		wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message "
+			   "used invalid AT_MAC");
+		return eap_aka_client_error(data, id,
+					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+	}
+
+	/* Old reauthentication and pseudonym identities must not be used
+	 * anymore. In other words, if no new identities are received, full
+	 * authentication will be used on next reauthentication. */
+	eap_aka_clear_identities(data, CLEAR_PSEUDONYM | CLEAR_REAUTH_ID |
+				 CLEAR_EAP_ID);
+
+	if (attr->encr_data) {
+		u8 *decrypted;
+		decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,
+					       attr->encr_data_len, attr->iv,
+					       &eattr, 0);
+		if (decrypted == NULL) {
+			return eap_aka_client_error(
+				data, id, EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+		}
+		eap_aka_learn_ids(data, &eattr);
+		os_free(decrypted);
+	}
+
+	if (data->result_ind && attr->result_ind)
+		data->use_result_ind = 1;
+
+	if (data->state != FAILURE && data->state != RESULT_FAILURE) {
+		eap_aka_state(data, data->use_result_ind ?
+			      RESULT_SUCCESS : SUCCESS);
+	}
+
+	data->num_id_req = 0;
+	data->num_notification = 0;
+	/* RFC 4187 specifies that counter is initialized to one after
+	 * fullauth, but initializing it to zero makes it easier to implement
+	 * reauth verification. */
+	data->counter = 0;
+	return eap_aka_response_challenge(data, id);
+}
+
+
+static int eap_aka_process_notification_reauth(struct eap_aka_data *data,
+					       struct eap_sim_attrs *attr)
+{
+	struct eap_sim_attrs eattr;
+	u8 *decrypted;
+
+	if (attr->encr_data == NULL || attr->iv == NULL) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Notification message after "
+			   "reauth did not include encrypted data");
+		return -1;
+	}
+
+	decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,
+				       attr->encr_data_len, attr->iv, &eattr,
+				       0);
+	if (decrypted == NULL) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Failed to parse encrypted "
+			   "data from notification message");
+		return -1;
+	}
+
+	if (eattr.counter < 0 || (size_t) eattr.counter != data->counter) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Counter in notification "
+			   "message does not match with counter in reauth "
+			   "message");
+		os_free(decrypted);
+		return -1;
+	}
+
+	os_free(decrypted);
+	return 0;
+}
+
+
+static int eap_aka_process_notification_auth(struct eap_aka_data *data,
+					     const struct wpabuf *reqData,
+					     struct eap_sim_attrs *attr)
+{
+	if (attr->mac == NULL) {
+		wpa_printf(MSG_INFO, "EAP-AKA: no AT_MAC in after_auth "
+			   "Notification message");
+		return -1;
+	}
+
+	if (eap_sim_verify_mac(data->k_aut, reqData, attr->mac, (u8 *) "", 0))
+	{
+		wpa_printf(MSG_WARNING, "EAP-AKA: Notification message "
+			   "used invalid AT_MAC");
+		return -1;
+	}
+
+	if (data->reauth &&
+	    eap_aka_process_notification_reauth(data, attr)) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Invalid notification "
+			   "message after reauth");
+		return -1;
+	}
+
+	return 0;
+}
+
+
+static struct wpabuf * eap_aka_process_notification(
+	struct eap_sm *sm, struct eap_aka_data *data, u8 id,
+	const struct wpabuf *reqData, struct eap_sim_attrs *attr)
+{
+	wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Notification");
+	if (data->num_notification > 0) {
+		wpa_printf(MSG_INFO, "EAP-AKA: too many notification "
+			   "rounds (only one allowed)");
+		return eap_aka_client_error(data, id,
+					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+	}
+	data->num_notification++;
+	if (attr->notification == -1) {
+		wpa_printf(MSG_INFO, "EAP-AKA: no AT_NOTIFICATION in "
+			   "Notification message");
+		return eap_aka_client_error(data, id,
+					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+	}
+
+	if ((attr->notification & 0x4000) == 0 &&
+	    eap_aka_process_notification_auth(data, reqData, attr)) {
+		return eap_aka_client_error(data, id,
+					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+	}
+
+	eap_sim_report_notification(sm->msg_ctx, attr->notification, 1);
+	if (attr->notification >= 0 && attr->notification < 32768) {
+		eap_aka_state(data, FAILURE);
+	} else if (attr->notification == EAP_SIM_SUCCESS &&
+		   data->state == RESULT_SUCCESS)
+		eap_aka_state(data, SUCCESS);
+	return eap_aka_response_notification(data, id, attr->notification);
+}
+
+
+static struct wpabuf * eap_aka_process_reauthentication(
+	struct eap_sm *sm, struct eap_aka_data *data, u8 id,
+	const struct wpabuf *reqData, struct eap_sim_attrs *attr)
+{
+	struct eap_sim_attrs eattr;
+	u8 *decrypted;
+
+	wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Reauthentication");
+
+	if (attr->checkcode &&
+	    eap_aka_verify_checkcode(data, attr->checkcode,
+				     attr->checkcode_len)) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the "
+			   "message");
+		return eap_aka_client_error(data, id,
+					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+	}
+
+	if (data->reauth_id == NULL) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Server is trying "
+			   "reauthentication, but no reauth_id available");
+		return eap_aka_client_error(data, id,
+					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+	}
+
+	data->reauth = 1;
+	if (eap_sim_verify_mac(data->k_aut, reqData, attr->mac, (u8 *) "", 0))
+	{
+		wpa_printf(MSG_WARNING, "EAP-AKA: Reauthentication "
+			   "did not have valid AT_MAC");
+		return eap_aka_client_error(data, id,
+					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+	}
+
+	if (attr->encr_data == NULL || attr->iv == NULL) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Reauthentication "
+			   "message did not include encrypted data");
+		return eap_aka_client_error(data, id,
+					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+	}
+
+	decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,
+				       attr->encr_data_len, attr->iv, &eattr,
+				       0);
+	if (decrypted == NULL) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Failed to parse encrypted "
+			   "data from reauthentication message");
+		return eap_aka_client_error(data, id,
+					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+	}
+
+	if (eattr.nonce_s == NULL || eattr.counter < 0) {
+		wpa_printf(MSG_INFO, "EAP-AKA: (encr) No%s%s in reauth packet",
+			   !eattr.nonce_s ? " AT_NONCE_S" : "",
+			   eattr.counter < 0 ? " AT_COUNTER" : "");
+		os_free(decrypted);
+		return eap_aka_client_error(data, id,
+					    EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+	}
+
+	if (eattr.counter < 0 || (size_t) eattr.counter <= data->counter) {
+		struct wpabuf *res;
+		wpa_printf(MSG_INFO, "EAP-AKA: (encr) Invalid counter "
+			   "(%d <= %d)", eattr.counter, data->counter);
+		data->counter_too_small = eattr.counter;
+
+		eap_sim_derive_keys_reauth(eattr.counter, data->reauth_id,
+					   data->reauth_id_len, eattr.nonce_s,
+					   data->mk, NULL, NULL);
+
+		/* Reply using Re-auth w/ AT_COUNTER_TOO_SMALL. The current
+		 * reauth_id must not be used to start a new reauthentication.
+		 * However, since it was used in the last EAP-Response-Identity
+		 * packet, it has to saved for the following fullauth to be
+		 * used in MK derivation. */
+		os_free(data->last_eap_identity);
+		data->last_eap_identity = data->reauth_id;
+		data->last_eap_identity_len = data->reauth_id_len;
+		data->reauth_id = NULL;
+		data->reauth_id_len = 0;
+
+		res = eap_aka_response_reauth(data, id, 1, eattr.nonce_s);
+		os_free(decrypted);
+
+		return res;
+	}
+	data->counter = eattr.counter;
+
+	os_memcpy(data->nonce_s, eattr.nonce_s, EAP_SIM_NONCE_S_LEN);
+	wpa_hexdump(MSG_DEBUG, "EAP-AKA: (encr) AT_NONCE_S",
+		    data->nonce_s, EAP_SIM_NONCE_S_LEN);
+
+	eap_sim_derive_keys_reauth(data->counter,
+				   data->reauth_id, data->reauth_id_len,
+				   data->nonce_s, data->mk, data->msk,
+				   data->emsk);
+	eap_aka_clear_identities(data, CLEAR_REAUTH_ID | CLEAR_EAP_ID);
+	eap_aka_learn_ids(data, &eattr);
+
+	if (data->result_ind && attr->result_ind)
+		data->use_result_ind = 1;
+
+	if (data->state != FAILURE && data->state != RESULT_FAILURE) {
+		eap_aka_state(data, data->use_result_ind ?
+			      RESULT_SUCCESS : SUCCESS);
+	}
+
+	data->num_id_req = 0;
+	data->num_notification = 0;
+	if (data->counter > EAP_AKA_MAX_FAST_REAUTHS) {
+		wpa_printf(MSG_DEBUG, "EAP-AKA: Maximum number of "
+			   "fast reauths performed - force fullauth");
+		eap_aka_clear_identities(data, CLEAR_REAUTH_ID | CLEAR_EAP_ID);
+	}
+	os_free(decrypted);
+	return eap_aka_response_reauth(data, id, 0, data->nonce_s);
+}
+
+
+static struct wpabuf * eap_aka_process(struct eap_sm *sm, void *priv,
+				       struct eap_method_ret *ret,
+				       const struct wpabuf *reqData)
+{
+	struct eap_aka_data *data = priv;
+	const struct eap_hdr *req;
+	u8 subtype, id;
+	struct wpabuf *res;
+	const u8 *pos;
+	struct eap_sim_attrs attr;
+	size_t len;
+
+	wpa_hexdump_buf(MSG_DEBUG, "EAP-AKA: EAP data", reqData);
+	if (eap_get_config_identity(sm, &len) == NULL) {
+		wpa_printf(MSG_INFO, "EAP-AKA: Identity not configured");
+		eap_sm_request_identity(sm);
+		ret->ignore = TRUE;
+		return NULL;
+	}
+
+	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_AKA_PRIME, reqData,
+			       &len);
+	if (pos == NULL || len < 1) {
+		ret->ignore = TRUE;
+		return NULL;
+	}
+	req = wpabuf_head(reqData);
+	id = req->identifier;
+	len = be_to_host16(req->length);
+
+	ret->ignore = FALSE;
+	ret->methodState = METHOD_MAY_CONT;
+	ret->decision = DECISION_FAIL;
+	ret->allowNotifications = TRUE;
+
+	subtype = *pos++;
+	wpa_printf(MSG_DEBUG, "EAP-AKA: Subtype=%d", subtype);
+	pos += 2; /* Reserved */
+
+	if (eap_sim_parse_attr(pos, wpabuf_head_u8(reqData) + len, &attr, 1,
+			       0)) {
+		res = eap_aka_client_error(data, id,
+					   EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+		goto done;
+	}
+
+	switch (subtype) {
+	case EAP_AKA_SUBTYPE_IDENTITY:
+		res = eap_aka_process_identity(sm, data, id, reqData, &attr);
+		break;
+	case EAP_AKA_SUBTYPE_CHALLENGE:
+		res = eap_aka_process_challenge(sm, data, id, reqData, &attr);
+		break;
+	case EAP_AKA_SUBTYPE_NOTIFICATION:
+		res = eap_aka_process_notification(sm, data, id, reqData,
+						   &attr);
+		break;
+	case EAP_AKA_SUBTYPE_REAUTHENTICATION:
+		res = eap_aka_process_reauthentication(sm, data, id, reqData,
+						       &attr);
+		break;
+	case EAP_AKA_SUBTYPE_CLIENT_ERROR:
+		wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Client-Error");
+		res = eap_aka_client_error(data, id,
+					   EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+		break;
+	default:
+		wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown subtype=%d", subtype);
+		res = eap_aka_client_error(data, id,
+					   EAP_AKA_UNABLE_TO_PROCESS_PACKET);
+		break;
+	}
+
+done:
+	if (data->state == FAILURE) {
+		ret->decision = DECISION_FAIL;
+		ret->methodState = METHOD_DONE;
+	} else if (data->state == SUCCESS) {
+		ret->decision = data->use_result_ind ?
+			DECISION_UNCOND_SUCC : DECISION_COND_SUCC;
+		/*
+		 * It is possible for the server to reply with AKA
+		 * Notification, so we must allow the method to continue and
+		 * not only accept EAP-Success at this point.
+		 */
+		ret->methodState = data->use_result_ind ?
+			METHOD_DONE : METHOD_MAY_CONT;
+	} else if (data->state == RESULT_FAILURE)
+		ret->methodState = METHOD_CONT;
+	else if (data->state == RESULT_SUCCESS)
+		ret->methodState = METHOD_CONT;
+
+	if (ret->methodState == METHOD_DONE) {
+		ret->allowNotifications = FALSE;
+	}
+
+	return res;
+}
+
+
+static Boolean eap_aka_has_reauth_data(struct eap_sm *sm, void *priv)
+{
+	struct eap_aka_data *data = priv;
+	return data->pseudonym || data->reauth_id;
+}
+
+
+static void eap_aka_deinit_for_reauth(struct eap_sm *sm, void *priv)
+{
+	struct eap_aka_data *data = priv;
+	eap_aka_clear_identities(data, CLEAR_EAP_ID);
+	data->prev_id = -1;
+	wpabuf_free(data->id_msgs);
+	data->id_msgs = NULL;
+	data->use_result_ind = 0;
+}
+
+
+static void * eap_aka_init_for_reauth(struct eap_sm *sm, void *priv)
+{
+	struct eap_aka_data *data = priv;
+	data->num_id_req = 0;
+	data->num_notification = 0;
+	eap_aka_state(data, CONTINUE);
+	return priv;
+}
+
+
+static const u8 * eap_aka_get_identity(struct eap_sm *sm, void *priv,
+				       size_t *len)
+{
+	struct eap_aka_data *data = priv;
+
+	if (data->reauth_id) {
+		*len = data->reauth_id_len;
+		return data->reauth_id;
+	}
+
+	if (data->pseudonym) {
+		*len = data->pseudonym_len;
+		return data->pseudonym;
+	}
+
+	return NULL;
+}
+
+
+static Boolean eap_aka_isKeyAvailable(struct eap_sm *sm, void *priv)
+{
+	struct eap_aka_data *data = priv;
+	return data->state == SUCCESS;
+}
+
+
+static u8 * eap_aka_getKey(struct eap_sm *sm, void *priv, size_t *len)
+{
+	struct eap_aka_data *data = priv;
+	u8 *key;
+
+	if (data->state != SUCCESS)
+		return NULL;
+
+	key = os_malloc(EAP_SIM_KEYING_DATA_LEN);
+	if (key == NULL)
+		return NULL;
+
+	*len = EAP_SIM_KEYING_DATA_LEN;
+	os_memcpy(key, data->msk, EAP_SIM_KEYING_DATA_LEN);
+
+	return key;
+}
+
+
+static u8 * eap_aka_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
+{
+	struct eap_aka_data *data = priv;
+	u8 *key;
+
+	if (data->state != SUCCESS)
+		return NULL;
+
+	key = os_malloc(EAP_EMSK_LEN);
+	if (key == NULL)
+		return NULL;
+
+	*len = EAP_EMSK_LEN;
+	os_memcpy(key, data->emsk, EAP_EMSK_LEN);
+
+	return key;
+}
+
+
+int eap_peer_aka_prime_register(void)
+{
+	struct eap_method *eap;
+	int ret;
+
+	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
+				    EAP_VENDOR_IETF, EAP_TYPE_AKA_PRIME,
+				    "AKA'");
+	if (eap == NULL)
+		return -1;
+
+	eap->init = eap_aka_init;
+	eap->deinit = eap_aka_deinit;
+	eap->process = eap_aka_process;
+	eap->isKeyAvailable = eap_aka_isKeyAvailable;
+	eap->getKey = eap_aka_getKey;
+	eap->has_reauth_data = eap_aka_has_reauth_data;
+	eap->deinit_for_reauth = eap_aka_deinit_for_reauth;
+	eap->init_for_reauth = eap_aka_init_for_reauth;
+	eap->get_identity = eap_aka_get_identity;
+	eap->get_emsk = eap_aka_get_emsk;
+
+	ret = eap_peer_method_register(eap);
+	if (ret)
+		eap_peer_method_free(eap);
+	return ret;
+}

src/eap_peer/eap_methods.c

@@ -427,6 +427,13 @@ int eap_peer_register_methods(void)
 	}
 #endif /* EAP_AKA */
 
+#ifdef EAP_AKA_PRIME
+	if (ret == 0) {
+		int eap_peer_aka_prime_register(void);
+		ret = eap_peer_aka_prime_register();
+	}
+#endif /* EAP_AKA_PRIME */
+
 #ifdef EAP_FAST
 	if (ret == 0) {
 		int eap_peer_fast_register(void);

src/eap_server/eap_aka_prime.c

@@ -0,0 +1,1036 @@
+/*
+ * hostapd / EAP-AKA' (draft-arkko-eap-aka-kdf-10.txt)
+ * Copyright (c) 2005-2008, Jouni Malinen <j@w1.fi>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Alternatively, this software may be distributed under the terms of BSD
+ * license.
+ *
+ * See README and COPYING for more details.
+ */
+
+#include "includes.h"
+
+#include "common.h"
+#include "eap_server/eap_i.h"
+#include "eap_common/eap_sim_common.h"
+#include "eap_server/eap_sim_db.h"
+#include "sha1.h"
+#include "crypto.h"
+
+
+struct eap_aka_data {
+	u8 mk[EAP_SIM_MK_LEN];
+	u8 nonce_s[EAP_SIM_NONCE_S_LEN];
+	u8 k_aut[EAP_SIM_K_AUT_LEN];
+	u8 k_encr[EAP_SIM_K_ENCR_LEN];
+	u8 msk[EAP_SIM_KEYING_DATA_LEN];
+	u8 emsk[EAP_EMSK_LEN];
+	u8 rand[EAP_AKA_RAND_LEN];
+	u8 autn[EAP_AKA_AUTN_LEN];
+	u8 ck[EAP_AKA_CK_LEN];
+	u8 ik[EAP_AKA_IK_LEN];
+	u8 res[EAP_AKA_RES_MAX_LEN];
+	size_t res_len;
+	enum {
+		IDENTITY, CHALLENGE, REAUTH, NOTIFICATION, SUCCESS, FAILURE
+	} state;
+	char *next_pseudonym;
+	char *next_reauth_id;
+	u16 counter;
+	struct eap_sim_reauth *reauth;
+	int auts_reported; /* whether the current AUTS has been reported to the
+			    * eap_sim_db */
+	u16 notification;
+	int use_result_ind;
+
+	struct wpabuf *id_msgs;
+	int pending_id;
+};
+
+
+static void eap_aka_determine_identity(struct eap_sm *sm,
+				       struct eap_aka_data *data,
+				       int before_identity, int after_reauth);
+
+
+static const char * eap_aka_state_txt(int state)
+{
+	switch (state) {
+	case IDENTITY:
+		return "IDENTITY";
+	case CHALLENGE:
+		return "CHALLENGE";
+	case REAUTH:
+		return "REAUTH";
+	case SUCCESS:
+		return "SUCCESS";
+	case FAILURE:
+		return "FAILURE";
+	case NOTIFICATION:
+		return "NOTIFICATION";
+	default:
+		return "Unknown?!";
+	}
+}
+
+
+static void eap_aka_state(struct eap_aka_data *data, int state)
+{
+	wpa_printf(MSG_DEBUG, "EAP-AKA: %s -> %s",
+		   eap_aka_state_txt(data->state),
+		   eap_aka_state_txt(state));
+	data->state = state;
+}
+
+
+static void * eap_aka_init(struct eap_sm *sm)
+{
+	struct eap_aka_data *data;
+
+	if (sm->eap_sim_db_priv == NULL) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: eap_sim_db not configured");
+		return NULL;
+	}
+
+	data = os_zalloc(sizeof(*data));
+	if (data == NULL)
+		return NULL;
+	data->state = IDENTITY;
+	eap_aka_determine_identity(sm, data, 1, 0);
+	data->pending_id = -1;
+
+	return data;
+}
+
+
+static void eap_aka_reset(struct eap_sm *sm, void *priv)
+{
+	struct eap_aka_data *data = priv;
+	os_free(data->next_pseudonym);
+	os_free(data->next_reauth_id);
+	wpabuf_free(data->id_msgs);
+	os_free(data);
+}
+
+
+static int eap_aka_add_id_msg(struct eap_aka_data *data,
+			      const struct wpabuf *msg)
+{
+	if (msg == NULL)
+		return -1;
+
+	if (data->id_msgs == NULL) {
+		data->id_msgs = wpabuf_dup(msg);
+		return data->id_msgs == NULL ? -1 : 0;
+	}
+
+	if (wpabuf_resize(&data->id_msgs, wpabuf_len(msg)) < 0)
+		return -1;
+	wpabuf_put_buf(data->id_msgs, msg);
+
+	return 0;
+}
+
+
+static void eap_aka_add_checkcode(struct eap_aka_data *data,
+				  struct eap_sim_msg *msg)
+{
+	const u8 *addr;
+	size_t len;
+	u8 hash[SHA1_MAC_LEN];
+
+	wpa_printf(MSG_DEBUG, "   AT_CHECKCODE");
+
+	if (data->id_msgs == NULL) {
+		/*
+		 * No EAP-AKA/Identity packets were exchanged - send empty
+		 * checkcode.
+		 */
+		eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, NULL, 0);
+		return;
+	}
+
+	/* Checkcode is SHA1 hash over all EAP-AKA/Identity packets. */
+	addr = wpabuf_head(data->id_msgs);
+	len = wpabuf_len(data->id_msgs);
+	wpa_hexdump(MSG_MSGDUMP, "EAP-AKA: AT_CHECKCODE data", addr, len);
+	sha1_vector(1, &addr, &len, hash);
+
+	eap_sim_msg_add(msg, EAP_SIM_AT_CHECKCODE, 0, hash,
+			EAP_AKA_CHECKCODE_LEN);
+}
+
+
+static int eap_aka_verify_checkcode(struct eap_aka_data *data,
+				    const u8 *checkcode, size_t checkcode_len)
+{
+	const u8 *addr;
+	size_t len;
+	u8 hash[SHA1_MAC_LEN];
+
+	if (checkcode == NULL)
+		return -1;
+
+	if (data->id_msgs == NULL) {
+		if (checkcode_len != 0) {
+			wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from peer "
+				   "indicates that AKA/Identity messages were "
+				   "used, but they were not");
+			return -1;
+		}
+		return 0;
+	}
+
+	if (checkcode_len != EAP_AKA_CHECKCODE_LEN) {
+		wpa_printf(MSG_DEBUG, "EAP-AKA: Checkcode from peer indicates "
+			   "that AKA/Identity message were not used, but they "
+			   "were");
+		return -1;
+	}
+
+	/* Checkcode is SHA1 hash over all EAP-AKA/Identity packets. */
+	addr = wpabuf_head(data->id_msgs);
+	len = wpabuf_len(data->id_msgs);
+	sha1_vector(1, &addr, &len, hash);
+
+	if (os_memcmp(hash, checkcode, EAP_AKA_CHECKCODE_LEN) != 0) {
+		wpa_printf(MSG_DEBUG, "EAP-AKA: Mismatch in AT_CHECKCODE");
+		return -1;
+	}
+
+	return 0;
+}
+
+
+static struct wpabuf * eap_aka_build_identity(struct eap_sm *sm,
+					      struct eap_aka_data *data, u8 id)
+{
+	struct eap_sim_msg *msg;
+	struct wpabuf *buf;
+
+	wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Identity");
+	msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, EAP_TYPE_AKA_PRIME,
+			       EAP_AKA_SUBTYPE_IDENTITY);
+	if (eap_sim_db_identity_known(sm->eap_sim_db_priv, sm->identity,
+				      sm->identity_len)) {
+		wpa_printf(MSG_DEBUG, "   AT_PERMANENT_ID_REQ");
+		eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0);
+	} else {
+		/*
+		 * RFC 4187, Chap. 4.1.4 recommends that identity from EAP is
+		 * ignored and the AKA/Identity is used to request the
+		 * identity.
+		 */
+		wpa_printf(MSG_DEBUG, "   AT_ANY_ID_REQ");
+		eap_sim_msg_add(msg, EAP_SIM_AT_ANY_ID_REQ, 0, NULL, 0);
+	}
+	buf = eap_sim_msg_finish(msg, NULL, NULL, 0);
+	if (eap_aka_add_id_msg(data, buf) < 0) {
+		wpabuf_free(buf);
+		return NULL;
+	}
+	data->pending_id = id;
+	return buf;
+}
+
+
+static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
+			      struct eap_sim_msg *msg, u16 counter,
+			      const u8 *nonce_s)
+{
+	os_free(data->next_pseudonym);
+	data->next_pseudonym =
+		eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv, 1);
+	os_free(data->next_reauth_id);
+	if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
+		data->next_reauth_id =
+			eap_sim_db_get_next_reauth_id(sm->eap_sim_db_priv, 1);
+	} else {
+		wpa_printf(MSG_DEBUG, "EAP-AKA: Max fast re-authentication "
+			   "count exceeded - force full authentication");
+		data->next_reauth_id = NULL;
+	}
+
+	if (data->next_pseudonym == NULL && data->next_reauth_id == NULL &&
+	    counter == 0 && nonce_s == NULL)
+		return 0;
+
+	wpa_printf(MSG_DEBUG, "   AT_IV");
+	wpa_printf(MSG_DEBUG, "   AT_ENCR_DATA");
+	eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV, EAP_SIM_AT_ENCR_DATA);
+
+	if (counter > 0) {
+		wpa_printf(MSG_DEBUG, "   *AT_COUNTER (%u)", counter);
+		eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, counter, NULL, 0);
+	}
+
+	if (nonce_s) {
+		wpa_printf(MSG_DEBUG, "   *AT_NONCE_S");
+		eap_sim_msg_add(msg, EAP_SIM_AT_NONCE_S, 0, nonce_s,
+				EAP_SIM_NONCE_S_LEN);
+	}
+
+	if (data->next_pseudonym) {
+		wpa_printf(MSG_DEBUG, "   *AT_NEXT_PSEUDONYM (%s)",
+			   data->next_pseudonym);
+		eap_sim_msg_add(msg, EAP_SIM_AT_NEXT_PSEUDONYM,
+				os_strlen(data->next_pseudonym),
+				(u8 *) data->next_pseudonym,
+				os_strlen(data->next_pseudonym));
+	}
+
+	if (data->next_reauth_id) {
+		wpa_printf(MSG_DEBUG, "   *AT_NEXT_REAUTH_ID (%s)",
+			   data->next_reauth_id);
+		eap_sim_msg_add(msg, EAP_SIM_AT_NEXT_REAUTH_ID,
+				os_strlen(data->next_reauth_id),
+				(u8 *) data->next_reauth_id,
+				os_strlen(data->next_reauth_id));
+	}
+
+	if (eap_sim_msg_add_encr_end(msg, data->k_encr, EAP_SIM_AT_PADDING)) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Failed to encrypt "
+			   "AT_ENCR_DATA");
+		return -1;
+	}
+
+	return 0;
+}
+
+
+static struct wpabuf * eap_aka_build_challenge(struct eap_sm *sm,
+					       struct eap_aka_data *data,
+					       u8 id)
+{
+	struct eap_sim_msg *msg;
+
+	wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Challenge");
+	msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, EAP_TYPE_AKA_PRIME,
+			       EAP_AKA_SUBTYPE_CHALLENGE);
+	wpa_printf(MSG_DEBUG, "   AT_RAND");
+	eap_sim_msg_add(msg, EAP_SIM_AT_RAND, 0, data->rand, EAP_AKA_RAND_LEN);
+	eap_sim_msg_add(msg, EAP_SIM_AT_AUTN, 0, data->autn, EAP_AKA_AUTN_LEN);
+
+	if (eap_aka_build_encr(sm, data, msg, 0, NULL)) {
+		eap_sim_msg_free(msg);
+		return NULL;
+	}
+
+	eap_aka_add_checkcode(data, msg);
+
+	if (sm->eap_sim_aka_result_ind) {
+		wpa_printf(MSG_DEBUG, "   AT_RESULT_IND");
+		eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
+	}
+
+	wpa_printf(MSG_DEBUG, "   AT_MAC");
+	eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
+	return eap_sim_msg_finish(msg, data->k_aut, NULL, 0);
+}
+
+
+static struct wpabuf * eap_aka_build_reauth(struct eap_sm *sm,
+					    struct eap_aka_data *data, u8 id)
+{
+	struct eap_sim_msg *msg;
+
+	wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Re-authentication");
+
+	if (os_get_random(data->nonce_s, EAP_SIM_NONCE_S_LEN))
+		return NULL;
+	wpa_hexdump_key(MSG_MSGDUMP, "EAP-AKA: NONCE_S",
+			data->nonce_s, EAP_SIM_NONCE_S_LEN);
+
+	eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut, data->msk,
+			    data->emsk);
+	eap_sim_derive_keys_reauth(data->counter, sm->identity,
+				   sm->identity_len, data->nonce_s, data->mk,
+				   data->msk, data->emsk);
+
+	msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, EAP_TYPE_AKA_PRIME,
+			       EAP_AKA_SUBTYPE_REAUTHENTICATION);
+
+	if (eap_aka_build_encr(sm, data, msg, data->counter, data->nonce_s)) {
+		eap_sim_msg_free(msg);
+		return NULL;
+	}
+
+	eap_aka_add_checkcode(data, msg);
+
+	if (sm->eap_sim_aka_result_ind) {
+		wpa_printf(MSG_DEBUG, "   AT_RESULT_IND");
+		eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
+	}
+
+	wpa_printf(MSG_DEBUG, "   AT_MAC");
+	eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
+	return eap_sim_msg_finish(msg, data->k_aut, NULL, 0);
+}
+
+
+static struct wpabuf * eap_aka_build_notification(struct eap_sm *sm,
+						  struct eap_aka_data *data,
+						  u8 id)
+{
+	struct eap_sim_msg *msg;
+
+	wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Notification");
+	msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, EAP_TYPE_AKA_PRIME,
+			       EAP_AKA_SUBTYPE_NOTIFICATION);
+	wpa_printf(MSG_DEBUG, "   AT_NOTIFICATION (%d)", data->notification);
+	eap_sim_msg_add(msg, EAP_SIM_AT_NOTIFICATION, data->notification,
+			NULL, 0);
+	if (data->use_result_ind) {
+		if (data->reauth) {
+			wpa_printf(MSG_DEBUG, "   AT_IV");
+			wpa_printf(MSG_DEBUG, "   AT_ENCR_DATA");
+			eap_sim_msg_add_encr_start(msg, EAP_SIM_AT_IV,
+						   EAP_SIM_AT_ENCR_DATA);
+			wpa_printf(MSG_DEBUG, "   *AT_COUNTER (%u)",
+				   data->counter);
+			eap_sim_msg_add(msg, EAP_SIM_AT_COUNTER, data->counter,
+					NULL, 0);
+
+			if (eap_sim_msg_add_encr_end(msg, data->k_encr,
+						     EAP_SIM_AT_PADDING)) {
+				wpa_printf(MSG_WARNING, "EAP-AKA: Failed to "
+					   "encrypt AT_ENCR_DATA");
+				eap_sim_msg_free(msg);
+				return NULL;
+			}
+		}
+
+		wpa_printf(MSG_DEBUG, "   AT_MAC");
+		eap_sim_msg_add_mac(msg, EAP_SIM_AT_MAC);
+	}
+	return eap_sim_msg_finish(msg, data->k_aut, NULL, 0);
+}
+
+
+static struct wpabuf * eap_aka_buildReq(struct eap_sm *sm, void *priv, u8 id)
+{
+	struct eap_aka_data *data = priv;
+
+	data->auts_reported = 0;
+	switch (data->state) {
+	case IDENTITY:
+		return eap_aka_build_identity(sm, data, id);
+	case CHALLENGE:
+		return eap_aka_build_challenge(sm, data, id);
+	case REAUTH:
+		return eap_aka_build_reauth(sm, data, id);
+	case NOTIFICATION:
+		return eap_aka_build_notification(sm, data, id);
+	default:
+		wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown state %d in "
+			   "buildReq", data->state);
+		break;
+	}
+	return NULL;
+}
+
+
+static Boolean eap_aka_check(struct eap_sm *sm, void *priv,
+			     struct wpabuf *respData)
+{
+	const u8 *pos;
+	size_t len;
+
+	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_AKA_PRIME, respData,
+			       &len);
+	if (pos == NULL || len < 3) {
+		wpa_printf(MSG_INFO, "EAP-AKA: Invalid frame");
+		return TRUE;
+	}
+
+	return FALSE;
+}
+
+
+static Boolean eap_aka_subtype_ok(struct eap_aka_data *data, u8 subtype)
+{
+	if (subtype == EAP_AKA_SUBTYPE_CLIENT_ERROR ||
+	    subtype == EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT)
+		return FALSE;
+
+	switch (data->state) {
+	case IDENTITY:
+		if (subtype != EAP_AKA_SUBTYPE_IDENTITY) {
+			wpa_printf(MSG_INFO, "EAP-AKA: Unexpected response "
+				   "subtype %d", subtype);
+			return TRUE;
+		}
+		break;
+	case CHALLENGE:
+		if (subtype != EAP_AKA_SUBTYPE_CHALLENGE &&
+		    subtype != EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE) {
+			wpa_printf(MSG_INFO, "EAP-AKA: Unexpected response "
+				   "subtype %d", subtype);
+			return TRUE;
+		}
+		break;
+	case REAUTH:
+		if (subtype != EAP_AKA_SUBTYPE_REAUTHENTICATION) {
+			wpa_printf(MSG_INFO, "EAP-AKA: Unexpected response "
+				   "subtype %d", subtype);
+			return TRUE;
+		}
+		break;
+	case NOTIFICATION:
+		if (subtype != EAP_AKA_SUBTYPE_NOTIFICATION) {
+			wpa_printf(MSG_INFO, "EAP-AKA: Unexpected response "
+				   "subtype %d", subtype);
+			return TRUE;
+		}
+		break;
+	default:
+		wpa_printf(MSG_INFO, "EAP-AKA: Unexpected state (%d) for "
+			   "processing a response", data->state);
+		return TRUE;
+	}
+
+	return FALSE;
+}
+
+
+static void eap_aka_determine_identity(struct eap_sm *sm,
+				       struct eap_aka_data *data,
+				       int before_identity, int after_reauth)
+{
+	const u8 *identity;
+	size_t identity_len;
+	int res;
+
+	identity = NULL;
+	identity_len = 0;
+
+	if (after_reauth && data->reauth) {
+		identity = data->reauth->identity;
+		identity_len = data->reauth->identity_len;
+	} else if (sm->identity && sm->identity_len > 0 &&
+		   sm->identity[0] == EAP_AKA_PERMANENT_PREFIX) {
+		identity = sm->identity;
+		identity_len = sm->identity_len;
+	} else {
+		identity = eap_sim_db_get_permanent(sm->eap_sim_db_priv,
+						    sm->identity,
+						    sm->identity_len,
+						    &identity_len);
+		if (identity == NULL) {
+			data->reauth = eap_sim_db_get_reauth_entry(
+				sm->eap_sim_db_priv, sm->identity,
+				sm->identity_len);
+			if (data->reauth) {
+				wpa_printf(MSG_DEBUG, "EAP-AKA: Using fast "
+					   "re-authentication");
+				identity = data->reauth->identity;
+				identity_len = data->reauth->identity_len;
+				data->counter = data->reauth->counter;
+				os_memcpy(data->mk, data->reauth->mk,
+					  EAP_SIM_MK_LEN);
+			}
+		}
+	}
+
+	if (identity == NULL ||
+	    eap_sim_db_identity_known(sm->eap_sim_db_priv, sm->identity,
+				      sm->identity_len) < 0) {
+		if (before_identity) {
+			wpa_printf(MSG_DEBUG, "EAP-AKA: Permanent user name "
+				   "not known - send AKA-Identity request");
+			eap_aka_state(data, IDENTITY);
+			return;
+		} else {
+			wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown whether the "
+				   "permanent user name is known; try to use "
+				   "it");
+			/* eap_sim_db_get_aka_auth() will report failure, if
+			 * this identity is not known. */
+		}
+	}
+
+	wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Identity",
+			  identity, identity_len);
+
+	if (!after_reauth && data->reauth) {
+		eap_aka_state(data, REAUTH);
+		return;
+	}
+
+	res = eap_sim_db_get_aka_auth(sm->eap_sim_db_priv, identity,
+				      identity_len, data->rand, data->autn,
+				      data->ik, data->ck, data->res,
+				      &data->res_len, sm);
+	if (res == EAP_SIM_DB_PENDING) {
+		wpa_printf(MSG_DEBUG, "EAP-AKA: AKA authentication data "
+			   "not yet available - pending request");
+		sm->method_pending = METHOD_PENDING_WAIT;
+		return;
+	}
+
+	data->reauth = NULL;
+	data->counter = 0; /* reset re-auth counter since this is full auth */
+
+	if (res != 0) {
+		wpa_printf(MSG_INFO, "EAP-AKA: Failed to get AKA "
+			   "authentication data for the peer");
+		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
+		eap_aka_state(data, NOTIFICATION);
+		return;
+	}
+	if (sm->method_pending == METHOD_PENDING_WAIT) {
+		wpa_printf(MSG_DEBUG, "EAP-AKA: AKA authentication data "
+			   "available - abort pending wait");
+		sm->method_pending = METHOD_PENDING_NONE;
+	}
+
+	identity_len = sm->identity_len;
+	while (identity_len > 0 && sm->identity[identity_len - 1] == '\0') {
+		wpa_printf(MSG_DEBUG, "EAP-AKA: Workaround - drop last null "
+			   "character from identity");
+		identity_len--;
+	}
+	wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Identity for MK derivation",
+			  sm->identity, identity_len);
+
+	eap_aka_derive_mk(sm->identity, identity_len, data->ik, data->ck,
+			  data->mk);
+	eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut, data->msk,
+			    data->emsk);
+
+	eap_aka_state(data, CHALLENGE);
+}
+
+
+static void eap_aka_process_identity(struct eap_sm *sm,
+				     struct eap_aka_data *data,
+				     struct wpabuf *respData,
+				     struct eap_sim_attrs *attr)
+{
+	wpa_printf(MSG_DEBUG, "EAP-AKA: Processing Identity");
+
+	if (attr->mac || attr->iv || attr->encr_data) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Unexpected attribute "
+			   "received in EAP-Response/AKA-Identity");
+		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
+		eap_aka_state(data, NOTIFICATION);
+		return;
+	}
+
+	if (attr->identity) {
+		os_free(sm->identity);
+		sm->identity = os_malloc(attr->identity_len);
+		if (sm->identity) {
+			os_memcpy(sm->identity, attr->identity,
+				  attr->identity_len);
+			sm->identity_len = attr->identity_len;
+		}
+	}
+
+	eap_aka_determine_identity(sm, data, 0, 0);
+	if (eap_get_id(respData) == data->pending_id) {
+		data->pending_id = -1;
+		eap_aka_add_id_msg(data, respData);
+	}
+}
+
+
+static void eap_aka_process_challenge(struct eap_sm *sm,
+				      struct eap_aka_data *data,
+				      struct wpabuf *respData,
+				      struct eap_sim_attrs *attr)
+{
+	const u8 *identity;
+	size_t identity_len;
+
+	wpa_printf(MSG_DEBUG, "EAP-AKA: Processing Challenge");
+
+	if (attr->checkcode &&
+	    eap_aka_verify_checkcode(data, attr->checkcode,
+				     attr->checkcode_len)) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Invalid AT_CHECKCODE in the "
+			   "message");
+		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
+		eap_aka_state(data, NOTIFICATION);
+		return;
+	}
+	if (attr->mac == NULL ||
+	    eap_sim_verify_mac(data->k_aut, respData, attr->mac, NULL, 0)) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message "
+			   "did not include valid AT_MAC");
+		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
+		eap_aka_state(data, NOTIFICATION);
+		return;
+	}
+
+	/*
+	 * AT_RES is padded, so verify that there is enough room for RES and
+	 * that the RES length in bits matches with the expected RES.
+	 */
+	if (attr->res == NULL || attr->res_len < data->res_len ||
+	    attr->res_len_bits != data->res_len * 8 ||
+	    os_memcmp(attr->res, data->res, data->res_len) != 0) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message did not "
+			   "include valid AT_RES (attr len=%lu, res len=%lu "
+			   "bits, expected %lu bits)",
+			   (unsigned long) attr->res_len,
+			   (unsigned long) attr->res_len_bits,
+			   (unsigned long) data->res_len * 8);
+		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
+		eap_aka_state(data, NOTIFICATION);
+		return;
+	}
+
+	wpa_printf(MSG_DEBUG, "EAP-AKA: Challenge response includes the "
+		   "correct AT_MAC");
+	if (sm->eap_sim_aka_result_ind && attr->result_ind) {
+		data->use_result_ind = 1;
+		data->notification = EAP_SIM_SUCCESS;
+		eap_aka_state(data, NOTIFICATION);
+	} else
+		eap_aka_state(data, SUCCESS);
+
+	identity = eap_sim_db_get_permanent(sm->eap_sim_db_priv, sm->identity,
+					    sm->identity_len, &identity_len);
+	if (identity == NULL) {
+		identity = sm->identity;
+		identity_len = sm->identity_len;
+	}
+
+	if (data->next_pseudonym) {
+		eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, identity,
+					 identity_len,
+					 data->next_pseudonym);
+		data->next_pseudonym = NULL;
+	}
+	if (data->next_reauth_id) {
+		eap_sim_db_add_reauth(sm->eap_sim_db_priv, identity,
+				      identity_len,
+				      data->next_reauth_id, data->counter + 1,
+				      data->mk);
+		data->next_reauth_id = NULL;
+	}
+}
+
+
+static void eap_aka_process_sync_failure(struct eap_sm *sm,
+					 struct eap_aka_data *data,
+					 struct wpabuf *respData,
+					 struct eap_sim_attrs *attr)
+{
+	wpa_printf(MSG_DEBUG, "EAP-AKA: Processing Synchronization-Failure");
+
+	if (attr->auts == NULL) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Synchronization-Failure "
+			   "message did not include valid AT_AUTS");
+		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
+		eap_aka_state(data, NOTIFICATION);
+		return;
+	}
+
+	/* Avoid re-reporting AUTS when processing pending EAP packet by
+	 * maintaining a local flag stating whether this AUTS has already been
+	 * reported. */
+	if (!data->auts_reported &&
+	    eap_sim_db_resynchronize(sm->eap_sim_db_priv, sm->identity,
+				     sm->identity_len, attr->auts,
+				     data->rand)) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Resynchronization failed");
+		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
+		eap_aka_state(data, NOTIFICATION);
+		return;
+	}
+	data->auts_reported = 1;
+
+	/* Try again after resynchronization */
+	eap_aka_determine_identity(sm, data, 0, 0);
+}
+
+
+static void eap_aka_process_reauth(struct eap_sm *sm,
+				   struct eap_aka_data *data,
+				   struct wpabuf *respData,
+				   struct eap_sim_attrs *attr)
+{
+	struct eap_sim_attrs eattr;
+	u8 *decrypted = NULL;
+	const u8 *identity, *id2;
+	size_t identity_len, id2_len;
+
+	wpa_printf(MSG_DEBUG, "EAP-AKA: Processing Reauthentication");
+
+	if (attr->mac == NULL ||
+	    eap_sim_verify_mac(data->k_aut, respData, attr->mac, data->nonce_s,
+			       EAP_SIM_NONCE_S_LEN)) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Re-authentication message "
+			   "did not include valid AT_MAC");
+		goto fail;
+	}
+
+	if (attr->encr_data == NULL || attr->iv == NULL) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Reauthentication "
+			   "message did not include encrypted data");
+		goto fail;
+	}
+
+	decrypted = eap_sim_parse_encr(data->k_encr, attr->encr_data,
+				       attr->encr_data_len, attr->iv, &eattr,
+				       0);
+	if (decrypted == NULL) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Failed to parse encrypted "
+			   "data from reauthentication message");
+		goto fail;
+	}
+
+	if (eattr.counter != data->counter) {
+		wpa_printf(MSG_WARNING, "EAP-AKA: Re-authentication message "
+			   "used incorrect counter %u, expected %u",
+			   eattr.counter, data->counter);
+		goto fail;
+	}
+	os_free(decrypted);
+	decrypted = NULL;
+
+	wpa_printf(MSG_DEBUG, "EAP-AKA: Re-authentication response includes "
+		   "the correct AT_MAC");
+
+	if (eattr.counter_too_small) {
+		wpa_printf(MSG_DEBUG, "EAP-AKA: Re-authentication response "
+			   "included AT_COUNTER_TOO_SMALL - starting full "
+			   "authentication");
+		eap_aka_determine_identity(sm, data, 0, 1);
+		return;
+	}
+
+	if (sm->eap_sim_aka_result_ind && attr->result_ind) {
+		data->use_result_ind = 1;
+		data->notification = EAP_SIM_SUCCESS;
+		eap_aka_state(data, NOTIFICATION);
+	} else
+		eap_aka_state(data, SUCCESS);
+
+	if (data->reauth) {
+		identity = data->reauth->identity;
+		identity_len = data->reauth->identity_len;
+	} else {
+		identity = sm->identity;
+		identity_len = sm->identity_len;
+	}
+
+	id2 = eap_sim_db_get_permanent(sm->eap_sim_db_priv, identity,
+				       identity_len, &id2_len);
+	if (id2) {
+		identity = id2;
+		identity_len = id2_len;
+	}
+
+	if (data->next_pseudonym) {
+		eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, identity,
+					 identity_len, data->next_pseudonym);
+		data->next_pseudonym = NULL;
+	}
+	if (data->next_reauth_id) {
+		eap_sim_db_add_reauth(sm->eap_sim_db_priv, identity,
+				      identity_len, data->next_reauth_id,
+				      data->counter + 1, data->mk);
+		data->next_reauth_id = NULL;
+	} else {
+		eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
+		data->reauth = NULL;
+	}
+
+	return;
+
+fail:
+	data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
+	eap_aka_state(data, NOTIFICATION);
+	eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
+	data->reauth = NULL;
+	os_free(decrypted);
+}
+
+
+static void eap_aka_process_client_error(struct eap_sm *sm,
+					 struct eap_aka_data *data,
+					 struct wpabuf *respData,
+					 struct eap_sim_attrs *attr)
+{
+	wpa_printf(MSG_DEBUG, "EAP-AKA: Client reported error %d",
+		   attr->client_error_code);
+	if (data->notification == EAP_SIM_SUCCESS && data->use_result_ind)
+		eap_aka_state(data, SUCCESS);
+	else
+		eap_aka_state(data, FAILURE);
+}
+
+
+static void eap_aka_process_authentication_reject(
+	struct eap_sm *sm, struct eap_aka_data *data,
+	struct wpabuf *respData, struct eap_sim_attrs *attr)
+{
+	wpa_printf(MSG_DEBUG, "EAP-AKA: Client rejected authentication");
+	eap_aka_state(data, FAILURE);
+}
+
+
+static void eap_aka_process_notification(struct eap_sm *sm,
+					 struct eap_aka_data *data,
+					 struct wpabuf *respData,
+					 struct eap_sim_attrs *attr)
+{
+	wpa_printf(MSG_DEBUG, "EAP-AKA: Client replied to notification");
+	if (data->notification == EAP_SIM_SUCCESS && data->use_result_ind)
+		eap_aka_state(data, SUCCESS);
+	else
+		eap_aka_state(data, FAILURE);
+}
+
+
+static void eap_aka_process(struct eap_sm *sm, void *priv,
+			    struct wpabuf *respData)
+{
+	struct eap_aka_data *data = priv;
+	const u8 *pos, *end;
+	u8 subtype;
+	size_t len;
+	struct eap_sim_attrs attr;
+
+	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_AKA_PRIME, respData,
+			       &len);
+	if (pos == NULL || len < 3)
+		return;
+
+	end = pos + len;
+	subtype = *pos;
+	pos += 3;
+
+	if (eap_aka_subtype_ok(data, subtype)) {
+		wpa_printf(MSG_DEBUG, "EAP-AKA: Unrecognized or unexpected "
+			   "EAP-AKA Subtype in EAP Response");
+		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
+		eap_aka_state(data, NOTIFICATION);
+		return;
+	}
+
+	if (eap_sim_parse_attr(pos, end, &attr, 1, 0)) {
+		wpa_printf(MSG_DEBUG, "EAP-AKA: Failed to parse attributes");
+		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
+		eap_aka_state(data, NOTIFICATION);
+		return;
+	}
+
+	if (subtype == EAP_AKA_SUBTYPE_CLIENT_ERROR) {
+		eap_aka_process_client_error(sm, data, respData, &attr);
+		return;
+	}
+
+	if (subtype == EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT) {
+		eap_aka_process_authentication_reject(sm, data, respData,
+						      &attr);
+		return;
+	}
+
+	switch (data->state) {
+	case IDENTITY:
+		eap_aka_process_identity(sm, data, respData, &attr);
+		break;
+	case CHALLENGE:
+		if (subtype == EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE) {
+			eap_aka_process_sync_failure(sm, data, respData,
+						     &attr);
+		} else {
+			eap_aka_process_challenge(sm, data, respData, &attr);
+		}
+		break;
+	case REAUTH:
+		eap_aka_process_reauth(sm, data, respData, &attr);
+		break;
+	case NOTIFICATION:
+		eap_aka_process_notification(sm, data, respData, &attr);
+		break;
+	default:
+		wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown state %d in "
+			   "process", data->state);
+		break;
+	}
+}
+
+
+static Boolean eap_aka_isDone(struct eap_sm *sm, void *priv)
+{
+	struct eap_aka_data *data = priv;
+	return data->state == SUCCESS || data->state == FAILURE;
+}
+
+
+static u8 * eap_aka_getKey(struct eap_sm *sm, void *priv, size_t *len)
+{
+	struct eap_aka_data *data = priv;
+	u8 *key;
+
+	if (data->state != SUCCESS)
+		return NULL;
+
+	key = os_malloc(EAP_SIM_KEYING_DATA_LEN);
+	if (key == NULL)
+		return NULL;
+	os_memcpy(key, data->msk, EAP_SIM_KEYING_DATA_LEN);
+	*len = EAP_SIM_KEYING_DATA_LEN;
+	return key;
+}
+
+
+static u8 * eap_aka_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
+{
+	struct eap_aka_data *data = priv;
+	u8 *key;
+
+	if (data->state != SUCCESS)
+		return NULL;
+
+	key = os_malloc(EAP_EMSK_LEN);
+	if (key == NULL)
+		return NULL;
+	os_memcpy(key, data->emsk, EAP_EMSK_LEN);
+	*len = EAP_EMSK_LEN;
+	return key;
+}
+
+
+static Boolean eap_aka_isSuccess(struct eap_sm *sm, void *priv)
+{
+	struct eap_aka_data *data = priv;
+	return data->state == SUCCESS;
+}
+
+
+int eap_server_aka_prime_register(void)
+{
+	struct eap_method *eap;
+	int ret;
+
+	eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
+				      EAP_VENDOR_IETF, EAP_TYPE_AKA_PRIME,
+				      "AKA'");
+	if (eap == NULL)
+		return -1;
+
+	eap->init = eap_aka_init;
+	eap->reset = eap_aka_reset;
+	eap->buildReq = eap_aka_buildReq;
+	eap->check = eap_aka_check;
+	eap->process = eap_aka_process;
+	eap->isDone = eap_aka_isDone;
+	eap->getKey = eap_aka_getKey;
+	eap->isSuccess = eap_aka_isSuccess;
+	eap->get_emsk = eap_aka_get_emsk;
+
+	ret = eap_server_method_register(eap);
+	if (ret)
+		eap_server_method_free(eap);
+	return ret;
+}

src/eap_server/eap_methods.c

@@ -212,6 +212,13 @@ int eap_server_register_methods(void)
 	}
 #endif /* EAP_AKA */
 
+#ifdef EAP_AKA_PRIME
+	if (ret == 0) {
+		int eap_server_aka_prime_register(void);
+		ret = eap_server_aka_prime_register();
+	}
+#endif /* EAP_AKA_PRIME */
+
 #ifdef EAP_PAX
 	if (ret == 0) {
 		int eap_server_pax_register(void);

wpa_supplicant/Makefile

@@ -427,6 +427,20 @@ CONFIG_IEEE8021X_EAPOL=y
 CONFIG_EAP_SIM_COMMON=y
 endif
 
+ifdef CONFIG_EAP_AKA_PRIME
+# EAP-AKA'
+ifeq ($(CONFIG_EAP_AKA_PRIME), dyn)
+CFLAGS += -DEAP_AKA_PRIME_DYNAMIC
+EAPDYN += ../src/eap_peer/eap_aka_prime.so
+else
+CFLAGS += -DEAP_AKA_PRIME
+OBJS += ../src/eap_peer/eap_aka_prime.o
+OBJS_h += ../src/eap_server/eap_aka_prime.o
+endif
+CONFIG_IEEE8021X_EAPOL=y
+CONFIG_EAP_SIM_COMMON=y
+endif
+
 ifdef CONFIG_EAP_SIM_COMMON
 OBJS += ../src/eap_common/eap_sim_common.o
 OBJS_h += ../src/eap_server/eap_sim_db.o