2
* HLR/AuC testing gateway for hostapd EAP-SIM/AKA database/authenticator
3
* Copyright (c) 2005-2007, Jouni Malinen <j@w1.fi>
5
* This program is free software; you can redistribute it and/or modify
6
* it under the terms of the GNU General Public License version 2 as
7
* published by the Free Software Foundation.
9
* Alternatively, this software may be distributed under the terms of BSD
12
* See README and COPYING for more details.
14
* This is an example implementation of the EAP-SIM/AKA database/authentication
15
* gateway interface to HLR/AuC. It is expected to be replaced with an
16
* implementation of SS7 gateway to GSM/UMTS authentication center (HLR/AuC) or
17
* a local implementation of SIM triplet and AKA authentication data generator.
19
* hostapd will send SIM/AKA authentication queries over a UNIX domain socket
20
* to and external program, e.g., this hlr_auc_gw. This interface uses simple
23
* EAP-SIM / GSM triplet query/response:
24
* SIM-REQ-AUTH <IMSI> <max_chal>
25
* SIM-RESP-AUTH <IMSI> Kc1:SRES1:RAND1 Kc2:SRES2:RAND2 [Kc3:SRES3:RAND3]
26
* SIM-RESP-AUTH <IMSI> FAILURE
28
* EAP-AKA / UMTS query/response:
30
* AKA-RESP-AUTH <IMSI> <RAND> <AUTN> <IK> <CK> <RES>
31
* AKA-RESP-AUTH <IMSI> FAILURE
33
* EAP-AKA / UMTS AUTS (re-synchronization):
34
* AKA-AUTS <IMSI> <AUTS> <RAND>
36
* IMSI and max_chal are sent as an ASCII string,
37
* Kc/SRES/RAND/AUTN/IK/CK/RES/AUTS as hex strings.
39
* The example implementation here reads GSM authentication triplets from a
40
* text file in IMSI:Kc:SRES:RAND format, IMSI in ASCII, other fields as hex
41
* strings. This is used to simulate an HLR/AuC. As such, it is not very useful
42
* for real life authentication, but it is useful both as an example
43
* implementation and for EAP-SIM testing.
52
static const char *default_socket_path = "/tmp/hlr_auc_gw.sock";
53
static const char *socket_path;
54
static int serv_sock = -1;
58
struct gsm_triplet *next;
65
static struct gsm_triplet *gsm_db = NULL, *gsm_db_pos = NULL;
67
/* OPc and AMF parameters for Milenage (Example algorithms for AKA). */
68
struct milenage_parameters {
69
struct milenage_parameters *next;
77
static struct milenage_parameters *milenage_db = NULL;
79
#define EAP_SIM_MAX_CHAL 3
81
#define EAP_AKA_RAND_LEN 16
82
#define EAP_AKA_AUTN_LEN 16
83
#define EAP_AKA_AUTS_LEN 14
84
#define EAP_AKA_RES_MAX_LEN 16
85
#define EAP_AKA_IK_LEN 16
86
#define EAP_AKA_CK_LEN 16
89
static int open_socket(const char *path)
91
struct sockaddr_un addr;
94
s = socket(PF_UNIX, SOCK_DGRAM, 0);
96
perror("socket(PF_UNIX)");
100
memset(&addr, 0, sizeof(addr));
101
addr.sun_family = AF_UNIX;
102
os_strlcpy(addr.sun_path, path, sizeof(addr.sun_path));
103
if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
104
perror("bind(PF_UNIX)");
113
static int read_gsm_triplets(const char *fname)
116
char buf[200], *pos, *pos2;
117
struct gsm_triplet *g = NULL;
123
f = fopen(fname, "r");
125
printf("Could not open GSM tripler data file '%s'\n", fname);
130
while (fgets(buf, sizeof(buf), f)) {
133
/* Parse IMSI:Kc:SRES:RAND */
134
buf[sizeof(buf) - 1] = '\0';
138
while (*pos != '\0' && *pos != '\n')
146
g = os_zalloc(sizeof(*g));
153
pos2 = strchr(pos, ':');
155
printf("%s:%d - Invalid IMSI (%s)\n",
161
if (strlen(pos) >= sizeof(g->imsi)) {
162
printf("%s:%d - Too long IMSI (%s)\n",
167
os_strlcpy(g->imsi, pos, sizeof(g->imsi));
171
pos2 = strchr(pos, ':');
173
printf("%s:%d - Invalid Kc (%s)\n", fname, line, pos);
178
if (strlen(pos) != 16 || hexstr2bin(pos, g->kc, 8)) {
179
printf("%s:%d - Invalid Kc (%s)\n", fname, line, pos);
186
pos2 = strchr(pos, ':');
188
printf("%s:%d - Invalid SRES (%s)\n", fname, line,
194
if (strlen(pos) != 8 || hexstr2bin(pos, g->sres, 4)) {
195
printf("%s:%d - Invalid SRES (%s)\n", fname, line,
203
pos2 = strchr(pos, ':');
206
if (strlen(pos) != 32 || hexstr2bin(pos, g->_rand, 16)) {
207
printf("%s:%d - Invalid RAND (%s)\n", fname, line,
226
static struct gsm_triplet * get_gsm_triplet(const char *imsi)
228
struct gsm_triplet *g = gsm_db_pos;
231
if (strcmp(g->imsi, imsi) == 0) {
232
gsm_db_pos = g->next;
239
while (g && g != gsm_db_pos) {
240
if (strcmp(g->imsi, imsi) == 0) {
241
gsm_db_pos = g->next;
251
static int read_milenage(const char *fname)
254
char buf[200], *pos, *pos2;
255
struct milenage_parameters *m = NULL;
261
f = fopen(fname, "r");
263
printf("Could not open Milenage data file '%s'\n", fname);
268
while (fgets(buf, sizeof(buf), f)) {
271
/* Parse IMSI Ki OPc AMF SQN */
272
buf[sizeof(buf) - 1] = '\0';
276
while (*pos != '\0' && *pos != '\n')
284
m = os_zalloc(sizeof(*m));
291
pos2 = strchr(pos, ' ');
293
printf("%s:%d - Invalid IMSI (%s)\n",
299
if (strlen(pos) >= sizeof(m->imsi)) {
300
printf("%s:%d - Too long IMSI (%s)\n",
305
os_strlcpy(m->imsi, pos, sizeof(m->imsi));
309
pos2 = strchr(pos, ' ');
311
printf("%s:%d - Invalid Ki (%s)\n", fname, line, pos);
316
if (strlen(pos) != 32 || hexstr2bin(pos, m->ki, 16)) {
317
printf("%s:%d - Invalid Ki (%s)\n", fname, line, pos);
324
pos2 = strchr(pos, ' ');
326
printf("%s:%d - Invalid OPc (%s)\n", fname, line, pos);
331
if (strlen(pos) != 32 || hexstr2bin(pos, m->opc, 16)) {
332
printf("%s:%d - Invalid OPc (%s)\n", fname, line, pos);
339
pos2 = strchr(pos, ' ');
341
printf("%s:%d - Invalid AMF (%s)\n", fname, line, pos);
346
if (strlen(pos) != 4 || hexstr2bin(pos, m->amf, 2)) {
347
printf("%s:%d - Invalid AMF (%s)\n", fname, line, pos);
354
pos2 = strchr(pos, ' ');
357
if (strlen(pos) != 12 || hexstr2bin(pos, m->sqn, 6)) {
358
printf("%s:%d - Invalid SEQ (%s)\n", fname, line, pos);
364
m->next = milenage_db;
376
static struct milenage_parameters * get_milenage(const char *imsi)
378
struct milenage_parameters *m = milenage_db;
381
if (strcmp(m->imsi, imsi) == 0)
390
static void sim_req_auth(int s, struct sockaddr_un *from, socklen_t fromlen,
393
int count, max_chal, ret;
395
char reply[1000], *rpos, *rend;
396
struct milenage_parameters *m;
397
struct gsm_triplet *g;
401
pos = strchr(imsi, ' ');
404
max_chal = atoi(pos);
405
if (max_chal < 1 || max_chal < EAP_SIM_MAX_CHAL)
406
max_chal = EAP_SIM_MAX_CHAL;
408
max_chal = EAP_SIM_MAX_CHAL;
410
rend = &reply[sizeof(reply)];
412
ret = snprintf(rpos, rend - rpos, "SIM-RESP-AUTH %s", imsi);
413
if (ret < 0 || ret >= rend - rpos)
417
m = get_milenage(imsi);
419
u8 _rand[16], sres[4], kc[8];
420
for (count = 0; count < max_chal; count++) {
421
if (os_get_random(_rand, 16) < 0)
423
gsm_milenage(m->opc, m->ki, _rand, sres, kc);
425
rpos += wpa_snprintf_hex(rpos, rend - rpos, kc, 8);
427
rpos += wpa_snprintf_hex(rpos, rend - rpos, sres, 4);
429
rpos += wpa_snprintf_hex(rpos, rend - rpos, _rand, 16);
436
while (count < max_chal && (g = get_gsm_triplet(imsi))) {
437
if (strcmp(g->imsi, imsi) != 0)
442
rpos += wpa_snprintf_hex(rpos, rend - rpos, g->kc, 8);
445
rpos += wpa_snprintf_hex(rpos, rend - rpos, g->sres, 4);
448
rpos += wpa_snprintf_hex(rpos, rend - rpos, g->_rand, 16);
453
printf("No GSM triplets found for %s\n", imsi);
454
ret = snprintf(rpos, rend - rpos, " FAILURE");
455
if (ret < 0 || ret >= rend - rpos)
461
printf("Send: %s\n", reply);
462
if (sendto(s, reply, rpos - reply, 0,
463
(struct sockaddr *) from, fromlen) < 0)
468
static void aka_req_auth(int s, struct sockaddr_un *from, socklen_t fromlen,
471
/* AKA-RESP-AUTH <IMSI> <RAND> <AUTN> <IK> <CK> <RES> */
472
char reply[1000], *pos, *end;
473
u8 _rand[EAP_AKA_RAND_LEN];
474
u8 autn[EAP_AKA_AUTN_LEN];
475
u8 ik[EAP_AKA_IK_LEN];
476
u8 ck[EAP_AKA_CK_LEN];
477
u8 res[EAP_AKA_RES_MAX_LEN];
480
struct milenage_parameters *m;
482
m = get_milenage(imsi);
484
if (os_get_random(_rand, EAP_AKA_RAND_LEN) < 0)
486
res_len = EAP_AKA_RES_MAX_LEN;
487
inc_byte_array(m->sqn, 6);
488
printf("AKA: Milenage with SQN=%02x%02x%02x%02x%02x%02x\n",
489
m->sqn[0], m->sqn[1], m->sqn[2],
490
m->sqn[3], m->sqn[4], m->sqn[5]);
491
milenage_generate(m->opc, m->amf, m->ki, m->sqn, _rand,
492
autn, ik, ck, res, &res_len);
494
printf("Unknown IMSI: %s\n", imsi);
495
#ifdef AKA_USE_FIXED_TEST_VALUES
496
printf("Using fixed test values for AKA\n");
497
memset(_rand, '0', EAP_AKA_RAND_LEN);
498
memset(autn, '1', EAP_AKA_AUTN_LEN);
499
memset(ik, '3', EAP_AKA_IK_LEN);
500
memset(ck, '4', EAP_AKA_CK_LEN);
501
memset(res, '2', EAP_AKA_RES_MAX_LEN);
502
res_len = EAP_AKA_RES_MAX_LEN;
503
#else /* AKA_USE_FIXED_TEST_VALUES */
505
#endif /* AKA_USE_FIXED_TEST_VALUES */
509
end = &reply[sizeof(reply)];
510
ret = snprintf(pos, end - pos, "AKA-RESP-AUTH %s ", imsi);
511
if (ret < 0 || ret >= end - pos)
514
pos += wpa_snprintf_hex(pos, end - pos, _rand, EAP_AKA_RAND_LEN);
516
pos += wpa_snprintf_hex(pos, end - pos, autn, EAP_AKA_AUTN_LEN);
518
pos += wpa_snprintf_hex(pos, end - pos, ik, EAP_AKA_IK_LEN);
520
pos += wpa_snprintf_hex(pos, end - pos, ck, EAP_AKA_CK_LEN);
522
pos += wpa_snprintf_hex(pos, end - pos, res, res_len);
524
printf("Send: %s\n", reply);
526
if (sendto(s, reply, pos - reply, 0, (struct sockaddr *) from,
532
static void aka_auts(int s, struct sockaddr_un *from, socklen_t fromlen,
536
u8 _auts[EAP_AKA_AUTS_LEN], _rand[EAP_AKA_RAND_LEN], sqn[6];
537
struct milenage_parameters *m;
539
/* AKA-AUTS <IMSI> <AUTS> <RAND> */
541
auts = strchr(imsi, ' ');
546
rand = strchr(auts, ' ');
551
printf("AKA-AUTS: IMSI=%s AUTS=%s RAND=%s\n", imsi, auts, rand);
552
if (hexstr2bin(auts, _auts, EAP_AKA_AUTS_LEN) ||
553
hexstr2bin(rand, _rand, EAP_AKA_RAND_LEN)) {
554
printf("Could not parse AUTS/RAND\n");
558
m = get_milenage(imsi);
560
printf("Unknown IMSI: %s\n", imsi);
564
if (milenage_auts(m->opc, m->ki, _rand, _auts, sqn)) {
565
printf("AKA-AUTS: Incorrect MAC-S\n");
567
memcpy(m->sqn, sqn, 6);
568
printf("AKA-AUTS: Re-synchronized: "
569
"SQN=%02x%02x%02x%02x%02x%02x\n",
570
sqn[0], sqn[1], sqn[2], sqn[3], sqn[4], sqn[5]);
575
static int process(int s)
578
struct sockaddr_un from;
582
fromlen = sizeof(from);
583
res = recvfrom(s, buf, sizeof(buf), 0, (struct sockaddr *) &from,
593
if ((size_t) res >= sizeof(buf))
594
res = sizeof(buf) - 1;
597
printf("Received: %s\n", buf);
599
if (strncmp(buf, "SIM-REQ-AUTH ", 13) == 0)
600
sim_req_auth(s, &from, fromlen, buf + 13);
601
else if (strncmp(buf, "AKA-REQ-AUTH ", 13) == 0)
602
aka_req_auth(s, &from, fromlen, buf + 13);
603
else if (strncmp(buf, "AKA-AUTS ", 9) == 0)
604
aka_auts(s, &from, fromlen, buf + 9);
606
printf("Unknown request: %s\n", buf);
612
static void cleanup(void)
614
struct gsm_triplet *g, *gprev;
615
struct milenage_parameters *m, *prev;
636
static void handle_term(int sig)
638
printf("Signal %d - terminate\n", sig);
643
static void usage(void)
645
printf("HLR/AuC testing gateway for hostapd EAP-SIM/AKA "
646
"database/authenticator\n"
647
"Copyright (c) 2005-2007, Jouni Malinen <j@w1.fi>\n"
650
"hlr_auc_gw [-h] [-s<socket path>] [-g<triplet file>] "
651
"[-m<milenage file>]\n"
654
" -h = show this usage help\n"
655
" -s<socket path> = path for UNIX domain socket\n"
657
" -g<triplet file> = path for GSM authentication triplets\n"
658
" -m<milenage file> = path for Milenage keys\n",
659
default_socket_path);
663
int main(int argc, char *argv[])
666
char *milenage_file = NULL;
667
char *gsm_triplet_file = NULL;
669
socket_path = default_socket_path;
672
c = getopt(argc, argv, "g:hm:s:");
677
gsm_triplet_file = optarg;
683
milenage_file = optarg;
686
socket_path = optarg;
694
if (gsm_triplet_file && read_gsm_triplets(gsm_triplet_file) < 0)
697
if (milenage_file && read_milenage(milenage_file) < 0)
700
serv_sock = open_socket(socket_path);
704
printf("Listening for requests on %s\n", socket_path);
707
signal(SIGTERM, handle_term);
708
signal(SIGINT, handle_term);
added
removed
src/hlr_auc_gw/hlr_auc_gw.c
