EAP-SIM with sim card?

Zoltán Faigl zfaigl at gmail.com
Thu Oct 9 06:37:56 EDT 2008


Dear All,

I am trying to test the IKEv2 daemon from the IKEv2 project with EAP
authentication methods. This daemon uses a wpa supplicant compiled as a
library, i.e., there is a Makefile that the developer of ikev2 provides.
This makefile must be used to compile the libsupplicant library from
wpasupplicant-0.4.x. Then this library is used during the configuration and
compilation of ikev2.
I attach that Makefile at the end of my email. I know that this is an old
version of wpa supplicant, but their makefile works only with this version
(wpasupplicant-0.4.10).


Their daemon is said to support EAP methods. And this is true, I tried out
many EAP methods on top of IKEv2, like EAP-MD5, EAP-TLS, EAP-TTLS/MD5,
EAP-PEAPv0/MSCHAPv2, together with freeradius. In every case I need to give
an eap.conf file on the user side, that is exactly the same as in the case
of using wpasupplicant for 802.11i, just using fewer fields.
E.g., my eap.conf for eap-md5 looks like the following:
network={
        key_mgmt=IEEE8021X
        eap=MD5
        identity="initiator@example.org"
        password="leonardo"
        eapol_flags=0
}


I also managed to run EAP-SIM successfully with the test RAND, Kc, and SRES
values, i.e., I saw the hardcoded triplets in eap_sim.c, and after
configuring those on the freeradius side, the authentication ran
successfully. The hardcoded values can be seen in the eap_sim_gsm_auth
function of eap_sim.c:


static int eap_sim_gsm_auth(struct eap_sm *sm, struct eap_sim_data *data)
{
        wpa_printf(MSG_DEBUG, "EAP-SIM: GSM authentication algorithm");
#ifdef PCSC_FUNCS
        if (scard_gsm_auth(sm->scard_ctx, data->rand[0],
                           data->sres[0], data->kc[0]) ||
            scard_gsm_auth(sm->scard_ctx, data->rand[1],
                           data->sres[1], data->kc[1]) ||
            (data->num_chal > 2 &&
             scard_gsm_auth(sm->scard_ctx, data->rand[2],
                            data->sres[2], data->kc[2]))) {
                wpa_printf(MSG_DEBUG, "EAP-SIM: GSM SIM authentication could "
                           "not be completed");
                return -1;
        }


#else /* PCSC_FUNCS */
        /* These hardcoded Kc and SRES values are used for testing. RAND to
         * KC/SREC mapping is very bogus as far as real authentication is
         * concerned, but it is quite useful for cases where the AS is rotating
         * the order of pre-configured values. */
        {
                int i;
                for (i = 0; i < data->num_chal; i++) {
                        if (data->rand[i][0] == 0xaa) {
                                memcpy(data->kc[i],
                                       "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7",
                                       KC_LEN);
                                memcpy(data->sres[i], "\xd1\xd2\xd3\xd4",
                                       SRES_LEN);
                        } else if (data->rand[i][0] == 0xbb) {
                                memcpy(data->kc[i],
                                       "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7",
                                       KC_LEN);
                                memcpy(data->sres[i], "\xe1\xe2\xe3\xe4",
                                       SRES_LEN);
                        } else {
                                memcpy(data->kc[i],
                                       "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7",
                                       KC_LEN);
                                memcpy(data->sres[i], "\xf1\xf2\xf3\xf4",
                                       SRES_LEN);
                        }
                }
        }
#endif /* PCSC_FUNCS */
        return 0;
}


My eap.conf file in this case is the following:
network={
        # I have added this user on the freeradius side with the hardcoded triplets.
        identity="1216702011992055@example.org"
        key_mgmt=WPA-EAP
        eap=SIM
        pin="1253"
        pcsc=""
}


Now comes the part I don't know:

I bought an omnikey cardman 3121 reader that supports PC/SC, and I have two
GSM test sim cards, which support COMP 128 V1, COMP 128 V2 gsm
authentication.

I installed pcsc-lite on my ubuntu, and when I insert a card in the reader,
I can see in /var/log/messages
Oct  8 16:58:36 anemone-mnn2 pcscd: Card ATR: 3B 3B 94 00 6A 38 20 00 00 17 80 33 33 90 00
I concluded that pcsc sees the card.

Now, if I change the triplet from the hardcoded one to a non-hardcoded one on
the radius side, e.g. I modify the first byte of the RAND values so that it is
not the expected one, then I would like to see that the supplicant looks into
my SIM card, calls the rungsm algorithm, and gets back different Kc and RES
values.

However, this does not happen, and I don't know where the problem is. How can
I easily test that the supplicant library can see my SIM card and call the
run gsm algorithm?

I attach a logfile of the supplicant library:
   I did not set Identity="..." in eap.conf

1st case: Identity not configured:
eap.conf of the supplicant is:
network={
        #identity="1001011111111111@example.org"
        key_mgmt=WPA-EAP
        eap=SIM
        pin="1111"
        pcsc=""
}

1223377938.860 supplicant INFO - CTRL-EVENT-EAP-METHOD EAP method 18 (SIM) selected
1223377938.860 supplicant TRACE - get_bool: 321: called get_bool for variable EAPOL_eapRestart (0)
1223377938.860 supplicant TRACE - get_bool: 346: called get_bool for variable EAPOL_portEnabled (1)
1223377938.860 supplicant DEBUG - EAP: EAP entering state METHOD
1223377938.860 supplicant DEBUG - Entering get_eapReqData: 497
1223377938.860 supplicant DEBUG - Leaving get_eapReqData: 501
1223377938.860 supplicant DEBUG - Entering get_config: 301
1223377938.860 supplicant DEBUG - _wpa_hexdump:  92: EAP-SIM: EAP data - hexdump(len=20):
1223377938.860 supplicant DEBUG - Dumping buffer at 0x80bdcc9 size 20
1223377938.860 supplicant DEBUG - 01 12 00 14 12 0A 00 00 0F 02 00 02 00 01 00 00
1223377938.860 supplicant DEBUG - 11 01 01 00
1223377938.860 supplicant INFO - EAP-SIM: Identity not configured
1223377938.860 supplicant INFO - CTRL-REQ-IDENTITY-0:Identity needed for SSID
1223377938.860 supplicant DEBUG - EAP: method process -> ignore=TRUE methodState=INIT decision=FAIL
1223377938.860 supplicant TRACE - get_bool: 321: called get_bool for variable EAPOL_eapRestart (0)
1223377938.860 supplicant TRACE - get_bool: 346: called get_bool for variable EAPOL_portEnabled (1)
1223377938.860 supplicant DEBUG - EAP: EAP entering state DISCARD
1223377938.860 supplicant TRACE - set_bool: 407: called set_bool for variable EAPOL_eapReq (0)
1223377938.860 supplicant TRACE - set_bool: 401: called set_bool for variable EAPOL_eapNoResp (1)
1223377938.860 supplicant TRACE - get_bool: 321: called get_bool for variable EAPOL_eapRestart (0)
1223377938.860 supplicant TRACE - get_bool: 346: called get_bool for variable EAPOL_portEnabled (1)
1223377938.860 supplicant DEBUG - EAP: EAP entering state IDLE


I think that it fails because it cannot get the IMSI from the SIM card.
This should possibly answer my problem.
1223377938.860 supplicant INFO - EAP-SIM: Identity not configured
1223377938.860 supplicant INFO - CTRL-REQ-IDENTITY-0:Identity needed for SSID
1223377938.860 supplicant DEBUG - EAP: method process -> ignore=TRUE methodState=INIT decision=FAIL

Could you help me to find the solution to use the SIM card for
authentication?

This is the Makefile used to compile the libsupplicant library from
wpasupplicant-0.4.10:

# Name of final library
LIBNAME=libsupplicant.so

# Major and minor versions of library
MJVER=1
MINVER=0

# CPP, C and linker flags
CPPFLAGS=-I../hostapd
CFLAGS=-ggdb -fPIC -c -Wall
LDFLAGS=-ggdb -shared -Wl,-soname,$(LIBNAME).$(MJVER)

# Destination directories for installation
DSTLIBDIR=/usr/local/lib
DSTINCDIR=/usr/local/include/wpa

# Include files to install
INCLUDES=common.h eap.h crypto.h wpa_supplicant.h defs.h eap_defs.h config.h config_ssid.h

# Object files to put into library
OBJS=md5.o eap.o crypto.o eap_tls.o eap_tls_common.o tls_openssl.o config.o config_file.o base64.o eap_tlv.o sha1.o rc4.o aes_wrap.o

# Defines

# If I'm taking generic EAP, why should I define this?
CPPFLAGS += -DIEEE8021X_EAPOL

# Also, why would use define
CPPFLAGS += -DEAP_TLS_FUNCS

# Also, why would use define
# This was added here so that macros wpa_msg et al. are properly
# defined!
#CPPFLAGS += -DCONFIG_NO_STDOUT_DEBUG

# EAP Methods that should be included in libraries...
CPPFLAGS += -DEAP_TLS

CPPFLAGS += -DEAP_TTLS
OBJS += eap_ttls.o ms_funcs.o

CPPFLAGS += -DEAP_PEAP
OBJS += eap_peap.o

CPPFLAGS += -DEAP_PSK
OBJS += eap_psk.o eap_psk_common.o

CPPFLAGS += -DEAP_SIM
OBJS += eap_sim.o eap_sim_common.o

CPPFLAGS += -DEAP_MD5
OBJS += eap_md5.o

# Targets

all: $(LIBNAME)

$(LIBNAME): $(OBJS)
        gcc -o $(LIBNAME).$(MJVER).$(MINVER) $(OBJS) $(LDFLAGS)

%.o:    %.c
        gcc $(CPPFLAGS) $(CFLAGS) -o $*.o $*.c

install:
        mkdir -p $(DSTINCDIR)
        cp $(LIBNAME).$(MJVER).$(MINVER) $(DSTLIBDIR)/
        cp $(INCLUDES) $(DSTINCDIR)
        ( cd $(DSTLIBDIR) && rm -f $(LIBNAME).$(MJVER) && ln -s $(LIBNAME).$(MJVER).$(MINVER) $(LIBNAME).$(MJVER) )
        ( cd $(DSTLIBDIR) && rm -f $(LIBNAME) && ln -s $(LIBNAME).$(MJVER).$(MINVER) $(LIBNAME) )

clean:
        rm -f $(OBJS) $(LIBNAME).$(MJVER).$(MINVER)


BR,
Zoltan Faigl
Mobile Innovation Center, Hungary
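
The 20-byte EAP-SIM hexdump(len=20) from the supplicant log in the message above, decoded according to the RFC 4186 packet layout. This is an added example, not part of the original post and not wpa_supplicant code; the names eap_sim_parse, sim_pkt, sim_attr and LOG_PKT are made up for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bytes copied from the hexdump(len=20) lines of the log in the post. */
static const uint8_t LOG_PKT[20] = {
    0x01, 0x12, 0x00, 0x14, 0x12, 0x0A, 0x00, 0x00, 0x0F, 0x02,
    0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x11, 0x01, 0x01, 0x00
};

struct sim_attr { uint8_t type; size_t len; const uint8_t *val; };
struct sim_pkt {
    uint8_t code, id, subtype;   /* EAP code, EAP identifier, EAP-SIM subtype */
    size_t nattr;
    struct sim_attr attr[16];    /* len/val cover the bytes after type+length */
};

/* Parse one EAP-SIM packet. Returns 0 on success, -1 if it is malformed. */
int eap_sim_parse(const uint8_t *p, size_t n, struct sim_pkt *out)
{
    size_t len, pos = 8;         /* 4-byte EAP header, type, subtype, 2 reserved */
    if (n < 8) return -1;
    len = ((size_t)p[2] << 8) | p[3];
    if (len < 8 || len > n || p[4] != 18) return -1;   /* EAP type 18 = SIM */
    out->code = p[0]; out->id = p[1]; out->subtype = p[5];
    out->nattr = 0;
    while (pos < len) {
        size_t alen;
        if (len - pos < 2) return -1;
        alen = (size_t)p[pos + 1] * 4;   /* attribute length is in 4-byte units */
        if (alen < 4 || alen > len - pos || out->nattr == 16) return -1;
        out->attr[out->nattr].type = p[pos];
        out->attr[out->nattr].len = alen - 2;
        out->attr[out->nattr].val = p + pos + 2;
        out->nattr++;
        pos += alen;
    }
    return 0;
}

int main(void)
{
    struct sim_pkt k;
    size_t i;
    if (eap_sim_parse(LOG_PKT, sizeof(LOG_PKT), &k) != 0) return 1;
    printf("code=%u id=0x%02x subtype=%u\n", k.code, k.id, k.subtype);
    for (i = 0; i < k.nattr; i++)
        printf("attr type=%u value_len=%zu\n", k.attr[i].type, k.attr[i].len);
    return 0;
}
```

For the logged packet this reports an EAP-Request (code 1) with subtype 10 (Start), carrying AT_VERSION_LIST (15) and AT_FULLAUTH_ID_REQ (17).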