1/* 2 * EAP peer method: EAP-EKE (RFC 6124) 3 * Copyright (c) 2013, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/random.h" 13#include "eap_peer/eap_i.h" 14#include "eap_common/eap_eke_common.h" 15 16struct eap_eke_data { 17 enum { 18 IDENTITY, COMMIT, CONFIRM, SUCCESS, FAILURE 19 } state; 20 u8 msk[EAP_MSK_LEN]; 21 u8 emsk[EAP_EMSK_LEN]; 22 u8 *peerid; 23 size_t peerid_len; 24 u8 *serverid; 25 size_t serverid_len; 26 u8 dh_priv[EAP_EKE_MAX_DH_LEN]; 27 struct eap_eke_session sess; 28 u8 nonce_p[EAP_EKE_MAX_NONCE_LEN]; 29 u8 nonce_s[EAP_EKE_MAX_NONCE_LEN]; 30 struct wpabuf *msgs; 31 u8 dhgroup; /* forced DH group or 0 to allow all supported */ 32 u8 encr; /* forced encryption algorithm or 0 to allow all supported */ 33 u8 prf; /* forced PRF or 0 to allow all supported */ 34 u8 mac; /* forced MAC or 0 to allow all supported */ 35}; 36 37 38static const char * eap_eke_state_txt(int state) 39{ 40 switch (state) { 41 case IDENTITY: 42 return "IDENTITY"; 43 case COMMIT: 44 return "COMMIT"; 45 case CONFIRM: 46 return "CONFIRM"; 47 case SUCCESS: 48 return "SUCCESS"; 49 case FAILURE: 50 return "FAILURE"; 51 default: 52 return "?"; 53 } 54} 55 56 57static void eap_eke_state(struct eap_eke_data *data, int state) 58{ 59 wpa_printf(MSG_DEBUG, "EAP-EKE: %s -> %s", 60 eap_eke_state_txt(data->state), eap_eke_state_txt(state)); 61 data->state = state; 62} 63 64 65static void eap_eke_deinit(struct eap_sm *sm, void *priv); 66 67 68static void * eap_eke_init(struct eap_sm *sm) 69{ 70 struct eap_eke_data *data; 71 const u8 *identity, *password; 72 size_t identity_len, password_len; 73 const char *phase1; 74 75 password = eap_get_config_password(sm, &password_len); 76 if (!password) { 77 wpa_printf(MSG_INFO, "EAP-EKE: No password configured"); 78 return NULL; 79 } 80 81 data = os_zalloc(sizeof(*data)); 82 if (data == NULL) 83 return NULL; 84 eap_eke_state(data, IDENTITY); 85 86 identity = eap_get_config_identity(sm, &identity_len); 87 if (identity) { 88 data->peerid = os_malloc(identity_len); 89 if (data->peerid == NULL) { 90 eap_eke_deinit(sm, data); 91 return NULL; 92 } 93 os_memcpy(data->peerid, identity, identity_len); 94 data->peerid_len = identity_len; 95 } 96 97 phase1 = eap_get_config_phase1(sm); 98 if (phase1) { 99 const char *pos; 100 101 pos = os_strstr(phase1, "dhgroup="); 102 if (pos) { 103 data->dhgroup = atoi(pos + 8); 104 wpa_printf(MSG_DEBUG, "EAP-EKE: Forced dhgroup %u", 105 data->dhgroup); 106 } 107 108 pos = os_strstr(phase1, "encr="); 109 if (pos) { 110 data->encr = atoi(pos + 5); 111 wpa_printf(MSG_DEBUG, "EAP-EKE: Forced encr %u", 112 data->encr); 113 } 114 115 pos = os_strstr(phase1, "prf="); 116 if (pos) { 117 data->prf = atoi(pos + 4); 118 wpa_printf(MSG_DEBUG, "EAP-EKE: Forced prf %u", 119 data->prf); 120 } 121 122 pos = os_strstr(phase1, "mac="); 123 if (pos) { 124 data->mac = atoi(pos + 4); 125 wpa_printf(MSG_DEBUG, "EAP-EKE: Forced mac %u", 126 data->mac); 127 } 128 } 129 130 return data; 131} 132 133 134static void eap_eke_deinit(struct eap_sm *sm, void *priv) 135{ 136 struct eap_eke_data *data = priv; 137 eap_eke_session_clean(&data->sess); 138 os_free(data->serverid); 139 os_free(data->peerid); 140 wpabuf_free(data->msgs); 141 bin_clear_free(data, sizeof(*data)); 142} 143 144 145static struct wpabuf * eap_eke_build_msg(struct eap_eke_data *data, int id, 146 size_t length, u8 eke_exch) 147{ 148 struct wpabuf *msg; 149 size_t plen; 150 151 plen = 1 + length; 152 153 msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_EKE, plen, 154 EAP_CODE_RESPONSE, id); 155 if (msg == NULL) { 156 wpa_printf(MSG_ERROR, "EAP-EKE: Failed to allocate memory"); 157 return NULL; 158 } 159 160 wpabuf_put_u8(msg, eke_exch); 161 162 return msg; 163} 164 165 166static int eap_eke_supp_dhgroup(u8 dhgroup) 167{ 168 return dhgroup == EAP_EKE_DHGROUP_EKE_2 || 169 dhgroup == EAP_EKE_DHGROUP_EKE_5 || 170 dhgroup == EAP_EKE_DHGROUP_EKE_14 || 171 dhgroup == EAP_EKE_DHGROUP_EKE_15 || 172 dhgroup == EAP_EKE_DHGROUP_EKE_16; 173} 174 175 176static int eap_eke_supp_encr(u8 encr) 177{ 178 return encr == EAP_EKE_ENCR_AES128_CBC; 179} 180 181 182static int eap_eke_supp_prf(u8 prf) 183{ 184 return prf == EAP_EKE_PRF_HMAC_SHA1 || 185 prf == EAP_EKE_PRF_HMAC_SHA2_256; 186} 187 188 189static int eap_eke_supp_mac(u8 mac) 190{ 191 return mac == EAP_EKE_MAC_HMAC_SHA1 || 192 mac == EAP_EKE_MAC_HMAC_SHA2_256; 193} 194 195 196static struct wpabuf * eap_eke_build_fail(struct eap_eke_data *data, 197 struct eap_method_ret *ret, 198 u8 id, u32 failure_code) 199{ 200 struct wpabuf *resp; 201 202 wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Failure/Response - code=0x%x", 203 failure_code); 204 205 resp = eap_eke_build_msg(data, id, 4, EAP_EKE_FAILURE); 206 if (resp) 207 wpabuf_put_be32(resp, failure_code); 208 209 os_memset(data->dh_priv, 0, sizeof(data->dh_priv)); 210 eap_eke_session_clean(&data->sess); 211 212 eap_eke_state(data, FAILURE); 213 ret->methodState = METHOD_DONE; 214 ret->decision = DECISION_FAIL; 215 ret->allowNotifications = FALSE; 216 217 return resp; 218} 219 220 221static struct wpabuf * eap_eke_process_id(struct eap_eke_data *data, 222 struct eap_method_ret *ret, 223 const struct wpabuf *reqData, 224 const u8 *payload, 225 size_t payload_len) 226{ 227 struct wpabuf *resp; 228 unsigned num_prop, i; 229 const u8 *pos, *end; 230 const u8 *prop = NULL; 231 u8 idtype; 232 u8 id = eap_get_id(reqData); 233 234 if (data->state != IDENTITY) { 235 return eap_eke_build_fail(data, ret, id, 236 EAP_EKE_FAIL_PROTO_ERROR); 237 } 238 239 wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-ID/Request"); 240 241 if (payload_len < 2 + 4) { 242 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short ID/Request Data"); 243 return eap_eke_build_fail(data, ret, id, 244 EAP_EKE_FAIL_PROTO_ERROR); 245 } 246 247 pos = payload; 248 end = payload + payload_len; 249 250 num_prop = *pos++; 251 pos++; /* Ignore Reserved field */ 252 253 if (pos + num_prop * 4 > end) { 254 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short ID/Request Data (num_prop=%u)", 255 num_prop); 256 return eap_eke_build_fail(data, ret, id, 257 EAP_EKE_FAIL_PROTO_ERROR); 258 } 259 260 for (i = 0; i < num_prop; i++) { 261 const u8 *tmp = pos; 262 263 wpa_printf(MSG_DEBUG, "EAP-EKE: Proposal #%u: dh=%u encr=%u prf=%u mac=%u", 264 i, pos[0], pos[1], pos[2], pos[3]); 265 pos += 4; 266 267 if ((data->dhgroup && data->dhgroup != *tmp) || 268 !eap_eke_supp_dhgroup(*tmp)) 269 continue; 270 tmp++; 271 if ((data->encr && data->encr != *tmp) || 272 !eap_eke_supp_encr(*tmp)) 273 continue; 274 tmp++; 275 if ((data->prf && data->prf != *tmp) || 276 !eap_eke_supp_prf(*tmp)) 277 continue; 278 tmp++; 279 if ((data->mac && data->mac != *tmp) || 280 !eap_eke_supp_mac(*tmp)) 281 continue; 282 283 prop = tmp - 3; 284 if (eap_eke_session_init(&data->sess, prop[0], prop[1], prop[2], 285 prop[3]) < 0) { 286 prop = NULL; 287 continue; 288 } 289 290 wpa_printf(MSG_DEBUG, "EAP-EKE: Selected proposal"); 291 break; 292 } 293 294 if (prop == NULL) { 295 wpa_printf(MSG_DEBUG, "EAP-EKE: No acceptable proposal found"); 296 return eap_eke_build_fail(data, ret, id, 297 EAP_EKE_FAIL_NO_PROPOSAL_CHOSEN); 298 } 299 300 pos += (num_prop - i - 1) * 4; 301 302 if (pos == end) { 303 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short ID/Request Data to include IDType/Identity"); 304 return eap_eke_build_fail(data, ret, id, 305 EAP_EKE_FAIL_PROTO_ERROR); 306 } 307 308 idtype = *pos++; 309 wpa_printf(MSG_DEBUG, "EAP-EKE: Server IDType %u", idtype); 310 wpa_hexdump_ascii(MSG_DEBUG, "EAP-EKE: Server Identity", 311 pos, end - pos); 312 os_free(data->serverid); 313 data->serverid = os_malloc(end - pos); 314 if (data->serverid == NULL) { 315 return eap_eke_build_fail(data, ret, id, 316 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 317 } 318 os_memcpy(data->serverid, pos, end - pos); 319 data->serverid_len = end - pos; 320 321 wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-ID/Response"); 322 323 resp = eap_eke_build_msg(data, id, 324 2 + 4 + 1 + data->peerid_len, 325 EAP_EKE_ID); 326 if (resp == NULL) { 327 return eap_eke_build_fail(data, ret, id, 328 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 329 } 330 331 wpabuf_put_u8(resp, 1); /* NumProposals */ 332 wpabuf_put_u8(resp, 0); /* Reserved */ 333 wpabuf_put_data(resp, prop, 4); /* Selected Proposal */ 334 wpabuf_put_u8(resp, EAP_EKE_ID_NAI); 335 if (data->peerid) 336 wpabuf_put_data(resp, data->peerid, data->peerid_len); 337 338 wpabuf_free(data->msgs); 339 data->msgs = wpabuf_alloc(wpabuf_len(reqData) + wpabuf_len(resp)); 340 if (data->msgs == NULL) { 341 wpabuf_free(resp); 342 return eap_eke_build_fail(data, ret, id, 343 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 344 } 345 wpabuf_put_buf(data->msgs, reqData); 346 wpabuf_put_buf(data->msgs, resp); 347 348 eap_eke_state(data, COMMIT); 349 350 return resp; 351} 352 353 354static struct wpabuf * eap_eke_process_commit(struct eap_sm *sm, 355 struct eap_eke_data *data, 356 struct eap_method_ret *ret, 357 const struct wpabuf *reqData, 358 const u8 *payload, 359 size_t payload_len) 360{ 361 struct wpabuf *resp; 362 const u8 *pos, *end, *dhcomp; 363 size_t prot_len; 364 u8 *rpos; 365 u8 key[EAP_EKE_MAX_KEY_LEN]; 366 u8 pub[EAP_EKE_MAX_DH_LEN]; 367 const u8 *password; 368 size_t password_len; 369 u8 id = eap_get_id(reqData); 370 371 if (data->state != COMMIT) { 372 wpa_printf(MSG_DEBUG, "EAP-EKE: EAP-EKE-Commit/Request received in unexpected state (%d)", data->state); 373 return eap_eke_build_fail(data, ret, id, 374 EAP_EKE_FAIL_PROTO_ERROR); 375 } 376 377 wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Commit/Request"); 378 379 password = eap_get_config_password(sm, &password_len); 380 if (password == NULL) { 381 wpa_printf(MSG_INFO, "EAP-EKE: No password configured!"); 382 return eap_eke_build_fail(data, ret, id, 383 EAP_EKE_FAIL_PASSWD_NOT_FOUND); 384 } 385 386 pos = payload; 387 end = payload + payload_len; 388 389 if (pos + data->sess.dhcomp_len > end) { 390 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Commit"); 391 return eap_eke_build_fail(data, ret, id, 392 EAP_EKE_FAIL_PROTO_ERROR); 393 } 394 395 wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent_S", 396 pos, data->sess.dhcomp_len); 397 dhcomp = pos; 398 pos += data->sess.dhcomp_len; 399 wpa_hexdump(MSG_DEBUG, "EAP-EKE: CBValue", pos, end - pos); 400 401 /* 402 * temp = prf(0+, password) 403 * key = prf+(temp, ID_S | ID_P) 404 */ 405 if (eap_eke_derive_key(&data->sess, password, password_len, 406 data->serverid, data->serverid_len, 407 data->peerid, data->peerid_len, key) < 0) { 408 wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive key"); 409 return eap_eke_build_fail(data, ret, id, 410 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 411 } 412 413 /* 414 * y_p = g ^ x_p (mod p) 415 * x_p = random number 2 .. p-1 416 */ 417 if (eap_eke_dh_init(data->sess.dhgroup, data->dh_priv, pub) < 0) { 418 wpa_printf(MSG_INFO, "EAP-EKE: Failed to initialize DH"); 419 os_memset(key, 0, sizeof(key)); 420 return eap_eke_build_fail(data, ret, id, 421 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 422 } 423 424 if (eap_eke_shared_secret(&data->sess, key, data->dh_priv, dhcomp) < 0) 425 { 426 wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive shared secret"); 427 os_memset(key, 0, sizeof(key)); 428 return eap_eke_build_fail(data, ret, id, 429 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 430 } 431 432 if (eap_eke_derive_ke_ki(&data->sess, 433 data->serverid, data->serverid_len, 434 data->peerid, data->peerid_len) < 0) { 435 wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive Ke/Ki"); 436 os_memset(key, 0, sizeof(key)); 437 return eap_eke_build_fail(data, ret, id, 438 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 439 } 440 441 wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Commit/Response"); 442 443 resp = eap_eke_build_msg(data, id, 444 data->sess.dhcomp_len + data->sess.pnonce_len, 445 EAP_EKE_COMMIT); 446 if (resp == NULL) { 447 os_memset(key, 0, sizeof(key)); 448 return eap_eke_build_fail(data, ret, id, 449 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 450 } 451 452 /* DHComponent_P = Encr(key, y_p) */ 453 rpos = wpabuf_put(resp, data->sess.dhcomp_len); 454 if (eap_eke_dhcomp(&data->sess, key, pub, rpos) < 0) { 455 wpa_printf(MSG_INFO, "EAP-EKE: Failed to build DHComponent_P"); 456 os_memset(key, 0, sizeof(key)); 457 return eap_eke_build_fail(data, ret, id, 458 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 459 } 460 os_memset(key, 0, sizeof(key)); 461 462 wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent_P", 463 rpos, data->sess.dhcomp_len); 464 465 if (random_get_bytes(data->nonce_p, data->sess.nonce_len)) { 466 wpabuf_free(resp); 467 return eap_eke_build_fail(data, ret, id, 468 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 469 } 470 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Nonce_P", 471 data->nonce_p, data->sess.nonce_len); 472 prot_len = wpabuf_tailroom(resp); 473 if (eap_eke_prot(&data->sess, data->nonce_p, data->sess.nonce_len, 474 wpabuf_put(resp, 0), &prot_len) < 0) { 475 wpabuf_free(resp); 476 return eap_eke_build_fail(data, ret, id, 477 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 478 } 479 wpa_hexdump(MSG_DEBUG, "EAP-EKE: PNonce_P", 480 wpabuf_put(resp, 0), prot_len); 481 wpabuf_put(resp, prot_len); 482 483 /* TODO: CBValue */ 484 485 if (wpabuf_resize(&data->msgs, wpabuf_len(reqData) + wpabuf_len(resp)) 486 < 0) { 487 wpabuf_free(resp); 488 return eap_eke_build_fail(data, ret, id, 489 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 490 } 491 wpabuf_put_buf(data->msgs, reqData); 492 wpabuf_put_buf(data->msgs, resp); 493 494 eap_eke_state(data, CONFIRM); 495 496 return resp; 497} 498 499 500static struct wpabuf * eap_eke_process_confirm(struct eap_eke_data *data, 501 struct eap_method_ret *ret, 502 const struct wpabuf *reqData, 503 const u8 *payload, 504 size_t payload_len) 505{ 506 struct wpabuf *resp; 507 const u8 *pos, *end; 508 size_t prot_len; 509 u8 nonces[2 * EAP_EKE_MAX_NONCE_LEN]; 510 u8 auth_s[EAP_EKE_MAX_HASH_LEN]; 511 size_t decrypt_len; 512 u8 *auth; 513 u8 id = eap_get_id(reqData); 514 515 if (data->state != CONFIRM) { 516 wpa_printf(MSG_DEBUG, "EAP-EKE: EAP-EKE-Confirm/Request received in unexpected state (%d)", 517 data->state); 518 return eap_eke_build_fail(data, ret, id, 519 EAP_EKE_FAIL_PROTO_ERROR); 520 } 521 522 wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Confirm/Request"); 523 524 pos = payload; 525 end = payload + payload_len; 526 527 if (pos + data->sess.pnonce_ps_len + data->sess.prf_len > end) { 528 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Confirm"); 529 return eap_eke_build_fail(data, ret, id, 530 EAP_EKE_FAIL_PROTO_ERROR); 531 } 532 533 decrypt_len = sizeof(nonces); 534 if (eap_eke_decrypt_prot(&data->sess, pos, data->sess.pnonce_ps_len, 535 nonces, &decrypt_len) < 0) { 536 wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt PNonce_PS"); 537 return eap_eke_build_fail(data, ret, id, 538 EAP_EKE_FAIL_AUTHENTICATION_FAIL); 539 } 540 if (decrypt_len != (size_t) 2 * data->sess.nonce_len) { 541 wpa_printf(MSG_INFO, "EAP-EKE: PNonce_PS protected data length does not match length of Nonce_P and Nonce_S"); 542 return eap_eke_build_fail(data, ret, id, 543 EAP_EKE_FAIL_AUTHENTICATION_FAIL); 544 } 545 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Received Nonce_P | Nonce_S", 546 nonces, 2 * data->sess.nonce_len); 547 if (os_memcmp(data->nonce_p, nonces, data->sess.nonce_len) != 0) { 548 wpa_printf(MSG_INFO, "EAP-EKE: Received Nonce_P does not match transmitted Nonce_P"); 549 return eap_eke_build_fail(data, ret, id, 550 EAP_EKE_FAIL_AUTHENTICATION_FAIL); 551 } 552 553 os_memcpy(data->nonce_s, nonces + data->sess.nonce_len, 554 data->sess.nonce_len); 555 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Nonce_S", 556 data->nonce_s, data->sess.nonce_len); 557 558 if (eap_eke_derive_ka(&data->sess, data->serverid, data->serverid_len, 559 data->peerid, data->peerid_len, 560 data->nonce_p, data->nonce_s) < 0) { 561 return eap_eke_build_fail(data, ret, id, 562 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 563 } 564 565 if (eap_eke_auth(&data->sess, "EAP-EKE server", data->msgs, auth_s) < 0) 566 { 567 return eap_eke_build_fail(data, ret, id, 568 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 569 } 570 wpa_hexdump(MSG_DEBUG, "EAP-EKE: Auth_S", auth_s, data->sess.prf_len); 571 if (os_memcmp_const(auth_s, pos + data->sess.pnonce_ps_len, 572 data->sess.prf_len) != 0) { 573 wpa_printf(MSG_INFO, "EAP-EKE: Auth_S does not match"); 574 return eap_eke_build_fail(data, ret, id, 575 EAP_EKE_FAIL_AUTHENTICATION_FAIL); 576 } 577 578 wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Confirm/Response"); 579 580 resp = eap_eke_build_msg(data, id, 581 data->sess.pnonce_len + data->sess.prf_len, 582 EAP_EKE_CONFIRM); 583 if (resp == NULL) { 584 return eap_eke_build_fail(data, ret, id, 585 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 586 } 587 588 prot_len = wpabuf_tailroom(resp); 589 if (eap_eke_prot(&data->sess, data->nonce_s, data->sess.nonce_len, 590 wpabuf_put(resp, 0), &prot_len) < 0) { 591 wpabuf_free(resp); 592 return eap_eke_build_fail(data, ret, id, 593 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 594 } 595 wpabuf_put(resp, prot_len); 596 597 auth = wpabuf_put(resp, data->sess.prf_len); 598 if (eap_eke_auth(&data->sess, "EAP-EKE peer", data->msgs, auth) < 0) { 599 wpabuf_free(resp); 600 return eap_eke_build_fail(data, ret, id, 601 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 602 } 603 wpa_hexdump(MSG_DEBUG, "EAP-EKE: Auth_P", auth, data->sess.prf_len); 604 605 if (eap_eke_derive_msk(&data->sess, data->serverid, data->serverid_len, 606 data->peerid, data->peerid_len, 607 data->nonce_s, data->nonce_p, 608 data->msk, data->emsk) < 0) { 609 wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive MSK/EMSK"); 610 wpabuf_free(resp); 611 return eap_eke_build_fail(data, ret, id, 612 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 613 } 614 615 os_memset(data->dh_priv, 0, sizeof(data->dh_priv)); 616 eap_eke_session_clean(&data->sess); 617 618 eap_eke_state(data, SUCCESS); 619 ret->methodState = METHOD_MAY_CONT; 620 ret->decision = DECISION_COND_SUCC; 621 ret->allowNotifications = FALSE; 622 623 return resp; 624} 625 626 627static struct wpabuf * eap_eke_process_failure(struct eap_eke_data *data, 628 struct eap_method_ret *ret, 629 const struct wpabuf *reqData, 630 const u8 *payload, 631 size_t payload_len) 632{ 633 wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Failure/Request"); 634 635 if (payload_len < 4) { 636 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Failure"); 637 } else { 638 u32 code; 639 code = WPA_GET_BE32(payload); 640 wpa_printf(MSG_INFO, "EAP-EKE: Failure-Code 0x%x", code); 641 } 642 643 return eap_eke_build_fail(data, ret, eap_get_id(reqData), 644 EAP_EKE_FAIL_NO_ERROR); 645} 646 647 648static struct wpabuf * eap_eke_process(struct eap_sm *sm, void *priv, 649 struct eap_method_ret *ret, 650 const struct wpabuf *reqData) 651{ 652 struct eap_eke_data *data = priv; 653 struct wpabuf *resp; 654 const u8 *pos, *end; 655 size_t len; 656 u8 eke_exch; 657 658 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_EKE, reqData, &len); 659 if (pos == NULL || len < 1) { 660 ret->ignore = TRUE; 661 return NULL; 662 } 663 664 end = pos + len; 665 eke_exch = *pos++; 666 667 wpa_printf(MSG_DEBUG, "EAP-EKE: Received frame: exch %d", eke_exch); 668 wpa_hexdump(MSG_DEBUG, "EAP-EKE: Received Data", pos, end - pos); 669 670 ret->ignore = FALSE; 671 ret->methodState = METHOD_MAY_CONT; 672 ret->decision = DECISION_FAIL; 673 ret->allowNotifications = TRUE; 674 675 switch (eke_exch) { 676 case EAP_EKE_ID: 677 resp = eap_eke_process_id(data, ret, reqData, pos, end - pos); 678 break; 679 case EAP_EKE_COMMIT: 680 resp = eap_eke_process_commit(sm, data, ret, reqData, 681 pos, end - pos); 682 break; 683 case EAP_EKE_CONFIRM: 684 resp = eap_eke_process_confirm(data, ret, reqData, 685 pos, end - pos); 686 break; 687 case EAP_EKE_FAILURE: 688 resp = eap_eke_process_failure(data, ret, reqData, 689 pos, end - pos); 690 break; 691 default: 692 wpa_printf(MSG_DEBUG, "EAP-EKE: Ignoring message with unknown EKE-Exch %d", eke_exch); 693 ret->ignore = TRUE; 694 return NULL; 695 } 696 697 if (ret->methodState == METHOD_DONE) 698 ret->allowNotifications = FALSE; 699 700 return resp; 701} 702 703 704static Boolean eap_eke_isKeyAvailable(struct eap_sm *sm, void *priv) 705{ 706 struct eap_eke_data *data = priv; 707 return data->state == SUCCESS; 708} 709 710 711static u8 * eap_eke_getKey(struct eap_sm *sm, void *priv, size_t *len) 712{ 713 struct eap_eke_data *data = priv; 714 u8 *key; 715 716 if (data->state != SUCCESS) 717 return NULL; 718 719 key = os_malloc(EAP_MSK_LEN); 720 if (key == NULL) 721 return NULL; 722 os_memcpy(key, data->msk, EAP_MSK_LEN); 723 *len = EAP_MSK_LEN; 724 725 return key; 726} 727 728 729static u8 * eap_eke_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 730{ 731 struct eap_eke_data *data = priv; 732 u8 *key; 733 734 if (data->state != SUCCESS) 735 return NULL; 736 737 key = os_malloc(EAP_EMSK_LEN); 738 if (key == NULL) 739 return NULL; 740 os_memcpy(key, data->emsk, EAP_EMSK_LEN); 741 *len = EAP_EMSK_LEN; 742 743 return key; 744} 745 746 747static u8 * eap_eke_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 748{ 749 struct eap_eke_data *data = priv; 750 u8 *sid; 751 size_t sid_len; 752 753 if (data->state != SUCCESS) 754 return NULL; 755 756 sid_len = 1 + 2 * data->sess.nonce_len; 757 sid = os_malloc(sid_len); 758 if (sid == NULL) 759 return NULL; 760 sid[0] = EAP_TYPE_EKE; 761 os_memcpy(sid + 1, data->nonce_p, data->sess.nonce_len); 762 os_memcpy(sid + 1 + data->sess.nonce_len, data->nonce_s, 763 data->sess.nonce_len); 764 *len = sid_len; 765 766 return sid; 767} 768 769 770int eap_peer_eke_register(void) 771{ 772 struct eap_method *eap; 773 int ret; 774 775 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 776 EAP_VENDOR_IETF, EAP_TYPE_EKE, "EKE"); 777 if (eap == NULL) 778 return -1; 779 780 eap->init = eap_eke_init; 781 eap->deinit = eap_eke_deinit; 782 eap->process = eap_eke_process; 783 eap->isKeyAvailable = eap_eke_isKeyAvailable; 784 eap->getKey = eap_eke_getKey; 785 eap->get_emsk = eap_eke_get_emsk; 786 eap->getSessionId = eap_eke_get_session_id; 787 788 ret = eap_peer_method_register(eap); 789 if (ret) 790 eap_peer_method_free(eap); 791 return ret; 792} 793