1 /* 2 * EAP peer method: EAP-EKE (RFC 6124) 3 * Copyright (c) 2013, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/random.h" 13 #include "eap_peer/eap_i.h" 14 #include "eap_common/eap_eke_common.h" 15 16 struct eap_eke_data { 17 enum { 18 IDENTITY, COMMIT, CONFIRM, SUCCESS, FAILURE 19 } state; 20 u8 msk[EAP_MSK_LEN]; 21 u8 emsk[EAP_EMSK_LEN]; 22 u8 *peerid; 23 size_t peerid_len; 24 u8 *serverid; 25 size_t serverid_len; 26 u8 dh_priv[EAP_EKE_MAX_DH_LEN]; 27 struct eap_eke_session sess; 28 u8 nonce_p[EAP_EKE_MAX_NONCE_LEN]; 29 u8 nonce_s[EAP_EKE_MAX_NONCE_LEN]; 30 struct wpabuf *msgs; 31 u8 dhgroup; /* forced DH group or 0 to allow all supported */ 32 u8 encr; /* forced encryption algorithm or 0 to allow all supported */ 33 u8 prf; /* forced PRF or 0 to allow all supported */ 34 u8 mac; /* forced MAC or 0 to allow all supported */ 35 }; 36 37 38 static const char * eap_eke_state_txt(int state) 39 { 40 switch (state) { 41 case IDENTITY: 42 return "IDENTITY"; 43 case COMMIT: 44 return "COMMIT"; 45 case CONFIRM: 46 return "CONFIRM"; 47 case SUCCESS: 48 return "SUCCESS"; 49 case FAILURE: 50 return "FAILURE"; 51 default: 52 return "?"; 53 } 54 } 55 56 57 static void eap_eke_state(struct eap_eke_data *data, int state) 58 { 59 wpa_printf(MSG_DEBUG, "EAP-EKE: %s -> %s", 60 eap_eke_state_txt(data->state), eap_eke_state_txt(state)); 61 data->state = state; 62 } 63 64 65 static void eap_eke_deinit(struct eap_sm *sm, void *priv); 66 67 68 static void * eap_eke_init(struct eap_sm *sm) 69 { 70 struct eap_eke_data *data; 71 const u8 *identity, *password; 72 size_t identity_len, password_len; 73 const char *phase1; 74 75 password = eap_get_config_password(sm, &password_len); 76 if (!password) { 77 wpa_printf(MSG_INFO, "EAP-EKE: No password configured"); 78 return NULL; 79 } 80 81 data = os_zalloc(sizeof(*data)); 82 if (data == NULL) 83 return NULL; 84 eap_eke_state(data, IDENTITY); 85 86 identity = eap_get_config_identity(sm, &identity_len); 87 if (identity) { 88 data->peerid = os_malloc(identity_len); 89 if (data->peerid == NULL) { 90 eap_eke_deinit(sm, data); 91 return NULL; 92 } 93 os_memcpy(data->peerid, identity, identity_len); 94 data->peerid_len = identity_len; 95 } 96 97 phase1 = eap_get_config_phase1(sm); 98 if (phase1) { 99 const char *pos; 100 101 pos = os_strstr(phase1, "dhgroup="); 102 if (pos) { 103 data->dhgroup = atoi(pos + 8); 104 wpa_printf(MSG_DEBUG, "EAP-EKE: Forced dhgroup %u", 105 data->dhgroup); 106 } 107 108 pos = os_strstr(phase1, "encr="); 109 if (pos) { 110 data->encr = atoi(pos + 5); 111 wpa_printf(MSG_DEBUG, "EAP-EKE: Forced encr %u", 112 data->encr); 113 } 114 115 pos = os_strstr(phase1, "prf="); 116 if (pos) { 117 data->prf = atoi(pos + 4); 118 wpa_printf(MSG_DEBUG, "EAP-EKE: Forced prf %u", 119 data->prf); 120 } 121 122 pos = os_strstr(phase1, "mac="); 123 if (pos) { 124 data->mac = atoi(pos + 4); 125 wpa_printf(MSG_DEBUG, "EAP-EKE: Forced mac %u", 126 data->mac); 127 } 128 } 129 130 return data; 131 } 132 133 134 static void eap_eke_deinit(struct eap_sm *sm, void *priv) 135 { 136 struct eap_eke_data *data = priv; 137 eap_eke_session_clean(&data->sess); 138 os_free(data->serverid); 139 os_free(data->peerid); 140 wpabuf_free(data->msgs); 141 bin_clear_free(data, sizeof(*data)); 142 } 143 144 145 static struct wpabuf * eap_eke_build_msg(struct eap_eke_data *data, int id, 146 size_t length, u8 eke_exch) 147 { 148 struct wpabuf *msg; 149 size_t plen; 150 151 plen = 1 + length; 152 153 msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_EKE, plen, 154 EAP_CODE_RESPONSE, id); 155 if (msg == NULL) { 156 wpa_printf(MSG_ERROR, "EAP-EKE: Failed to allocate memory"); 157 return NULL; 158 } 159 160 wpabuf_put_u8(msg, eke_exch); 161 162 return msg; 163 } 164 165 166 static int eap_eke_supp_dhgroup(u8 dhgroup) 167 { 168 return dhgroup == EAP_EKE_DHGROUP_EKE_2 || 169 dhgroup == EAP_EKE_DHGROUP_EKE_5 || 170 dhgroup == EAP_EKE_DHGROUP_EKE_14 || 171 dhgroup == EAP_EKE_DHGROUP_EKE_15 || 172 dhgroup == EAP_EKE_DHGROUP_EKE_16; 173 } 174 175 176 static int eap_eke_supp_encr(u8 encr) 177 { 178 return encr == EAP_EKE_ENCR_AES128_CBC; 179 } 180 181 182 static int eap_eke_supp_prf(u8 prf) 183 { 184 return prf == EAP_EKE_PRF_HMAC_SHA1 || 185 prf == EAP_EKE_PRF_HMAC_SHA2_256; 186 } 187 188 189 static int eap_eke_supp_mac(u8 mac) 190 { 191 return mac == EAP_EKE_MAC_HMAC_SHA1 || 192 mac == EAP_EKE_MAC_HMAC_SHA2_256; 193 } 194 195 196 static struct wpabuf * eap_eke_build_fail(struct eap_eke_data *data, 197 struct eap_method_ret *ret, 198 u8 id, u32 failure_code) 199 { 200 struct wpabuf *resp; 201 202 wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Failure/Response - code=0x%x", 203 failure_code); 204 205 resp = eap_eke_build_msg(data, id, 4, EAP_EKE_FAILURE); 206 if (resp) 207 wpabuf_put_be32(resp, failure_code); 208 209 os_memset(data->dh_priv, 0, sizeof(data->dh_priv)); 210 eap_eke_session_clean(&data->sess); 211 212 eap_eke_state(data, FAILURE); 213 ret->methodState = METHOD_DONE; 214 ret->decision = DECISION_FAIL; 215 ret->allowNotifications = FALSE; 216 217 return resp; 218 } 219 220 221 static struct wpabuf * eap_eke_process_id(struct eap_eke_data *data, 222 struct eap_method_ret *ret, 223 const struct wpabuf *reqData, 224 const u8 *payload, 225 size_t payload_len) 226 { 227 struct wpabuf *resp; 228 unsigned num_prop, i; 229 const u8 *pos, *end; 230 const u8 *prop = NULL; 231 u8 idtype; 232 u8 id = eap_get_id(reqData); 233 234 if (data->state != IDENTITY) { 235 return eap_eke_build_fail(data, ret, id, 236 EAP_EKE_FAIL_PROTO_ERROR); 237 } 238 239 wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-ID/Request"); 240 241 if (payload_len < 2 + 4) { 242 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short ID/Request Data"); 243 return eap_eke_build_fail(data, ret, id, 244 EAP_EKE_FAIL_PROTO_ERROR); 245 } 246 247 pos = payload; 248 end = payload + payload_len; 249 250 num_prop = *pos++; 251 pos++; /* Ignore Reserved field */ 252 253 if (pos + num_prop * 4 > end) { 254 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short ID/Request Data (num_prop=%u)", 255 num_prop); 256 return eap_eke_build_fail(data, ret, id, 257 EAP_EKE_FAIL_PROTO_ERROR); 258 } 259 260 for (i = 0; i < num_prop; i++) { 261 const u8 *tmp = pos; 262 263 wpa_printf(MSG_DEBUG, "EAP-EKE: Proposal #%u: dh=%u encr=%u prf=%u mac=%u", 264 i, pos[0], pos[1], pos[2], pos[3]); 265 pos += 4; 266 267 if ((data->dhgroup && data->dhgroup != *tmp) || 268 !eap_eke_supp_dhgroup(*tmp)) 269 continue; 270 tmp++; 271 if ((data->encr && data->encr != *tmp) || 272 !eap_eke_supp_encr(*tmp)) 273 continue; 274 tmp++; 275 if ((data->prf && data->prf != *tmp) || 276 !eap_eke_supp_prf(*tmp)) 277 continue; 278 tmp++; 279 if ((data->mac && data->mac != *tmp) || 280 !eap_eke_supp_mac(*tmp)) 281 continue; 282 283 prop = tmp - 3; 284 if (eap_eke_session_init(&data->sess, prop[0], prop[1], prop[2], 285 prop[3]) < 0) { 286 prop = NULL; 287 continue; 288 } 289 290 wpa_printf(MSG_DEBUG, "EAP-EKE: Selected proposal"); 291 break; 292 } 293 294 if (prop == NULL) { 295 wpa_printf(MSG_DEBUG, "EAP-EKE: No acceptable proposal found"); 296 return eap_eke_build_fail(data, ret, id, 297 EAP_EKE_FAIL_NO_PROPOSAL_CHOSEN); 298 } 299 300 pos += (num_prop - i - 1) * 4; 301 302 if (pos == end) { 303 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short ID/Request Data to include IDType/Identity"); 304 return eap_eke_build_fail(data, ret, id, 305 EAP_EKE_FAIL_PROTO_ERROR); 306 } 307 308 idtype = *pos++; 309 wpa_printf(MSG_DEBUG, "EAP-EKE: Server IDType %u", idtype); 310 wpa_hexdump_ascii(MSG_DEBUG, "EAP-EKE: Server Identity", 311 pos, end - pos); 312 os_free(data->serverid); 313 data->serverid = os_malloc(end - pos); 314 if (data->serverid == NULL) { 315 return eap_eke_build_fail(data, ret, id, 316 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 317 } 318 os_memcpy(data->serverid, pos, end - pos); 319 data->serverid_len = end - pos; 320 321 wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-ID/Response"); 322 323 resp = eap_eke_build_msg(data, id, 324 2 + 4 + 1 + data->peerid_len, 325 EAP_EKE_ID); 326 if (resp == NULL) { 327 return eap_eke_build_fail(data, ret, id, 328 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 329 } 330 331 wpabuf_put_u8(resp, 1); /* NumProposals */ 332 wpabuf_put_u8(resp, 0); /* Reserved */ 333 wpabuf_put_data(resp, prop, 4); /* Selected Proposal */ 334 wpabuf_put_u8(resp, EAP_EKE_ID_NAI); 335 if (data->peerid) 336 wpabuf_put_data(resp, data->peerid, data->peerid_len); 337 338 wpabuf_free(data->msgs); 339 data->msgs = wpabuf_alloc(wpabuf_len(reqData) + wpabuf_len(resp)); 340 if (data->msgs == NULL) { 341 wpabuf_free(resp); 342 return eap_eke_build_fail(data, ret, id, 343 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 344 } 345 wpabuf_put_buf(data->msgs, reqData); 346 wpabuf_put_buf(data->msgs, resp); 347 348 eap_eke_state(data, COMMIT); 349 350 return resp; 351 } 352 353 354 static struct wpabuf * eap_eke_process_commit(struct eap_sm *sm, 355 struct eap_eke_data *data, 356 struct eap_method_ret *ret, 357 const struct wpabuf *reqData, 358 const u8 *payload, 359 size_t payload_len) 360 { 361 struct wpabuf *resp; 362 const u8 *pos, *end, *dhcomp; 363 size_t prot_len; 364 u8 *rpos; 365 u8 key[EAP_EKE_MAX_KEY_LEN]; 366 u8 pub[EAP_EKE_MAX_DH_LEN]; 367 const u8 *password; 368 size_t password_len; 369 u8 id = eap_get_id(reqData); 370 371 if (data->state != COMMIT) { 372 wpa_printf(MSG_DEBUG, "EAP-EKE: EAP-EKE-Commit/Request received in unexpected state (%d)", data->state); 373 return eap_eke_build_fail(data, ret, id, 374 EAP_EKE_FAIL_PROTO_ERROR); 375 } 376 377 wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Commit/Request"); 378 379 password = eap_get_config_password(sm, &password_len); 380 if (password == NULL) { 381 wpa_printf(MSG_INFO, "EAP-EKE: No password configured!"); 382 return eap_eke_build_fail(data, ret, id, 383 EAP_EKE_FAIL_PASSWD_NOT_FOUND); 384 } 385 386 pos = payload; 387 end = payload + payload_len; 388 389 if (pos + data->sess.dhcomp_len > end) { 390 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Commit"); 391 return eap_eke_build_fail(data, ret, id, 392 EAP_EKE_FAIL_PROTO_ERROR); 393 } 394 395 wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent_S", 396 pos, data->sess.dhcomp_len); 397 dhcomp = pos; 398 pos += data->sess.dhcomp_len; 399 wpa_hexdump(MSG_DEBUG, "EAP-EKE: CBValue", pos, end - pos); 400 401 /* 402 * temp = prf(0+, password) 403 * key = prf+(temp, ID_S | ID_P) 404 */ 405 if (eap_eke_derive_key(&data->sess, password, password_len, 406 data->serverid, data->serverid_len, 407 data->peerid, data->peerid_len, key) < 0) { 408 wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive key"); 409 return eap_eke_build_fail(data, ret, id, 410 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 411 } 412 413 /* 414 * y_p = g ^ x_p (mod p) 415 * x_p = random number 2 .. p-1 416 */ 417 if (eap_eke_dh_init(data->sess.dhgroup, data->dh_priv, pub) < 0) { 418 wpa_printf(MSG_INFO, "EAP-EKE: Failed to initialize DH"); 419 os_memset(key, 0, sizeof(key)); 420 return eap_eke_build_fail(data, ret, id, 421 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 422 } 423 424 if (eap_eke_shared_secret(&data->sess, key, data->dh_priv, dhcomp) < 0) 425 { 426 wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive shared secret"); 427 os_memset(key, 0, sizeof(key)); 428 return eap_eke_build_fail(data, ret, id, 429 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 430 } 431 432 if (eap_eke_derive_ke_ki(&data->sess, 433 data->serverid, data->serverid_len, 434 data->peerid, data->peerid_len) < 0) { 435 wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive Ke/Ki"); 436 os_memset(key, 0, sizeof(key)); 437 return eap_eke_build_fail(data, ret, id, 438 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 439 } 440 441 wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Commit/Response"); 442 443 resp = eap_eke_build_msg(data, id, 444 data->sess.dhcomp_len + data->sess.pnonce_len, 445 EAP_EKE_COMMIT); 446 if (resp == NULL) { 447 os_memset(key, 0, sizeof(key)); 448 return eap_eke_build_fail(data, ret, id, 449 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 450 } 451 452 /* DHComponent_P = Encr(key, y_p) */ 453 rpos = wpabuf_put(resp, data->sess.dhcomp_len); 454 if (eap_eke_dhcomp(&data->sess, key, pub, rpos) < 0) { 455 wpabuf_free(resp); 456 wpa_printf(MSG_INFO, "EAP-EKE: Failed to build DHComponent_P"); 457 os_memset(key, 0, sizeof(key)); 458 return eap_eke_build_fail(data, ret, id, 459 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 460 } 461 os_memset(key, 0, sizeof(key)); 462 463 wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent_P", 464 rpos, data->sess.dhcomp_len); 465 466 if (random_get_bytes(data->nonce_p, data->sess.nonce_len)) { 467 wpabuf_free(resp); 468 return eap_eke_build_fail(data, ret, id, 469 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 470 } 471 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Nonce_P", 472 data->nonce_p, data->sess.nonce_len); 473 prot_len = wpabuf_tailroom(resp); 474 if (eap_eke_prot(&data->sess, data->nonce_p, data->sess.nonce_len, 475 wpabuf_put(resp, 0), &prot_len) < 0) { 476 wpabuf_free(resp); 477 return eap_eke_build_fail(data, ret, id, 478 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 479 } 480 wpa_hexdump(MSG_DEBUG, "EAP-EKE: PNonce_P", 481 wpabuf_put(resp, 0), prot_len); 482 wpabuf_put(resp, prot_len); 483 484 /* TODO: CBValue */ 485 486 if (wpabuf_resize(&data->msgs, wpabuf_len(reqData) + wpabuf_len(resp)) 487 < 0) { 488 wpabuf_free(resp); 489 return eap_eke_build_fail(data, ret, id, 490 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 491 } 492 wpabuf_put_buf(data->msgs, reqData); 493 wpabuf_put_buf(data->msgs, resp); 494 495 eap_eke_state(data, CONFIRM); 496 497 return resp; 498 } 499 500 501 static struct wpabuf * eap_eke_process_confirm(struct eap_eke_data *data, 502 struct eap_method_ret *ret, 503 const struct wpabuf *reqData, 504 const u8 *payload, 505 size_t payload_len) 506 { 507 struct wpabuf *resp; 508 const u8 *pos, *end; 509 size_t prot_len; 510 u8 nonces[2 * EAP_EKE_MAX_NONCE_LEN]; 511 u8 auth_s[EAP_EKE_MAX_HASH_LEN]; 512 size_t decrypt_len; 513 u8 *auth; 514 u8 id = eap_get_id(reqData); 515 516 if (data->state != CONFIRM) { 517 wpa_printf(MSG_DEBUG, "EAP-EKE: EAP-EKE-Confirm/Request received in unexpected state (%d)", 518 data->state); 519 return eap_eke_build_fail(data, ret, id, 520 EAP_EKE_FAIL_PROTO_ERROR); 521 } 522 523 wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Confirm/Request"); 524 525 pos = payload; 526 end = payload + payload_len; 527 528 if (pos + data->sess.pnonce_ps_len + data->sess.prf_len > end) { 529 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Confirm"); 530 return eap_eke_build_fail(data, ret, id, 531 EAP_EKE_FAIL_PROTO_ERROR); 532 } 533 534 decrypt_len = sizeof(nonces); 535 if (eap_eke_decrypt_prot(&data->sess, pos, data->sess.pnonce_ps_len, 536 nonces, &decrypt_len) < 0) { 537 wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt PNonce_PS"); 538 return eap_eke_build_fail(data, ret, id, 539 EAP_EKE_FAIL_AUTHENTICATION_FAIL); 540 } 541 if (decrypt_len != (size_t) 2 * data->sess.nonce_len) { 542 wpa_printf(MSG_INFO, "EAP-EKE: PNonce_PS protected data length does not match length of Nonce_P and Nonce_S"); 543 return eap_eke_build_fail(data, ret, id, 544 EAP_EKE_FAIL_AUTHENTICATION_FAIL); 545 } 546 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Received Nonce_P | Nonce_S", 547 nonces, 2 * data->sess.nonce_len); 548 if (os_memcmp(data->nonce_p, nonces, data->sess.nonce_len) != 0) { 549 wpa_printf(MSG_INFO, "EAP-EKE: Received Nonce_P does not match transmitted Nonce_P"); 550 return eap_eke_build_fail(data, ret, id, 551 EAP_EKE_FAIL_AUTHENTICATION_FAIL); 552 } 553 554 os_memcpy(data->nonce_s, nonces + data->sess.nonce_len, 555 data->sess.nonce_len); 556 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Nonce_S", 557 data->nonce_s, data->sess.nonce_len); 558 559 if (eap_eke_derive_ka(&data->sess, data->serverid, data->serverid_len, 560 data->peerid, data->peerid_len, 561 data->nonce_p, data->nonce_s) < 0) { 562 return eap_eke_build_fail(data, ret, id, 563 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 564 } 565 566 if (eap_eke_auth(&data->sess, "EAP-EKE server", data->msgs, auth_s) < 0) 567 { 568 return eap_eke_build_fail(data, ret, id, 569 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 570 } 571 wpa_hexdump(MSG_DEBUG, "EAP-EKE: Auth_S", auth_s, data->sess.prf_len); 572 if (os_memcmp_const(auth_s, pos + data->sess.pnonce_ps_len, 573 data->sess.prf_len) != 0) { 574 wpa_printf(MSG_INFO, "EAP-EKE: Auth_S does not match"); 575 return eap_eke_build_fail(data, ret, id, 576 EAP_EKE_FAIL_AUTHENTICATION_FAIL); 577 } 578 579 wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Confirm/Response"); 580 581 resp = eap_eke_build_msg(data, id, 582 data->sess.pnonce_len + data->sess.prf_len, 583 EAP_EKE_CONFIRM); 584 if (resp == NULL) { 585 return eap_eke_build_fail(data, ret, id, 586 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 587 } 588 589 prot_len = wpabuf_tailroom(resp); 590 if (eap_eke_prot(&data->sess, data->nonce_s, data->sess.nonce_len, 591 wpabuf_put(resp, 0), &prot_len) < 0) { 592 wpabuf_free(resp); 593 return eap_eke_build_fail(data, ret, id, 594 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 595 } 596 wpabuf_put(resp, prot_len); 597 598 auth = wpabuf_put(resp, data->sess.prf_len); 599 if (eap_eke_auth(&data->sess, "EAP-EKE peer", data->msgs, auth) < 0) { 600 wpabuf_free(resp); 601 return eap_eke_build_fail(data, ret, id, 602 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 603 } 604 wpa_hexdump(MSG_DEBUG, "EAP-EKE: Auth_P", auth, data->sess.prf_len); 605 606 if (eap_eke_derive_msk(&data->sess, data->serverid, data->serverid_len, 607 data->peerid, data->peerid_len, 608 data->nonce_s, data->nonce_p, 609 data->msk, data->emsk) < 0) { 610 wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive MSK/EMSK"); 611 wpabuf_free(resp); 612 return eap_eke_build_fail(data, ret, id, 613 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 614 } 615 616 os_memset(data->dh_priv, 0, sizeof(data->dh_priv)); 617 eap_eke_session_clean(&data->sess); 618 619 eap_eke_state(data, SUCCESS); 620 ret->methodState = METHOD_MAY_CONT; 621 ret->decision = DECISION_COND_SUCC; 622 ret->allowNotifications = FALSE; 623 624 return resp; 625 } 626 627 628 static struct wpabuf * eap_eke_process_failure(struct eap_eke_data *data, 629 struct eap_method_ret *ret, 630 const struct wpabuf *reqData, 631 const u8 *payload, 632 size_t payload_len) 633 { 634 wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Failure/Request"); 635 636 if (payload_len < 4) { 637 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Failure"); 638 } else { 639 u32 code; 640 code = WPA_GET_BE32(payload); 641 wpa_printf(MSG_INFO, "EAP-EKE: Failure-Code 0x%x", code); 642 } 643 644 return eap_eke_build_fail(data, ret, eap_get_id(reqData), 645 EAP_EKE_FAIL_NO_ERROR); 646 } 647 648 649 static struct wpabuf * eap_eke_process(struct eap_sm *sm, void *priv, 650 struct eap_method_ret *ret, 651 const struct wpabuf *reqData) 652 { 653 struct eap_eke_data *data = priv; 654 struct wpabuf *resp; 655 const u8 *pos, *end; 656 size_t len; 657 u8 eke_exch; 658 659 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_EKE, reqData, &len); 660 if (pos == NULL || len < 1) { 661 ret->ignore = TRUE; 662 return NULL; 663 } 664 665 end = pos + len; 666 eke_exch = *pos++; 667 668 wpa_printf(MSG_DEBUG, "EAP-EKE: Received frame: exch %d", eke_exch); 669 wpa_hexdump(MSG_DEBUG, "EAP-EKE: Received Data", pos, end - pos); 670 671 ret->ignore = FALSE; 672 ret->methodState = METHOD_MAY_CONT; 673 ret->decision = DECISION_FAIL; 674 ret->allowNotifications = TRUE; 675 676 switch (eke_exch) { 677 case EAP_EKE_ID: 678 resp = eap_eke_process_id(data, ret, reqData, pos, end - pos); 679 break; 680 case EAP_EKE_COMMIT: 681 resp = eap_eke_process_commit(sm, data, ret, reqData, 682 pos, end - pos); 683 break; 684 case EAP_EKE_CONFIRM: 685 resp = eap_eke_process_confirm(data, ret, reqData, 686 pos, end - pos); 687 break; 688 case EAP_EKE_FAILURE: 689 resp = eap_eke_process_failure(data, ret, reqData, 690 pos, end - pos); 691 break; 692 default: 693 wpa_printf(MSG_DEBUG, "EAP-EKE: Ignoring message with unknown EKE-Exch %d", eke_exch); 694 ret->ignore = TRUE; 695 return NULL; 696 } 697 698 if (ret->methodState == METHOD_DONE) 699 ret->allowNotifications = FALSE; 700 701 return resp; 702 } 703 704 705 static Boolean eap_eke_isKeyAvailable(struct eap_sm *sm, void *priv) 706 { 707 struct eap_eke_data *data = priv; 708 return data->state == SUCCESS; 709 } 710 711 712 static u8 * eap_eke_getKey(struct eap_sm *sm, void *priv, size_t *len) 713 { 714 struct eap_eke_data *data = priv; 715 u8 *key; 716 717 if (data->state != SUCCESS) 718 return NULL; 719 720 key = os_malloc(EAP_MSK_LEN); 721 if (key == NULL) 722 return NULL; 723 os_memcpy(key, data->msk, EAP_MSK_LEN); 724 *len = EAP_MSK_LEN; 725 726 return key; 727 } 728 729 730 static u8 * eap_eke_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 731 { 732 struct eap_eke_data *data = priv; 733 u8 *key; 734 735 if (data->state != SUCCESS) 736 return NULL; 737 738 key = os_malloc(EAP_EMSK_LEN); 739 if (key == NULL) 740 return NULL; 741 os_memcpy(key, data->emsk, EAP_EMSK_LEN); 742 *len = EAP_EMSK_LEN; 743 744 return key; 745 } 746 747 748 static u8 * eap_eke_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 749 { 750 struct eap_eke_data *data = priv; 751 u8 *sid; 752 size_t sid_len; 753 754 if (data->state != SUCCESS) 755 return NULL; 756 757 sid_len = 1 + 2 * data->sess.nonce_len; 758 sid = os_malloc(sid_len); 759 if (sid == NULL) 760 return NULL; 761 sid[0] = EAP_TYPE_EKE; 762 os_memcpy(sid + 1, data->nonce_p, data->sess.nonce_len); 763 os_memcpy(sid + 1 + data->sess.nonce_len, data->nonce_s, 764 data->sess.nonce_len); 765 *len = sid_len; 766 767 return sid; 768 } 769 770 771 int eap_peer_eke_register(void) 772 { 773 struct eap_method *eap; 774 775 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 776 EAP_VENDOR_IETF, EAP_TYPE_EKE, "EKE"); 777 if (eap == NULL) 778 return -1; 779 780 eap->init = eap_eke_init; 781 eap->deinit = eap_eke_deinit; 782 eap->process = eap_eke_process; 783 eap->isKeyAvailable = eap_eke_isKeyAvailable; 784 eap->getKey = eap_eke_getKey; 785 eap->get_emsk = eap_eke_get_emsk; 786 eap->getSessionId = eap_eke_get_session_id; 787 788 return eap_peer_method_register(eap); 789 } 790