Home | History | Annotate | Download | only in eap_server
      1 /*
      2  * hostapd / EAP-EKE (RFC 6124) server
      3  * Copyright (c) 2013, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "includes.h"
     10 
     11 #include "common.h"
     12 #include "crypto/random.h"
     13 #include "eap_server/eap_i.h"
     14 #include "eap_common/eap_eke_common.h"
     15 
     16 
     17 struct eap_eke_data {
     18 	enum {
     19 		IDENTITY, COMMIT, CONFIRM, FAILURE_REPORT, SUCCESS, FAILURE
     20 	} state;
     21 	u8 msk[EAP_MSK_LEN];
     22 	u8 emsk[EAP_EMSK_LEN];
     23 	u8 *peerid;
     24 	size_t peerid_len;
     25 	u8 peerid_type;
     26 	u8 serverid_type;
     27 	u8 dh_priv[EAP_EKE_MAX_DH_LEN];
     28 	u8 key[EAP_EKE_MAX_KEY_LEN];
     29 	struct eap_eke_session sess;
     30 	u8 nonce_p[EAP_EKE_MAX_NONCE_LEN];
     31 	u8 nonce_s[EAP_EKE_MAX_NONCE_LEN];
     32 	struct wpabuf *msgs;
     33 	int phase2;
     34 	u32 failure_code;
     35 };
     36 
     37 
     38 static const char * eap_eke_state_txt(int state)
     39 {
     40 	switch (state) {
     41 	case IDENTITY:
     42 		return "IDENTITY";
     43 	case COMMIT:
     44 		return "COMMIT";
     45 	case CONFIRM:
     46 		return "CONFIRM";
     47 	case FAILURE_REPORT:
     48 		return "FAILURE_REPORT";
     49 	case SUCCESS:
     50 		return "SUCCESS";
     51 	case FAILURE:
     52 		return "FAILURE";
     53 	default:
     54 		return "?";
     55 	}
     56 }
     57 
     58 
     59 static void eap_eke_state(struct eap_eke_data *data, int state)
     60 {
     61 	wpa_printf(MSG_DEBUG, "EAP-EKE: %s -> %s",
     62 		   eap_eke_state_txt(data->state),
     63 		   eap_eke_state_txt(state));
     64 	data->state = state;
     65 }
     66 
     67 
     68 static void eap_eke_fail(struct eap_eke_data *data, u32 code)
     69 {
     70 	wpa_printf(MSG_DEBUG, "EAP-EKE: Failure - code 0x%x", code);
     71 	data->failure_code = code;
     72 	eap_eke_state(data, FAILURE_REPORT);
     73 }
     74 
     75 
     76 static void * eap_eke_init(struct eap_sm *sm)
     77 {
     78 	struct eap_eke_data *data;
     79 	size_t i;
     80 
     81 	data = os_zalloc(sizeof(*data));
     82 	if (data == NULL)
     83 		return NULL;
     84 	eap_eke_state(data, IDENTITY);
     85 
     86 	data->serverid_type = EAP_EKE_ID_OPAQUE;
     87 	for (i = 0; i < sm->server_id_len; i++) {
     88 		if (sm->server_id[i] == '.' &&
     89 		    data->serverid_type == EAP_EKE_ID_OPAQUE)
     90 			data->serverid_type = EAP_EKE_ID_FQDN;
     91 		if (sm->server_id[i] == '@')
     92 			data->serverid_type = EAP_EKE_ID_NAI;
     93 	}
     94 
     95 	data->phase2 = sm->init_phase2;
     96 
     97 	return data;
     98 }
     99 
    100 
    101 static void eap_eke_reset(struct eap_sm *sm, void *priv)
    102 {
    103 	struct eap_eke_data *data = priv;
    104 	eap_eke_session_clean(&data->sess);
    105 	os_free(data->peerid);
    106 	wpabuf_free(data->msgs);
    107 	bin_clear_free(data, sizeof(*data));
    108 }
    109 
    110 
    111 static struct wpabuf * eap_eke_build_msg(struct eap_eke_data *data,
    112 					 u8 id, size_t length, u8 eke_exch)
    113 {
    114 	struct wpabuf *msg;
    115 	size_t plen;
    116 
    117 	plen = 1 + length;
    118 
    119 	msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_EKE, plen,
    120 			    EAP_CODE_REQUEST, id);
    121 	if (msg == NULL) {
    122 		wpa_printf(MSG_ERROR, "EAP-EKE: Failed to allocate memory");
    123 		return NULL;
    124 	}
    125 
    126 	wpabuf_put_u8(msg, eke_exch);
    127 
    128 	return msg;
    129 }
    130 
    131 
    132 static int supported_proposal(const u8 *pos)
    133 {
    134 	if (pos[0] == EAP_EKE_DHGROUP_EKE_16 &&
    135 	    pos[1] == EAP_EKE_ENCR_AES128_CBC &&
    136 	    pos[2] == EAP_EKE_PRF_HMAC_SHA2_256 &&
    137 	    pos[3] == EAP_EKE_MAC_HMAC_SHA2_256)
    138 		return 1;
    139 
    140 	if (pos[0] == EAP_EKE_DHGROUP_EKE_15 &&
    141 	    pos[1] == EAP_EKE_ENCR_AES128_CBC &&
    142 	    pos[2] == EAP_EKE_PRF_HMAC_SHA2_256 &&
    143 	    pos[3] == EAP_EKE_MAC_HMAC_SHA2_256)
    144 		return 1;
    145 
    146 	if (pos[0] == EAP_EKE_DHGROUP_EKE_14 &&
    147 	    pos[1] == EAP_EKE_ENCR_AES128_CBC &&
    148 	    pos[2] == EAP_EKE_PRF_HMAC_SHA2_256 &&
    149 	    pos[3] == EAP_EKE_MAC_HMAC_SHA2_256)
    150 		return 1;
    151 
    152 	if (pos[0] == EAP_EKE_DHGROUP_EKE_14 &&
    153 	    pos[1] == EAP_EKE_ENCR_AES128_CBC &&
    154 	    pos[2] == EAP_EKE_PRF_HMAC_SHA1 &&
    155 	    pos[3] == EAP_EKE_MAC_HMAC_SHA1)
    156 		return 1;
    157 
    158 	return 0;
    159 }
    160 
    161 
    162 static struct wpabuf * eap_eke_build_failure(struct eap_eke_data *data, u8 id)
    163 {
    164 	struct wpabuf *msg;
    165 
    166 	wpa_printf(MSG_DEBUG, "EAP-EKE: Request/Failure: Failure-Code=0x%x",
    167 		   data->failure_code);
    168 
    169 	msg = eap_eke_build_msg(data, id, 4, EAP_EKE_FAILURE);
    170 	if (msg == NULL) {
    171 		eap_eke_state(data, FAILURE);
    172 		return NULL;
    173 	}
    174 	wpabuf_put_be32(msg, data->failure_code);
    175 
    176 	return msg;
    177 }
    178 
    179 
    180 static struct wpabuf * eap_eke_build_identity(struct eap_sm *sm,
    181 					      struct eap_eke_data *data,
    182 					      u8 id)
    183 {
    184 	struct wpabuf *msg;
    185 	size_t plen;
    186 
    187 	wpa_printf(MSG_DEBUG, "EAP-EKE: Request/Identity");
    188 
    189 	plen = 2 + 4 * 4 + 1 + sm->server_id_len;
    190 	msg = eap_eke_build_msg(data, id, plen, EAP_EKE_ID);
    191 	if (msg == NULL)
    192 		return NULL;
    193 
    194 	wpabuf_put_u8(msg, 4); /* NumProposals */
    195 	wpabuf_put_u8(msg, 0); /* Reserved */
    196 
    197 	/* Proposal - DH Group 16 with AES128-CBC and SHA256 */
    198 	wpabuf_put_u8(msg, EAP_EKE_DHGROUP_EKE_16); /* Group Description */
    199 	wpabuf_put_u8(msg, EAP_EKE_ENCR_AES128_CBC); /* Encryption */
    200 	wpabuf_put_u8(msg, EAP_EKE_PRF_HMAC_SHA2_256); /* PRF */
    201 	wpabuf_put_u8(msg, EAP_EKE_MAC_HMAC_SHA2_256); /* MAC */
    202 
    203 	/* Proposal - DH Group 15 with AES128-CBC and SHA256 */
    204 	wpabuf_put_u8(msg, EAP_EKE_DHGROUP_EKE_15); /* Group Description */
    205 	wpabuf_put_u8(msg, EAP_EKE_ENCR_AES128_CBC); /* Encryption */
    206 	wpabuf_put_u8(msg, EAP_EKE_PRF_HMAC_SHA2_256); /* PRF */
    207 	wpabuf_put_u8(msg, EAP_EKE_MAC_HMAC_SHA2_256); /* MAC */
    208 
    209 	/* Proposal - DH Group 14 with AES128-CBC and SHA256 */
    210 	wpabuf_put_u8(msg, EAP_EKE_DHGROUP_EKE_14); /* Group Description */
    211 	wpabuf_put_u8(msg, EAP_EKE_ENCR_AES128_CBC); /* Encryption */
    212 	wpabuf_put_u8(msg, EAP_EKE_PRF_HMAC_SHA2_256); /* PRF */
    213 	wpabuf_put_u8(msg, EAP_EKE_MAC_HMAC_SHA2_256); /* MAC */
    214 
    215 	/*
    216 	 * Proposal - DH Group 14 with AES128-CBC and SHA1
    217 	 * (mandatory to implement algorithms)
    218 	 */
    219 	wpabuf_put_u8(msg, EAP_EKE_DHGROUP_EKE_14); /* Group Description */
    220 	wpabuf_put_u8(msg, EAP_EKE_ENCR_AES128_CBC); /* Encryption */
    221 	wpabuf_put_u8(msg, EAP_EKE_PRF_HMAC_SHA1); /* PRF */
    222 	wpabuf_put_u8(msg, EAP_EKE_MAC_HMAC_SHA1); /* MAC */
    223 
    224 	/* Server IDType + Identity */
    225 	wpabuf_put_u8(msg, data->serverid_type);
    226 	wpabuf_put_data(msg, sm->server_id, sm->server_id_len);
    227 
    228 	wpabuf_free(data->msgs);
    229 	data->msgs = wpabuf_dup(msg);
    230 	if (data->msgs == NULL) {
    231 		wpabuf_free(msg);
    232 		return NULL;
    233 	}
    234 
    235 	return msg;
    236 }
    237 
    238 
    239 static struct wpabuf * eap_eke_build_commit(struct eap_sm *sm,
    240 					    struct eap_eke_data *data, u8 id)
    241 {
    242 	struct wpabuf *msg;
    243 	u8 pub[EAP_EKE_MAX_DH_LEN];
    244 
    245 	wpa_printf(MSG_DEBUG, "EAP-EKE: Request/Commit");
    246 
    247 	if (sm->user == NULL || sm->user->password == NULL) {
    248 		wpa_printf(MSG_INFO, "EAP-EKE: Password with not configured");
    249 		eap_eke_fail(data, EAP_EKE_FAIL_PASSWD_NOT_FOUND);
    250 		return eap_eke_build_failure(data, id);
    251 	}
    252 
    253 	if (eap_eke_derive_key(&data->sess, sm->user->password,
    254 			       sm->user->password_len,
    255 			       sm->server_id, sm->server_id_len,
    256 			       data->peerid, data->peerid_len, data->key) < 0) {
    257 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive key");
    258 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    259 		return eap_eke_build_failure(data, id);
    260 	}
    261 
    262 	msg = eap_eke_build_msg(data, id, data->sess.dhcomp_len,
    263 				EAP_EKE_COMMIT);
    264 	if (msg == NULL) {
    265 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    266 		return eap_eke_build_failure(data, id);
    267 	}
    268 
    269 	/*
    270 	 * y_s = g ^ x_s (mod p)
    271 	 * x_s = random number 2 .. p-1
    272 	 * temp = prf(0+, password)
    273 	 * key = prf+(temp, ID_S | ID_P)
    274 	 * DHComponent_S = Encr(key, y_s)
    275 	 */
    276 
    277 	if (eap_eke_dh_init(data->sess.dhgroup, data->dh_priv, pub) < 0) {
    278 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to initialize DH");
    279 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    280 		return eap_eke_build_failure(data, id);
    281 	}
    282 
    283 	if (eap_eke_dhcomp(&data->sess, data->key, pub,
    284 			   wpabuf_put(msg, data->sess.dhcomp_len))
    285 	    < 0) {
    286 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to build DHComponent_S");
    287 		wpabuf_free(msg);
    288 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    289 		return eap_eke_build_failure(data, id);
    290 	}
    291 
    292 	if (wpabuf_resize(&data->msgs, wpabuf_len(msg)) < 0) {
    293 		wpabuf_free(msg);
    294 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    295 		return eap_eke_build_failure(data, id);
    296 	}
    297 	wpabuf_put_buf(data->msgs, msg);
    298 
    299 	return msg;
    300 }
    301 
    302 
    303 static struct wpabuf * eap_eke_build_confirm(struct eap_sm *sm,
    304 					     struct eap_eke_data *data, u8 id)
    305 {
    306 	struct wpabuf *msg;
    307 	size_t plen, prot_len;
    308 	u8 nonces[2 * EAP_EKE_MAX_NONCE_LEN];
    309 	u8 *auth;
    310 
    311 	wpa_printf(MSG_DEBUG, "EAP-EKE: Request/Confirm");
    312 
    313 	plen = data->sess.pnonce_ps_len + data->sess.prf_len;
    314 	msg = eap_eke_build_msg(data, id, plen, EAP_EKE_CONFIRM);
    315 	if (msg == NULL) {
    316 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    317 		return eap_eke_build_failure(data, id);
    318 	}
    319 
    320 	if (random_get_bytes(data->nonce_s, data->sess.nonce_len)) {
    321 		wpabuf_free(msg);
    322 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    323 		return eap_eke_build_failure(data, id);
    324 	}
    325 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Nonce_S",
    326 			data->nonce_s, data->sess.nonce_len);
    327 
    328 	os_memcpy(nonces, data->nonce_p, data->sess.nonce_len);
    329 	os_memcpy(nonces + data->sess.nonce_len, data->nonce_s,
    330 		  data->sess.nonce_len);
    331 	prot_len = wpabuf_tailroom(msg);
    332 	if (eap_eke_prot(&data->sess, nonces, 2 * data->sess.nonce_len,
    333 			 wpabuf_put(msg, 0), &prot_len) < 0) {
    334 		wpabuf_free(msg);
    335 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    336 		return eap_eke_build_failure(data, id);
    337 	}
    338 	wpabuf_put(msg, prot_len);
    339 
    340 	if (eap_eke_derive_ka(&data->sess,
    341 			      sm->server_id, sm->server_id_len,
    342 			      data->peerid, data->peerid_len,
    343 			      data->nonce_p, data->nonce_s) < 0) {
    344 		wpabuf_free(msg);
    345 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    346 		return eap_eke_build_failure(data, id);
    347 	}
    348 
    349 	auth = wpabuf_put(msg, data->sess.prf_len);
    350 	if (eap_eke_auth(&data->sess, "EAP-EKE server", data->msgs, auth) < 0) {
    351 		wpabuf_free(msg);
    352 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    353 		return eap_eke_build_failure(data, id);
    354 	}
    355 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: Auth_S", auth, data->sess.prf_len);
    356 
    357 	return msg;
    358 }
    359 
    360 
    361 static struct wpabuf * eap_eke_buildReq(struct eap_sm *sm, void *priv, u8 id)
    362 {
    363 	struct eap_eke_data *data = priv;
    364 
    365 	switch (data->state) {
    366 	case IDENTITY:
    367 		return eap_eke_build_identity(sm, data, id);
    368 	case COMMIT:
    369 		return eap_eke_build_commit(sm, data, id);
    370 	case CONFIRM:
    371 		return eap_eke_build_confirm(sm, data, id);
    372 	case FAILURE_REPORT:
    373 		return eap_eke_build_failure(data, id);
    374 	default:
    375 		wpa_printf(MSG_DEBUG, "EAP-EKE: Unknown state %d in buildReq",
    376 			   data->state);
    377 		break;
    378 	}
    379 	return NULL;
    380 }
    381 
    382 
    383 static Boolean eap_eke_check(struct eap_sm *sm, void *priv,
    384 			     struct wpabuf *respData)
    385 {
    386 	struct eap_eke_data *data = priv;
    387 	size_t len;
    388 	const u8 *pos;
    389 	u8 eke_exch;
    390 
    391 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_EKE, respData, &len);
    392 	if (pos == NULL || len < 1) {
    393 		wpa_printf(MSG_INFO, "EAP-EKE: Invalid frame");
    394 		return TRUE;
    395 	}
    396 
    397 	eke_exch = *pos;
    398 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received frame: EKE-Exch=%d", eke_exch);
    399 
    400 	if (data->state == IDENTITY && eke_exch == EAP_EKE_ID)
    401 		return FALSE;
    402 
    403 	if (data->state == COMMIT && eke_exch == EAP_EKE_COMMIT)
    404 		return FALSE;
    405 
    406 	if (data->state == CONFIRM && eke_exch == EAP_EKE_CONFIRM)
    407 		return FALSE;
    408 
    409 	if (eke_exch == EAP_EKE_FAILURE)
    410 		return FALSE;
    411 
    412 	wpa_printf(MSG_INFO, "EAP-EKE: Unexpected EKE-Exch=%d in state=%d",
    413 		   eke_exch, data->state);
    414 
    415 	return TRUE;
    416 }
    417 
    418 
    419 static void eap_eke_process_identity(struct eap_sm *sm,
    420 				     struct eap_eke_data *data,
    421 				     const struct wpabuf *respData,
    422 				     const u8 *payload, size_t payloadlen)
    423 {
    424 	const u8 *pos, *end;
    425 	int i;
    426 
    427 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received Response/Identity");
    428 
    429 	if (data->state != IDENTITY) {
    430 		eap_eke_fail(data, EAP_EKE_FAIL_PROTO_ERROR);
    431 		return;
    432 	}
    433 
    434 	pos = payload;
    435 	end = payload + payloadlen;
    436 
    437 	if (pos + 2 + 4 + 1 > end) {
    438 		wpa_printf(MSG_INFO, "EAP-EKE: Too short EAP-EKE-ID payload");
    439 		eap_eke_fail(data, EAP_EKE_FAIL_PROTO_ERROR);
    440 		return;
    441 	}
    442 
    443 	if (*pos != 1) {
    444 		wpa_printf(MSG_INFO, "EAP-EKE: Unexpected NumProposals %d (expected 1)",
    445 			   *pos);
    446 		eap_eke_fail(data, EAP_EKE_FAIL_PROTO_ERROR);
    447 		return;
    448 	}
    449 
    450 	pos += 2;
    451 
    452 	if (!supported_proposal(pos)) {
    453 		wpa_printf(MSG_INFO, "EAP-EKE: Unexpected Proposal (%u:%u:%u:%u)",
    454 			   pos[0], pos[1], pos[2], pos[3]);
    455 		eap_eke_fail(data, EAP_EKE_FAIL_PROTO_ERROR);
    456 		return;
    457 	}
    458 
    459 	wpa_printf(MSG_DEBUG, "EAP-EKE: Selected Proposal (%u:%u:%u:%u)",
    460 		   pos[0], pos[1], pos[2], pos[3]);
    461 	if (eap_eke_session_init(&data->sess, pos[0], pos[1], pos[2], pos[3]) <
    462 	    0) {
    463 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    464 		return;
    465 	}
    466 	pos += 4;
    467 
    468 	data->peerid_type = *pos++;
    469 	os_free(data->peerid);
    470 	data->peerid = os_malloc(end - pos);
    471 	if (data->peerid == NULL) {
    472 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to allocate memory for peerid");
    473 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    474 		return;
    475 	}
    476 	os_memcpy(data->peerid, pos, end - pos);
    477 	data->peerid_len = end - pos;
    478 	wpa_printf(MSG_DEBUG, "EAP-EKE: Peer IDType %u", data->peerid_type);
    479 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-EKE: Peer Identity",
    480 			  data->peerid, data->peerid_len);
    481 
    482 	if (eap_user_get(sm, data->peerid, data->peerid_len, data->phase2)) {
    483 		wpa_printf(MSG_INFO, "EAP-EKE: Peer Identity not found from user database");
    484 		eap_eke_fail(data, EAP_EKE_FAIL_PASSWD_NOT_FOUND);
    485 		return;
    486 	}
    487 
    488 	for (i = 0; i < EAP_MAX_METHODS; i++) {
    489 		if (sm->user->methods[i].vendor == EAP_VENDOR_IETF &&
    490 		    sm->user->methods[i].method == EAP_TYPE_EKE)
    491 			break;
    492 	}
    493 	if (i == EAP_MAX_METHODS) {
    494 		wpa_printf(MSG_INFO, "EAP-EKE: Matching user entry does not allow EAP-EKE");
    495 		eap_eke_fail(data, EAP_EKE_FAIL_PASSWD_NOT_FOUND);
    496 		return;
    497 	}
    498 
    499 	if (sm->user->password == NULL || sm->user->password_len == 0) {
    500 		wpa_printf(MSG_INFO, "EAP-EKE: No password configured for peer");
    501 		eap_eke_fail(data, EAP_EKE_FAIL_PASSWD_NOT_FOUND);
    502 		return;
    503 	}
    504 
    505 	if (wpabuf_resize(&data->msgs, wpabuf_len(respData)) < 0) {
    506 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    507 		return;
    508 	}
    509 	wpabuf_put_buf(data->msgs, respData);
    510 
    511 	eap_eke_state(data, COMMIT);
    512 }
    513 
    514 
    515 static void eap_eke_process_commit(struct eap_sm *sm,
    516 				   struct eap_eke_data *data,
    517 				   const struct wpabuf *respData,
    518 				   const u8 *payload, size_t payloadlen)
    519 {
    520 	const u8 *pos, *end, *dhcomp, *pnonce;
    521 	size_t decrypt_len;
    522 
    523 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received Response/Commit");
    524 
    525 	if (data->state != COMMIT) {
    526 		eap_eke_fail(data, EAP_EKE_FAIL_PROTO_ERROR);
    527 		return;
    528 	}
    529 
    530 	pos = payload;
    531 	end = payload + payloadlen;
    532 
    533 	if (pos + data->sess.dhcomp_len + data->sess.pnonce_len > end) {
    534 		wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Commit");
    535 		eap_eke_fail(data, EAP_EKE_FAIL_PROTO_ERROR);
    536 		return;
    537 	}
    538 
    539 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent_P",
    540 		    pos, data->sess.dhcomp_len);
    541 	dhcomp = pos;
    542 	pos += data->sess.dhcomp_len;
    543 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: PNonce_P", pos, data->sess.pnonce_len);
    544 	pnonce = pos;
    545 	pos += data->sess.pnonce_len;
    546 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: CBValue", pos, end - pos);
    547 
    548 	if (eap_eke_shared_secret(&data->sess, data->key, data->dh_priv, dhcomp)
    549 	    < 0) {
    550 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive shared secret");
    551 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    552 		return;
    553 	}
    554 
    555 	if (eap_eke_derive_ke_ki(&data->sess,
    556 				 sm->server_id, sm->server_id_len,
    557 				 data->peerid, data->peerid_len) < 0) {
    558 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive Ke/Ki");
    559 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    560 		return;
    561 	}
    562 
    563 	decrypt_len = sizeof(data->nonce_p);
    564 	if (eap_eke_decrypt_prot(&data->sess, pnonce, data->sess.pnonce_len,
    565 				 data->nonce_p, &decrypt_len) < 0) {
    566 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt PNonce_P");
    567 		eap_eke_fail(data, EAP_EKE_FAIL_AUTHENTICATION_FAIL);
    568 		return;
    569 	}
    570 	if (decrypt_len < (size_t) data->sess.nonce_len) {
    571 		wpa_printf(MSG_INFO, "EAP-EKE: PNonce_P protected data too short to include Nonce_P");
    572 		eap_eke_fail(data, EAP_EKE_FAIL_AUTHENTICATION_FAIL);
    573 		return;
    574 	}
    575 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Nonce_P",
    576 			data->nonce_p, data->sess.nonce_len);
    577 
    578 	if (wpabuf_resize(&data->msgs, wpabuf_len(respData)) < 0) {
    579 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    580 		return;
    581 	}
    582 	wpabuf_put_buf(data->msgs, respData);
    583 
    584 	eap_eke_state(data, CONFIRM);
    585 }
    586 
    587 
    588 static void eap_eke_process_confirm(struct eap_sm *sm,
    589 				    struct eap_eke_data *data,
    590 				    const struct wpabuf *respData,
    591 				    const u8 *payload, size_t payloadlen)
    592 {
    593 	size_t decrypt_len;
    594 	u8 nonce[EAP_EKE_MAX_NONCE_LEN];
    595 	u8 auth_p[EAP_EKE_MAX_HASH_LEN];
    596 
    597 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received Response/Confirm");
    598 
    599 	if (data->state != CONFIRM) {
    600 		eap_eke_fail(data, EAP_EKE_FAIL_PROTO_ERROR);
    601 		return;
    602 	}
    603 
    604 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received Response/Confirm");
    605 
    606 	if (payloadlen < (size_t) data->sess.pnonce_len + data->sess.prf_len) {
    607 		wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Confirm");
    608 		eap_eke_fail(data, EAP_EKE_FAIL_PROTO_ERROR);
    609 		return;
    610 	}
    611 
    612 	decrypt_len = sizeof(nonce);
    613 	if (eap_eke_decrypt_prot(&data->sess, payload, data->sess.pnonce_len,
    614 				 nonce, &decrypt_len) < 0) {
    615 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt PNonce_S");
    616 		eap_eke_fail(data, EAP_EKE_FAIL_AUTHENTICATION_FAIL);
    617 		return;
    618 	}
    619 	if (decrypt_len < (size_t) data->sess.nonce_len) {
    620 		wpa_printf(MSG_INFO, "EAP-EKE: PNonce_S protected data too short to include Nonce_S");
    621 		eap_eke_fail(data, EAP_EKE_FAIL_AUTHENTICATION_FAIL);
    622 		return;
    623 	}
    624 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Received Nonce_S",
    625 			nonce, data->sess.nonce_len);
    626 	if (os_memcmp(nonce, data->nonce_s, data->sess.nonce_len) != 0) {
    627 		wpa_printf(MSG_INFO, "EAP-EKE: Received Nonce_S does not match previously sent Nonce_S");
    628 		eap_eke_fail(data, EAP_EKE_FAIL_AUTHENTICATION_FAIL);
    629 		return;
    630 	}
    631 
    632 	if (eap_eke_auth(&data->sess, "EAP-EKE peer", data->msgs, auth_p) < 0) {
    633 		wpa_printf(MSG_INFO, "EAP-EKE: Could not derive Auth_P");
    634 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    635 		return;
    636 	}
    637 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: Auth_P", auth_p, data->sess.prf_len);
    638 	if (os_memcmp_const(auth_p, payload + data->sess.pnonce_len,
    639 			    data->sess.prf_len) != 0) {
    640 		wpa_printf(MSG_INFO, "EAP-EKE: Auth_P does not match");
    641 		eap_eke_fail(data, EAP_EKE_FAIL_AUTHENTICATION_FAIL);
    642 		return;
    643 	}
    644 
    645 	if (eap_eke_derive_msk(&data->sess, sm->server_id, sm->server_id_len,
    646 			       data->peerid, data->peerid_len,
    647 			       data->nonce_s, data->nonce_p,
    648 			       data->msk, data->emsk) < 0) {
    649 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive MSK/EMSK");
    650 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
    651 		return;
    652 	}
    653 
    654 	os_memset(data->dh_priv, 0, sizeof(data->dh_priv));
    655 	os_memset(data->key, 0, sizeof(data->key));
    656 	eap_eke_session_clean(&data->sess);
    657 
    658 	eap_eke_state(data, SUCCESS);
    659 }
    660 
    661 
    662 static void eap_eke_process_failure(struct eap_sm *sm,
    663 				    struct eap_eke_data *data,
    664 				    const struct wpabuf *respData,
    665 				    const u8 *payload, size_t payloadlen)
    666 {
    667 	u32 code;
    668 
    669 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received Response/Failure");
    670 
    671 	if (payloadlen < 4) {
    672 		wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Failure");
    673 		eap_eke_state(data, FAILURE);
    674 		return;
    675 	}
    676 
    677 	code = WPA_GET_BE32(payload);
    678 	wpa_printf(MSG_DEBUG, "EAP-EKE: Peer reported failure code 0x%x", code);
    679 
    680 	eap_eke_state(data, FAILURE);
    681 }
    682 
    683 
    684 static void eap_eke_process(struct eap_sm *sm, void *priv,
    685 			     struct wpabuf *respData)
    686 {
    687 	struct eap_eke_data *data = priv;
    688 	u8 eke_exch;
    689 	size_t len;
    690 	const u8 *pos, *end;
    691 
    692 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_EKE, respData, &len);
    693 	if (pos == NULL || len < 1)
    694 		return;
    695 
    696 	eke_exch = *pos;
    697 	end = pos + len;
    698 	pos++;
    699 
    700 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: Received payload", pos, end - pos);
    701 
    702 	switch (eke_exch) {
    703 	case EAP_EKE_ID:
    704 		eap_eke_process_identity(sm, data, respData, pos, end - pos);
    705 		break;
    706 	case EAP_EKE_COMMIT:
    707 		eap_eke_process_commit(sm, data, respData, pos, end - pos);
    708 		break;
    709 	case EAP_EKE_CONFIRM:
    710 		eap_eke_process_confirm(sm, data, respData, pos, end - pos);
    711 		break;
    712 	case EAP_EKE_FAILURE:
    713 		eap_eke_process_failure(sm, data, respData, pos, end - pos);
    714 		break;
    715 	}
    716 }
    717 
    718 
    719 static Boolean eap_eke_isDone(struct eap_sm *sm, void *priv)
    720 {
    721 	struct eap_eke_data *data = priv;
    722 	return data->state == SUCCESS || data->state == FAILURE;
    723 }
    724 
    725 
    726 static u8 * eap_eke_getKey(struct eap_sm *sm, void *priv, size_t *len)
    727 {
    728 	struct eap_eke_data *data = priv;
    729 	u8 *key;
    730 
    731 	if (data->state != SUCCESS)
    732 		return NULL;
    733 
    734 	key = os_malloc(EAP_MSK_LEN);
    735 	if (key == NULL)
    736 		return NULL;
    737 	os_memcpy(key, data->msk, EAP_MSK_LEN);
    738 	*len = EAP_MSK_LEN;
    739 
    740 	return key;
    741 }
    742 
    743 
    744 static u8 * eap_eke_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
    745 {
    746 	struct eap_eke_data *data = priv;
    747 	u8 *key;
    748 
    749 	if (data->state != SUCCESS)
    750 		return NULL;
    751 
    752 	key = os_malloc(EAP_EMSK_LEN);
    753 	if (key == NULL)
    754 		return NULL;
    755 	os_memcpy(key, data->emsk, EAP_EMSK_LEN);
    756 	*len = EAP_EMSK_LEN;
    757 
    758 	return key;
    759 }
    760 
    761 
    762 static Boolean eap_eke_isSuccess(struct eap_sm *sm, void *priv)
    763 {
    764 	struct eap_eke_data *data = priv;
    765 	return data->state == SUCCESS;
    766 }
    767 
    768 
    769 static u8 * eap_eke_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
    770 {
    771 	struct eap_eke_data *data = priv;
    772 	u8 *sid;
    773 	size_t sid_len;
    774 
    775 	if (data->state != SUCCESS)
    776 		return NULL;
    777 
    778 	sid_len = 1 + 2 * data->sess.nonce_len;
    779 	sid = os_malloc(sid_len);
    780 	if (sid == NULL)
    781 		return NULL;
    782 	sid[0] = EAP_TYPE_EKE;
    783 	os_memcpy(sid + 1, data->nonce_p, data->sess.nonce_len);
    784 	os_memcpy(sid + 1 + data->sess.nonce_len, data->nonce_s,
    785 		  data->sess.nonce_len);
    786 	*len = sid_len;
    787 
    788 	return sid;
    789 }
    790 
    791 
    792 int eap_server_eke_register(void)
    793 {
    794 	struct eap_method *eap;
    795 
    796 	eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
    797 				      EAP_VENDOR_IETF, EAP_TYPE_EKE, "EKE");
    798 	if (eap == NULL)
    799 		return -1;
    800 
    801 	eap->init = eap_eke_init;
    802 	eap->reset = eap_eke_reset;
    803 	eap->buildReq = eap_eke_buildReq;
    804 	eap->check = eap_eke_check;
    805 	eap->process = eap_eke_process;
    806 	eap->isDone = eap_eke_isDone;
    807 	eap->getKey = eap_eke_getKey;
    808 	eap->isSuccess = eap_eke_isSuccess;
    809 	eap->get_emsk = eap_eke_get_emsk;
    810 	eap->getSessionId = eap_eke_get_session_id;
    811 
    812 	return eap_server_method_register(eap);
    813 }
    814