xref: /freebsd/contrib/wpa/src/eap_common/eap_eke_common.c (revision f4b37ed0f8b307b1f3f0f630ca725d68f1dff30d)
1 /*
2  * EAP server/peer: EAP-EKE shared routines
3  * Copyright (c) 2011-2013, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/aes.h"
13 #include "crypto/aes_wrap.h"
14 #include "crypto/crypto.h"
15 #include "crypto/dh_groups.h"
16 #include "crypto/random.h"
17 #include "crypto/sha1.h"
18 #include "crypto/sha256.h"
19 #include "eap_common/eap_defs.h"
20 #include "eap_eke_common.h"
21 
22 
23 static int eap_eke_dh_len(u8 group)
24 {
25 	switch (group) {
26 	case EAP_EKE_DHGROUP_EKE_2:
27 		return 128;
28 	case EAP_EKE_DHGROUP_EKE_5:
29 		return 192;
30 	case EAP_EKE_DHGROUP_EKE_14:
31 		return 256;
32 	case EAP_EKE_DHGROUP_EKE_15:
33 		return 384;
34 	case EAP_EKE_DHGROUP_EKE_16:
35 		return 512;
36 	}
37 
38 	return -1;
39 }
40 
41 
42 static int eap_eke_dhcomp_len(u8 dhgroup, u8 encr)
43 {
44 	int dhlen;
45 
46 	dhlen = eap_eke_dh_len(dhgroup);
47 	if (dhlen < 0)
48 		return -1;
49 	if (encr != EAP_EKE_ENCR_AES128_CBC)
50 		return -1;
51 	return AES_BLOCK_SIZE + dhlen;
52 }
53 
54 
55 static const struct dh_group * eap_eke_dh_group(u8 group)
56 {
57 	switch (group) {
58 	case EAP_EKE_DHGROUP_EKE_2:
59 		return dh_groups_get(2);
60 	case EAP_EKE_DHGROUP_EKE_5:
61 		return dh_groups_get(5);
62 	case EAP_EKE_DHGROUP_EKE_14:
63 		return dh_groups_get(14);
64 	case EAP_EKE_DHGROUP_EKE_15:
65 		return dh_groups_get(15);
66 	case EAP_EKE_DHGROUP_EKE_16:
67 		return dh_groups_get(16);
68 	}
69 
70 	return NULL;
71 }
72 
73 
74 static int eap_eke_dh_generator(u8 group)
75 {
76 	switch (group) {
77 	case EAP_EKE_DHGROUP_EKE_2:
78 		return 5;
79 	case EAP_EKE_DHGROUP_EKE_5:
80 		return 31;
81 	case EAP_EKE_DHGROUP_EKE_14:
82 		return 11;
83 	case EAP_EKE_DHGROUP_EKE_15:
84 		return 5;
85 	case EAP_EKE_DHGROUP_EKE_16:
86 		return 5;
87 	}
88 
89 	return -1;
90 }
91 
92 
93 static int eap_eke_pnonce_len(u8 mac)
94 {
95 	int mac_len;
96 
97 	if (mac == EAP_EKE_MAC_HMAC_SHA1)
98 		mac_len = SHA1_MAC_LEN;
99 	else if (mac == EAP_EKE_MAC_HMAC_SHA2_256)
100 		mac_len = SHA256_MAC_LEN;
101 	else
102 		return -1;
103 
104 	return AES_BLOCK_SIZE + 16 + mac_len;
105 }
106 
107 
108 static int eap_eke_pnonce_ps_len(u8 mac)
109 {
110 	int mac_len;
111 
112 	if (mac == EAP_EKE_MAC_HMAC_SHA1)
113 		mac_len = SHA1_MAC_LEN;
114 	else if (mac == EAP_EKE_MAC_HMAC_SHA2_256)
115 		mac_len = SHA256_MAC_LEN;
116 	else
117 		return -1;
118 
119 	return AES_BLOCK_SIZE + 2 * 16 + mac_len;
120 }
121 
122 
123 static int eap_eke_prf_len(u8 prf)
124 {
125 	if (prf == EAP_EKE_PRF_HMAC_SHA1)
126 		return 20;
127 	if (prf == EAP_EKE_PRF_HMAC_SHA2_256)
128 		return 32;
129 	return -1;
130 }
131 
132 
133 static int eap_eke_nonce_len(u8 prf)
134 {
135 	int prf_len;
136 
137 	prf_len = eap_eke_prf_len(prf);
138 	if (prf_len < 0)
139 		return -1;
140 
141 	if (prf_len > 2 * 16)
142 		return (prf_len + 1) / 2;
143 
144 	return 16;
145 }
146 
147 
148 static int eap_eke_auth_len(u8 prf)
149 {
150 	switch (prf) {
151 	case EAP_EKE_PRF_HMAC_SHA1:
152 		return SHA1_MAC_LEN;
153 	case EAP_EKE_PRF_HMAC_SHA2_256:
154 		return SHA256_MAC_LEN;
155 	}
156 
157 	return -1;
158 }
159 
160 
161 int eap_eke_dh_init(u8 group, u8 *ret_priv, u8 *ret_pub)
162 {
163 	int generator;
164 	u8 gen;
165 	const struct dh_group *dh;
166 	size_t pub_len, i;
167 
168 	generator = eap_eke_dh_generator(group);
169 	if (generator < 0 || generator > 255)
170 		return -1;
171 	gen = generator;
172 
173 	dh = eap_eke_dh_group(group);
174 	if (dh == NULL)
175 		return -1;
176 
177 	/* x = random number 2 .. p-1 */
178 	if (random_get_bytes(ret_priv, dh->prime_len))
179 		return -1;
180 	if (os_memcmp(ret_priv, dh->prime, dh->prime_len) > 0) {
181 		/* Make sure private value is smaller than prime */
182 		ret_priv[0] = 0;
183 	}
184 	for (i = 0; i < dh->prime_len - 1; i++) {
185 		if (ret_priv[i])
186 			break;
187 	}
188 	if (i == dh->prime_len - 1 && (ret_priv[i] == 0 || ret_priv[i] == 1))
189 		return -1;
190 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: DH private value",
191 			ret_priv, dh->prime_len);
192 
193 	/* y = g ^ x (mod p) */
194 	pub_len = dh->prime_len;
195 	if (crypto_mod_exp(&gen, 1, ret_priv, dh->prime_len,
196 			   dh->prime, dh->prime_len, ret_pub, &pub_len) < 0)
197 		return -1;
198 	if (pub_len < dh->prime_len) {
199 		size_t pad = dh->prime_len - pub_len;
200 		os_memmove(ret_pub + pad, ret_pub, pub_len);
201 		os_memset(ret_pub, 0, pad);
202 	}
203 
204 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: DH public value",
205 		    ret_pub, dh->prime_len);
206 
207 	return 0;
208 }
209 
210 
211 static int eap_eke_prf(u8 prf, const u8 *key, size_t key_len, const u8 *data,
212 		       size_t data_len, const u8 *data2, size_t data2_len,
213 		       u8 *res)
214 {
215 	const u8 *addr[2];
216 	size_t len[2];
217 	size_t num_elem = 1;
218 
219 	addr[0] = data;
220 	len[0] = data_len;
221 	if (data2) {
222 		num_elem++;
223 		addr[1] = data2;
224 		len[1] = data2_len;
225 	}
226 
227 	if (prf == EAP_EKE_PRF_HMAC_SHA1)
228 		return hmac_sha1_vector(key, key_len, num_elem, addr, len, res);
229 	if (prf == EAP_EKE_PRF_HMAC_SHA2_256)
230 		return hmac_sha256_vector(key, key_len, num_elem, addr, len,
231 					  res);
232 	return -1;
233 }
234 
235 
236 static int eap_eke_prf_hmac_sha1(const u8 *key, size_t key_len, const u8 *data,
237 				 size_t data_len, u8 *res, size_t len)
238 {
239 	u8 hash[SHA1_MAC_LEN];
240 	u8 idx;
241 	const u8 *addr[3];
242 	size_t vlen[3];
243 	int ret;
244 
245 	idx = 0;
246 	addr[0] = hash;
247 	vlen[0] = SHA1_MAC_LEN;
248 	addr[1] = data;
249 	vlen[1] = data_len;
250 	addr[2] = &idx;
251 	vlen[2] = 1;
252 
253 	while (len > 0) {
254 		idx++;
255 		if (idx == 1)
256 			ret = hmac_sha1_vector(key, key_len, 2, &addr[1],
257 					       &vlen[1], hash);
258 		else
259 			ret = hmac_sha1_vector(key, key_len, 3, addr, vlen,
260 					       hash);
261 		if (ret < 0)
262 			return -1;
263 		if (len > SHA1_MAC_LEN) {
264 			os_memcpy(res, hash, SHA1_MAC_LEN);
265 			res += SHA1_MAC_LEN;
266 			len -= SHA1_MAC_LEN;
267 		} else {
268 			os_memcpy(res, hash, len);
269 			len = 0;
270 		}
271 	}
272 
273 	return 0;
274 }
275 
276 
277 static int eap_eke_prf_hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
278 				   size_t data_len, u8 *res, size_t len)
279 {
280 	u8 hash[SHA256_MAC_LEN];
281 	u8 idx;
282 	const u8 *addr[3];
283 	size_t vlen[3];
284 	int ret;
285 
286 	idx = 0;
287 	addr[0] = hash;
288 	vlen[0] = SHA256_MAC_LEN;
289 	addr[1] = data;
290 	vlen[1] = data_len;
291 	addr[2] = &idx;
292 	vlen[2] = 1;
293 
294 	while (len > 0) {
295 		idx++;
296 		if (idx == 1)
297 			ret = hmac_sha256_vector(key, key_len, 2, &addr[1],
298 						 &vlen[1], hash);
299 		else
300 			ret = hmac_sha256_vector(key, key_len, 3, addr, vlen,
301 						 hash);
302 		if (ret < 0)
303 			return -1;
304 		if (len > SHA256_MAC_LEN) {
305 			os_memcpy(res, hash, SHA256_MAC_LEN);
306 			res += SHA256_MAC_LEN;
307 			len -= SHA256_MAC_LEN;
308 		} else {
309 			os_memcpy(res, hash, len);
310 			len = 0;
311 		}
312 	}
313 
314 	return 0;
315 }
316 
317 
318 static int eap_eke_prfplus(u8 prf, const u8 *key, size_t key_len,
319 			   const u8 *data, size_t data_len, u8 *res, size_t len)
320 {
321 	if (prf == EAP_EKE_PRF_HMAC_SHA1)
322 		return eap_eke_prf_hmac_sha1(key, key_len, data, data_len, res,
323 					     len);
324 	if (prf == EAP_EKE_PRF_HMAC_SHA2_256)
325 		return eap_eke_prf_hmac_sha256(key, key_len, data, data_len,
326 					       res, len);
327 	return -1;
328 }
329 
330 
331 int eap_eke_derive_key(struct eap_eke_session *sess,
332 		       const u8 *password, size_t password_len,
333 		       const u8 *id_s, size_t id_s_len, const u8 *id_p,
334 		       size_t id_p_len, u8 *key)
335 {
336 	u8 zeros[EAP_EKE_MAX_HASH_LEN];
337 	u8 temp[EAP_EKE_MAX_HASH_LEN];
338 	size_t key_len = 16; /* Only AES-128-CBC is used here */
339 	u8 *id;
340 
341 	/* temp = prf(0+, password) */
342 	os_memset(zeros, 0, sess->prf_len);
343 	if (eap_eke_prf(sess->prf, zeros, sess->prf_len,
344 			password, password_len, NULL, 0, temp) < 0)
345 		return -1;
346 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: temp = prf(0+, password)",
347 			temp, sess->prf_len);
348 
349 	/* key = prf+(temp, ID_S | ID_P) */
350 	id = os_malloc(id_s_len + id_p_len);
351 	if (id == NULL)
352 		return -1;
353 	os_memcpy(id, id_s, id_s_len);
354 	os_memcpy(id + id_s_len, id_p, id_p_len);
355 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-EKE: ID_S | ID_P",
356 			  id, id_s_len + id_p_len);
357 	if (eap_eke_prfplus(sess->prf, temp, sess->prf_len,
358 			    id, id_s_len + id_p_len, key, key_len) < 0) {
359 		os_free(id);
360 		return -1;
361 	}
362 	os_free(id);
363 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: key = prf+(temp, ID_S | ID_P)",
364 			key, key_len);
365 
366 	return 0;
367 }
368 
369 
370 int eap_eke_dhcomp(struct eap_eke_session *sess, const u8 *key, const u8 *dhpub,
371 		   u8 *ret_dhcomp)
372 {
373 	u8 pub[EAP_EKE_MAX_DH_LEN];
374 	int dh_len;
375 	u8 iv[AES_BLOCK_SIZE];
376 
377 	dh_len = eap_eke_dh_len(sess->dhgroup);
378 	if (dh_len < 0)
379 		return -1;
380 
381 	/*
382 	 * DHComponent = Encr(key, y)
383 	 *
384 	 * All defined DH groups use primes that have length devisible by 16, so
385 	 * no need to do extra padding for y (= pub).
386 	 */
387 	if (sess->encr != EAP_EKE_ENCR_AES128_CBC)
388 		return -1;
389 	if (random_get_bytes(iv, AES_BLOCK_SIZE))
390 		return -1;
391 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: IV for Encr(key, y)",
392 		    iv, AES_BLOCK_SIZE);
393 	os_memcpy(pub, dhpub, dh_len);
394 	if (aes_128_cbc_encrypt(key, iv, pub, dh_len) < 0)
395 		return -1;
396 	os_memcpy(ret_dhcomp, iv, AES_BLOCK_SIZE);
397 	os_memcpy(ret_dhcomp + AES_BLOCK_SIZE, pub, dh_len);
398 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent = Encr(key, y)",
399 		    ret_dhcomp, AES_BLOCK_SIZE + dh_len);
400 
401 	return 0;
402 }
403 
404 
405 int eap_eke_shared_secret(struct eap_eke_session *sess, const u8 *key,
406 			  const u8 *dhpriv, const u8 *peer_dhcomp)
407 {
408 	u8 zeros[EAP_EKE_MAX_HASH_LEN];
409 	u8 peer_pub[EAP_EKE_MAX_DH_LEN];
410 	u8 modexp[EAP_EKE_MAX_DH_LEN];
411 	size_t len;
412 	const struct dh_group *dh;
413 
414 	if (sess->encr != EAP_EKE_ENCR_AES128_CBC)
415 		return -1;
416 
417 	dh = eap_eke_dh_group(sess->dhgroup);
418 	if (dh == NULL)
419 		return -1;
420 
421 	/* Decrypt peer DHComponent */
422 	os_memcpy(peer_pub, peer_dhcomp + AES_BLOCK_SIZE, dh->prime_len);
423 	if (aes_128_cbc_decrypt(key, peer_dhcomp, peer_pub, dh->prime_len) < 0) {
424 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt DHComponent");
425 		return -1;
426 	}
427 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Decrypted peer DH pubkey",
428 			peer_pub, dh->prime_len);
429 
430 	/* SharedSecret = prf(0+, g ^ (x_s * x_p) (mod p)) */
431 	len = dh->prime_len;
432 	if (crypto_mod_exp(peer_pub, dh->prime_len, dhpriv, dh->prime_len,
433 			   dh->prime, dh->prime_len, modexp, &len) < 0)
434 		return -1;
435 	if (len < dh->prime_len) {
436 		size_t pad = dh->prime_len - len;
437 		os_memmove(modexp + pad, modexp, len);
438 		os_memset(modexp, 0, pad);
439 	}
440 
441 	os_memset(zeros, 0, sess->auth_len);
442 	if (eap_eke_prf(sess->prf, zeros, sess->auth_len, modexp, dh->prime_len,
443 			NULL, 0, sess->shared_secret) < 0)
444 		return -1;
445 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: SharedSecret",
446 			sess->shared_secret, sess->auth_len);
447 
448 	return 0;
449 }
450 
451 
452 int eap_eke_derive_ke_ki(struct eap_eke_session *sess,
453 			 const u8 *id_s, size_t id_s_len,
454 			 const u8 *id_p, size_t id_p_len)
455 {
456 	u8 buf[EAP_EKE_MAX_KE_LEN + EAP_EKE_MAX_KI_LEN];
457 	size_t ke_len, ki_len;
458 	u8 *data;
459 	size_t data_len;
460 	const char *label = "EAP-EKE Keys";
461 	size_t label_len;
462 
463 	/*
464 	 * Ke | Ki = prf+(SharedSecret, "EAP-EKE Keys" | ID_S | ID_P)
465 	 * Ke = encryption key
466 	 * Ki = integrity protection key
467 	 * Length of each key depends on the selected algorithms.
468 	 */
469 
470 	if (sess->encr == EAP_EKE_ENCR_AES128_CBC)
471 		ke_len = 16;
472 	else
473 		return -1;
474 
475 	if (sess->mac == EAP_EKE_PRF_HMAC_SHA1)
476 		ki_len = 20;
477 	else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256)
478 		ki_len = 32;
479 	else
480 		return -1;
481 
482 	label_len = os_strlen(label);
483 	data_len = label_len + id_s_len + id_p_len;
484 	data = os_malloc(data_len);
485 	if (data == NULL)
486 		return -1;
487 	os_memcpy(data, label, label_len);
488 	os_memcpy(data + label_len, id_s, id_s_len);
489 	os_memcpy(data + label_len + id_s_len, id_p, id_p_len);
490 	if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len,
491 			    data, data_len, buf, ke_len + ki_len) < 0) {
492 		os_free(data);
493 		return -1;
494 	}
495 
496 	os_memcpy(sess->ke, buf, ke_len);
497 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ke", sess->ke, ke_len);
498 	os_memcpy(sess->ki, buf + ke_len, ki_len);
499 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ki", sess->ki, ki_len);
500 
501 	os_free(data);
502 	return 0;
503 }
504 
505 
506 int eap_eke_derive_ka(struct eap_eke_session *sess,
507 		      const u8 *id_s, size_t id_s_len,
508 		      const u8 *id_p, size_t id_p_len,
509 		      const u8 *nonce_p, const u8 *nonce_s)
510 {
511 	u8 *data, *pos;
512 	size_t data_len;
513 	const char *label = "EAP-EKE Ka";
514 	size_t label_len;
515 
516 	/*
517 	 * Ka = prf+(SharedSecret, "EAP-EKE Ka" | ID_S | ID_P | Nonce_P |
518 	 *	     Nonce_S)
519 	 * Ka = authentication key
520 	 * Length of the key depends on the selected algorithms.
521 	 */
522 
523 	label_len = os_strlen(label);
524 	data_len = label_len + id_s_len + id_p_len + 2 * sess->nonce_len;
525 	data = os_malloc(data_len);
526 	if (data == NULL)
527 		return -1;
528 	pos = data;
529 	os_memcpy(pos, label, label_len);
530 	pos += label_len;
531 	os_memcpy(pos, id_s, id_s_len);
532 	pos += id_s_len;
533 	os_memcpy(pos, id_p, id_p_len);
534 	pos += id_p_len;
535 	os_memcpy(pos, nonce_p, sess->nonce_len);
536 	pos += sess->nonce_len;
537 	os_memcpy(pos, nonce_s, sess->nonce_len);
538 	if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len,
539 			    data, data_len, sess->ka, sess->prf_len) < 0) {
540 		os_free(data);
541 		return -1;
542 	}
543 	os_free(data);
544 
545 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ka", sess->ka, sess->prf_len);
546 
547 	return 0;
548 }
549 
550 
551 int eap_eke_derive_msk(struct eap_eke_session *sess,
552 		       const u8 *id_s, size_t id_s_len,
553 		       const u8 *id_p, size_t id_p_len,
554 		       const u8 *nonce_p, const u8 *nonce_s,
555 		       u8 *msk, u8 *emsk)
556 {
557 	u8 *data, *pos;
558 	size_t data_len;
559 	const char *label = "EAP-EKE Exported Keys";
560 	size_t label_len;
561 	u8 buf[EAP_MSK_LEN + EAP_EMSK_LEN];
562 
563 	/*
564 	 * MSK | EMSK = prf+(SharedSecret, "EAP-EKE Exported Keys" | ID_S |
565 	 *		     ID_P | Nonce_P | Nonce_S)
566 	 */
567 
568 	label_len = os_strlen(label);
569 	data_len = label_len + id_s_len + id_p_len + 2 * sess->nonce_len;
570 	data = os_malloc(data_len);
571 	if (data == NULL)
572 		return -1;
573 	pos = data;
574 	os_memcpy(pos, label, label_len);
575 	pos += label_len;
576 	os_memcpy(pos, id_s, id_s_len);
577 	pos += id_s_len;
578 	os_memcpy(pos, id_p, id_p_len);
579 	pos += id_p_len;
580 	os_memcpy(pos, nonce_p, sess->nonce_len);
581 	pos += sess->nonce_len;
582 	os_memcpy(pos, nonce_s, sess->nonce_len);
583 	if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len,
584 			    data, data_len, buf, EAP_MSK_LEN + EAP_EMSK_LEN) <
585 	    0) {
586 		os_free(data);
587 		return -1;
588 	}
589 	os_free(data);
590 
591 	os_memcpy(msk, buf, EAP_MSK_LEN);
592 	os_memcpy(emsk, buf + EAP_MSK_LEN, EAP_EMSK_LEN);
593 	os_memset(buf, 0, sizeof(buf));
594 
595 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: MSK", msk, EAP_MSK_LEN);
596 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: EMSK", msk, EAP_EMSK_LEN);
597 
598 	return 0;
599 }
600 
601 
602 static int eap_eke_mac(u8 mac, const u8 *key, const u8 *data, size_t data_len,
603 		       u8 *res)
604 {
605 	if (mac == EAP_EKE_MAC_HMAC_SHA1)
606 		return hmac_sha1(key, SHA1_MAC_LEN, data, data_len, res);
607 	if (mac == EAP_EKE_MAC_HMAC_SHA2_256)
608 		return hmac_sha256(key, SHA256_MAC_LEN, data, data_len, res);
609 	return -1;
610 }
611 
612 
613 int eap_eke_prot(struct eap_eke_session *sess,
614 		 const u8 *data, size_t data_len,
615 		 u8 *prot, size_t *prot_len)
616 {
617 	size_t block_size, icv_len, pad;
618 	u8 *pos, *iv, *e;
619 
620 	if (sess->encr == EAP_EKE_ENCR_AES128_CBC)
621 		block_size = AES_BLOCK_SIZE;
622 	else
623 		return -1;
624 
625 	if (sess->mac == EAP_EKE_PRF_HMAC_SHA1)
626 		icv_len = SHA1_MAC_LEN;
627 	else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256)
628 		icv_len = SHA256_MAC_LEN;
629 	else
630 		return -1;
631 
632 	pad = data_len % block_size;
633 	if (pad)
634 		pad = block_size - pad;
635 
636 	if (*prot_len < block_size + data_len + pad + icv_len) {
637 		wpa_printf(MSG_INFO, "EAP-EKE: Not enough room for Prot() data");
638 	}
639 	pos = prot;
640 
641 	if (random_get_bytes(pos, block_size))
642 		return -1;
643 	iv = pos;
644 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: IV for Prot()", iv, block_size);
645 	pos += block_size;
646 
647 	e = pos;
648 	os_memcpy(pos, data, data_len);
649 	pos += data_len;
650 	if (pad) {
651 		if (random_get_bytes(pos, pad))
652 			return -1;
653 		pos += pad;
654 	}
655 
656 	if (aes_128_cbc_encrypt(sess->ke, iv, e, data_len + pad) < 0)
657 		return -1;
658 
659 	if (eap_eke_mac(sess->mac, sess->ki, e, data_len + pad, pos) < 0)
660 		return -1;
661 	pos += icv_len;
662 
663 	*prot_len = pos - prot;
664 	return 0;
665 }
666 
667 
668 int eap_eke_decrypt_prot(struct eap_eke_session *sess,
669 			 const u8 *prot, size_t prot_len,
670 			 u8 *data, size_t *data_len)
671 {
672 	size_t block_size, icv_len;
673 	u8 icv[EAP_EKE_MAX_HASH_LEN];
674 
675 	if (sess->encr == EAP_EKE_ENCR_AES128_CBC)
676 		block_size = AES_BLOCK_SIZE;
677 	else
678 		return -1;
679 
680 	if (sess->mac == EAP_EKE_PRF_HMAC_SHA1)
681 		icv_len = SHA1_MAC_LEN;
682 	else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256)
683 		icv_len = SHA256_MAC_LEN;
684 	else
685 		return -1;
686 
687 	if (prot_len < 2 * block_size + icv_len)
688 		return -1;
689 	if ((prot_len - icv_len) % block_size)
690 		return -1;
691 
692 	if (eap_eke_mac(sess->mac, sess->ki, prot + block_size,
693 			prot_len - block_size - icv_len, icv) < 0)
694 		return -1;
695 	if (os_memcmp_const(icv, prot + prot_len - icv_len, icv_len) != 0) {
696 		wpa_printf(MSG_INFO, "EAP-EKE: ICV mismatch in Prot() data");
697 		return -1;
698 	}
699 
700 	if (*data_len < prot_len - block_size - icv_len) {
701 		wpa_printf(MSG_INFO, "EAP-EKE: Not enough room for decrypted Prot() data");
702 		return -1;
703 	}
704 
705 	*data_len = prot_len - block_size - icv_len;
706 	os_memcpy(data, prot + block_size, *data_len);
707 	if (aes_128_cbc_decrypt(sess->ke, prot, data, *data_len) < 0) {
708 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt Prot() data");
709 		return -1;
710 	}
711 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Decrypted Prot() data",
712 			data, *data_len);
713 
714 	return 0;
715 }
716 
717 
718 int eap_eke_auth(struct eap_eke_session *sess, const char *label,
719 		 const struct wpabuf *msgs, u8 *auth)
720 {
721 	wpa_printf(MSG_DEBUG, "EAP-EKE: Auth(%s)", label);
722 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ka for Auth",
723 			sess->ka, sess->auth_len);
724 	wpa_hexdump_buf(MSG_MSGDUMP, "EAP-EKE: Messages for Auth", msgs);
725 	return eap_eke_prf(sess->prf, sess->ka, sess->auth_len,
726 			   (const u8 *) label, os_strlen(label),
727 			   wpabuf_head(msgs), wpabuf_len(msgs), auth);
728 }
729 
730 
731 int eap_eke_session_init(struct eap_eke_session *sess, u8 dhgroup, u8 encr,
732 			 u8 prf, u8 mac)
733 {
734 	sess->dhgroup = dhgroup;
735 	sess->encr = encr;
736 	sess->prf = prf;
737 	sess->mac = mac;
738 
739 	sess->prf_len = eap_eke_prf_len(prf);
740 	if (sess->prf_len < 0)
741 		return -1;
742 	sess->nonce_len = eap_eke_nonce_len(prf);
743 	if (sess->nonce_len < 0)
744 		return -1;
745 	sess->auth_len = eap_eke_auth_len(prf);
746 	if (sess->auth_len < 0)
747 		return -1;
748 	sess->dhcomp_len = eap_eke_dhcomp_len(sess->dhgroup, sess->encr);
749 	if (sess->dhcomp_len < 0)
750 		return -1;
751 	sess->pnonce_len = eap_eke_pnonce_len(sess->mac);
752 	if (sess->pnonce_len < 0)
753 		return -1;
754 	sess->pnonce_ps_len = eap_eke_pnonce_ps_len(sess->mac);
755 	if (sess->pnonce_ps_len < 0)
756 		return -1;
757 
758 	return 0;
759 }
760 
761 
762 void eap_eke_session_clean(struct eap_eke_session *sess)
763 {
764 	os_memset(sess->shared_secret, 0, EAP_EKE_MAX_HASH_LEN);
765 	os_memset(sess->ke, 0, EAP_EKE_MAX_KE_LEN);
766 	os_memset(sess->ki, 0, EAP_EKE_MAX_KI_LEN);
767 	os_memset(sess->ka, 0, EAP_EKE_MAX_KA_LEN);
768 }
769