xref: /freebsd/contrib/wpa/src/eap_peer/eap_eke.c (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1 /*
2  * EAP peer method: EAP-EKE (RFC 6124)
3  * Copyright (c) 2013, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/random.h"
13 #include "eap_peer/eap_i.h"
14 #include "eap_common/eap_eke_common.h"
15 
16 struct eap_eke_data {
17 	enum {
18 		IDENTITY, COMMIT, CONFIRM, SUCCESS, FAILURE
19 	} state;
20 	u8 msk[EAP_MSK_LEN];
21 	u8 emsk[EAP_EMSK_LEN];
22 	u8 *peerid;
23 	size_t peerid_len;
24 	u8 *serverid;
25 	size_t serverid_len;
26 	u8 dh_priv[EAP_EKE_MAX_DH_LEN];
27 	struct eap_eke_session sess;
28 	u8 nonce_p[EAP_EKE_MAX_NONCE_LEN];
29 	u8 nonce_s[EAP_EKE_MAX_NONCE_LEN];
30 	struct wpabuf *msgs;
31 	u8 dhgroup; /* forced DH group or 0 to allow all supported */
32 	u8 encr; /* forced encryption algorithm or 0 to allow all supported */
33 	u8 prf; /* forced PRF or 0 to allow all supported */
34 	u8 mac; /* forced MAC or 0 to allow all supported */
35 };
36 
37 
38 static const char * eap_eke_state_txt(int state)
39 {
40 	switch (state) {
41 	case IDENTITY:
42 		return "IDENTITY";
43 	case COMMIT:
44 		return "COMMIT";
45 	case CONFIRM:
46 		return "CONFIRM";
47 	case SUCCESS:
48 		return "SUCCESS";
49 	case FAILURE:
50 		return "FAILURE";
51 	default:
52 		return "?";
53 	}
54 }
55 
56 
57 static void eap_eke_state(struct eap_eke_data *data, int state)
58 {
59 	wpa_printf(MSG_DEBUG, "EAP-EKE: %s -> %s",
60 		   eap_eke_state_txt(data->state), eap_eke_state_txt(state));
61 	data->state = state;
62 }
63 
64 
65 static void eap_eke_deinit(struct eap_sm *sm, void *priv);
66 
67 
68 static void * eap_eke_init(struct eap_sm *sm)
69 {
70 	struct eap_eke_data *data;
71 	const u8 *identity, *password;
72 	size_t identity_len, password_len;
73 	const char *phase1;
74 
75 	password = eap_get_config_password(sm, &password_len);
76 	if (!password) {
77 		wpa_printf(MSG_INFO, "EAP-EKE: No password configured");
78 		return NULL;
79 	}
80 
81 	data = os_zalloc(sizeof(*data));
82 	if (data == NULL)
83 		return NULL;
84 	eap_eke_state(data, IDENTITY);
85 
86 	identity = eap_get_config_identity(sm, &identity_len);
87 	if (identity) {
88 		data->peerid = os_memdup(identity, identity_len);
89 		if (data->peerid == NULL) {
90 			eap_eke_deinit(sm, data);
91 			return NULL;
92 		}
93 		data->peerid_len = identity_len;
94 	}
95 
96 	phase1 = eap_get_config_phase1(sm);
97 	if (phase1) {
98 		const char *pos;
99 
100 		pos = os_strstr(phase1, "dhgroup=");
101 		if (pos) {
102 			data->dhgroup = atoi(pos + 8);
103 			wpa_printf(MSG_DEBUG, "EAP-EKE: Forced dhgroup %u",
104 				   data->dhgroup);
105 		}
106 
107 		pos = os_strstr(phase1, "encr=");
108 		if (pos) {
109 			data->encr = atoi(pos + 5);
110 			wpa_printf(MSG_DEBUG, "EAP-EKE: Forced encr %u",
111 				   data->encr);
112 		}
113 
114 		pos = os_strstr(phase1, "prf=");
115 		if (pos) {
116 			data->prf = atoi(pos + 4);
117 			wpa_printf(MSG_DEBUG, "EAP-EKE: Forced prf %u",
118 				   data->prf);
119 		}
120 
121 		pos = os_strstr(phase1, "mac=");
122 		if (pos) {
123 			data->mac = atoi(pos + 4);
124 			wpa_printf(MSG_DEBUG, "EAP-EKE: Forced mac %u",
125 				   data->mac);
126 		}
127 	}
128 
129 	return data;
130 }
131 
132 
133 static void eap_eke_deinit(struct eap_sm *sm, void *priv)
134 {
135 	struct eap_eke_data *data = priv;
136 	eap_eke_session_clean(&data->sess);
137 	os_free(data->serverid);
138 	os_free(data->peerid);
139 	wpabuf_free(data->msgs);
140 	bin_clear_free(data, sizeof(*data));
141 }
142 
143 
144 static struct wpabuf * eap_eke_build_msg(struct eap_eke_data *data, int id,
145 					 size_t length, u8 eke_exch)
146 {
147 	struct wpabuf *msg;
148 	size_t plen;
149 
150 	plen = 1 + length;
151 
152 	msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_EKE, plen,
153 			    EAP_CODE_RESPONSE, id);
154 	if (msg == NULL) {
155 		wpa_printf(MSG_ERROR, "EAP-EKE: Failed to allocate memory");
156 		return NULL;
157 	}
158 
159 	wpabuf_put_u8(msg, eke_exch);
160 
161 	return msg;
162 }
163 
164 
165 static int eap_eke_supp_dhgroup(u8 dhgroup)
166 {
167 	return dhgroup == EAP_EKE_DHGROUP_EKE_2 ||
168 		dhgroup == EAP_EKE_DHGROUP_EKE_5 ||
169 		dhgroup == EAP_EKE_DHGROUP_EKE_14 ||
170 		dhgroup == EAP_EKE_DHGROUP_EKE_15 ||
171 		dhgroup == EAP_EKE_DHGROUP_EKE_16;
172 }
173 
174 
175 static int eap_eke_supp_encr(u8 encr)
176 {
177 	return encr == EAP_EKE_ENCR_AES128_CBC;
178 }
179 
180 
181 static int eap_eke_supp_prf(u8 prf)
182 {
183 	return prf == EAP_EKE_PRF_HMAC_SHA1 ||
184 		prf == EAP_EKE_PRF_HMAC_SHA2_256;
185 }
186 
187 
188 static int eap_eke_supp_mac(u8 mac)
189 {
190 	return mac == EAP_EKE_MAC_HMAC_SHA1 ||
191 		mac == EAP_EKE_MAC_HMAC_SHA2_256;
192 }
193 
194 
195 static struct wpabuf * eap_eke_build_fail(struct eap_eke_data *data,
196 					  struct eap_method_ret *ret,
197 					  u8 id, u32 failure_code)
198 {
199 	struct wpabuf *resp;
200 
201 	wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Failure/Response - code=0x%x",
202 		   failure_code);
203 
204 	resp = eap_eke_build_msg(data, id, 4, EAP_EKE_FAILURE);
205 	if (resp)
206 		wpabuf_put_be32(resp, failure_code);
207 
208 	os_memset(data->dh_priv, 0, sizeof(data->dh_priv));
209 	eap_eke_session_clean(&data->sess);
210 
211 	eap_eke_state(data, FAILURE);
212 	ret->methodState = METHOD_DONE;
213 	ret->decision = DECISION_FAIL;
214 	ret->allowNotifications = false;
215 
216 	return resp;
217 }
218 
219 
220 static struct wpabuf * eap_eke_process_id(struct eap_eke_data *data,
221 					  struct eap_method_ret *ret,
222 					  const struct wpabuf *reqData,
223 					  const u8 *payload,
224 					  size_t payload_len)
225 {
226 	struct wpabuf *resp;
227 	unsigned num_prop, i;
228 	const u8 *pos, *end;
229 	const u8 *prop = NULL;
230 	u8 idtype;
231 	u8 id = eap_get_id(reqData);
232 
233 	if (data->state != IDENTITY) {
234 		return eap_eke_build_fail(data, ret, id,
235 					  EAP_EKE_FAIL_PROTO_ERROR);
236 	}
237 
238 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-ID/Request");
239 
240 	if (payload_len < 2 + 4) {
241 		wpa_printf(MSG_DEBUG, "EAP-EKE: Too short ID/Request Data");
242 		return eap_eke_build_fail(data, ret, id,
243 					  EAP_EKE_FAIL_PROTO_ERROR);
244 	}
245 
246 	pos = payload;
247 	end = payload + payload_len;
248 
249 	num_prop = *pos++;
250 	pos++; /* Ignore Reserved field */
251 
252 	if (pos + num_prop * 4 > end) {
253 		wpa_printf(MSG_DEBUG, "EAP-EKE: Too short ID/Request Data (num_prop=%u)",
254 			   num_prop);
255 		return eap_eke_build_fail(data, ret, id,
256 					  EAP_EKE_FAIL_PROTO_ERROR);
257 	}
258 
259 	for (i = 0; i < num_prop; i++) {
260 		const u8 *tmp = pos;
261 
262 		wpa_printf(MSG_DEBUG, "EAP-EKE: Proposal #%u: dh=%u encr=%u prf=%u mac=%u",
263 			   i, pos[0], pos[1], pos[2], pos[3]);
264 		pos += 4;
265 
266 		if ((data->dhgroup && data->dhgroup != *tmp) ||
267 		    !eap_eke_supp_dhgroup(*tmp))
268 			continue;
269 		tmp++;
270 		if ((data->encr && data->encr != *tmp) ||
271 		    !eap_eke_supp_encr(*tmp))
272 			continue;
273 		tmp++;
274 		if ((data->prf && data->prf != *tmp) ||
275 		    !eap_eke_supp_prf(*tmp))
276 			continue;
277 		tmp++;
278 		if ((data->mac && data->mac != *tmp) ||
279 		    !eap_eke_supp_mac(*tmp))
280 			continue;
281 
282 		prop = tmp - 3;
283 		if (eap_eke_session_init(&data->sess, prop[0], prop[1], prop[2],
284 					 prop[3]) < 0) {
285 			prop = NULL;
286 			continue;
287 		}
288 
289 		wpa_printf(MSG_DEBUG, "EAP-EKE: Selected proposal");
290 		break;
291 	}
292 
293 	if (prop == NULL) {
294 		wpa_printf(MSG_DEBUG, "EAP-EKE: No acceptable proposal found");
295 		return eap_eke_build_fail(data, ret, id,
296 					  EAP_EKE_FAIL_NO_PROPOSAL_CHOSEN);
297 	}
298 
299 	pos += (num_prop - i - 1) * 4;
300 
301 	if (pos == end) {
302 		wpa_printf(MSG_DEBUG, "EAP-EKE: Too short ID/Request Data to include IDType/Identity");
303 		return eap_eke_build_fail(data, ret, id,
304 					  EAP_EKE_FAIL_PROTO_ERROR);
305 	}
306 
307 	idtype = *pos++;
308 	wpa_printf(MSG_DEBUG, "EAP-EKE: Server IDType %u", idtype);
309 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-EKE: Server Identity",
310 			  pos, end - pos);
311 	os_free(data->serverid);
312 	data->serverid = os_memdup(pos, end - pos);
313 	if (data->serverid == NULL) {
314 		return eap_eke_build_fail(data, ret, id,
315 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
316 	}
317 	data->serverid_len = end - pos;
318 
319 	wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-ID/Response");
320 
321 	resp = eap_eke_build_msg(data, id,
322 				 2 + 4 + 1 + data->peerid_len,
323 				 EAP_EKE_ID);
324 	if (resp == NULL) {
325 		return eap_eke_build_fail(data, ret, id,
326 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
327 	}
328 
329 	wpabuf_put_u8(resp, 1); /* NumProposals */
330 	wpabuf_put_u8(resp, 0); /* Reserved */
331 	wpabuf_put_data(resp, prop, 4); /* Selected Proposal */
332 	wpabuf_put_u8(resp, EAP_EKE_ID_NAI);
333 	if (data->peerid)
334 		wpabuf_put_data(resp, data->peerid, data->peerid_len);
335 
336 	wpabuf_free(data->msgs);
337 	data->msgs = wpabuf_alloc(wpabuf_len(reqData) + wpabuf_len(resp));
338 	if (data->msgs == NULL) {
339 		wpabuf_free(resp);
340 		return eap_eke_build_fail(data, ret, id,
341 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
342 	}
343 	wpabuf_put_buf(data->msgs, reqData);
344 	wpabuf_put_buf(data->msgs, resp);
345 
346 	eap_eke_state(data, COMMIT);
347 
348 	return resp;
349 }
350 
351 
352 static struct wpabuf * eap_eke_process_commit(struct eap_sm *sm,
353 					      struct eap_eke_data *data,
354 					      struct eap_method_ret *ret,
355 					      const struct wpabuf *reqData,
356 					      const u8 *payload,
357 					      size_t payload_len)
358 {
359 	struct wpabuf *resp;
360 	const u8 *pos, *end, *dhcomp;
361 	size_t prot_len;
362 	u8 *rpos;
363 	u8 key[EAP_EKE_MAX_KEY_LEN];
364 	u8 pub[EAP_EKE_MAX_DH_LEN];
365 	const u8 *password;
366 	size_t password_len;
367 	u8 id = eap_get_id(reqData);
368 
369 	if (data->state != COMMIT) {
370 		wpa_printf(MSG_DEBUG, "EAP-EKE: EAP-EKE-Commit/Request received in unexpected state (%d)", data->state);
371 		return eap_eke_build_fail(data, ret, id,
372 					  EAP_EKE_FAIL_PROTO_ERROR);
373 	}
374 
375 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Commit/Request");
376 
377 	password = eap_get_config_password(sm, &password_len);
378 	if (password == NULL) {
379 		wpa_printf(MSG_INFO, "EAP-EKE: No password configured!");
380 		return eap_eke_build_fail(data, ret, id,
381 					  EAP_EKE_FAIL_PASSWD_NOT_FOUND);
382 	}
383 
384 	pos = payload;
385 	end = payload + payload_len;
386 
387 	if (pos + data->sess.dhcomp_len > end) {
388 		wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Commit");
389 		return eap_eke_build_fail(data, ret, id,
390 					  EAP_EKE_FAIL_PROTO_ERROR);
391 	}
392 
393 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent_S",
394 		    pos, data->sess.dhcomp_len);
395 	dhcomp = pos;
396 	pos += data->sess.dhcomp_len;
397 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: CBValue", pos, end - pos);
398 
399 	/*
400 	 * temp = prf(0+, password)
401 	 * key = prf+(temp, ID_S | ID_P)
402 	 */
403 	if (eap_eke_derive_key(&data->sess, password, password_len,
404 			       data->serverid, data->serverid_len,
405 			       data->peerid, data->peerid_len, key) < 0) {
406 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive key");
407 		return eap_eke_build_fail(data, ret, id,
408 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
409 	}
410 
411 	/*
412 	 * y_p = g ^ x_p (mod p)
413 	 * x_p = random number 2 .. p-1
414 	 */
415 	if (eap_eke_dh_init(data->sess.dhgroup, data->dh_priv, pub) < 0) {
416 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to initialize DH");
417 		forced_memzero(key, sizeof(key));
418 		return eap_eke_build_fail(data, ret, id,
419 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
420 	}
421 
422 	if (eap_eke_shared_secret(&data->sess, key, data->dh_priv, dhcomp) < 0)
423 	{
424 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive shared secret");
425 		forced_memzero(key, sizeof(key));
426 		return eap_eke_build_fail(data, ret, id,
427 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
428 	}
429 
430 	if (eap_eke_derive_ke_ki(&data->sess,
431 				 data->serverid, data->serverid_len,
432 				 data->peerid, data->peerid_len) < 0) {
433 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive Ke/Ki");
434 		forced_memzero(key, sizeof(key));
435 		return eap_eke_build_fail(data, ret, id,
436 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
437 	}
438 
439 	wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Commit/Response");
440 
441 	resp = eap_eke_build_msg(data, id,
442 				 data->sess.dhcomp_len + data->sess.pnonce_len,
443 				 EAP_EKE_COMMIT);
444 	if (resp == NULL) {
445 		forced_memzero(key, sizeof(key));
446 		return eap_eke_build_fail(data, ret, id,
447 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
448 	}
449 
450 	/* DHComponent_P = Encr(key, y_p) */
451 	rpos = wpabuf_put(resp, data->sess.dhcomp_len);
452 	if (eap_eke_dhcomp(&data->sess, key, pub, rpos) < 0) {
453 		wpabuf_free(resp);
454 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to build DHComponent_P");
455 		forced_memzero(key, sizeof(key));
456 		return eap_eke_build_fail(data, ret, id,
457 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
458 	}
459 	forced_memzero(key, sizeof(key));
460 
461 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent_P",
462 		    rpos, data->sess.dhcomp_len);
463 
464 	if (random_get_bytes(data->nonce_p, data->sess.nonce_len)) {
465 		wpabuf_free(resp);
466 		return eap_eke_build_fail(data, ret, id,
467 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
468 	}
469 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Nonce_P",
470 			data->nonce_p, data->sess.nonce_len);
471 	prot_len = wpabuf_tailroom(resp);
472 	if (eap_eke_prot(&data->sess, data->nonce_p, data->sess.nonce_len,
473 			 wpabuf_put(resp, 0), &prot_len) < 0) {
474 		wpabuf_free(resp);
475 		return eap_eke_build_fail(data, ret, id,
476 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
477 	}
478 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: PNonce_P",
479 		    wpabuf_put(resp, 0), prot_len);
480 	wpabuf_put(resp, prot_len);
481 
482 	/* TODO: CBValue */
483 
484 	if (wpabuf_resize(&data->msgs, wpabuf_len(reqData) + wpabuf_len(resp))
485 	    < 0) {
486 		wpabuf_free(resp);
487 		return eap_eke_build_fail(data, ret, id,
488 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
489 	}
490 	wpabuf_put_buf(data->msgs, reqData);
491 	wpabuf_put_buf(data->msgs, resp);
492 
493 	eap_eke_state(data, CONFIRM);
494 
495 	return resp;
496 }
497 
498 
499 static struct wpabuf * eap_eke_process_confirm(struct eap_eke_data *data,
500 					       struct eap_method_ret *ret,
501 					       const struct wpabuf *reqData,
502 					       const u8 *payload,
503 					       size_t payload_len)
504 {
505 	struct wpabuf *resp;
506 	const u8 *pos, *end;
507 	size_t prot_len;
508 	u8 nonces[2 * EAP_EKE_MAX_NONCE_LEN];
509 	u8 auth_s[EAP_EKE_MAX_HASH_LEN];
510 	size_t decrypt_len;
511 	u8 *auth;
512 	u8 id = eap_get_id(reqData);
513 
514 	if (data->state != CONFIRM) {
515 		wpa_printf(MSG_DEBUG, "EAP-EKE: EAP-EKE-Confirm/Request received in unexpected state (%d)",
516 			   data->state);
517 		return eap_eke_build_fail(data, ret, id,
518 					  EAP_EKE_FAIL_PROTO_ERROR);
519 	}
520 
521 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Confirm/Request");
522 
523 	pos = payload;
524 	end = payload + payload_len;
525 
526 	if (pos + data->sess.pnonce_ps_len + data->sess.prf_len > end) {
527 		wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Confirm");
528 		return eap_eke_build_fail(data, ret, id,
529 					  EAP_EKE_FAIL_PROTO_ERROR);
530 	}
531 
532 	decrypt_len = sizeof(nonces);
533 	if (eap_eke_decrypt_prot(&data->sess, pos, data->sess.pnonce_ps_len,
534 				 nonces, &decrypt_len) < 0) {
535 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt PNonce_PS");
536 		return eap_eke_build_fail(data, ret, id,
537 					  EAP_EKE_FAIL_AUTHENTICATION_FAIL);
538 	}
539 	if (decrypt_len != (size_t) 2 * data->sess.nonce_len) {
540 		wpa_printf(MSG_INFO, "EAP-EKE: PNonce_PS protected data length does not match length of Nonce_P and Nonce_S");
541 		return eap_eke_build_fail(data, ret, id,
542 					  EAP_EKE_FAIL_AUTHENTICATION_FAIL);
543 	}
544 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Received Nonce_P | Nonce_S",
545 			nonces, 2 * data->sess.nonce_len);
546 	if (os_memcmp(data->nonce_p, nonces, data->sess.nonce_len) != 0) {
547 		wpa_printf(MSG_INFO, "EAP-EKE: Received Nonce_P does not match transmitted Nonce_P");
548 		return eap_eke_build_fail(data, ret, id,
549 					  EAP_EKE_FAIL_AUTHENTICATION_FAIL);
550 	}
551 
552 	os_memcpy(data->nonce_s, nonces + data->sess.nonce_len,
553 		  data->sess.nonce_len);
554 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Nonce_S",
555 			data->nonce_s, data->sess.nonce_len);
556 
557 	if (eap_eke_derive_ka(&data->sess, data->serverid, data->serverid_len,
558 			      data->peerid, data->peerid_len,
559 			      data->nonce_p, data->nonce_s) < 0) {
560 		return eap_eke_build_fail(data, ret, id,
561 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
562 	}
563 
564 	if (eap_eke_auth(&data->sess, "EAP-EKE server", data->msgs, auth_s) < 0)
565 	{
566 		return eap_eke_build_fail(data, ret, id,
567 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
568 	}
569 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: Auth_S", auth_s, data->sess.prf_len);
570 	if (os_memcmp_const(auth_s, pos + data->sess.pnonce_ps_len,
571 			    data->sess.prf_len) != 0) {
572 		wpa_printf(MSG_INFO, "EAP-EKE: Auth_S does not match");
573 		return eap_eke_build_fail(data, ret, id,
574 					  EAP_EKE_FAIL_AUTHENTICATION_FAIL);
575 	}
576 
577 	wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Confirm/Response");
578 
579 	resp = eap_eke_build_msg(data, id,
580 				 data->sess.pnonce_len + data->sess.prf_len,
581 				 EAP_EKE_CONFIRM);
582 	if (resp == NULL) {
583 		return eap_eke_build_fail(data, ret, id,
584 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
585 	}
586 
587 	prot_len = wpabuf_tailroom(resp);
588 	if (eap_eke_prot(&data->sess, data->nonce_s, data->sess.nonce_len,
589 			 wpabuf_put(resp, 0), &prot_len) < 0) {
590 		wpabuf_free(resp);
591 		return eap_eke_build_fail(data, ret, id,
592 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
593 	}
594 	wpabuf_put(resp, prot_len);
595 
596 	auth = wpabuf_put(resp, data->sess.prf_len);
597 	if (eap_eke_auth(&data->sess, "EAP-EKE peer", data->msgs, auth) < 0) {
598 		wpabuf_free(resp);
599 		return eap_eke_build_fail(data, ret, id,
600 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
601 	}
602 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: Auth_P", auth, data->sess.prf_len);
603 
604 	if (eap_eke_derive_msk(&data->sess, data->serverid, data->serverid_len,
605 			       data->peerid, data->peerid_len,
606 			       data->nonce_s, data->nonce_p,
607 			       data->msk, data->emsk) < 0) {
608 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive MSK/EMSK");
609 		wpabuf_free(resp);
610 		return eap_eke_build_fail(data, ret, id,
611 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
612 	}
613 
614 	os_memset(data->dh_priv, 0, sizeof(data->dh_priv));
615 	eap_eke_session_clean(&data->sess);
616 
617 	eap_eke_state(data, SUCCESS);
618 	ret->methodState = METHOD_MAY_CONT;
619 	ret->decision = DECISION_COND_SUCC;
620 	ret->allowNotifications = false;
621 
622 	return resp;
623 }
624 
625 
626 static struct wpabuf * eap_eke_process_failure(struct eap_eke_data *data,
627 					       struct eap_method_ret *ret,
628 					       const struct wpabuf *reqData,
629 					       const u8 *payload,
630 					       size_t payload_len)
631 {
632 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Failure/Request");
633 
634 	if (payload_len < 4) {
635 		wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Failure");
636 	} else {
637 		u32 code;
638 		code = WPA_GET_BE32(payload);
639 		wpa_printf(MSG_INFO, "EAP-EKE: Failure-Code 0x%x", code);
640 	}
641 
642 	return eap_eke_build_fail(data, ret, eap_get_id(reqData),
643 				  EAP_EKE_FAIL_NO_ERROR);
644 }
645 
646 
647 static struct wpabuf * eap_eke_process(struct eap_sm *sm, void *priv,
648 				       struct eap_method_ret *ret,
649 				       const struct wpabuf *reqData)
650 {
651 	struct eap_eke_data *data = priv;
652 	struct wpabuf *resp;
653 	const u8 *pos, *end;
654 	size_t len;
655 	u8 eke_exch;
656 
657 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_EKE, reqData, &len);
658 	if (pos == NULL || len < 1) {
659 		ret->ignore = true;
660 		return NULL;
661 	}
662 
663 	end = pos + len;
664 	eke_exch = *pos++;
665 
666 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received frame: exch %d", eke_exch);
667 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: Received Data", pos, end - pos);
668 
669 	ret->ignore = false;
670 	ret->methodState = METHOD_MAY_CONT;
671 	ret->decision = DECISION_FAIL;
672 	ret->allowNotifications = true;
673 
674 	switch (eke_exch) {
675 	case EAP_EKE_ID:
676 		resp = eap_eke_process_id(data, ret, reqData, pos, end - pos);
677 		break;
678 	case EAP_EKE_COMMIT:
679 		resp = eap_eke_process_commit(sm, data, ret, reqData,
680 					      pos, end - pos);
681 		break;
682 	case EAP_EKE_CONFIRM:
683 		resp = eap_eke_process_confirm(data, ret, reqData,
684 					       pos, end - pos);
685 		break;
686 	case EAP_EKE_FAILURE:
687 		resp = eap_eke_process_failure(data, ret, reqData,
688 					       pos, end - pos);
689 		break;
690 	default:
691 		wpa_printf(MSG_DEBUG, "EAP-EKE: Ignoring message with unknown EKE-Exch %d", eke_exch);
692 		ret->ignore = true;
693 		return NULL;
694 	}
695 
696 	if (ret->methodState == METHOD_DONE)
697 		ret->allowNotifications = false;
698 
699 	return resp;
700 }
701 
702 
703 static bool eap_eke_isKeyAvailable(struct eap_sm *sm, void *priv)
704 {
705 	struct eap_eke_data *data = priv;
706 	return data->state == SUCCESS;
707 }
708 
709 
710 static u8 * eap_eke_getKey(struct eap_sm *sm, void *priv, size_t *len)
711 {
712 	struct eap_eke_data *data = priv;
713 	u8 *key;
714 
715 	if (data->state != SUCCESS)
716 		return NULL;
717 
718 	key = os_memdup(data->msk, EAP_MSK_LEN);
719 	if (key == NULL)
720 		return NULL;
721 	*len = EAP_MSK_LEN;
722 
723 	return key;
724 }
725 
726 
727 static u8 * eap_eke_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
728 {
729 	struct eap_eke_data *data = priv;
730 	u8 *key;
731 
732 	if (data->state != SUCCESS)
733 		return NULL;
734 
735 	key = os_memdup(data->emsk, EAP_EMSK_LEN);
736 	if (key == NULL)
737 		return NULL;
738 	*len = EAP_EMSK_LEN;
739 
740 	return key;
741 }
742 
743 
744 static u8 * eap_eke_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
745 {
746 	struct eap_eke_data *data = priv;
747 	u8 *sid;
748 	size_t sid_len;
749 
750 	if (data->state != SUCCESS)
751 		return NULL;
752 
753 	sid_len = 1 + 2 * data->sess.nonce_len;
754 	sid = os_malloc(sid_len);
755 	if (sid == NULL)
756 		return NULL;
757 	sid[0] = EAP_TYPE_EKE;
758 	os_memcpy(sid + 1, data->nonce_p, data->sess.nonce_len);
759 	os_memcpy(sid + 1 + data->sess.nonce_len, data->nonce_s,
760 		  data->sess.nonce_len);
761 	*len = sid_len;
762 
763 	return sid;
764 }
765 
766 
767 int eap_peer_eke_register(void)
768 {
769 	struct eap_method *eap;
770 
771 	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
772 				    EAP_VENDOR_IETF, EAP_TYPE_EKE, "EKE");
773 	if (eap == NULL)
774 		return -1;
775 
776 	eap->init = eap_eke_init;
777 	eap->deinit = eap_eke_deinit;
778 	eap->process = eap_eke_process;
779 	eap->isKeyAvailable = eap_eke_isKeyAvailable;
780 	eap->getKey = eap_eke_getKey;
781 	eap->get_emsk = eap_eke_get_emsk;
782 	eap->getSessionId = eap_eke_get_session_id;
783 
784 	return eap_peer_method_register(eap);
785 }
786