1 /* 2 * EAP peer method: EAP-EKE (RFC 6124) 3 * Copyright (c) 2013, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/random.h" 13 #include "eap_peer/eap_i.h" 14 #include "eap_common/eap_eke_common.h" 15 16 struct eap_eke_data { 17 enum { 18 IDENTITY, COMMIT, CONFIRM, SUCCESS, FAILURE 19 } state; 20 u8 msk[EAP_MSK_LEN]; 21 u8 emsk[EAP_EMSK_LEN]; 22 u8 *peerid; 23 size_t peerid_len; 24 u8 *serverid; 25 size_t serverid_len; 26 u8 dh_priv[EAP_EKE_MAX_DH_LEN]; 27 struct eap_eke_session sess; 28 u8 nonce_p[EAP_EKE_MAX_NONCE_LEN]; 29 u8 nonce_s[EAP_EKE_MAX_NONCE_LEN]; 30 struct wpabuf *msgs; 31 u8 dhgroup; /* forced DH group or 0 to allow all supported */ 32 u8 encr; /* forced encryption algorithm or 0 to allow all supported */ 33 u8 prf; /* forced PRF or 0 to allow all supported */ 34 u8 mac; /* forced MAC or 0 to allow all supported */ 35 }; 36 37 38 static const char * eap_eke_state_txt(int state) 39 { 40 switch (state) { 41 case IDENTITY: 42 return "IDENTITY"; 43 case COMMIT: 44 return "COMMIT"; 45 case CONFIRM: 46 return "CONFIRM"; 47 case SUCCESS: 48 return "SUCCESS"; 49 case FAILURE: 50 return "FAILURE"; 51 default: 52 return "?"; 53 } 54 } 55 56 57 static void eap_eke_state(struct eap_eke_data *data, int state) 58 { 59 wpa_printf(MSG_DEBUG, "EAP-EKE: %s -> %s", 60 eap_eke_state_txt(data->state), eap_eke_state_txt(state)); 61 data->state = state; 62 } 63 64 65 static void eap_eke_deinit(struct eap_sm *sm, void *priv); 66 67 68 static void * eap_eke_init(struct eap_sm *sm) 69 { 70 struct eap_eke_data *data; 71 const u8 *identity, *password; 72 size_t identity_len, password_len; 73 const char *phase1; 74 75 password = eap_get_config_password(sm, &password_len); 76 if (!password) { 77 wpa_printf(MSG_INFO, "EAP-EKE: No password configured"); 78 return NULL; 79 } 80 81 data = os_zalloc(sizeof(*data)); 82 if (data == NULL) 83 return NULL; 84 eap_eke_state(data, IDENTITY); 85 86 identity = eap_get_config_identity(sm, &identity_len); 87 if (identity) { 88 data->peerid = os_memdup(identity, identity_len); 89 if (data->peerid == NULL) { 90 eap_eke_deinit(sm, data); 91 return NULL; 92 } 93 data->peerid_len = identity_len; 94 } 95 96 phase1 = eap_get_config_phase1(sm); 97 if (phase1) { 98 const char *pos; 99 100 pos = os_strstr(phase1, "dhgroup="); 101 if (pos) { 102 data->dhgroup = atoi(pos + 8); 103 wpa_printf(MSG_DEBUG, "EAP-EKE: Forced dhgroup %u", 104 data->dhgroup); 105 } 106 107 pos = os_strstr(phase1, "encr="); 108 if (pos) { 109 data->encr = atoi(pos + 5); 110 wpa_printf(MSG_DEBUG, "EAP-EKE: Forced encr %u", 111 data->encr); 112 } 113 114 pos = os_strstr(phase1, "prf="); 115 if (pos) { 116 data->prf = atoi(pos + 4); 117 wpa_printf(MSG_DEBUG, "EAP-EKE: Forced prf %u", 118 data->prf); 119 } 120 121 pos = os_strstr(phase1, "mac="); 122 if (pos) { 123 data->mac = atoi(pos + 4); 124 wpa_printf(MSG_DEBUG, "EAP-EKE: Forced mac %u", 125 data->mac); 126 } 127 } 128 129 return data; 130 } 131 132 133 static void eap_eke_deinit(struct eap_sm *sm, void *priv) 134 { 135 struct eap_eke_data *data = priv; 136 eap_eke_session_clean(&data->sess); 137 os_free(data->serverid); 138 os_free(data->peerid); 139 wpabuf_free(data->msgs); 140 bin_clear_free(data, sizeof(*data)); 141 } 142 143 144 static struct wpabuf * eap_eke_build_msg(struct eap_eke_data *data, int id, 145 size_t length, u8 eke_exch) 146 { 147 struct wpabuf *msg; 148 size_t plen; 149 150 plen = 1 + length; 151 152 msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_EKE, plen, 153 EAP_CODE_RESPONSE, id); 154 if (msg == NULL) { 155 wpa_printf(MSG_ERROR, "EAP-EKE: Failed to allocate memory"); 156 return NULL; 157 } 158 159 wpabuf_put_u8(msg, eke_exch); 160 161 return msg; 162 } 163 164 165 static int eap_eke_supp_dhgroup(u8 dhgroup) 166 { 167 return dhgroup == EAP_EKE_DHGROUP_EKE_2 || 168 dhgroup == EAP_EKE_DHGROUP_EKE_5 || 169 dhgroup == EAP_EKE_DHGROUP_EKE_14 || 170 dhgroup == EAP_EKE_DHGROUP_EKE_15 || 171 dhgroup == EAP_EKE_DHGROUP_EKE_16; 172 } 173 174 175 static int eap_eke_supp_encr(u8 encr) 176 { 177 return encr == EAP_EKE_ENCR_AES128_CBC; 178 } 179 180 181 static int eap_eke_supp_prf(u8 prf) 182 { 183 return prf == EAP_EKE_PRF_HMAC_SHA1 || 184 prf == EAP_EKE_PRF_HMAC_SHA2_256; 185 } 186 187 188 static int eap_eke_supp_mac(u8 mac) 189 { 190 return mac == EAP_EKE_MAC_HMAC_SHA1 || 191 mac == EAP_EKE_MAC_HMAC_SHA2_256; 192 } 193 194 195 static struct wpabuf * eap_eke_build_fail(struct eap_eke_data *data, 196 struct eap_method_ret *ret, 197 u8 id, u32 failure_code) 198 { 199 struct wpabuf *resp; 200 201 wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Failure/Response - code=0x%x", 202 failure_code); 203 204 resp = eap_eke_build_msg(data, id, 4, EAP_EKE_FAILURE); 205 if (resp) 206 wpabuf_put_be32(resp, failure_code); 207 208 os_memset(data->dh_priv, 0, sizeof(data->dh_priv)); 209 eap_eke_session_clean(&data->sess); 210 211 eap_eke_state(data, FAILURE); 212 ret->methodState = METHOD_DONE; 213 ret->decision = DECISION_FAIL; 214 ret->allowNotifications = FALSE; 215 216 return resp; 217 } 218 219 220 static struct wpabuf * eap_eke_process_id(struct eap_eke_data *data, 221 struct eap_method_ret *ret, 222 const struct wpabuf *reqData, 223 const u8 *payload, 224 size_t payload_len) 225 { 226 struct wpabuf *resp; 227 unsigned num_prop, i; 228 const u8 *pos, *end; 229 const u8 *prop = NULL; 230 u8 idtype; 231 u8 id = eap_get_id(reqData); 232 233 if (data->state != IDENTITY) { 234 return eap_eke_build_fail(data, ret, id, 235 EAP_EKE_FAIL_PROTO_ERROR); 236 } 237 238 wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-ID/Request"); 239 240 if (payload_len < 2 + 4) { 241 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short ID/Request Data"); 242 return eap_eke_build_fail(data, ret, id, 243 EAP_EKE_FAIL_PROTO_ERROR); 244 } 245 246 pos = payload; 247 end = payload + payload_len; 248 249 num_prop = *pos++; 250 pos++; /* Ignore Reserved field */ 251 252 if (pos + num_prop * 4 > end) { 253 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short ID/Request Data (num_prop=%u)", 254 num_prop); 255 return eap_eke_build_fail(data, ret, id, 256 EAP_EKE_FAIL_PROTO_ERROR); 257 } 258 259 for (i = 0; i < num_prop; i++) { 260 const u8 *tmp = pos; 261 262 wpa_printf(MSG_DEBUG, "EAP-EKE: Proposal #%u: dh=%u encr=%u prf=%u mac=%u", 263 i, pos[0], pos[1], pos[2], pos[3]); 264 pos += 4; 265 266 if ((data->dhgroup && data->dhgroup != *tmp) || 267 !eap_eke_supp_dhgroup(*tmp)) 268 continue; 269 tmp++; 270 if ((data->encr && data->encr != *tmp) || 271 !eap_eke_supp_encr(*tmp)) 272 continue; 273 tmp++; 274 if ((data->prf && data->prf != *tmp) || 275 !eap_eke_supp_prf(*tmp)) 276 continue; 277 tmp++; 278 if ((data->mac && data->mac != *tmp) || 279 !eap_eke_supp_mac(*tmp)) 280 continue; 281 282 prop = tmp - 3; 283 if (eap_eke_session_init(&data->sess, prop[0], prop[1], prop[2], 284 prop[3]) < 0) { 285 prop = NULL; 286 continue; 287 } 288 289 wpa_printf(MSG_DEBUG, "EAP-EKE: Selected proposal"); 290 break; 291 } 292 293 if (prop == NULL) { 294 wpa_printf(MSG_DEBUG, "EAP-EKE: No acceptable proposal found"); 295 return eap_eke_build_fail(data, ret, id, 296 EAP_EKE_FAIL_NO_PROPOSAL_CHOSEN); 297 } 298 299 pos += (num_prop - i - 1) * 4; 300 301 if (pos == end) { 302 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short ID/Request Data to include IDType/Identity"); 303 return eap_eke_build_fail(data, ret, id, 304 EAP_EKE_FAIL_PROTO_ERROR); 305 } 306 307 idtype = *pos++; 308 wpa_printf(MSG_DEBUG, "EAP-EKE: Server IDType %u", idtype); 309 wpa_hexdump_ascii(MSG_DEBUG, "EAP-EKE: Server Identity", 310 pos, end - pos); 311 os_free(data->serverid); 312 data->serverid = os_memdup(pos, end - pos); 313 if (data->serverid == NULL) { 314 return eap_eke_build_fail(data, ret, id, 315 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 316 } 317 data->serverid_len = end - pos; 318 319 wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-ID/Response"); 320 321 resp = eap_eke_build_msg(data, id, 322 2 + 4 + 1 + data->peerid_len, 323 EAP_EKE_ID); 324 if (resp == NULL) { 325 return eap_eke_build_fail(data, ret, id, 326 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 327 } 328 329 wpabuf_put_u8(resp, 1); /* NumProposals */ 330 wpabuf_put_u8(resp, 0); /* Reserved */ 331 wpabuf_put_data(resp, prop, 4); /* Selected Proposal */ 332 wpabuf_put_u8(resp, EAP_EKE_ID_NAI); 333 if (data->peerid) 334 wpabuf_put_data(resp, data->peerid, data->peerid_len); 335 336 wpabuf_free(data->msgs); 337 data->msgs = wpabuf_alloc(wpabuf_len(reqData) + wpabuf_len(resp)); 338 if (data->msgs == NULL) { 339 wpabuf_free(resp); 340 return eap_eke_build_fail(data, ret, id, 341 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 342 } 343 wpabuf_put_buf(data->msgs, reqData); 344 wpabuf_put_buf(data->msgs, resp); 345 346 eap_eke_state(data, COMMIT); 347 348 return resp; 349 } 350 351 352 static struct wpabuf * eap_eke_process_commit(struct eap_sm *sm, 353 struct eap_eke_data *data, 354 struct eap_method_ret *ret, 355 const struct wpabuf *reqData, 356 const u8 *payload, 357 size_t payload_len) 358 { 359 struct wpabuf *resp; 360 const u8 *pos, *end, *dhcomp; 361 size_t prot_len; 362 u8 *rpos; 363 u8 key[EAP_EKE_MAX_KEY_LEN]; 364 u8 pub[EAP_EKE_MAX_DH_LEN]; 365 const u8 *password; 366 size_t password_len; 367 u8 id = eap_get_id(reqData); 368 369 if (data->state != COMMIT) { 370 wpa_printf(MSG_DEBUG, "EAP-EKE: EAP-EKE-Commit/Request received in unexpected state (%d)", data->state); 371 return eap_eke_build_fail(data, ret, id, 372 EAP_EKE_FAIL_PROTO_ERROR); 373 } 374 375 wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Commit/Request"); 376 377 password = eap_get_config_password(sm, &password_len); 378 if (password == NULL) { 379 wpa_printf(MSG_INFO, "EAP-EKE: No password configured!"); 380 return eap_eke_build_fail(data, ret, id, 381 EAP_EKE_FAIL_PASSWD_NOT_FOUND); 382 } 383 384 pos = payload; 385 end = payload + payload_len; 386 387 if (pos + data->sess.dhcomp_len > end) { 388 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Commit"); 389 return eap_eke_build_fail(data, ret, id, 390 EAP_EKE_FAIL_PROTO_ERROR); 391 } 392 393 wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent_S", 394 pos, data->sess.dhcomp_len); 395 dhcomp = pos; 396 pos += data->sess.dhcomp_len; 397 wpa_hexdump(MSG_DEBUG, "EAP-EKE: CBValue", pos, end - pos); 398 399 /* 400 * temp = prf(0+, password) 401 * key = prf+(temp, ID_S | ID_P) 402 */ 403 if (eap_eke_derive_key(&data->sess, password, password_len, 404 data->serverid, data->serverid_len, 405 data->peerid, data->peerid_len, key) < 0) { 406 wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive key"); 407 return eap_eke_build_fail(data, ret, id, 408 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 409 } 410 411 /* 412 * y_p = g ^ x_p (mod p) 413 * x_p = random number 2 .. p-1 414 */ 415 if (eap_eke_dh_init(data->sess.dhgroup, data->dh_priv, pub) < 0) { 416 wpa_printf(MSG_INFO, "EAP-EKE: Failed to initialize DH"); 417 forced_memzero(key, sizeof(key)); 418 return eap_eke_build_fail(data, ret, id, 419 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 420 } 421 422 if (eap_eke_shared_secret(&data->sess, key, data->dh_priv, dhcomp) < 0) 423 { 424 wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive shared secret"); 425 forced_memzero(key, sizeof(key)); 426 return eap_eke_build_fail(data, ret, id, 427 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 428 } 429 430 if (eap_eke_derive_ke_ki(&data->sess, 431 data->serverid, data->serverid_len, 432 data->peerid, data->peerid_len) < 0) { 433 wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive Ke/Ki"); 434 forced_memzero(key, sizeof(key)); 435 return eap_eke_build_fail(data, ret, id, 436 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 437 } 438 439 wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Commit/Response"); 440 441 resp = eap_eke_build_msg(data, id, 442 data->sess.dhcomp_len + data->sess.pnonce_len, 443 EAP_EKE_COMMIT); 444 if (resp == NULL) { 445 forced_memzero(key, sizeof(key)); 446 return eap_eke_build_fail(data, ret, id, 447 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 448 } 449 450 /* DHComponent_P = Encr(key, y_p) */ 451 rpos = wpabuf_put(resp, data->sess.dhcomp_len); 452 if (eap_eke_dhcomp(&data->sess, key, pub, rpos) < 0) { 453 wpabuf_free(resp); 454 wpa_printf(MSG_INFO, "EAP-EKE: Failed to build DHComponent_P"); 455 forced_memzero(key, sizeof(key)); 456 return eap_eke_build_fail(data, ret, id, 457 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 458 } 459 forced_memzero(key, sizeof(key)); 460 461 wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent_P", 462 rpos, data->sess.dhcomp_len); 463 464 if (random_get_bytes(data->nonce_p, data->sess.nonce_len)) { 465 wpabuf_free(resp); 466 return eap_eke_build_fail(data, ret, id, 467 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 468 } 469 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Nonce_P", 470 data->nonce_p, data->sess.nonce_len); 471 prot_len = wpabuf_tailroom(resp); 472 if (eap_eke_prot(&data->sess, data->nonce_p, data->sess.nonce_len, 473 wpabuf_put(resp, 0), &prot_len) < 0) { 474 wpabuf_free(resp); 475 return eap_eke_build_fail(data, ret, id, 476 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 477 } 478 wpa_hexdump(MSG_DEBUG, "EAP-EKE: PNonce_P", 479 wpabuf_put(resp, 0), prot_len); 480 wpabuf_put(resp, prot_len); 481 482 /* TODO: CBValue */ 483 484 if (wpabuf_resize(&data->msgs, wpabuf_len(reqData) + wpabuf_len(resp)) 485 < 0) { 486 wpabuf_free(resp); 487 return eap_eke_build_fail(data, ret, id, 488 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 489 } 490 wpabuf_put_buf(data->msgs, reqData); 491 wpabuf_put_buf(data->msgs, resp); 492 493 eap_eke_state(data, CONFIRM); 494 495 return resp; 496 } 497 498 499 static struct wpabuf * eap_eke_process_confirm(struct eap_eke_data *data, 500 struct eap_method_ret *ret, 501 const struct wpabuf *reqData, 502 const u8 *payload, 503 size_t payload_len) 504 { 505 struct wpabuf *resp; 506 const u8 *pos, *end; 507 size_t prot_len; 508 u8 nonces[2 * EAP_EKE_MAX_NONCE_LEN]; 509 u8 auth_s[EAP_EKE_MAX_HASH_LEN]; 510 size_t decrypt_len; 511 u8 *auth; 512 u8 id = eap_get_id(reqData); 513 514 if (data->state != CONFIRM) { 515 wpa_printf(MSG_DEBUG, "EAP-EKE: EAP-EKE-Confirm/Request received in unexpected state (%d)", 516 data->state); 517 return eap_eke_build_fail(data, ret, id, 518 EAP_EKE_FAIL_PROTO_ERROR); 519 } 520 521 wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Confirm/Request"); 522 523 pos = payload; 524 end = payload + payload_len; 525 526 if (pos + data->sess.pnonce_ps_len + data->sess.prf_len > end) { 527 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Confirm"); 528 return eap_eke_build_fail(data, ret, id, 529 EAP_EKE_FAIL_PROTO_ERROR); 530 } 531 532 decrypt_len = sizeof(nonces); 533 if (eap_eke_decrypt_prot(&data->sess, pos, data->sess.pnonce_ps_len, 534 nonces, &decrypt_len) < 0) { 535 wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt PNonce_PS"); 536 return eap_eke_build_fail(data, ret, id, 537 EAP_EKE_FAIL_AUTHENTICATION_FAIL); 538 } 539 if (decrypt_len != (size_t) 2 * data->sess.nonce_len) { 540 wpa_printf(MSG_INFO, "EAP-EKE: PNonce_PS protected data length does not match length of Nonce_P and Nonce_S"); 541 return eap_eke_build_fail(data, ret, id, 542 EAP_EKE_FAIL_AUTHENTICATION_FAIL); 543 } 544 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Received Nonce_P | Nonce_S", 545 nonces, 2 * data->sess.nonce_len); 546 if (os_memcmp(data->nonce_p, nonces, data->sess.nonce_len) != 0) { 547 wpa_printf(MSG_INFO, "EAP-EKE: Received Nonce_P does not match transmitted Nonce_P"); 548 return eap_eke_build_fail(data, ret, id, 549 EAP_EKE_FAIL_AUTHENTICATION_FAIL); 550 } 551 552 os_memcpy(data->nonce_s, nonces + data->sess.nonce_len, 553 data->sess.nonce_len); 554 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Nonce_S", 555 data->nonce_s, data->sess.nonce_len); 556 557 if (eap_eke_derive_ka(&data->sess, data->serverid, data->serverid_len, 558 data->peerid, data->peerid_len, 559 data->nonce_p, data->nonce_s) < 0) { 560 return eap_eke_build_fail(data, ret, id, 561 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 562 } 563 564 if (eap_eke_auth(&data->sess, "EAP-EKE server", data->msgs, auth_s) < 0) 565 { 566 return eap_eke_build_fail(data, ret, id, 567 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 568 } 569 wpa_hexdump(MSG_DEBUG, "EAP-EKE: Auth_S", auth_s, data->sess.prf_len); 570 if (os_memcmp_const(auth_s, pos + data->sess.pnonce_ps_len, 571 data->sess.prf_len) != 0) { 572 wpa_printf(MSG_INFO, "EAP-EKE: Auth_S does not match"); 573 return eap_eke_build_fail(data, ret, id, 574 EAP_EKE_FAIL_AUTHENTICATION_FAIL); 575 } 576 577 wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Confirm/Response"); 578 579 resp = eap_eke_build_msg(data, id, 580 data->sess.pnonce_len + data->sess.prf_len, 581 EAP_EKE_CONFIRM); 582 if (resp == NULL) { 583 return eap_eke_build_fail(data, ret, id, 584 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 585 } 586 587 prot_len = wpabuf_tailroom(resp); 588 if (eap_eke_prot(&data->sess, data->nonce_s, data->sess.nonce_len, 589 wpabuf_put(resp, 0), &prot_len) < 0) { 590 wpabuf_free(resp); 591 return eap_eke_build_fail(data, ret, id, 592 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 593 } 594 wpabuf_put(resp, prot_len); 595 596 auth = wpabuf_put(resp, data->sess.prf_len); 597 if (eap_eke_auth(&data->sess, "EAP-EKE peer", data->msgs, auth) < 0) { 598 wpabuf_free(resp); 599 return eap_eke_build_fail(data, ret, id, 600 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 601 } 602 wpa_hexdump(MSG_DEBUG, "EAP-EKE: Auth_P", auth, data->sess.prf_len); 603 604 if (eap_eke_derive_msk(&data->sess, data->serverid, data->serverid_len, 605 data->peerid, data->peerid_len, 606 data->nonce_s, data->nonce_p, 607 data->msk, data->emsk) < 0) { 608 wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive MSK/EMSK"); 609 wpabuf_free(resp); 610 return eap_eke_build_fail(data, ret, id, 611 EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR); 612 } 613 614 os_memset(data->dh_priv, 0, sizeof(data->dh_priv)); 615 eap_eke_session_clean(&data->sess); 616 617 eap_eke_state(data, SUCCESS); 618 ret->methodState = METHOD_MAY_CONT; 619 ret->decision = DECISION_COND_SUCC; 620 ret->allowNotifications = FALSE; 621 622 return resp; 623 } 624 625 626 static struct wpabuf * eap_eke_process_failure(struct eap_eke_data *data, 627 struct eap_method_ret *ret, 628 const struct wpabuf *reqData, 629 const u8 *payload, 630 size_t payload_len) 631 { 632 wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Failure/Request"); 633 634 if (payload_len < 4) { 635 wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Failure"); 636 } else { 637 u32 code; 638 code = WPA_GET_BE32(payload); 639 wpa_printf(MSG_INFO, "EAP-EKE: Failure-Code 0x%x", code); 640 } 641 642 return eap_eke_build_fail(data, ret, eap_get_id(reqData), 643 EAP_EKE_FAIL_NO_ERROR); 644 } 645 646 647 static struct wpabuf * eap_eke_process(struct eap_sm *sm, void *priv, 648 struct eap_method_ret *ret, 649 const struct wpabuf *reqData) 650 { 651 struct eap_eke_data *data = priv; 652 struct wpabuf *resp; 653 const u8 *pos, *end; 654 size_t len; 655 u8 eke_exch; 656 657 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_EKE, reqData, &len); 658 if (pos == NULL || len < 1) { 659 ret->ignore = TRUE; 660 return NULL; 661 } 662 663 end = pos + len; 664 eke_exch = *pos++; 665 666 wpa_printf(MSG_DEBUG, "EAP-EKE: Received frame: exch %d", eke_exch); 667 wpa_hexdump(MSG_DEBUG, "EAP-EKE: Received Data", pos, end - pos); 668 669 ret->ignore = FALSE; 670 ret->methodState = METHOD_MAY_CONT; 671 ret->decision = DECISION_FAIL; 672 ret->allowNotifications = TRUE; 673 674 switch (eke_exch) { 675 case EAP_EKE_ID: 676 resp = eap_eke_process_id(data, ret, reqData, pos, end - pos); 677 break; 678 case EAP_EKE_COMMIT: 679 resp = eap_eke_process_commit(sm, data, ret, reqData, 680 pos, end - pos); 681 break; 682 case EAP_EKE_CONFIRM: 683 resp = eap_eke_process_confirm(data, ret, reqData, 684 pos, end - pos); 685 break; 686 case EAP_EKE_FAILURE: 687 resp = eap_eke_process_failure(data, ret, reqData, 688 pos, end - pos); 689 break; 690 default: 691 wpa_printf(MSG_DEBUG, "EAP-EKE: Ignoring message with unknown EKE-Exch %d", eke_exch); 692 ret->ignore = TRUE; 693 return NULL; 694 } 695 696 if (ret->methodState == METHOD_DONE) 697 ret->allowNotifications = FALSE; 698 699 return resp; 700 } 701 702 703 static Boolean eap_eke_isKeyAvailable(struct eap_sm *sm, void *priv) 704 { 705 struct eap_eke_data *data = priv; 706 return data->state == SUCCESS; 707 } 708 709 710 static u8 * eap_eke_getKey(struct eap_sm *sm, void *priv, size_t *len) 711 { 712 struct eap_eke_data *data = priv; 713 u8 *key; 714 715 if (data->state != SUCCESS) 716 return NULL; 717 718 key = os_memdup(data->msk, EAP_MSK_LEN); 719 if (key == NULL) 720 return NULL; 721 *len = EAP_MSK_LEN; 722 723 return key; 724 } 725 726 727 static u8 * eap_eke_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 728 { 729 struct eap_eke_data *data = priv; 730 u8 *key; 731 732 if (data->state != SUCCESS) 733 return NULL; 734 735 key = os_memdup(data->emsk, EAP_EMSK_LEN); 736 if (key == NULL) 737 return NULL; 738 *len = EAP_EMSK_LEN; 739 740 return key; 741 } 742 743 744 static u8 * eap_eke_get_session_id(struct eap_sm *sm, void *priv, size_t *len) 745 { 746 struct eap_eke_data *data = priv; 747 u8 *sid; 748 size_t sid_len; 749 750 if (data->state != SUCCESS) 751 return NULL; 752 753 sid_len = 1 + 2 * data->sess.nonce_len; 754 sid = os_malloc(sid_len); 755 if (sid == NULL) 756 return NULL; 757 sid[0] = EAP_TYPE_EKE; 758 os_memcpy(sid + 1, data->nonce_p, data->sess.nonce_len); 759 os_memcpy(sid + 1 + data->sess.nonce_len, data->nonce_s, 760 data->sess.nonce_len); 761 *len = sid_len; 762 763 return sid; 764 } 765 766 767 int eap_peer_eke_register(void) 768 { 769 struct eap_method *eap; 770 771 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION, 772 EAP_VENDOR_IETF, EAP_TYPE_EKE, "EKE"); 773 if (eap == NULL) 774 return -1; 775 776 eap->init = eap_eke_init; 777 eap->deinit = eap_eke_deinit; 778 eap->process = eap_eke_process; 779 eap->isKeyAvailable = eap_eke_isKeyAvailable; 780 eap->getKey = eap_eke_getKey; 781 eap->get_emsk = eap_eke_get_emsk; 782 eap->getSessionId = eap_eke_get_session_id; 783 784 return eap_peer_method_register(eap); 785 } 786