xref: /freebsd/contrib/wpa/src/eap_peer/eap_eke.c (revision f39bffc62c1395bde25d152c7f68fdf7cbaab414)
1 /*
2  * EAP peer method: EAP-EKE (RFC 6124)
3  * Copyright (c) 2013, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/random.h"
13 #include "eap_peer/eap_i.h"
14 #include "eap_common/eap_eke_common.h"
15 
16 struct eap_eke_data {
17 	enum {
18 		IDENTITY, COMMIT, CONFIRM, SUCCESS, FAILURE
19 	} state;
20 	u8 msk[EAP_MSK_LEN];
21 	u8 emsk[EAP_EMSK_LEN];
22 	u8 *peerid;
23 	size_t peerid_len;
24 	u8 *serverid;
25 	size_t serverid_len;
26 	u8 dh_priv[EAP_EKE_MAX_DH_LEN];
27 	struct eap_eke_session sess;
28 	u8 nonce_p[EAP_EKE_MAX_NONCE_LEN];
29 	u8 nonce_s[EAP_EKE_MAX_NONCE_LEN];
30 	struct wpabuf *msgs;
31 	u8 dhgroup; /* forced DH group or 0 to allow all supported */
32 	u8 encr; /* forced encryption algorithm or 0 to allow all supported */
33 	u8 prf; /* forced PRF or 0 to allow all supported */
34 	u8 mac; /* forced MAC or 0 to allow all supported */
35 };
36 
37 
38 static const char * eap_eke_state_txt(int state)
39 {
40 	switch (state) {
41 	case IDENTITY:
42 		return "IDENTITY";
43 	case COMMIT:
44 		return "COMMIT";
45 	case CONFIRM:
46 		return "CONFIRM";
47 	case SUCCESS:
48 		return "SUCCESS";
49 	case FAILURE:
50 		return "FAILURE";
51 	default:
52 		return "?";
53 	}
54 }
55 
56 
57 static void eap_eke_state(struct eap_eke_data *data, int state)
58 {
59 	wpa_printf(MSG_DEBUG, "EAP-EKE: %s -> %s",
60 		   eap_eke_state_txt(data->state), eap_eke_state_txt(state));
61 	data->state = state;
62 }
63 
64 
65 static void eap_eke_deinit(struct eap_sm *sm, void *priv);
66 
67 
68 static void * eap_eke_init(struct eap_sm *sm)
69 {
70 	struct eap_eke_data *data;
71 	const u8 *identity, *password;
72 	size_t identity_len, password_len;
73 	const char *phase1;
74 
75 	password = eap_get_config_password(sm, &password_len);
76 	if (!password) {
77 		wpa_printf(MSG_INFO, "EAP-EKE: No password configured");
78 		return NULL;
79 	}
80 
81 	data = os_zalloc(sizeof(*data));
82 	if (data == NULL)
83 		return NULL;
84 	eap_eke_state(data, IDENTITY);
85 
86 	identity = eap_get_config_identity(sm, &identity_len);
87 	if (identity) {
88 		data->peerid = os_malloc(identity_len);
89 		if (data->peerid == NULL) {
90 			eap_eke_deinit(sm, data);
91 			return NULL;
92 		}
93 		os_memcpy(data->peerid, identity, identity_len);
94 		data->peerid_len = identity_len;
95 	}
96 
97 	phase1 = eap_get_config_phase1(sm);
98 	if (phase1) {
99 		const char *pos;
100 
101 		pos = os_strstr(phase1, "dhgroup=");
102 		if (pos) {
103 			data->dhgroup = atoi(pos + 8);
104 			wpa_printf(MSG_DEBUG, "EAP-EKE: Forced dhgroup %u",
105 				   data->dhgroup);
106 		}
107 
108 		pos = os_strstr(phase1, "encr=");
109 		if (pos) {
110 			data->encr = atoi(pos + 5);
111 			wpa_printf(MSG_DEBUG, "EAP-EKE: Forced encr %u",
112 				   data->encr);
113 		}
114 
115 		pos = os_strstr(phase1, "prf=");
116 		if (pos) {
117 			data->prf = atoi(pos + 4);
118 			wpa_printf(MSG_DEBUG, "EAP-EKE: Forced prf %u",
119 				   data->prf);
120 		}
121 
122 		pos = os_strstr(phase1, "mac=");
123 		if (pos) {
124 			data->mac = atoi(pos + 4);
125 			wpa_printf(MSG_DEBUG, "EAP-EKE: Forced mac %u",
126 				   data->mac);
127 		}
128 	}
129 
130 	return data;
131 }
132 
133 
134 static void eap_eke_deinit(struct eap_sm *sm, void *priv)
135 {
136 	struct eap_eke_data *data = priv;
137 	eap_eke_session_clean(&data->sess);
138 	os_free(data->serverid);
139 	os_free(data->peerid);
140 	wpabuf_free(data->msgs);
141 	bin_clear_free(data, sizeof(*data));
142 }
143 
144 
145 static struct wpabuf * eap_eke_build_msg(struct eap_eke_data *data, int id,
146 					 size_t length, u8 eke_exch)
147 {
148 	struct wpabuf *msg;
149 	size_t plen;
150 
151 	plen = 1 + length;
152 
153 	msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_EKE, plen,
154 			    EAP_CODE_RESPONSE, id);
155 	if (msg == NULL) {
156 		wpa_printf(MSG_ERROR, "EAP-EKE: Failed to allocate memory");
157 		return NULL;
158 	}
159 
160 	wpabuf_put_u8(msg, eke_exch);
161 
162 	return msg;
163 }
164 
165 
166 static int eap_eke_supp_dhgroup(u8 dhgroup)
167 {
168 	return dhgroup == EAP_EKE_DHGROUP_EKE_2 ||
169 		dhgroup == EAP_EKE_DHGROUP_EKE_5 ||
170 		dhgroup == EAP_EKE_DHGROUP_EKE_14 ||
171 		dhgroup == EAP_EKE_DHGROUP_EKE_15 ||
172 		dhgroup == EAP_EKE_DHGROUP_EKE_16;
173 }
174 
175 
176 static int eap_eke_supp_encr(u8 encr)
177 {
178 	return encr == EAP_EKE_ENCR_AES128_CBC;
179 }
180 
181 
182 static int eap_eke_supp_prf(u8 prf)
183 {
184 	return prf == EAP_EKE_PRF_HMAC_SHA1 ||
185 		prf == EAP_EKE_PRF_HMAC_SHA2_256;
186 }
187 
188 
189 static int eap_eke_supp_mac(u8 mac)
190 {
191 	return mac == EAP_EKE_MAC_HMAC_SHA1 ||
192 		mac == EAP_EKE_MAC_HMAC_SHA2_256;
193 }
194 
195 
196 static struct wpabuf * eap_eke_build_fail(struct eap_eke_data *data,
197 					  struct eap_method_ret *ret,
198 					  u8 id, u32 failure_code)
199 {
200 	struct wpabuf *resp;
201 
202 	wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Failure/Response - code=0x%x",
203 		   failure_code);
204 
205 	resp = eap_eke_build_msg(data, id, 4, EAP_EKE_FAILURE);
206 	if (resp)
207 		wpabuf_put_be32(resp, failure_code);
208 
209 	os_memset(data->dh_priv, 0, sizeof(data->dh_priv));
210 	eap_eke_session_clean(&data->sess);
211 
212 	eap_eke_state(data, FAILURE);
213 	ret->methodState = METHOD_DONE;
214 	ret->decision = DECISION_FAIL;
215 	ret->allowNotifications = FALSE;
216 
217 	return resp;
218 }
219 
220 
221 static struct wpabuf * eap_eke_process_id(struct eap_eke_data *data,
222 					  struct eap_method_ret *ret,
223 					  const struct wpabuf *reqData,
224 					  const u8 *payload,
225 					  size_t payload_len)
226 {
227 	struct wpabuf *resp;
228 	unsigned num_prop, i;
229 	const u8 *pos, *end;
230 	const u8 *prop = NULL;
231 	u8 idtype;
232 	u8 id = eap_get_id(reqData);
233 
234 	if (data->state != IDENTITY) {
235 		return eap_eke_build_fail(data, ret, id,
236 					  EAP_EKE_FAIL_PROTO_ERROR);
237 	}
238 
239 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-ID/Request");
240 
241 	if (payload_len < 2 + 4) {
242 		wpa_printf(MSG_DEBUG, "EAP-EKE: Too short ID/Request Data");
243 		return eap_eke_build_fail(data, ret, id,
244 					  EAP_EKE_FAIL_PROTO_ERROR);
245 	}
246 
247 	pos = payload;
248 	end = payload + payload_len;
249 
250 	num_prop = *pos++;
251 	pos++; /* Ignore Reserved field */
252 
253 	if (pos + num_prop * 4 > end) {
254 		wpa_printf(MSG_DEBUG, "EAP-EKE: Too short ID/Request Data (num_prop=%u)",
255 			   num_prop);
256 		return eap_eke_build_fail(data, ret, id,
257 					  EAP_EKE_FAIL_PROTO_ERROR);
258 	}
259 
260 	for (i = 0; i < num_prop; i++) {
261 		const u8 *tmp = pos;
262 
263 		wpa_printf(MSG_DEBUG, "EAP-EKE: Proposal #%u: dh=%u encr=%u prf=%u mac=%u",
264 			   i, pos[0], pos[1], pos[2], pos[3]);
265 		pos += 4;
266 
267 		if ((data->dhgroup && data->dhgroup != *tmp) ||
268 		    !eap_eke_supp_dhgroup(*tmp))
269 			continue;
270 		tmp++;
271 		if ((data->encr && data->encr != *tmp) ||
272 		    !eap_eke_supp_encr(*tmp))
273 			continue;
274 		tmp++;
275 		if ((data->prf && data->prf != *tmp) ||
276 		    !eap_eke_supp_prf(*tmp))
277 			continue;
278 		tmp++;
279 		if ((data->mac && data->mac != *tmp) ||
280 		    !eap_eke_supp_mac(*tmp))
281 			continue;
282 
283 		prop = tmp - 3;
284 		if (eap_eke_session_init(&data->sess, prop[0], prop[1], prop[2],
285 					 prop[3]) < 0) {
286 			prop = NULL;
287 			continue;
288 		}
289 
290 		wpa_printf(MSG_DEBUG, "EAP-EKE: Selected proposal");
291 		break;
292 	}
293 
294 	if (prop == NULL) {
295 		wpa_printf(MSG_DEBUG, "EAP-EKE: No acceptable proposal found");
296 		return eap_eke_build_fail(data, ret, id,
297 					  EAP_EKE_FAIL_NO_PROPOSAL_CHOSEN);
298 	}
299 
300 	pos += (num_prop - i - 1) * 4;
301 
302 	if (pos == end) {
303 		wpa_printf(MSG_DEBUG, "EAP-EKE: Too short ID/Request Data to include IDType/Identity");
304 		return eap_eke_build_fail(data, ret, id,
305 					  EAP_EKE_FAIL_PROTO_ERROR);
306 	}
307 
308 	idtype = *pos++;
309 	wpa_printf(MSG_DEBUG, "EAP-EKE: Server IDType %u", idtype);
310 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-EKE: Server Identity",
311 			  pos, end - pos);
312 	os_free(data->serverid);
313 	data->serverid = os_malloc(end - pos);
314 	if (data->serverid == NULL) {
315 		return eap_eke_build_fail(data, ret, id,
316 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
317 	}
318 	os_memcpy(data->serverid, pos, end - pos);
319 	data->serverid_len = end - pos;
320 
321 	wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-ID/Response");
322 
323 	resp = eap_eke_build_msg(data, id,
324 				 2 + 4 + 1 + data->peerid_len,
325 				 EAP_EKE_ID);
326 	if (resp == NULL) {
327 		return eap_eke_build_fail(data, ret, id,
328 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
329 	}
330 
331 	wpabuf_put_u8(resp, 1); /* NumProposals */
332 	wpabuf_put_u8(resp, 0); /* Reserved */
333 	wpabuf_put_data(resp, prop, 4); /* Selected Proposal */
334 	wpabuf_put_u8(resp, EAP_EKE_ID_NAI);
335 	if (data->peerid)
336 		wpabuf_put_data(resp, data->peerid, data->peerid_len);
337 
338 	wpabuf_free(data->msgs);
339 	data->msgs = wpabuf_alloc(wpabuf_len(reqData) + wpabuf_len(resp));
340 	if (data->msgs == NULL) {
341 		wpabuf_free(resp);
342 		return eap_eke_build_fail(data, ret, id,
343 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
344 	}
345 	wpabuf_put_buf(data->msgs, reqData);
346 	wpabuf_put_buf(data->msgs, resp);
347 
348 	eap_eke_state(data, COMMIT);
349 
350 	return resp;
351 }
352 
353 
354 static struct wpabuf * eap_eke_process_commit(struct eap_sm *sm,
355 					      struct eap_eke_data *data,
356 					      struct eap_method_ret *ret,
357 					      const struct wpabuf *reqData,
358 					      const u8 *payload,
359 					      size_t payload_len)
360 {
361 	struct wpabuf *resp;
362 	const u8 *pos, *end, *dhcomp;
363 	size_t prot_len;
364 	u8 *rpos;
365 	u8 key[EAP_EKE_MAX_KEY_LEN];
366 	u8 pub[EAP_EKE_MAX_DH_LEN];
367 	const u8 *password;
368 	size_t password_len;
369 	u8 id = eap_get_id(reqData);
370 
371 	if (data->state != COMMIT) {
372 		wpa_printf(MSG_DEBUG, "EAP-EKE: EAP-EKE-Commit/Request received in unexpected state (%d)", data->state);
373 		return eap_eke_build_fail(data, ret, id,
374 					  EAP_EKE_FAIL_PROTO_ERROR);
375 	}
376 
377 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Commit/Request");
378 
379 	password = eap_get_config_password(sm, &password_len);
380 	if (password == NULL) {
381 		wpa_printf(MSG_INFO, "EAP-EKE: No password configured!");
382 		return eap_eke_build_fail(data, ret, id,
383 					  EAP_EKE_FAIL_PASSWD_NOT_FOUND);
384 	}
385 
386 	pos = payload;
387 	end = payload + payload_len;
388 
389 	if (pos + data->sess.dhcomp_len > end) {
390 		wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Commit");
391 		return eap_eke_build_fail(data, ret, id,
392 					  EAP_EKE_FAIL_PROTO_ERROR);
393 	}
394 
395 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent_S",
396 		    pos, data->sess.dhcomp_len);
397 	dhcomp = pos;
398 	pos += data->sess.dhcomp_len;
399 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: CBValue", pos, end - pos);
400 
401 	/*
402 	 * temp = prf(0+, password)
403 	 * key = prf+(temp, ID_S | ID_P)
404 	 */
405 	if (eap_eke_derive_key(&data->sess, password, password_len,
406 			       data->serverid, data->serverid_len,
407 			       data->peerid, data->peerid_len, key) < 0) {
408 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive key");
409 		return eap_eke_build_fail(data, ret, id,
410 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
411 	}
412 
413 	/*
414 	 * y_p = g ^ x_p (mod p)
415 	 * x_p = random number 2 .. p-1
416 	 */
417 	if (eap_eke_dh_init(data->sess.dhgroup, data->dh_priv, pub) < 0) {
418 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to initialize DH");
419 		os_memset(key, 0, sizeof(key));
420 		return eap_eke_build_fail(data, ret, id,
421 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
422 	}
423 
424 	if (eap_eke_shared_secret(&data->sess, key, data->dh_priv, dhcomp) < 0)
425 	{
426 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive shared secret");
427 		os_memset(key, 0, sizeof(key));
428 		return eap_eke_build_fail(data, ret, id,
429 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
430 	}
431 
432 	if (eap_eke_derive_ke_ki(&data->sess,
433 				 data->serverid, data->serverid_len,
434 				 data->peerid, data->peerid_len) < 0) {
435 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive Ke/Ki");
436 		os_memset(key, 0, sizeof(key));
437 		return eap_eke_build_fail(data, ret, id,
438 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
439 	}
440 
441 	wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Commit/Response");
442 
443 	resp = eap_eke_build_msg(data, id,
444 				 data->sess.dhcomp_len + data->sess.pnonce_len,
445 				 EAP_EKE_COMMIT);
446 	if (resp == NULL) {
447 		os_memset(key, 0, sizeof(key));
448 		return eap_eke_build_fail(data, ret, id,
449 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
450 	}
451 
452 	/* DHComponent_P = Encr(key, y_p) */
453 	rpos = wpabuf_put(resp, data->sess.dhcomp_len);
454 	if (eap_eke_dhcomp(&data->sess, key, pub, rpos) < 0) {
455 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to build DHComponent_P");
456 		os_memset(key, 0, sizeof(key));
457 		return eap_eke_build_fail(data, ret, id,
458 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
459 	}
460 	os_memset(key, 0, sizeof(key));
461 
462 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent_P",
463 		    rpos, data->sess.dhcomp_len);
464 
465 	if (random_get_bytes(data->nonce_p, data->sess.nonce_len)) {
466 		wpabuf_free(resp);
467 		return eap_eke_build_fail(data, ret, id,
468 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
469 	}
470 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Nonce_P",
471 			data->nonce_p, data->sess.nonce_len);
472 	prot_len = wpabuf_tailroom(resp);
473 	if (eap_eke_prot(&data->sess, data->nonce_p, data->sess.nonce_len,
474 			 wpabuf_put(resp, 0), &prot_len) < 0) {
475 		wpabuf_free(resp);
476 		return eap_eke_build_fail(data, ret, id,
477 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
478 	}
479 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: PNonce_P",
480 		    wpabuf_put(resp, 0), prot_len);
481 	wpabuf_put(resp, prot_len);
482 
483 	/* TODO: CBValue */
484 
485 	if (wpabuf_resize(&data->msgs, wpabuf_len(reqData) + wpabuf_len(resp))
486 	    < 0) {
487 		wpabuf_free(resp);
488 		return eap_eke_build_fail(data, ret, id,
489 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
490 	}
491 	wpabuf_put_buf(data->msgs, reqData);
492 	wpabuf_put_buf(data->msgs, resp);
493 
494 	eap_eke_state(data, CONFIRM);
495 
496 	return resp;
497 }
498 
499 
500 static struct wpabuf * eap_eke_process_confirm(struct eap_eke_data *data,
501 					       struct eap_method_ret *ret,
502 					       const struct wpabuf *reqData,
503 					       const u8 *payload,
504 					       size_t payload_len)
505 {
506 	struct wpabuf *resp;
507 	const u8 *pos, *end;
508 	size_t prot_len;
509 	u8 nonces[2 * EAP_EKE_MAX_NONCE_LEN];
510 	u8 auth_s[EAP_EKE_MAX_HASH_LEN];
511 	size_t decrypt_len;
512 	u8 *auth;
513 	u8 id = eap_get_id(reqData);
514 
515 	if (data->state != CONFIRM) {
516 		wpa_printf(MSG_DEBUG, "EAP-EKE: EAP-EKE-Confirm/Request received in unexpected state (%d)",
517 			   data->state);
518 		return eap_eke_build_fail(data, ret, id,
519 					  EAP_EKE_FAIL_PROTO_ERROR);
520 	}
521 
522 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Confirm/Request");
523 
524 	pos = payload;
525 	end = payload + payload_len;
526 
527 	if (pos + data->sess.pnonce_ps_len + data->sess.prf_len > end) {
528 		wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Confirm");
529 		return eap_eke_build_fail(data, ret, id,
530 					  EAP_EKE_FAIL_PROTO_ERROR);
531 	}
532 
533 	decrypt_len = sizeof(nonces);
534 	if (eap_eke_decrypt_prot(&data->sess, pos, data->sess.pnonce_ps_len,
535 				 nonces, &decrypt_len) < 0) {
536 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt PNonce_PS");
537 		return eap_eke_build_fail(data, ret, id,
538 					  EAP_EKE_FAIL_AUTHENTICATION_FAIL);
539 	}
540 	if (decrypt_len != (size_t) 2 * data->sess.nonce_len) {
541 		wpa_printf(MSG_INFO, "EAP-EKE: PNonce_PS protected data length does not match length of Nonce_P and Nonce_S");
542 		return eap_eke_build_fail(data, ret, id,
543 					  EAP_EKE_FAIL_AUTHENTICATION_FAIL);
544 	}
545 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Received Nonce_P | Nonce_S",
546 			nonces, 2 * data->sess.nonce_len);
547 	if (os_memcmp(data->nonce_p, nonces, data->sess.nonce_len) != 0) {
548 		wpa_printf(MSG_INFO, "EAP-EKE: Received Nonce_P does not match transmitted Nonce_P");
549 		return eap_eke_build_fail(data, ret, id,
550 					  EAP_EKE_FAIL_AUTHENTICATION_FAIL);
551 	}
552 
553 	os_memcpy(data->nonce_s, nonces + data->sess.nonce_len,
554 		  data->sess.nonce_len);
555 	wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Nonce_S",
556 			data->nonce_s, data->sess.nonce_len);
557 
558 	if (eap_eke_derive_ka(&data->sess, data->serverid, data->serverid_len,
559 			      data->peerid, data->peerid_len,
560 			      data->nonce_p, data->nonce_s) < 0) {
561 		return eap_eke_build_fail(data, ret, id,
562 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
563 	}
564 
565 	if (eap_eke_auth(&data->sess, "EAP-EKE server", data->msgs, auth_s) < 0)
566 	{
567 		return eap_eke_build_fail(data, ret, id,
568 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
569 	}
570 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: Auth_S", auth_s, data->sess.prf_len);
571 	if (os_memcmp_const(auth_s, pos + data->sess.pnonce_ps_len,
572 			    data->sess.prf_len) != 0) {
573 		wpa_printf(MSG_INFO, "EAP-EKE: Auth_S does not match");
574 		return eap_eke_build_fail(data, ret, id,
575 					  EAP_EKE_FAIL_AUTHENTICATION_FAIL);
576 	}
577 
578 	wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Confirm/Response");
579 
580 	resp = eap_eke_build_msg(data, id,
581 				 data->sess.pnonce_len + data->sess.prf_len,
582 				 EAP_EKE_CONFIRM);
583 	if (resp == NULL) {
584 		return eap_eke_build_fail(data, ret, id,
585 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
586 	}
587 
588 	prot_len = wpabuf_tailroom(resp);
589 	if (eap_eke_prot(&data->sess, data->nonce_s, data->sess.nonce_len,
590 			 wpabuf_put(resp, 0), &prot_len) < 0) {
591 		wpabuf_free(resp);
592 		return eap_eke_build_fail(data, ret, id,
593 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
594 	}
595 	wpabuf_put(resp, prot_len);
596 
597 	auth = wpabuf_put(resp, data->sess.prf_len);
598 	if (eap_eke_auth(&data->sess, "EAP-EKE peer", data->msgs, auth) < 0) {
599 		wpabuf_free(resp);
600 		return eap_eke_build_fail(data, ret, id,
601 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
602 	}
603 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: Auth_P", auth, data->sess.prf_len);
604 
605 	if (eap_eke_derive_msk(&data->sess, data->serverid, data->serverid_len,
606 			       data->peerid, data->peerid_len,
607 			       data->nonce_s, data->nonce_p,
608 			       data->msk, data->emsk) < 0) {
609 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive MSK/EMSK");
610 		wpabuf_free(resp);
611 		return eap_eke_build_fail(data, ret, id,
612 					  EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
613 	}
614 
615 	os_memset(data->dh_priv, 0, sizeof(data->dh_priv));
616 	eap_eke_session_clean(&data->sess);
617 
618 	eap_eke_state(data, SUCCESS);
619 	ret->methodState = METHOD_MAY_CONT;
620 	ret->decision = DECISION_COND_SUCC;
621 	ret->allowNotifications = FALSE;
622 
623 	return resp;
624 }
625 
626 
627 static struct wpabuf * eap_eke_process_failure(struct eap_eke_data *data,
628 					       struct eap_method_ret *ret,
629 					       const struct wpabuf *reqData,
630 					       const u8 *payload,
631 					       size_t payload_len)
632 {
633 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Failure/Request");
634 
635 	if (payload_len < 4) {
636 		wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Failure");
637 	} else {
638 		u32 code;
639 		code = WPA_GET_BE32(payload);
640 		wpa_printf(MSG_INFO, "EAP-EKE: Failure-Code 0x%x", code);
641 	}
642 
643 	return eap_eke_build_fail(data, ret, eap_get_id(reqData),
644 				  EAP_EKE_FAIL_NO_ERROR);
645 }
646 
647 
648 static struct wpabuf * eap_eke_process(struct eap_sm *sm, void *priv,
649 				       struct eap_method_ret *ret,
650 				       const struct wpabuf *reqData)
651 {
652 	struct eap_eke_data *data = priv;
653 	struct wpabuf *resp;
654 	const u8 *pos, *end;
655 	size_t len;
656 	u8 eke_exch;
657 
658 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_EKE, reqData, &len);
659 	if (pos == NULL || len < 1) {
660 		ret->ignore = TRUE;
661 		return NULL;
662 	}
663 
664 	end = pos + len;
665 	eke_exch = *pos++;
666 
667 	wpa_printf(MSG_DEBUG, "EAP-EKE: Received frame: exch %d", eke_exch);
668 	wpa_hexdump(MSG_DEBUG, "EAP-EKE: Received Data", pos, end - pos);
669 
670 	ret->ignore = FALSE;
671 	ret->methodState = METHOD_MAY_CONT;
672 	ret->decision = DECISION_FAIL;
673 	ret->allowNotifications = TRUE;
674 
675 	switch (eke_exch) {
676 	case EAP_EKE_ID:
677 		resp = eap_eke_process_id(data, ret, reqData, pos, end - pos);
678 		break;
679 	case EAP_EKE_COMMIT:
680 		resp = eap_eke_process_commit(sm, data, ret, reqData,
681 					      pos, end - pos);
682 		break;
683 	case EAP_EKE_CONFIRM:
684 		resp = eap_eke_process_confirm(data, ret, reqData,
685 					       pos, end - pos);
686 		break;
687 	case EAP_EKE_FAILURE:
688 		resp = eap_eke_process_failure(data, ret, reqData,
689 					       pos, end - pos);
690 		break;
691 	default:
692 		wpa_printf(MSG_DEBUG, "EAP-EKE: Ignoring message with unknown EKE-Exch %d", eke_exch);
693 		ret->ignore = TRUE;
694 		return NULL;
695 	}
696 
697 	if (ret->methodState == METHOD_DONE)
698 		ret->allowNotifications = FALSE;
699 
700 	return resp;
701 }
702 
703 
704 static Boolean eap_eke_isKeyAvailable(struct eap_sm *sm, void *priv)
705 {
706 	struct eap_eke_data *data = priv;
707 	return data->state == SUCCESS;
708 }
709 
710 
711 static u8 * eap_eke_getKey(struct eap_sm *sm, void *priv, size_t *len)
712 {
713 	struct eap_eke_data *data = priv;
714 	u8 *key;
715 
716 	if (data->state != SUCCESS)
717 		return NULL;
718 
719 	key = os_malloc(EAP_MSK_LEN);
720 	if (key == NULL)
721 		return NULL;
722 	os_memcpy(key, data->msk, EAP_MSK_LEN);
723 	*len = EAP_MSK_LEN;
724 
725 	return key;
726 }
727 
728 
729 static u8 * eap_eke_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
730 {
731 	struct eap_eke_data *data = priv;
732 	u8 *key;
733 
734 	if (data->state != SUCCESS)
735 		return NULL;
736 
737 	key = os_malloc(EAP_EMSK_LEN);
738 	if (key == NULL)
739 		return NULL;
740 	os_memcpy(key, data->emsk, EAP_EMSK_LEN);
741 	*len = EAP_EMSK_LEN;
742 
743 	return key;
744 }
745 
746 
747 static u8 * eap_eke_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
748 {
749 	struct eap_eke_data *data = priv;
750 	u8 *sid;
751 	size_t sid_len;
752 
753 	if (data->state != SUCCESS)
754 		return NULL;
755 
756 	sid_len = 1 + 2 * data->sess.nonce_len;
757 	sid = os_malloc(sid_len);
758 	if (sid == NULL)
759 		return NULL;
760 	sid[0] = EAP_TYPE_EKE;
761 	os_memcpy(sid + 1, data->nonce_p, data->sess.nonce_len);
762 	os_memcpy(sid + 1 + data->sess.nonce_len, data->nonce_s,
763 		  data->sess.nonce_len);
764 	*len = sid_len;
765 
766 	return sid;
767 }
768 
769 
770 int eap_peer_eke_register(void)
771 {
772 	struct eap_method *eap;
773 	int ret;
774 
775 	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
776 				    EAP_VENDOR_IETF, EAP_TYPE_EKE, "EKE");
777 	if (eap == NULL)
778 		return -1;
779 
780 	eap->init = eap_eke_init;
781 	eap->deinit = eap_eke_deinit;
782 	eap->process = eap_eke_process;
783 	eap->isKeyAvailable = eap_eke_isKeyAvailable;
784 	eap->getKey = eap_eke_getKey;
785 	eap->get_emsk = eap_eke_get_emsk;
786 	eap->getSessionId = eap_eke_get_session_id;
787 
788 	ret = eap_peer_method_register(eap);
789 	if (ret)
790 		eap_peer_method_free(eap);
791 	return ret;
792 }
793