2 * hostapd / EAP-EKE (RFC 6124) server
3 * Copyright (c) 2013, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/random.h"
13 #include "eap_server/eap_i.h"
14 #include "eap_common/eap_eke_common.h"
19 IDENTITY
, COMMIT
, CONFIRM
, FAILURE_REPORT
, SUCCESS
, FAILURE
22 u8 emsk
[EAP_EMSK_LEN
];
27 u8 dh_priv
[EAP_EKE_MAX_DH_LEN
];
28 u8 key
[EAP_EKE_MAX_KEY_LEN
];
29 struct eap_eke_session sess
;
30 u8 nonce_p
[EAP_EKE_MAX_NONCE_LEN
];
31 u8 nonce_s
[EAP_EKE_MAX_NONCE_LEN
];
38 static const char * eap_eke_state_txt(int state
)
48 return "FAILURE_REPORT";
59 static void eap_eke_state(struct eap_eke_data
*data
, int state
)
61 wpa_printf(MSG_DEBUG
, "EAP-EKE: %s -> %s",
62 eap_eke_state_txt(data
->state
),
63 eap_eke_state_txt(state
));
68 static void eap_eke_fail(struct eap_eke_data
*data
, u32 code
)
70 wpa_printf(MSG_DEBUG
, "EAP-EKE: Failure - code 0x%x", code
);
71 data
->failure_code
= code
;
72 eap_eke_state(data
, FAILURE_REPORT
);
76 static void * eap_eke_init(struct eap_sm
*sm
)
78 struct eap_eke_data
*data
;
81 data
= os_zalloc(sizeof(*data
));
84 eap_eke_state(data
, IDENTITY
);
86 data
->serverid_type
= EAP_EKE_ID_OPAQUE
;
87 for (i
= 0; i
< sm
->server_id_len
; i
++) {
88 if (sm
->server_id
[i
] == '.' &&
89 data
->serverid_type
== EAP_EKE_ID_OPAQUE
)
90 data
->serverid_type
= EAP_EKE_ID_FQDN
;
91 if (sm
->server_id
[i
] == '@')
92 data
->serverid_type
= EAP_EKE_ID_NAI
;
95 data
->phase2
= sm
->init_phase2
;
101 static void eap_eke_reset(struct eap_sm
*sm
, void *priv
)
103 struct eap_eke_data
*data
= priv
;
104 eap_eke_session_clean(&data
->sess
);
105 os_free(data
->peerid
);
106 wpabuf_free(data
->msgs
);
111 static struct wpabuf
* eap_eke_build_msg(struct eap_eke_data
*data
,
112 u8 id
, size_t length
, u8 eke_exch
)
119 msg
= eap_msg_alloc(EAP_VENDOR_IETF
, EAP_TYPE_EKE
, plen
,
120 EAP_CODE_REQUEST
, id
);
122 wpa_printf(MSG_ERROR
, "EAP-EKE: Failed to allocate memory");
126 wpabuf_put_u8(msg
, eke_exch
);
132 static int supported_proposal(const u8
*pos
)
134 if (pos
[0] == EAP_EKE_DHGROUP_EKE_16
&&
135 pos
[1] == EAP_EKE_ENCR_AES128_CBC
&&
136 pos
[2] == EAP_EKE_PRF_HMAC_SHA2_256
&&
137 pos
[3] == EAP_EKE_MAC_HMAC_SHA2_256
)
140 if (pos
[0] == EAP_EKE_DHGROUP_EKE_15
&&
141 pos
[1] == EAP_EKE_ENCR_AES128_CBC
&&
142 pos
[2] == EAP_EKE_PRF_HMAC_SHA2_256
&&
143 pos
[3] == EAP_EKE_MAC_HMAC_SHA2_256
)
146 if (pos
[0] == EAP_EKE_DHGROUP_EKE_14
&&
147 pos
[1] == EAP_EKE_ENCR_AES128_CBC
&&
148 pos
[2] == EAP_EKE_PRF_HMAC_SHA2_256
&&
149 pos
[3] == EAP_EKE_MAC_HMAC_SHA2_256
)
152 if (pos
[0] == EAP_EKE_DHGROUP_EKE_14
&&
153 pos
[1] == EAP_EKE_ENCR_AES128_CBC
&&
154 pos
[2] == EAP_EKE_PRF_HMAC_SHA1
&&
155 pos
[3] == EAP_EKE_MAC_HMAC_SHA1
)
162 static struct wpabuf
* eap_eke_build_failure(struct eap_eke_data
*data
, u8 id
)
166 wpa_printf(MSG_DEBUG
, "EAP-EKE: Request/Failure: Failure-Code=0x%x",
169 msg
= eap_eke_build_msg(data
, id
, 4, EAP_EKE_FAILURE
);
171 eap_eke_state(data
, FAILURE
);
174 wpabuf_put_be32(msg
, data
->failure_code
);
180 static struct wpabuf
* eap_eke_build_identity(struct eap_sm
*sm
,
181 struct eap_eke_data
*data
,
187 wpa_printf(MSG_DEBUG
, "EAP-EKE: Request/Identity");
189 plen
= 2 + 4 * 4 + 1 + sm
->server_id_len
;
190 msg
= eap_eke_build_msg(data
, id
, plen
, EAP_EKE_ID
);
194 wpabuf_put_u8(msg
, 4); /* NumProposals */
195 wpabuf_put_u8(msg
, 0); /* Reserved */
197 /* Proposal - DH Group 16 with AES128-CBC and SHA256 */
198 wpabuf_put_u8(msg
, EAP_EKE_DHGROUP_EKE_16
); /* Group Description */
199 wpabuf_put_u8(msg
, EAP_EKE_ENCR_AES128_CBC
); /* Encryption */
200 wpabuf_put_u8(msg
, EAP_EKE_PRF_HMAC_SHA2_256
); /* PRF */
201 wpabuf_put_u8(msg
, EAP_EKE_MAC_HMAC_SHA2_256
); /* MAC */
203 /* Proposal - DH Group 15 with AES128-CBC and SHA256 */
204 wpabuf_put_u8(msg
, EAP_EKE_DHGROUP_EKE_15
); /* Group Description */
205 wpabuf_put_u8(msg
, EAP_EKE_ENCR_AES128_CBC
); /* Encryption */
206 wpabuf_put_u8(msg
, EAP_EKE_PRF_HMAC_SHA2_256
); /* PRF */
207 wpabuf_put_u8(msg
, EAP_EKE_MAC_HMAC_SHA2_256
); /* MAC */
209 /* Proposal - DH Group 14 with AES128-CBC and SHA256 */
210 wpabuf_put_u8(msg
, EAP_EKE_DHGROUP_EKE_14
); /* Group Description */
211 wpabuf_put_u8(msg
, EAP_EKE_ENCR_AES128_CBC
); /* Encryption */
212 wpabuf_put_u8(msg
, EAP_EKE_PRF_HMAC_SHA2_256
); /* PRF */
213 wpabuf_put_u8(msg
, EAP_EKE_MAC_HMAC_SHA2_256
); /* MAC */
216 * Proposal - DH Group 14 with AES128-CBC and SHA1
217 * (mandatory to implement algorithms)
219 wpabuf_put_u8(msg
, EAP_EKE_DHGROUP_EKE_14
); /* Group Description */
220 wpabuf_put_u8(msg
, EAP_EKE_ENCR_AES128_CBC
); /* Encryption */
221 wpabuf_put_u8(msg
, EAP_EKE_PRF_HMAC_SHA1
); /* PRF */
222 wpabuf_put_u8(msg
, EAP_EKE_MAC_HMAC_SHA1
); /* MAC */
224 /* Server IDType + Identity */
225 wpabuf_put_u8(msg
, data
->serverid_type
);
226 wpabuf_put_data(msg
, sm
->server_id
, sm
->server_id_len
);
228 wpabuf_free(data
->msgs
);
229 data
->msgs
= wpabuf_dup(msg
);
230 if (data
->msgs
== NULL
) {
239 static struct wpabuf
* eap_eke_build_commit(struct eap_sm
*sm
,
240 struct eap_eke_data
*data
, u8 id
)
243 u8 pub
[EAP_EKE_MAX_DH_LEN
];
245 wpa_printf(MSG_DEBUG
, "EAP-EKE: Request/Commit");
247 if (sm
->user
== NULL
|| sm
->user
->password
== NULL
) {
248 wpa_printf(MSG_INFO
, "EAP-EKE: Password with not configured");
249 eap_eke_fail(data
, EAP_EKE_FAIL_PASSWD_NOT_FOUND
);
250 return eap_eke_build_failure(data
, id
);
253 if (eap_eke_derive_key(&data
->sess
, sm
->user
->password
,
254 sm
->user
->password_len
,
255 sm
->server_id
, sm
->server_id_len
,
256 data
->peerid
, data
->peerid_len
, data
->key
) < 0) {
257 wpa_printf(MSG_INFO
, "EAP-EKE: Failed to derive key");
258 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
259 return eap_eke_build_failure(data
, id
);
262 msg
= eap_eke_build_msg(data
, id
, data
->sess
.dhcomp_len
,
265 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
266 return eap_eke_build_failure(data
, id
);
270 * y_s = g ^ x_s (mod p)
271 * x_s = random number 2 .. p-1
272 * temp = prf(0+, password)
273 * key = prf+(temp, ID_S | ID_P)
274 * DHComponent_S = Encr(key, y_s)
277 if (eap_eke_dh_init(data
->sess
.dhgroup
, data
->dh_priv
, pub
) < 0) {
278 wpa_printf(MSG_INFO
, "EAP-EKE: Failed to initialize DH");
279 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
280 return eap_eke_build_failure(data
, id
);
283 if (eap_eke_dhcomp(&data
->sess
, data
->key
, pub
,
284 wpabuf_put(msg
, data
->sess
.dhcomp_len
))
286 wpa_printf(MSG_INFO
, "EAP-EKE: Failed to build DHComponent_S");
288 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
289 return eap_eke_build_failure(data
, id
);
292 if (wpabuf_resize(&data
->msgs
, wpabuf_len(msg
)) < 0) {
294 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
295 return eap_eke_build_failure(data
, id
);
297 wpabuf_put_buf(data
->msgs
, msg
);
303 static struct wpabuf
* eap_eke_build_confirm(struct eap_sm
*sm
,
304 struct eap_eke_data
*data
, u8 id
)
307 size_t plen
, prot_len
;
308 u8 nonces
[2 * EAP_EKE_MAX_NONCE_LEN
];
311 wpa_printf(MSG_DEBUG
, "EAP-EKE: Request/Confirm");
313 plen
= data
->sess
.pnonce_ps_len
+ data
->sess
.prf_len
;
314 msg
= eap_eke_build_msg(data
, id
, plen
, EAP_EKE_CONFIRM
);
316 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
317 return eap_eke_build_failure(data
, id
);
320 if (random_get_bytes(data
->nonce_s
, data
->sess
.nonce_len
)) {
322 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
323 return eap_eke_build_failure(data
, id
);
325 wpa_hexdump_key(MSG_DEBUG
, "EAP-EKE: Nonce_S",
326 data
->nonce_s
, data
->sess
.nonce_len
);
328 os_memcpy(nonces
, data
->nonce_p
, data
->sess
.nonce_len
);
329 os_memcpy(nonces
+ data
->sess
.nonce_len
, data
->nonce_s
,
330 data
->sess
.nonce_len
);
331 prot_len
= wpabuf_tailroom(msg
);
332 if (eap_eke_prot(&data
->sess
, nonces
, 2 * data
->sess
.nonce_len
,
333 wpabuf_put(msg
, 0), &prot_len
) < 0) {
335 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
336 return eap_eke_build_failure(data
, id
);
338 wpabuf_put(msg
, prot_len
);
340 if (eap_eke_derive_ka(&data
->sess
,
341 sm
->server_id
, sm
->server_id_len
,
342 data
->peerid
, data
->peerid_len
,
343 data
->nonce_p
, data
->nonce_s
) < 0) {
345 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
346 return eap_eke_build_failure(data
, id
);
349 auth
= wpabuf_put(msg
, data
->sess
.prf_len
);
350 if (eap_eke_auth(&data
->sess
, "EAP-EKE server", data
->msgs
, auth
) < 0) {
352 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
353 return eap_eke_build_failure(data
, id
);
355 wpa_hexdump(MSG_DEBUG
, "EAP-EKE: Auth_S", auth
, data
->sess
.prf_len
);
361 static struct wpabuf
* eap_eke_buildReq(struct eap_sm
*sm
, void *priv
, u8 id
)
363 struct eap_eke_data
*data
= priv
;
365 switch (data
->state
) {
367 return eap_eke_build_identity(sm
, data
, id
);
369 return eap_eke_build_commit(sm
, data
, id
);
371 return eap_eke_build_confirm(sm
, data
, id
);
373 return eap_eke_build_failure(data
, id
);
375 wpa_printf(MSG_DEBUG
, "EAP-EKE: Unknown state %d in buildReq",
383 static Boolean
eap_eke_check(struct eap_sm
*sm
, void *priv
,
384 struct wpabuf
*respData
)
386 struct eap_eke_data
*data
= priv
;
391 pos
= eap_hdr_validate(EAP_VENDOR_IETF
, EAP_TYPE_EKE
, respData
, &len
);
392 if (pos
== NULL
|| len
< 1) {
393 wpa_printf(MSG_INFO
, "EAP-EKE: Invalid frame");
398 wpa_printf(MSG_DEBUG
, "EAP-EKE: Received frame: EKE-Exch=%d", eke_exch
);
400 if (data
->state
== IDENTITY
&& eke_exch
== EAP_EKE_ID
)
403 if (data
->state
== COMMIT
&& eke_exch
== EAP_EKE_COMMIT
)
406 if (data
->state
== CONFIRM
&& eke_exch
== EAP_EKE_CONFIRM
)
409 if (eke_exch
== EAP_EKE_FAILURE
)
412 wpa_printf(MSG_INFO
, "EAP-EKE: Unexpected EKE-Exch=%d in state=%d",
413 eke_exch
, data
->state
);
419 static void eap_eke_process_identity(struct eap_sm
*sm
,
420 struct eap_eke_data
*data
,
421 const struct wpabuf
*respData
,
422 const u8
*payload
, size_t payloadlen
)
427 wpa_printf(MSG_DEBUG
, "EAP-EKE: Received Response/Identity");
429 if (data
->state
!= IDENTITY
) {
430 eap_eke_fail(data
, EAP_EKE_FAIL_PROTO_ERROR
);
435 end
= payload
+ payloadlen
;
437 if (pos
+ 2 + 4 + 1 > end
) {
438 wpa_printf(MSG_INFO
, "EAP-EKE: Too short EAP-EKE-ID payload");
439 eap_eke_fail(data
, EAP_EKE_FAIL_PROTO_ERROR
);
444 wpa_printf(MSG_INFO
, "EAP-EKE: Unexpected NumProposals %d (expected 1)",
446 eap_eke_fail(data
, EAP_EKE_FAIL_PROTO_ERROR
);
452 if (!supported_proposal(pos
)) {
453 wpa_printf(MSG_INFO
, "EAP-EKE: Unexpected Proposal (%u:%u:%u:%u)",
454 pos
[0], pos
[1], pos
[2], pos
[3]);
455 eap_eke_fail(data
, EAP_EKE_FAIL_PROTO_ERROR
);
459 wpa_printf(MSG_DEBUG
, "EAP-EKE: Selected Proposal (%u:%u:%u:%u)",
460 pos
[0], pos
[1], pos
[2], pos
[3]);
461 if (eap_eke_session_init(&data
->sess
, pos
[0], pos
[1], pos
[2], pos
[3]) <
463 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
468 data
->peerid_type
= *pos
++;
469 os_free(data
->peerid
);
470 data
->peerid
= os_malloc(end
- pos
);
471 if (data
->peerid
== NULL
) {
472 wpa_printf(MSG_INFO
, "EAP-EKE: Failed to allocate memory for peerid");
473 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
476 os_memcpy(data
->peerid
, pos
, end
- pos
);
477 data
->peerid_len
= end
- pos
;
478 wpa_printf(MSG_DEBUG
, "EAP-EKE: Peer IDType %u", data
->peerid_type
);
479 wpa_hexdump_ascii(MSG_DEBUG
, "EAP-EKE: Peer Identity",
480 data
->peerid
, data
->peerid_len
);
482 if (eap_user_get(sm
, data
->peerid
, data
->peerid_len
, data
->phase2
)) {
483 wpa_printf(MSG_INFO
, "EAP-EKE: Peer Identity not found from user database");
484 eap_eke_fail(data
, EAP_EKE_FAIL_PASSWD_NOT_FOUND
);
488 for (i
= 0; i
< EAP_MAX_METHODS
; i
++) {
489 if (sm
->user
->methods
[i
].vendor
== EAP_VENDOR_IETF
&&
490 sm
->user
->methods
[i
].method
== EAP_TYPE_EKE
)
493 if (i
== EAP_MAX_METHODS
) {
494 wpa_printf(MSG_INFO
, "EAP-EKE: Matching user entry does not allow EAP-EKE");
495 eap_eke_fail(data
, EAP_EKE_FAIL_PASSWD_NOT_FOUND
);
499 if (sm
->user
->password
== NULL
|| sm
->user
->password_len
== 0) {
500 wpa_printf(MSG_INFO
, "EAP-EKE: No password configured for peer");
501 eap_eke_fail(data
, EAP_EKE_FAIL_PASSWD_NOT_FOUND
);
505 if (wpabuf_resize(&data
->msgs
, wpabuf_len(respData
)) < 0) {
506 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
509 wpabuf_put_buf(data
->msgs
, respData
);
511 eap_eke_state(data
, COMMIT
);
515 static void eap_eke_process_commit(struct eap_sm
*sm
,
516 struct eap_eke_data
*data
,
517 const struct wpabuf
*respData
,
518 const u8
*payload
, size_t payloadlen
)
520 const u8
*pos
, *end
, *dhcomp
, *pnonce
;
523 wpa_printf(MSG_DEBUG
, "EAP-EKE: Received Response/Commit");
525 if (data
->state
!= COMMIT
) {
526 eap_eke_fail(data
, EAP_EKE_FAIL_PROTO_ERROR
);
531 end
= payload
+ payloadlen
;
533 if (pos
+ data
->sess
.dhcomp_len
+ data
->sess
.pnonce_len
> end
) {
534 wpa_printf(MSG_DEBUG
, "EAP-EKE: Too short EAP-EKE-Commit");
535 eap_eke_fail(data
, EAP_EKE_FAIL_PROTO_ERROR
);
539 wpa_hexdump(MSG_DEBUG
, "EAP-EKE: DHComponent_P",
540 pos
, data
->sess
.dhcomp_len
);
542 pos
+= data
->sess
.dhcomp_len
;
543 wpa_hexdump(MSG_DEBUG
, "EAP-EKE: PNonce_P", pos
, data
->sess
.pnonce_len
);
545 pos
+= data
->sess
.pnonce_len
;
546 wpa_hexdump(MSG_DEBUG
, "EAP-EKE: CBValue", pos
, end
- pos
);
548 if (eap_eke_shared_secret(&data
->sess
, data
->key
, data
->dh_priv
, dhcomp
)
550 wpa_printf(MSG_INFO
, "EAP-EKE: Failed to derive shared secret");
551 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
555 if (eap_eke_derive_ke_ki(&data
->sess
,
556 sm
->server_id
, sm
->server_id_len
,
557 data
->peerid
, data
->peerid_len
) < 0) {
558 wpa_printf(MSG_INFO
, "EAP-EKE: Failed to derive Ke/Ki");
559 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
563 decrypt_len
= sizeof(data
->nonce_p
);
564 if (eap_eke_decrypt_prot(&data
->sess
, pnonce
, data
->sess
.pnonce_len
,
565 data
->nonce_p
, &decrypt_len
) < 0) {
566 wpa_printf(MSG_INFO
, "EAP-EKE: Failed to decrypt PNonce_P");
567 eap_eke_fail(data
, EAP_EKE_FAIL_AUTHENTICATION_FAIL
);
570 if (decrypt_len
< (size_t) data
->sess
.nonce_len
) {
571 wpa_printf(MSG_INFO
, "EAP-EKE: PNonce_P protected data too short to include Nonce_P");
572 eap_eke_fail(data
, EAP_EKE_FAIL_AUTHENTICATION_FAIL
);
575 wpa_hexdump_key(MSG_DEBUG
, "EAP-EKE: Nonce_P",
576 data
->nonce_p
, data
->sess
.nonce_len
);
578 if (wpabuf_resize(&data
->msgs
, wpabuf_len(respData
)) < 0) {
579 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
582 wpabuf_put_buf(data
->msgs
, respData
);
584 eap_eke_state(data
, CONFIRM
);
588 static void eap_eke_process_confirm(struct eap_sm
*sm
,
589 struct eap_eke_data
*data
,
590 const struct wpabuf
*respData
,
591 const u8
*payload
, size_t payloadlen
)
594 u8 nonce
[EAP_EKE_MAX_NONCE_LEN
];
595 u8 auth_p
[EAP_EKE_MAX_HASH_LEN
];
597 wpa_printf(MSG_DEBUG
, "EAP-EKE: Received Response/Confirm");
599 if (data
->state
!= CONFIRM
) {
600 eap_eke_fail(data
, EAP_EKE_FAIL_PROTO_ERROR
);
604 wpa_printf(MSG_DEBUG
, "EAP-EKE: Received Response/Confirm");
606 if (payloadlen
< (size_t) data
->sess
.pnonce_len
+ data
->sess
.prf_len
) {
607 wpa_printf(MSG_DEBUG
, "EAP-EKE: Too short EAP-EKE-Confirm");
608 eap_eke_fail(data
, EAP_EKE_FAIL_PROTO_ERROR
);
612 decrypt_len
= sizeof(nonce
);
613 if (eap_eke_decrypt_prot(&data
->sess
, payload
, data
->sess
.pnonce_len
,
614 nonce
, &decrypt_len
) < 0) {
615 wpa_printf(MSG_INFO
, "EAP-EKE: Failed to decrypt PNonce_S");
616 eap_eke_fail(data
, EAP_EKE_FAIL_AUTHENTICATION_FAIL
);
619 if (decrypt_len
< (size_t) data
->sess
.nonce_len
) {
620 wpa_printf(MSG_INFO
, "EAP-EKE: PNonce_S protected data too short to include Nonce_S");
621 eap_eke_fail(data
, EAP_EKE_FAIL_AUTHENTICATION_FAIL
);
624 wpa_hexdump_key(MSG_DEBUG
, "EAP-EKE: Received Nonce_S",
625 nonce
, data
->sess
.nonce_len
);
626 if (os_memcmp(nonce
, data
->nonce_s
, data
->sess
.nonce_len
) != 0) {
627 wpa_printf(MSG_INFO
, "EAP-EKE: Received Nonce_S does not match previously sent Nonce_S");
628 eap_eke_fail(data
, EAP_EKE_FAIL_AUTHENTICATION_FAIL
);
632 if (eap_eke_auth(&data
->sess
, "EAP-EKE peer", data
->msgs
, auth_p
) < 0) {
633 wpa_printf(MSG_INFO
, "EAP-EKE: Could not derive Auth_P");
634 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
637 wpa_hexdump(MSG_DEBUG
, "EAP-EKE: Auth_P", auth_p
, data
->sess
.prf_len
);
638 if (os_memcmp_const(auth_p
, payload
+ data
->sess
.pnonce_len
,
639 data
->sess
.prf_len
) != 0) {
640 wpa_printf(MSG_INFO
, "EAP-EKE: Auth_P does not match");
641 eap_eke_fail(data
, EAP_EKE_FAIL_AUTHENTICATION_FAIL
);
645 if (eap_eke_derive_msk(&data
->sess
, sm
->server_id
, sm
->server_id_len
,
646 data
->peerid
, data
->peerid_len
,
647 data
->nonce_s
, data
->nonce_p
,
648 data
->msk
, data
->emsk
) < 0) {
649 wpa_printf(MSG_INFO
, "EAP-EKE: Failed to derive MSK/EMSK");
650 eap_eke_fail(data
, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR
);
654 os_memset(data
->dh_priv
, 0, sizeof(data
->dh_priv
));
655 os_memset(data
->key
, 0, sizeof(data
->key
));
656 eap_eke_session_clean(&data
->sess
);
658 eap_eke_state(data
, SUCCESS
);
662 static void eap_eke_process_failure(struct eap_sm
*sm
,
663 struct eap_eke_data
*data
,
664 const struct wpabuf
*respData
,
665 const u8
*payload
, size_t payloadlen
)
669 wpa_printf(MSG_DEBUG
, "EAP-EKE: Received Response/Failure");
671 if (payloadlen
< 4) {
672 wpa_printf(MSG_DEBUG
, "EAP-EKE: Too short EAP-EKE-Failure");
673 eap_eke_state(data
, FAILURE
);
677 code
= WPA_GET_BE32(payload
);
678 wpa_printf(MSG_DEBUG
, "EAP-EKE: Peer reported failure code 0x%x", code
);
680 eap_eke_state(data
, FAILURE
);
684 static void eap_eke_process(struct eap_sm
*sm
, void *priv
,
685 struct wpabuf
*respData
)
687 struct eap_eke_data
*data
= priv
;
692 pos
= eap_hdr_validate(EAP_VENDOR_IETF
, EAP_TYPE_EKE
, respData
, &len
);
693 if (pos
== NULL
|| len
< 1)
700 wpa_hexdump(MSG_DEBUG
, "EAP-EKE: Received payload", pos
, end
- pos
);
704 eap_eke_process_identity(sm
, data
, respData
, pos
, end
- pos
);
707 eap_eke_process_commit(sm
, data
, respData
, pos
, end
- pos
);
709 case EAP_EKE_CONFIRM
:
710 eap_eke_process_confirm(sm
, data
, respData
, pos
, end
- pos
);
712 case EAP_EKE_FAILURE
:
713 eap_eke_process_failure(sm
, data
, respData
, pos
, end
- pos
);
719 static Boolean
eap_eke_isDone(struct eap_sm
*sm
, void *priv
)
721 struct eap_eke_data
*data
= priv
;
722 return data
->state
== SUCCESS
|| data
->state
== FAILURE
;
726 static u8
* eap_eke_getKey(struct eap_sm
*sm
, void *priv
, size_t *len
)
728 struct eap_eke_data
*data
= priv
;
731 if (data
->state
!= SUCCESS
)
734 key
= os_malloc(EAP_MSK_LEN
);
737 os_memcpy(key
, data
->msk
, EAP_MSK_LEN
);
744 static u8
* eap_eke_get_emsk(struct eap_sm
*sm
, void *priv
, size_t *len
)
746 struct eap_eke_data
*data
= priv
;
749 if (data
->state
!= SUCCESS
)
752 key
= os_malloc(EAP_EMSK_LEN
);
755 os_memcpy(key
, data
->emsk
, EAP_EMSK_LEN
);
762 static Boolean
eap_eke_isSuccess(struct eap_sm
*sm
, void *priv
)
764 struct eap_eke_data
*data
= priv
;
765 return data
->state
== SUCCESS
;
769 int eap_server_eke_register(void)
771 struct eap_method
*eap
;
774 eap
= eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION
,
775 EAP_VENDOR_IETF
, EAP_TYPE_EKE
, "EKE");
779 eap
->init
= eap_eke_init
;
780 eap
->reset
= eap_eke_reset
;
781 eap
->buildReq
= eap_eke_buildReq
;
782 eap
->check
= eap_eke_check
;
783 eap
->process
= eap_eke_process
;
784 eap
->isDone
= eap_eke_isDone
;
785 eap
->getKey
= eap_eke_getKey
;
786 eap
->isSuccess
= eap_eke_isSuccess
;
787 eap
->get_emsk
= eap_eke_get_emsk
;
789 ret
= eap_server_method_register(eap
);
791 eap_server_method_free(eap
);