static void eap_eke_process_commit(struct eap_sm *sm,
struct eap_eke_data *data,
const struct wpabuf *respData,
const u8 *payload, size_t payloadlen)
{
const u8 *pos, *end, *dhcomp, *pnonce;
size_t decrypt_len;
wpa_printf(MSG_DEBUG, "EAP-EKE: Received Response/Commit");
if (data->state != COMMIT) {
eap_eke_fail(data, EAP_EKE_FAIL_PROTO_ERROR);
return;
}
pos = payload;
end = payload + payloadlen;
if (pos + data->sess.dhcomp_len + data->sess.pnonce_len > end) {
wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Commit");
eap_eke_fail(data, EAP_EKE_FAIL_PROTO_ERROR);
return;
}
wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent_P",
pos, data->sess.dhcomp_len);
dhcomp = pos;
pos += data->sess.dhcomp_len;
wpa_hexdump(MSG_DEBUG, "EAP-EKE: PNonce_P", pos, data->sess.pnonce_len);
pnonce = pos;
pos += data->sess.pnonce_len;
wpa_hexdump(MSG_DEBUG, "EAP-EKE: CBValue", pos, end - pos);
if (eap_eke_shared_secret(&data->sess, data->key, data->dh_priv, dhcomp)
< 0) {
wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive shared secret");
eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
return;
}
if (eap_eke_derive_ke_ki(&data->sess,
sm->server_id, sm->server_id_len,
data->peerid, data->peerid_len) < 0) {
wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive Ke/Ki");
eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
return;
}
decrypt_len = sizeof(data->nonce_p);
if (eap_eke_decrypt_prot(&data->sess, pnonce, data->sess.pnonce_len,
data->nonce_p, &decrypt_len) < 0) {
wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt PNonce_P");
eap_eke_fail(data, EAP_EKE_FAIL_AUTHENTICATION_FAIL);
return;
}
if (decrypt_len < (size_t) data->sess.nonce_len) {
wpa_printf(MSG_INFO, "EAP-EKE: PNonce_P protected data too short to include Nonce_P");
eap_eke_fail(data, EAP_EKE_FAIL_AUTHENTICATION_FAIL);
return;
}
wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Nonce_P",
data->nonce_p, data->sess.nonce_len);
if (wpabuf_resize(&data->msgs, wpabuf_len(respData)) < 0) {
eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
return;
}
wpabuf_put_buf(data->msgs, respData);
eap_eke_state(data, CONFIRM);
}
static struct wpabuf * eap_eke_process_commit(struct eap_sm *sm,
struct eap_eke_data *data,
struct eap_method_ret *ret,
const struct wpabuf *reqData,
const u8 *payload,
size_t payload_len)
{
struct wpabuf *resp;
const u8 *pos, *end, *dhcomp;
size_t prot_len;
u8 *rpos;
u8 key[EAP_EKE_MAX_KEY_LEN];
u8 pub[EAP_EKE_MAX_DH_LEN];
const u8 *password;
size_t password_len;
u8 id = eap_get_id(reqData);
if (data->state != COMMIT) {
wpa_printf(MSG_DEBUG, "EAP-EKE: EAP-EKE-Commit/Request received in unexpected state (%d)", data->state);
return eap_eke_build_fail(data, ret, id,
EAP_EKE_FAIL_PROTO_ERROR);
}
wpa_printf(MSG_DEBUG, "EAP-EKE: Received EAP-EKE-Commit/Request");
password = eap_get_config_password(sm, &password_len);
if (password == NULL) {
wpa_printf(MSG_INFO, "EAP-EKE: No password configured!");
return eap_eke_build_fail(data, ret, id,
EAP_EKE_FAIL_PASSWD_NOT_FOUND);
}
pos = payload;
end = payload + payload_len;
if (pos + data->sess.dhcomp_len > end) {
wpa_printf(MSG_DEBUG, "EAP-EKE: Too short EAP-EKE-Commit");
return eap_eke_build_fail(data, ret, id,
EAP_EKE_FAIL_PROTO_ERROR);
}
wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent_S",
pos, data->sess.dhcomp_len);
dhcomp = pos;
pos += data->sess.dhcomp_len;
wpa_hexdump(MSG_DEBUG, "EAP-EKE: CBValue", pos, end - pos);
/*
* temp = prf(0+, password)
* key = prf+(temp, ID_S | ID_P)
*/
if (eap_eke_derive_key(&data->sess, password, password_len,
data->serverid, data->serverid_len,
data->peerid, data->peerid_len, key) < 0) {
wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive key");
return eap_eke_build_fail(data, ret, id,
EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
}
/*
* y_p = g ^ x_p (mod p)
* x_p = random number 2 .. p-1
*/
if (eap_eke_dh_init(data->sess.dhgroup, data->dh_priv, pub) < 0) {
wpa_printf(MSG_INFO, "EAP-EKE: Failed to initialize DH");
os_memset(key, 0, sizeof(key));
return eap_eke_build_fail(data, ret, id,
EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
}
if (eap_eke_shared_secret(&data->sess, key, data->dh_priv, dhcomp) < 0)
{
wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive shared secret");
os_memset(key, 0, sizeof(key));
return eap_eke_build_fail(data, ret, id,
EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
}
if (eap_eke_derive_ke_ki(&data->sess,
data->serverid, data->serverid_len,
data->peerid, data->peerid_len) < 0) {
wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive Ke/Ki");
os_memset(key, 0, sizeof(key));
return eap_eke_build_fail(data, ret, id,
EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
}
wpa_printf(MSG_DEBUG, "EAP-EKE: Sending EAP-EKE-Commit/Response");
resp = eap_eke_build_msg(data, id,
data->sess.dhcomp_len + data->sess.pnonce_len,
EAP_EKE_COMMIT);
if (resp == NULL) {
os_memset(key, 0, sizeof(key));
return eap_eke_build_fail(data, ret, id,
EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
}
/* DHComponent_P = Encr(key, y_p) */
rpos = wpabuf_put(resp, data->sess.dhcomp_len);
if (eap_eke_dhcomp(&data->sess, key, pub, rpos) < 0) {
wpabuf_free(resp);
wpa_printf(MSG_INFO, "EAP-EKE: Failed to build DHComponent_P");
os_memset(key, 0, sizeof(key));
return eap_eke_build_fail(data, ret, id,
EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
}
os_memset(key, 0, sizeof(key));
wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent_P",
rpos, data->sess.dhcomp_len);
if (random_get_bytes(data->nonce_p, data->sess.nonce_len)) {
wpabuf_free(resp);
return eap_eke_build_fail(data, ret, id,
EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
}
wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Nonce_P",
data->nonce_p, data->sess.nonce_len);
prot_len = wpabuf_tailroom(resp);
if (eap_eke_prot(&data->sess, data->nonce_p, data->sess.nonce_len,
wpabuf_put(resp, 0), &prot_len) < 0) {
wpabuf_free(resp);
return eap_eke_build_fail(data, ret, id,
EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
}
wpa_hexdump(MSG_DEBUG, "EAP-EKE: PNonce_P",
wpabuf_put(resp, 0), prot_len);
wpabuf_put(resp, prot_len);
/* TODO: CBValue */
if (wpabuf_resize(&data->msgs, wpabuf_len(reqData) + wpabuf_len(resp))
< 0) {
wpabuf_free(resp);
return eap_eke_build_fail(data, ret, id,
EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
}
wpabuf_put_buf(data->msgs, reqData);
wpabuf_put_buf(data->msgs, resp);
eap_eke_state(data, CONFIRM);
return resp;
}
