eap_pwd.c 29 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076
  1. /*
  2. * EAP peer method: EAP-pwd (RFC 5931)
  3. * Copyright (c) 2010, Dan Harkins <dharkins@lounge.org>
  4. *
  5. * This software may be distributed under the terms of the BSD license.
  6. * See README for more details.
  7. */
  8. #include "includes.h"
  9. #include "common.h"
  10. #include "crypto/sha256.h"
  11. #include "crypto/ms_funcs.h"
  12. #include "eap_peer/eap_i.h"
  13. #include "eap_common/eap_pwd_common.h"
  14. struct eap_pwd_data {
  15. enum {
  16. PWD_ID_Req, PWD_Commit_Req, PWD_Confirm_Req,
  17. SUCCESS_ON_FRAG_COMPLETION, SUCCESS, FAILURE
  18. } state;
  19. u8 *id_peer;
  20. size_t id_peer_len;
  21. u8 *id_server;
  22. size_t id_server_len;
  23. u8 *password;
  24. size_t password_len;
  25. int password_hash;
  26. u16 group_num;
  27. EAP_PWD_group *grp;
  28. struct wpabuf *inbuf;
  29. size_t in_frag_pos;
  30. struct wpabuf *outbuf;
  31. size_t out_frag_pos;
  32. size_t mtu;
  33. BIGNUM *k;
  34. BIGNUM *private_value;
  35. BIGNUM *server_scalar;
  36. BIGNUM *my_scalar;
  37. EC_POINT *my_element;
  38. EC_POINT *server_element;
  39. u8 msk[EAP_MSK_LEN];
  40. u8 emsk[EAP_EMSK_LEN];
  41. u8 session_id[1 + SHA256_MAC_LEN];
  42. BN_CTX *bnctx;
  43. };
  44. #ifndef CONFIG_NO_STDOUT_DEBUG
  45. static const char * eap_pwd_state_txt(int state)
  46. {
  47. switch (state) {
  48. case PWD_ID_Req:
  49. return "PWD-ID-Req";
  50. case PWD_Commit_Req:
  51. return "PWD-Commit-Req";
  52. case PWD_Confirm_Req:
  53. return "PWD-Confirm-Req";
  54. case SUCCESS_ON_FRAG_COMPLETION:
  55. return "SUCCESS_ON_FRAG_COMPLETION";
  56. case SUCCESS:
  57. return "SUCCESS";
  58. case FAILURE:
  59. return "FAILURE";
  60. default:
  61. return "PWD-UNK";
  62. }
  63. }
  64. #endif /* CONFIG_NO_STDOUT_DEBUG */
  65. static void eap_pwd_state(struct eap_pwd_data *data, int state)
  66. {
  67. wpa_printf(MSG_DEBUG, "EAP-PWD: %s -> %s",
  68. eap_pwd_state_txt(data->state), eap_pwd_state_txt(state));
  69. data->state = state;
  70. }
  71. static void * eap_pwd_init(struct eap_sm *sm)
  72. {
  73. struct eap_pwd_data *data;
  74. const u8 *identity, *password;
  75. size_t identity_len, password_len;
  76. int fragment_size;
  77. int pwhash;
  78. password = eap_get_config_password2(sm, &password_len, &pwhash);
  79. if (password == NULL) {
  80. wpa_printf(MSG_INFO, "EAP-PWD: No password configured!");
  81. return NULL;
  82. }
  83. identity = eap_get_config_identity(sm, &identity_len);
  84. if (identity == NULL) {
  85. wpa_printf(MSG_INFO, "EAP-PWD: No identity configured!");
  86. return NULL;
  87. }
  88. if ((data = os_zalloc(sizeof(*data))) == NULL) {
  89. wpa_printf(MSG_INFO, "EAP-PWD: memory allocation data fail");
  90. return NULL;
  91. }
  92. if ((data->bnctx = BN_CTX_new()) == NULL) {
  93. wpa_printf(MSG_INFO, "EAP-PWD: bn context allocation fail");
  94. os_free(data);
  95. return NULL;
  96. }
  97. if ((data->id_peer = os_malloc(identity_len)) == NULL) {
  98. wpa_printf(MSG_INFO, "EAP-PWD: memory allocation id fail");
  99. BN_CTX_free(data->bnctx);
  100. os_free(data);
  101. return NULL;
  102. }
  103. os_memcpy(data->id_peer, identity, identity_len);
  104. data->id_peer_len = identity_len;
  105. if ((data->password = os_malloc(password_len)) == NULL) {
  106. wpa_printf(MSG_INFO, "EAP-PWD: memory allocation psk fail");
  107. BN_CTX_free(data->bnctx);
  108. bin_clear_free(data->id_peer, data->id_peer_len);
  109. os_free(data);
  110. return NULL;
  111. }
  112. os_memcpy(data->password, password, password_len);
  113. data->password_len = password_len;
  114. data->password_hash = pwhash;
  115. data->out_frag_pos = data->in_frag_pos = 0;
  116. data->inbuf = data->outbuf = NULL;
  117. fragment_size = eap_get_config_fragment_size(sm);
  118. if (fragment_size <= 0)
  119. data->mtu = 1020; /* default from RFC 5931 */
  120. else
  121. data->mtu = fragment_size;
  122. data->state = PWD_ID_Req;
  123. return data;
  124. }
  125. static void eap_pwd_deinit(struct eap_sm *sm, void *priv)
  126. {
  127. struct eap_pwd_data *data = priv;
  128. BN_clear_free(data->private_value);
  129. BN_clear_free(data->server_scalar);
  130. BN_clear_free(data->my_scalar);
  131. BN_clear_free(data->k);
  132. BN_CTX_free(data->bnctx);
  133. EC_POINT_clear_free(data->my_element);
  134. EC_POINT_clear_free(data->server_element);
  135. bin_clear_free(data->id_peer, data->id_peer_len);
  136. bin_clear_free(data->id_server, data->id_server_len);
  137. bin_clear_free(data->password, data->password_len);
  138. if (data->grp) {
  139. EC_GROUP_free(data->grp->group);
  140. EC_POINT_clear_free(data->grp->pwe);
  141. BN_clear_free(data->grp->order);
  142. BN_clear_free(data->grp->prime);
  143. os_free(data->grp);
  144. }
  145. wpabuf_free(data->inbuf);
  146. wpabuf_free(data->outbuf);
  147. bin_clear_free(data, sizeof(*data));
  148. }
  149. static u8 * eap_pwd_getkey(struct eap_sm *sm, void *priv, size_t *len)
  150. {
  151. struct eap_pwd_data *data = priv;
  152. u8 *key;
  153. if (data->state != SUCCESS)
  154. return NULL;
  155. key = os_malloc(EAP_MSK_LEN);
  156. if (key == NULL)
  157. return NULL;
  158. os_memcpy(key, data->msk, EAP_MSK_LEN);
  159. *len = EAP_MSK_LEN;
  160. return key;
  161. }
  162. static u8 * eap_pwd_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
  163. {
  164. struct eap_pwd_data *data = priv;
  165. u8 *id;
  166. if (data->state != SUCCESS)
  167. return NULL;
  168. id = os_malloc(1 + SHA256_MAC_LEN);
  169. if (id == NULL)
  170. return NULL;
  171. os_memcpy(id, data->session_id, 1 + SHA256_MAC_LEN);
  172. *len = 1 + SHA256_MAC_LEN;
  173. return id;
  174. }
  175. static void
  176. eap_pwd_perform_id_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
  177. struct eap_method_ret *ret,
  178. const struct wpabuf *reqData,
  179. const u8 *payload, size_t payload_len)
  180. {
  181. struct eap_pwd_id *id;
  182. const u8 *password;
  183. size_t password_len;
  184. u8 pwhashhash[16];
  185. int res;
  186. if (data->state != PWD_ID_Req) {
  187. ret->ignore = TRUE;
  188. eap_pwd_state(data, FAILURE);
  189. return;
  190. }
  191. if (payload_len < sizeof(struct eap_pwd_id)) {
  192. ret->ignore = TRUE;
  193. eap_pwd_state(data, FAILURE);
  194. return;
  195. }
  196. id = (struct eap_pwd_id *) payload;
  197. data->group_num = be_to_host16(id->group_num);
  198. wpa_printf(MSG_DEBUG,
  199. "EAP-PWD: Server EAP-pwd-ID proposal: group=%u random=%u prf=%u prep=%u",
  200. data->group_num, id->random_function, id->prf, id->prep);
  201. if ((id->random_function != EAP_PWD_DEFAULT_RAND_FUNC) ||
  202. (id->prf != EAP_PWD_DEFAULT_PRF)) {
  203. ret->ignore = TRUE;
  204. eap_pwd_state(data, FAILURE);
  205. return;
  206. }
  207. if (id->prep != EAP_PWD_PREP_NONE &&
  208. id->prep != EAP_PWD_PREP_MS) {
  209. wpa_printf(MSG_DEBUG,
  210. "EAP-PWD: Unsupported password pre-processing technique (Prep=%u)",
  211. id->prep);
  212. eap_pwd_state(data, FAILURE);
  213. return;
  214. }
  215. if (id->prep == EAP_PWD_PREP_NONE && data->password_hash) {
  216. wpa_printf(MSG_DEBUG,
  217. "EAP-PWD: Unhashed password not available");
  218. eap_pwd_state(data, FAILURE);
  219. return;
  220. }
  221. wpa_printf(MSG_DEBUG, "EAP-PWD (peer): using group %d",
  222. data->group_num);
  223. data->id_server = os_malloc(payload_len - sizeof(struct eap_pwd_id));
  224. if (data->id_server == NULL) {
  225. wpa_printf(MSG_INFO, "EAP-PWD: memory allocation id fail");
  226. eap_pwd_state(data, FAILURE);
  227. return;
  228. }
  229. data->id_server_len = payload_len - sizeof(struct eap_pwd_id);
  230. os_memcpy(data->id_server, id->identity, data->id_server_len);
  231. wpa_hexdump_ascii(MSG_INFO, "EAP-PWD (peer): server sent id of",
  232. data->id_server, data->id_server_len);
  233. data->grp = os_zalloc(sizeof(EAP_PWD_group));
  234. if (data->grp == NULL) {
  235. wpa_printf(MSG_INFO, "EAP-PWD: failed to allocate memory for "
  236. "group");
  237. eap_pwd_state(data, FAILURE);
  238. return;
  239. }
  240. if (id->prep == EAP_PWD_PREP_MS) {
  241. #ifdef CONFIG_FIPS
  242. wpa_printf(MSG_ERROR,
  243. "EAP-PWD (peer): MS password hash not supported in FIPS mode");
  244. eap_pwd_state(data, FAILURE);
  245. return;
  246. #else /* CONFIG_FIPS */
  247. if (data->password_hash) {
  248. res = hash_nt_password_hash(data->password, pwhashhash);
  249. } else {
  250. u8 pwhash[16];
  251. res = nt_password_hash(data->password,
  252. data->password_len, pwhash);
  253. if (res == 0)
  254. res = hash_nt_password_hash(pwhash, pwhashhash);
  255. os_memset(pwhash, 0, sizeof(pwhash));
  256. }
  257. if (res) {
  258. eap_pwd_state(data, FAILURE);
  259. return;
  260. }
  261. password = pwhashhash;
  262. password_len = sizeof(pwhashhash);
  263. #endif /* CONFIG_FIPS */
  264. } else {
  265. password = data->password;
  266. password_len = data->password_len;
  267. }
  268. /* compute PWE */
  269. res = compute_password_element(data->grp, data->group_num,
  270. password, password_len,
  271. data->id_server, data->id_server_len,
  272. data->id_peer, data->id_peer_len,
  273. id->token);
  274. os_memset(pwhashhash, 0, sizeof(pwhashhash));
  275. if (res) {
  276. wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to compute PWE");
  277. eap_pwd_state(data, FAILURE);
  278. return;
  279. }
  280. wpa_printf(MSG_DEBUG, "EAP-PWD (peer): computed %d bit PWE...",
  281. BN_num_bits(data->grp->prime));
  282. data->outbuf = wpabuf_alloc(sizeof(struct eap_pwd_id) +
  283. data->id_peer_len);
  284. if (data->outbuf == NULL) {
  285. eap_pwd_state(data, FAILURE);
  286. return;
  287. }
  288. wpabuf_put_be16(data->outbuf, data->group_num);
  289. wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_RAND_FUNC);
  290. wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_PRF);
  291. wpabuf_put_data(data->outbuf, id->token, sizeof(id->token));
  292. wpabuf_put_u8(data->outbuf, EAP_PWD_PREP_NONE);
  293. wpabuf_put_data(data->outbuf, data->id_peer, data->id_peer_len);
  294. eap_pwd_state(data, PWD_Commit_Req);
  295. }
  296. static void
  297. eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
  298. struct eap_method_ret *ret,
  299. const struct wpabuf *reqData,
  300. const u8 *payload, size_t payload_len)
  301. {
  302. EC_POINT *K = NULL, *point = NULL;
  303. BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
  304. u16 offset;
  305. u8 *ptr, *scalar = NULL, *element = NULL;
  306. size_t prime_len, order_len;
  307. if (data->state != PWD_Commit_Req) {
  308. ret->ignore = TRUE;
  309. goto fin;
  310. }
  311. prime_len = BN_num_bytes(data->grp->prime);
  312. order_len = BN_num_bytes(data->grp->order);
  313. if (payload_len != 2 * prime_len + order_len) {
  314. wpa_printf(MSG_INFO,
  315. "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
  316. (unsigned int) payload_len,
  317. (unsigned int) (2 * prime_len + order_len));
  318. goto fin;
  319. }
  320. if (((data->private_value = BN_new()) == NULL) ||
  321. ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
  322. ((cofactor = BN_new()) == NULL) ||
  323. ((data->my_scalar = BN_new()) == NULL) ||
  324. ((mask = BN_new()) == NULL)) {
  325. wpa_printf(MSG_INFO, "EAP-PWD (peer): scalar allocation fail");
  326. goto fin;
  327. }
  328. if (!EC_GROUP_get_cofactor(data->grp->group, cofactor, NULL)) {
  329. wpa_printf(MSG_INFO, "EAP-pwd (peer): unable to get cofactor "
  330. "for curve");
  331. goto fin;
  332. }
  333. if (BN_rand_range(data->private_value, data->grp->order) != 1 ||
  334. BN_rand_range(mask, data->grp->order) != 1 ||
  335. BN_add(data->my_scalar, data->private_value, mask) != 1 ||
  336. BN_mod(data->my_scalar, data->my_scalar, data->grp->order,
  337. data->bnctx) != 1) {
  338. wpa_printf(MSG_INFO,
  339. "EAP-pwd (peer): unable to get randomness");
  340. goto fin;
  341. }
  342. if (!EC_POINT_mul(data->grp->group, data->my_element, NULL,
  343. data->grp->pwe, mask, data->bnctx)) {
  344. wpa_printf(MSG_INFO, "EAP-PWD (peer): element allocation "
  345. "fail");
  346. eap_pwd_state(data, FAILURE);
  347. goto fin;
  348. }
  349. if (!EC_POINT_invert(data->grp->group, data->my_element, data->bnctx))
  350. {
  351. wpa_printf(MSG_INFO, "EAP-PWD (peer): element inversion fail");
  352. goto fin;
  353. }
  354. BN_clear_free(mask);
  355. if (((x = BN_new()) == NULL) ||
  356. ((y = BN_new()) == NULL)) {
  357. wpa_printf(MSG_INFO, "EAP-PWD (peer): point allocation fail");
  358. goto fin;
  359. }
  360. /* process the request */
  361. if (((data->server_scalar = BN_new()) == NULL) ||
  362. ((data->k = BN_new()) == NULL) ||
  363. ((K = EC_POINT_new(data->grp->group)) == NULL) ||
  364. ((point = EC_POINT_new(data->grp->group)) == NULL) ||
  365. ((data->server_element = EC_POINT_new(data->grp->group)) == NULL))
  366. {
  367. wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
  368. "fail");
  369. goto fin;
  370. }
  371. /* element, x then y, followed by scalar */
  372. ptr = (u8 *) payload;
  373. BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), x);
  374. ptr += BN_num_bytes(data->grp->prime);
  375. BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), y);
  376. ptr += BN_num_bytes(data->grp->prime);
  377. BN_bin2bn(ptr, BN_num_bytes(data->grp->order), data->server_scalar);
  378. if (!EC_POINT_set_affine_coordinates_GFp(data->grp->group,
  379. data->server_element, x, y,
  380. data->bnctx)) {
  381. wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
  382. "fail");
  383. goto fin;
  384. }
  385. /* check to ensure server's element is not in a small sub-group */
  386. if (BN_cmp(cofactor, BN_value_one())) {
  387. if (!EC_POINT_mul(data->grp->group, point, NULL,
  388. data->server_element, cofactor, NULL)) {
  389. wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
  390. "server element by order!\n");
  391. goto fin;
  392. }
  393. if (EC_POINT_is_at_infinity(data->grp->group, point)) {
  394. wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
  395. "is at infinity!\n");
  396. goto fin;
  397. }
  398. }
  399. /* compute the shared key, k */
  400. if ((!EC_POINT_mul(data->grp->group, K, NULL, data->grp->pwe,
  401. data->server_scalar, data->bnctx)) ||
  402. (!EC_POINT_add(data->grp->group, K, K, data->server_element,
  403. data->bnctx)) ||
  404. (!EC_POINT_mul(data->grp->group, K, NULL, K, data->private_value,
  405. data->bnctx))) {
  406. wpa_printf(MSG_INFO, "EAP-PWD (peer): computing shared key "
  407. "fail");
  408. goto fin;
  409. }
  410. /* ensure that the shared key isn't in a small sub-group */
  411. if (BN_cmp(cofactor, BN_value_one())) {
  412. if (!EC_POINT_mul(data->grp->group, K, NULL, K, cofactor,
  413. NULL)) {
  414. wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
  415. "shared key point by order");
  416. goto fin;
  417. }
  418. }
  419. /*
  420. * This check is strictly speaking just for the case above where
  421. * co-factor > 1 but it was suggested that even though this is probably
  422. * never going to happen it is a simple and safe check "just to be
  423. * sure" so let's be safe.
  424. */
  425. if (EC_POINT_is_at_infinity(data->grp->group, K)) {
  426. wpa_printf(MSG_INFO, "EAP-PWD (peer): shared key point is at "
  427. "infinity!\n");
  428. goto fin;
  429. }
  430. if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, K, data->k,
  431. NULL, data->bnctx)) {
  432. wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to extract "
  433. "shared secret from point");
  434. goto fin;
  435. }
  436. /* now do the response */
  437. if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
  438. data->my_element, x, y,
  439. data->bnctx)) {
  440. wpa_printf(MSG_INFO, "EAP-PWD (peer): point assignment fail");
  441. goto fin;
  442. }
  443. if (((scalar = os_malloc(BN_num_bytes(data->grp->order))) == NULL) ||
  444. ((element = os_malloc(BN_num_bytes(data->grp->prime) * 2)) ==
  445. NULL)) {
  446. wpa_printf(MSG_INFO, "EAP-PWD (peer): data allocation fail");
  447. goto fin;
  448. }
  449. /*
  450. * bignums occupy as little memory as possible so one that is
  451. * sufficiently smaller than the prime or order might need pre-pending
  452. * with zeros.
  453. */
  454. os_memset(scalar, 0, BN_num_bytes(data->grp->order));
  455. os_memset(element, 0, BN_num_bytes(data->grp->prime) * 2);
  456. offset = BN_num_bytes(data->grp->order) -
  457. BN_num_bytes(data->my_scalar);
  458. BN_bn2bin(data->my_scalar, scalar + offset);
  459. offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
  460. BN_bn2bin(x, element + offset);
  461. offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
  462. BN_bn2bin(y, element + BN_num_bytes(data->grp->prime) + offset);
  463. data->outbuf = wpabuf_alloc(BN_num_bytes(data->grp->order) +
  464. 2 * BN_num_bytes(data->grp->prime));
  465. if (data->outbuf == NULL)
  466. goto fin;
  467. /* we send the element as (x,y) follwed by the scalar */
  468. wpabuf_put_data(data->outbuf, element,
  469. 2 * BN_num_bytes(data->grp->prime));
  470. wpabuf_put_data(data->outbuf, scalar, BN_num_bytes(data->grp->order));
  471. fin:
  472. os_free(scalar);
  473. os_free(element);
  474. BN_clear_free(x);
  475. BN_clear_free(y);
  476. BN_clear_free(cofactor);
  477. EC_POINT_clear_free(K);
  478. EC_POINT_clear_free(point);
  479. if (data->outbuf == NULL)
  480. eap_pwd_state(data, FAILURE);
  481. else
  482. eap_pwd_state(data, PWD_Confirm_Req);
  483. }
  484. static void
  485. eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
  486. struct eap_method_ret *ret,
  487. const struct wpabuf *reqData,
  488. const u8 *payload, size_t payload_len)
  489. {
  490. BIGNUM *x = NULL, *y = NULL;
  491. struct crypto_hash *hash;
  492. u32 cs;
  493. u16 grp;
  494. u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
  495. int offset;
  496. if (data->state != PWD_Confirm_Req) {
  497. ret->ignore = TRUE;
  498. goto fin;
  499. }
  500. if (payload_len != SHA256_MAC_LEN) {
  501. wpa_printf(MSG_INFO,
  502. "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
  503. (unsigned int) payload_len, SHA256_MAC_LEN);
  504. goto fin;
  505. }
  506. /*
  507. * first build up the ciphersuite which is group | random_function |
  508. * prf
  509. */
  510. grp = htons(data->group_num);
  511. ptr = (u8 *) &cs;
  512. os_memcpy(ptr, &grp, sizeof(u16));
  513. ptr += sizeof(u16);
  514. *ptr = EAP_PWD_DEFAULT_RAND_FUNC;
  515. ptr += sizeof(u8);
  516. *ptr = EAP_PWD_DEFAULT_PRF;
  517. /* each component of the cruft will be at most as big as the prime */
  518. if (((cruft = os_malloc(BN_num_bytes(data->grp->prime))) == NULL) ||
  519. ((x = BN_new()) == NULL) || ((y = BN_new()) == NULL)) {
  520. wpa_printf(MSG_INFO, "EAP-PWD (server): confirm allocation "
  521. "fail");
  522. goto fin;
  523. }
  524. /*
  525. * server's commit is H(k | server_element | server_scalar |
  526. * peer_element | peer_scalar | ciphersuite)
  527. */
  528. hash = eap_pwd_h_init();
  529. if (hash == NULL)
  530. goto fin;
  531. /*
  532. * zero the memory each time because this is mod prime math and some
  533. * value may start with a few zeros and the previous one did not.
  534. */
  535. os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
  536. offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
  537. BN_bn2bin(data->k, cruft + offset);
  538. eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
  539. /* server element: x, y */
  540. if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
  541. data->server_element, x, y,
  542. data->bnctx)) {
  543. wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
  544. "assignment fail");
  545. goto fin;
  546. }
  547. os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
  548. offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
  549. BN_bn2bin(x, cruft + offset);
  550. eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
  551. os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
  552. offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
  553. BN_bn2bin(y, cruft + offset);
  554. eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
  555. /* server scalar */
  556. os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
  557. offset = BN_num_bytes(data->grp->order) -
  558. BN_num_bytes(data->server_scalar);
  559. BN_bn2bin(data->server_scalar, cruft + offset);
  560. eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
  561. /* my element: x, y */
  562. if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
  563. data->my_element, x, y,
  564. data->bnctx)) {
  565. wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
  566. "assignment fail");
  567. goto fin;
  568. }
  569. os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
  570. offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
  571. BN_bn2bin(x, cruft + offset);
  572. eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
  573. os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
  574. offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
  575. BN_bn2bin(y, cruft + offset);
  576. eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
  577. /* my scalar */
  578. os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
  579. offset = BN_num_bytes(data->grp->order) -
  580. BN_num_bytes(data->my_scalar);
  581. BN_bn2bin(data->my_scalar, cruft + offset);
  582. eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
  583. /* the ciphersuite */
  584. eap_pwd_h_update(hash, (u8 *) &cs, sizeof(u32));
  585. /* random function fin */
  586. eap_pwd_h_final(hash, conf);
  587. ptr = (u8 *) payload;
  588. if (os_memcmp_const(conf, ptr, SHA256_MAC_LEN)) {
  589. wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm did not verify");
  590. goto fin;
  591. }
  592. wpa_printf(MSG_DEBUG, "EAP-pwd (peer): confirm verified");
  593. /*
  594. * compute confirm:
  595. * H(k | peer_element | peer_scalar | server_element | server_scalar |
  596. * ciphersuite)
  597. */
  598. hash = eap_pwd_h_init();
  599. if (hash == NULL)
  600. goto fin;
  601. /* k */
  602. os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
  603. offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
  604. BN_bn2bin(data->k, cruft + offset);
  605. eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
  606. /* my element */
  607. if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
  608. data->my_element, x, y,
  609. data->bnctx)) {
  610. wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm point "
  611. "assignment fail");
  612. goto fin;
  613. }
  614. os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
  615. offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
  616. BN_bn2bin(x, cruft + offset);
  617. eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
  618. os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
  619. offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
  620. BN_bn2bin(y, cruft + offset);
  621. eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
  622. /* my scalar */
  623. os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
  624. offset = BN_num_bytes(data->grp->order) -
  625. BN_num_bytes(data->my_scalar);
  626. BN_bn2bin(data->my_scalar, cruft + offset);
  627. eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
  628. /* server element: x, y */
  629. if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
  630. data->server_element, x, y,
  631. data->bnctx)) {
  632. wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm point "
  633. "assignment fail");
  634. goto fin;
  635. }
  636. os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
  637. offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
  638. BN_bn2bin(x, cruft + offset);
  639. eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
  640. os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
  641. offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
  642. BN_bn2bin(y, cruft + offset);
  643. eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
  644. /* server scalar */
  645. os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
  646. offset = BN_num_bytes(data->grp->order) -
  647. BN_num_bytes(data->server_scalar);
  648. BN_bn2bin(data->server_scalar, cruft + offset);
  649. eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
  650. /* the ciphersuite */
  651. eap_pwd_h_update(hash, (u8 *) &cs, sizeof(u32));
  652. /* all done */
  653. eap_pwd_h_final(hash, conf);
  654. if (compute_keys(data->grp, data->bnctx, data->k,
  655. data->my_scalar, data->server_scalar, conf, ptr,
  656. &cs, data->msk, data->emsk, data->session_id) < 0) {
  657. wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to compute MSK | "
  658. "EMSK");
  659. goto fin;
  660. }
  661. data->outbuf = wpabuf_alloc(SHA256_MAC_LEN);
  662. if (data->outbuf == NULL)
  663. goto fin;
  664. wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
  665. fin:
  666. bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
  667. BN_clear_free(x);
  668. BN_clear_free(y);
  669. if (data->outbuf == NULL) {
  670. ret->methodState = METHOD_DONE;
  671. ret->decision = DECISION_FAIL;
  672. eap_pwd_state(data, FAILURE);
  673. } else {
  674. eap_pwd_state(data, SUCCESS_ON_FRAG_COMPLETION);
  675. }
  676. }
  677. static struct wpabuf *
  678. eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
  679. const struct wpabuf *reqData)
  680. {
  681. struct eap_pwd_data *data = priv;
  682. struct wpabuf *resp = NULL;
  683. const u8 *pos, *buf;
  684. size_t len;
  685. u16 tot_len = 0;
  686. u8 lm_exch;
  687. pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PWD, reqData, &len);
  688. if ((pos == NULL) || (len < 1)) {
  689. wpa_printf(MSG_DEBUG, "EAP-pwd: Got a frame but pos is %s and "
  690. "len is %d",
  691. pos == NULL ? "NULL" : "not NULL", (int) len);
  692. ret->ignore = TRUE;
  693. return NULL;
  694. }
  695. ret->ignore = FALSE;
  696. ret->methodState = METHOD_MAY_CONT;
  697. ret->decision = DECISION_FAIL;
  698. ret->allowNotifications = FALSE;
  699. lm_exch = *pos;
  700. pos++; /* skip over the bits and the exch */
  701. len--;
  702. /*
  703. * we're fragmenting so send out the next fragment
  704. */
  705. if (data->out_frag_pos) {
  706. /*
  707. * this should be an ACK
  708. */
  709. if (len)
  710. wpa_printf(MSG_INFO, "Bad Response! Fragmenting but "
  711. "not an ACK");
  712. wpa_printf(MSG_DEBUG, "EAP-pwd: Got an ACK for a fragment");
  713. /*
  714. * check if there are going to be more fragments
  715. */
  716. len = wpabuf_len(data->outbuf) - data->out_frag_pos;
  717. if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
  718. len = data->mtu - EAP_PWD_HDR_SIZE;
  719. EAP_PWD_SET_MORE_BIT(lm_exch);
  720. }
  721. resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
  722. EAP_PWD_HDR_SIZE + len,
  723. EAP_CODE_RESPONSE, eap_get_id(reqData));
  724. if (resp == NULL) {
  725. wpa_printf(MSG_INFO, "Unable to allocate memory for "
  726. "next fragment!");
  727. return NULL;
  728. }
  729. wpabuf_put_u8(resp, lm_exch);
  730. buf = wpabuf_head_u8(data->outbuf);
  731. wpabuf_put_data(resp, buf + data->out_frag_pos, len);
  732. data->out_frag_pos += len;
  733. /*
  734. * this is the last fragment so get rid of the out buffer
  735. */
  736. if (data->out_frag_pos >= wpabuf_len(data->outbuf)) {
  737. wpabuf_free(data->outbuf);
  738. data->outbuf = NULL;
  739. data->out_frag_pos = 0;
  740. }
  741. wpa_printf(MSG_DEBUG, "EAP-pwd: Send %s fragment of %d bytes",
  742. data->out_frag_pos == 0 ? "last" : "next",
  743. (int) len);
  744. if (data->state == SUCCESS_ON_FRAG_COMPLETION) {
  745. ret->methodState = METHOD_DONE;
  746. ret->decision = DECISION_UNCOND_SUCC;
  747. eap_pwd_state(data, SUCCESS);
  748. }
  749. return resp;
  750. }
  751. /*
  752. * see if this is a fragment that needs buffering
  753. *
  754. * if it's the first fragment there'll be a length field
  755. */
  756. if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
  757. if (len < 2) {
  758. wpa_printf(MSG_DEBUG,
  759. "EAP-pwd: Frame too short to contain Total-Length field");
  760. ret->ignore = TRUE;
  761. return NULL;
  762. }
  763. tot_len = WPA_GET_BE16(pos);
  764. wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
  765. "total length = %d", tot_len);
  766. if (tot_len > 15000)
  767. return NULL;
  768. if (data->inbuf) {
  769. wpa_printf(MSG_DEBUG,
  770. "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
  771. ret->ignore = TRUE;
  772. return NULL;
  773. }
  774. data->inbuf = wpabuf_alloc(tot_len);
  775. if (data->inbuf == NULL) {
  776. wpa_printf(MSG_INFO, "Out of memory to buffer "
  777. "fragments!");
  778. return NULL;
  779. }
  780. data->in_frag_pos = 0;
  781. pos += sizeof(u16);
  782. len -= sizeof(u16);
  783. }
  784. /*
  785. * buffer and ACK the fragment
  786. */
  787. if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
  788. data->in_frag_pos += len;
  789. if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
  790. wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
  791. "detected (%d vs. %d)!",
  792. (int) data->in_frag_pos,
  793. (int) wpabuf_len(data->inbuf));
  794. wpabuf_free(data->inbuf);
  795. data->inbuf = NULL;
  796. data->in_frag_pos = 0;
  797. return NULL;
  798. }
  799. wpabuf_put_data(data->inbuf, pos, len);
  800. resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
  801. EAP_PWD_HDR_SIZE,
  802. EAP_CODE_RESPONSE, eap_get_id(reqData));
  803. if (resp != NULL)
  804. wpabuf_put_u8(resp, (EAP_PWD_GET_EXCHANGE(lm_exch)));
  805. wpa_printf(MSG_DEBUG, "EAP-pwd: ACKing a %d byte fragment",
  806. (int) len);
  807. return resp;
  808. }
  809. /*
  810. * we're buffering and this is the last fragment
  811. */
  812. if (data->in_frag_pos) {
  813. wpabuf_put_data(data->inbuf, pos, len);
  814. wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
  815. (int) len);
  816. data->in_frag_pos += len;
  817. pos = wpabuf_head_u8(data->inbuf);
  818. len = data->in_frag_pos;
  819. }
  820. wpa_printf(MSG_DEBUG, "EAP-pwd: processing frame: exch %d, len %d",
  821. EAP_PWD_GET_EXCHANGE(lm_exch), (int) len);
  822. switch (EAP_PWD_GET_EXCHANGE(lm_exch)) {
  823. case EAP_PWD_OPCODE_ID_EXCH:
  824. eap_pwd_perform_id_exchange(sm, data, ret, reqData,
  825. pos, len);
  826. break;
  827. case EAP_PWD_OPCODE_COMMIT_EXCH:
  828. eap_pwd_perform_commit_exchange(sm, data, ret, reqData,
  829. pos, len);
  830. break;
  831. case EAP_PWD_OPCODE_CONFIRM_EXCH:
  832. eap_pwd_perform_confirm_exchange(sm, data, ret, reqData,
  833. pos, len);
  834. break;
  835. default:
  836. wpa_printf(MSG_INFO, "EAP-pwd: Ignoring message with unknown "
  837. "opcode %d", lm_exch);
  838. break;
  839. }
  840. /*
  841. * if we buffered the just processed input now's the time to free it
  842. */
  843. if (data->in_frag_pos) {
  844. wpabuf_free(data->inbuf);
  845. data->inbuf = NULL;
  846. data->in_frag_pos = 0;
  847. }
  848. if (data->outbuf == NULL) {
  849. ret->methodState = METHOD_DONE;
  850. ret->decision = DECISION_FAIL;
  851. return NULL; /* generic failure */
  852. }
  853. /*
  854. * we have output! Do we need to fragment it?
  855. */
  856. lm_exch = EAP_PWD_GET_EXCHANGE(lm_exch);
  857. len = wpabuf_len(data->outbuf);
  858. if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
  859. resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu,
  860. EAP_CODE_RESPONSE, eap_get_id(reqData));
  861. /*
  862. * if so it's the first so include a length field
  863. */
  864. EAP_PWD_SET_LENGTH_BIT(lm_exch);
  865. EAP_PWD_SET_MORE_BIT(lm_exch);
  866. tot_len = len;
  867. /*
  868. * keep the packet at the MTU
  869. */
  870. len = data->mtu - EAP_PWD_HDR_SIZE - sizeof(u16);
  871. wpa_printf(MSG_DEBUG, "EAP-pwd: Fragmenting output, total "
  872. "length = %d", tot_len);
  873. } else {
  874. resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
  875. EAP_PWD_HDR_SIZE + len,
  876. EAP_CODE_RESPONSE, eap_get_id(reqData));
  877. }
  878. if (resp == NULL)
  879. return NULL;
  880. wpabuf_put_u8(resp, lm_exch);
  881. if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
  882. wpabuf_put_be16(resp, tot_len);
  883. data->out_frag_pos += len;
  884. }
  885. buf = wpabuf_head_u8(data->outbuf);
  886. wpabuf_put_data(resp, buf, len);
  887. /*
  888. * if we're not fragmenting then there's no need to carry this around
  889. */
  890. if (data->out_frag_pos == 0) {
  891. wpabuf_free(data->outbuf);
  892. data->outbuf = NULL;
  893. data->out_frag_pos = 0;
  894. if (data->state == SUCCESS_ON_FRAG_COMPLETION) {
  895. ret->methodState = METHOD_DONE;
  896. ret->decision = DECISION_UNCOND_SUCC;
  897. eap_pwd_state(data, SUCCESS);
  898. }
  899. }
  900. return resp;
  901. }
  902. static Boolean eap_pwd_key_available(struct eap_sm *sm, void *priv)
  903. {
  904. struct eap_pwd_data *data = priv;
  905. return data->state == SUCCESS;
  906. }
  907. static u8 * eap_pwd_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
  908. {
  909. struct eap_pwd_data *data = priv;
  910. u8 *key;
  911. if (data->state != SUCCESS)
  912. return NULL;
  913. if ((key = os_malloc(EAP_EMSK_LEN)) == NULL)
  914. return NULL;
  915. os_memcpy(key, data->emsk, EAP_EMSK_LEN);
  916. *len = EAP_EMSK_LEN;
  917. return key;
  918. }
  919. int eap_peer_pwd_register(void)
  920. {
  921. struct eap_method *eap;
  922. int ret;
  923. eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
  924. EAP_VENDOR_IETF, EAP_TYPE_PWD, "PWD");
  925. if (eap == NULL)
  926. return -1;
  927. eap->init = eap_pwd_init;
  928. eap->deinit = eap_pwd_deinit;
  929. eap->process = eap_pwd_process;
  930. eap->isKeyAvailable = eap_pwd_key_available;
  931. eap->getKey = eap_pwd_getkey;
  932. eap->getSessionId = eap_pwd_get_session_id;
  933. eap->get_emsk = eap_pwd_get_emsk;
  934. ret = eap_peer_method_register(eap);
  935. if (ret)
  936. eap_peer_method_free(eap);
  937. return ret;
  938. }