contrib/wpa/src/eap_peer/eap_pwd.c

   1 /*
   2  * EAP peer method: EAP-pwd (RFC 5931)
   3  * Copyright (c) 2010, Dan Harkins <dharkins@lounge.org>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include "common.h"
  12 #include "crypto/sha256.h"
  13 #include "eap_peer/eap_i.h"
  14 #include "eap_common/eap_pwd_common.h"
  15
  16
  17 struct eap_pwd_data {
  18         enum {
  19                 PWD_ID_Req, PWD_Commit_Req, PWD_Confirm_Req,
  20                 SUCCESS_ON_FRAG_COMPLETION, SUCCESS, FAILURE
  21         } state;
  22         u8 *id_peer;
  23         size_t id_peer_len;
  24         u8 *id_server;
  25         size_t id_server_len;
  26         u8 *password;
  27         size_t password_len;
  28         u16 group_num;
  29         EAP_PWD_group *grp;
  30
  31         struct wpabuf *inbuf;
  32         size_t in_frag_pos;
  33         struct wpabuf *outbuf;
  34         size_t out_frag_pos;
  35         size_t mtu;
  36
  37         BIGNUM *k;
  38         BIGNUM *private_value;
  39         BIGNUM *server_scalar;
  40         BIGNUM *my_scalar;
  41         EC_POINT *my_element;
  42         EC_POINT *server_element;
  43
  44         u8 msk[EAP_MSK_LEN];
  45         u8 emsk[EAP_EMSK_LEN];
  46         u8 session_id[1 + SHA256_MAC_LEN];
  47
  48         BN_CTX *bnctx;
  49 };
  50
  51
  52 #ifndef CONFIG_NO_STDOUT_DEBUG
  53 static const char * eap_pwd_state_txt(int state)
  54 {
  55         switch (state) {
  56         case PWD_ID_Req:
  57                 return "PWD-ID-Req";
  58         case PWD_Commit_Req:
  59                 return "PWD-Commit-Req";
  60         case PWD_Confirm_Req:
  61                 return "PWD-Confirm-Req";
  62         case SUCCESS_ON_FRAG_COMPLETION:
  63                 return "SUCCESS_ON_FRAG_COMPLETION";
  64         case SUCCESS:
  65                 return "SUCCESS";
  66         case FAILURE:
  67                 return "FAILURE";
  68         default:
  69                 return "PWD-UNK";
  70         }
  71 }
  72 #endif  /* CONFIG_NO_STDOUT_DEBUG */
  73
  74
  75 static void eap_pwd_state(struct eap_pwd_data *data, int state)
  76 {
  77         wpa_printf(MSG_DEBUG, "EAP-PWD: %s -> %s",
  78                    eap_pwd_state_txt(data->state), eap_pwd_state_txt(state));
  79         data->state = state;
  80 }
  81
  82
  83 static void * eap_pwd_init(struct eap_sm *sm)
  84 {
  85         struct eap_pwd_data *data;
  86         const u8 *identity, *password;
  87         size_t identity_len, password_len;
  88         int fragment_size;
  89
  90         password = eap_get_config_password(sm, &password_len);
  91         if (password == NULL) {
  92                 wpa_printf(MSG_INFO, "EAP-PWD: No password configured!");
  93                 return NULL;
  94         }
  95
  96         identity = eap_get_config_identity(sm, &identity_len);
  97         if (identity == NULL) {
  98                 wpa_printf(MSG_INFO, "EAP-PWD: No identity configured!");
  99                 return NULL;
 100         }
 101
 102         if ((data = os_zalloc(sizeof(*data))) == NULL) {
 103                 wpa_printf(MSG_INFO, "EAP-PWD: memory allocation data fail");
 104                 return NULL;
 105         }
 106
 107         if ((data->bnctx = BN_CTX_new()) == NULL) {
 108                 wpa_printf(MSG_INFO, "EAP-PWD: bn context allocation fail");
 109                 os_free(data);
 110                 return NULL;
 111         }
 112
 113         if ((data->id_peer = os_malloc(identity_len)) == NULL) {
 114                 wpa_printf(MSG_INFO, "EAP-PWD: memory allocation id fail");
 115                 BN_CTX_free(data->bnctx);
 116                 os_free(data);
 117                 return NULL;
 118         }
 119
 120         os_memcpy(data->id_peer, identity, identity_len);
 121         data->id_peer_len = identity_len;
 122
 123         if ((data->password = os_malloc(password_len)) == NULL) {
 124                 wpa_printf(MSG_INFO, "EAP-PWD: memory allocation psk fail");
 125                 BN_CTX_free(data->bnctx);
 126                 bin_clear_free(data->id_peer, data->id_peer_len);
 127                 os_free(data);
 128                 return NULL;
 129         }
 130         os_memcpy(data->password, password, password_len);
 131         data->password_len = password_len;
 132
 133         data->out_frag_pos = data->in_frag_pos = 0;
 134         data->inbuf = data->outbuf = NULL;
 135         fragment_size = eap_get_config_fragment_size(sm);
 136         if (fragment_size <= 0)
 137                 data->mtu = 1020; /* default from RFC 5931 */
 138         else
 139                 data->mtu = fragment_size;
 140
 141         data->state = PWD_ID_Req;
 142
 143         return data;
 144 }
 145
 146
 147 static void eap_pwd_deinit(struct eap_sm *sm, void *priv)
 148 {
 149         struct eap_pwd_data *data = priv;
 150
 151         BN_clear_free(data->private_value);
 152         BN_clear_free(data->server_scalar);
 153         BN_clear_free(data->my_scalar);
 154         BN_clear_free(data->k);
 155         BN_CTX_free(data->bnctx);
 156         EC_POINT_clear_free(data->my_element);
 157         EC_POINT_clear_free(data->server_element);
 158         bin_clear_free(data->id_peer, data->id_peer_len);
 159         bin_clear_free(data->id_server, data->id_server_len);
 160         bin_clear_free(data->password, data->password_len);
 161         if (data->grp) {
 162                 EC_GROUP_free(data->grp->group);
 163                 EC_POINT_clear_free(data->grp->pwe);
 164                 BN_clear_free(data->grp->order);
 165                 BN_clear_free(data->grp->prime);
 166                 os_free(data->grp);
 167         }
 168         wpabuf_free(data->inbuf);
 169         wpabuf_free(data->outbuf);
 170         bin_clear_free(data, sizeof(*data));
 171 }
 172
 173
 174 static u8 * eap_pwd_getkey(struct eap_sm *sm, void *priv, size_t *len)
 175 {
 176         struct eap_pwd_data *data = priv;
 177         u8 *key;
 178
 179         if (data->state != SUCCESS)
 180                 return NULL;
 181
 182         key = os_malloc(EAP_MSK_LEN);
 183         if (key == NULL)
 184                 return NULL;
 185
 186         os_memcpy(key, data->msk, EAP_MSK_LEN);
 187         *len = EAP_MSK_LEN;
 188
 189         return key;
 190 }
 191
 192
 193 static u8 * eap_pwd_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
 194 {
 195         struct eap_pwd_data *data = priv;
 196         u8 *id;
 197
 198         if (data->state != SUCCESS)
 199                 return NULL;
 200
 201         id = os_malloc(1 + SHA256_MAC_LEN);
 202         if (id == NULL)
 203                 return NULL;
 204
 205         os_memcpy(id, data->session_id, 1 + SHA256_MAC_LEN);
 206         *len = 1 + SHA256_MAC_LEN;
 207
 208         return id;
 209 }
 210
 211
 212 static void
 213 eap_pwd_perform_id_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 214                             struct eap_method_ret *ret,
 215                             const struct wpabuf *reqData,
 216                             const u8 *payload, size_t payload_len)
 217 {
 218         struct eap_pwd_id *id;
 219
 220         if (data->state != PWD_ID_Req) {
 221                 ret->ignore = TRUE;
 222                 eap_pwd_state(data, FAILURE);
 223                 return;
 224         }
 225
 226         if (payload_len < sizeof(struct eap_pwd_id)) {
 227                 ret->ignore = TRUE;
 228                 eap_pwd_state(data, FAILURE);
 229                 return;
 230         }
 231
 232         id = (struct eap_pwd_id *) payload;
 233         data->group_num = be_to_host16(id->group_num);
 234         if ((id->random_function != EAP_PWD_DEFAULT_RAND_FUNC) ||
 235             (id->prf != EAP_PWD_DEFAULT_PRF)) {
 236                 ret->ignore = TRUE;
 237                 eap_pwd_state(data, FAILURE);
 238                 return;
 239         }
 240
 241         wpa_printf(MSG_DEBUG, "EAP-PWD (peer): using group %d",
 242                    data->group_num);
 243
 244         data->id_server = os_malloc(payload_len - sizeof(struct eap_pwd_id));
 245         if (data->id_server == NULL) {
 246                 wpa_printf(MSG_INFO, "EAP-PWD: memory allocation id fail");
 247                 eap_pwd_state(data, FAILURE);
 248                 return;
 249         }
 250         data->id_server_len = payload_len - sizeof(struct eap_pwd_id);
 251         os_memcpy(data->id_server, id->identity, data->id_server_len);
 252         wpa_hexdump_ascii(MSG_INFO, "EAP-PWD (peer): server sent id of",
 253                           data->id_server, data->id_server_len);
 254
 255         data->grp = os_zalloc(sizeof(EAP_PWD_group));
 256         if (data->grp == NULL) {
 257                 wpa_printf(MSG_INFO, "EAP-PWD: failed to allocate memory for "
 258                            "group");
 259                 eap_pwd_state(data, FAILURE);
 260                 return;
 261         }
 262
 263         /* compute PWE */
 264         if (compute_password_element(data->grp, data->group_num,
 265                                      data->password, data->password_len,
 266                                      data->id_server, data->id_server_len,
 267                                      data->id_peer, data->id_peer_len,
 268                                      id->token)) {
 269                 wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to compute PWE");
 270                 eap_pwd_state(data, FAILURE);
 271                 return;
 272         }
 273
 274         wpa_printf(MSG_DEBUG, "EAP-PWD (peer): computed %d bit PWE...",
 275                    BN_num_bits(data->grp->prime));
 276
 277         data->outbuf = wpabuf_alloc(sizeof(struct eap_pwd_id) +
 278                                     data->id_peer_len);
 279         if (data->outbuf == NULL) {
 280                 eap_pwd_state(data, FAILURE);
 281                 return;
 282         }
 283         wpabuf_put_be16(data->outbuf, data->group_num);
 284         wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_RAND_FUNC);
 285         wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_PRF);
 286         wpabuf_put_data(data->outbuf, id->token, sizeof(id->token));
 287         wpabuf_put_u8(data->outbuf, EAP_PWD_PREP_NONE);
 288         wpabuf_put_data(data->outbuf, data->id_peer, data->id_peer_len);
 289
 290         eap_pwd_state(data, PWD_Commit_Req);
 291 }
 292
 293
 294 static void
 295 eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 296                                 struct eap_method_ret *ret,
 297                                 const struct wpabuf *reqData,
 298                                 const u8 *payload, size_t payload_len)
 299 {
 300         EC_POINT *K = NULL, *point = NULL;
 301         BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
 302         u16 offset;
 303         u8 *ptr, *scalar = NULL, *element = NULL;
 304
 305         if (((data->private_value = BN_new()) == NULL) ||
 306             ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
 307             ((cofactor = BN_new()) == NULL) ||
 308             ((data->my_scalar = BN_new()) == NULL) ||
 309             ((mask = BN_new()) == NULL)) {
 310                 wpa_printf(MSG_INFO, "EAP-PWD (peer): scalar allocation fail");
 311                 goto fin;
 312         }
 313
 314         if (!EC_GROUP_get_cofactor(data->grp->group, cofactor, NULL)) {
 315                 wpa_printf(MSG_INFO, "EAP-pwd (peer): unable to get cofactor "
 316                            "for curve");
 317                 goto fin;
 318         }
 319
 320         if (BN_rand_range(data->private_value, data->grp->order) != 1 ||
 321             BN_rand_range(mask, data->grp->order) != 1 ||
 322             BN_add(data->my_scalar, data->private_value, mask) != 1 ||
 323             BN_mod(data->my_scalar, data->my_scalar, data->grp->order,
 324                    data->bnctx) != 1) {
 325                 wpa_printf(MSG_INFO,
 326                            "EAP-pwd (peer): unable to get randomness");
 327                 goto fin;
 328         }
 329
 330         if (!EC_POINT_mul(data->grp->group, data->my_element, NULL,
 331                           data->grp->pwe, mask, data->bnctx)) {
 332                 wpa_printf(MSG_INFO, "EAP-PWD (peer): element allocation "
 333                            "fail");
 334                 eap_pwd_state(data, FAILURE);
 335                 goto fin;
 336         }
 337
 338         if (!EC_POINT_invert(data->grp->group, data->my_element, data->bnctx))
 339         {
 340                 wpa_printf(MSG_INFO, "EAP-PWD (peer): element inversion fail");
 341                 goto fin;
 342         }
 343         BN_clear_free(mask);
 344
 345         if (((x = BN_new()) == NULL) ||
 346             ((y = BN_new()) == NULL)) {
 347                 wpa_printf(MSG_INFO, "EAP-PWD (peer): point allocation fail");
 348                 goto fin;
 349         }
 350
 351         /* process the request */
 352         if (((data->server_scalar = BN_new()) == NULL) ||
 353             ((data->k = BN_new()) == NULL) ||
 354             ((K = EC_POINT_new(data->grp->group)) == NULL) ||
 355             ((point = EC_POINT_new(data->grp->group)) == NULL) ||
 356             ((data->server_element = EC_POINT_new(data->grp->group)) == NULL))
 357         {
 358                 wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
 359                            "fail");
 360                 goto fin;
 361         }
 362
 363         /* element, x then y, followed by scalar */
 364         ptr = (u8 *) payload;
 365         BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), x);
 366         ptr += BN_num_bytes(data->grp->prime);
 367         BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), y);
 368         ptr += BN_num_bytes(data->grp->prime);
 369         BN_bin2bn(ptr, BN_num_bytes(data->grp->order), data->server_scalar);
 370         if (!EC_POINT_set_affine_coordinates_GFp(data->grp->group,
 371                                                  data->server_element, x, y,
 372                                                  data->bnctx)) {
 373                 wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
 374                            "fail");
 375                 goto fin;
 376         }
 377
 378         /* check to ensure server's element is not in a small sub-group */
 379         if (BN_cmp(cofactor, BN_value_one())) {
 380                 if (!EC_POINT_mul(data->grp->group, point, NULL,
 381                                   data->server_element, cofactor, NULL)) {
 382                         wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
 383                                    "server element by order!\n");
 384                         goto fin;
 385                 }
 386                 if (EC_POINT_is_at_infinity(data->grp->group, point)) {
 387                         wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
 388                                    "is at infinity!\n");
 389                         goto fin;
 390                 }
 391         }
 392
 393         /* compute the shared key, k */
 394         if ((!EC_POINT_mul(data->grp->group, K, NULL, data->grp->pwe,
 395                            data->server_scalar, data->bnctx)) ||
 396             (!EC_POINT_add(data->grp->group, K, K, data->server_element,
 397                            data->bnctx)) ||
 398             (!EC_POINT_mul(data->grp->group, K, NULL, K, data->private_value,
 399                            data->bnctx))) {
 400                 wpa_printf(MSG_INFO, "EAP-PWD (peer): computing shared key "
 401                            "fail");
 402                 goto fin;
 403         }
 404
 405         /* ensure that the shared key isn't in a small sub-group */
 406         if (BN_cmp(cofactor, BN_value_one())) {
 407                 if (!EC_POINT_mul(data->grp->group, K, NULL, K, cofactor,
 408                                   NULL)) {
 409                         wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
 410                                    "shared key point by order");
 411                         goto fin;
 412                 }
 413         }
 414
 415         /*
 416          * This check is strictly speaking just for the case above where
 417          * co-factor > 1 but it was suggested that even though this is probably
 418          * never going to happen it is a simple and safe check "just to be
 419          * sure" so let's be safe.
 420          */
 421         if (EC_POINT_is_at_infinity(data->grp->group, K)) {
 422                 wpa_printf(MSG_INFO, "EAP-PWD (peer): shared key point is at "
 423                            "infinity!\n");
 424                 goto fin;
 425         }
 426
 427         if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, K, data->k,
 428                                                  NULL, data->bnctx)) {
 429                 wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to extract "
 430                            "shared secret from point");
 431                 goto fin;
 432         }
 433
 434         /* now do the response */
 435         if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
 436                                                  data->my_element, x, y,
 437                                                  data->bnctx)) {
 438                 wpa_printf(MSG_INFO, "EAP-PWD (peer): point assignment fail");
 439                 goto fin;
 440         }
 441
 442         if (((scalar = os_malloc(BN_num_bytes(data->grp->order))) == NULL) ||
 443             ((element = os_malloc(BN_num_bytes(data->grp->prime) * 2)) ==
 444              NULL)) {
 445                 wpa_printf(MSG_INFO, "EAP-PWD (peer): data allocation fail");
 446                 goto fin;
 447         }
 448
 449         /*
 450          * bignums occupy as little memory as possible so one that is
 451          * sufficiently smaller than the prime or order might need pre-pending
 452          * with zeros.
 453          */
 454         os_memset(scalar, 0, BN_num_bytes(data->grp->order));
 455         os_memset(element, 0, BN_num_bytes(data->grp->prime) * 2);
 456         offset = BN_num_bytes(data->grp->order) -
 457                 BN_num_bytes(data->my_scalar);
 458         BN_bn2bin(data->my_scalar, scalar + offset);
 459
 460         offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
 461         BN_bn2bin(x, element + offset);
 462         offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
 463         BN_bn2bin(y, element + BN_num_bytes(data->grp->prime) + offset);
 464
 465         data->outbuf = wpabuf_alloc(BN_num_bytes(data->grp->order) +
 466                                     2 * BN_num_bytes(data->grp->prime));
 467         if (data->outbuf == NULL)
 468                 goto fin;
 469
 470         /* we send the element as (x,y) follwed by the scalar */
 471         wpabuf_put_data(data->outbuf, element,
 472                         2 * BN_num_bytes(data->grp->prime));
 473         wpabuf_put_data(data->outbuf, scalar, BN_num_bytes(data->grp->order));
 474
 475 fin:
 476         os_free(scalar);
 477         os_free(element);
 478         BN_clear_free(x);
 479         BN_clear_free(y);
 480         BN_clear_free(cofactor);
 481         EC_POINT_clear_free(K);
 482         EC_POINT_clear_free(point);
 483         if (data->outbuf == NULL)
 484                 eap_pwd_state(data, FAILURE);
 485         else
 486                 eap_pwd_state(data, PWD_Confirm_Req);
 487 }
 488
 489
 490 static void
 491 eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
 492                                  struct eap_method_ret *ret,
 493                                  const struct wpabuf *reqData,
 494                                  const u8 *payload, size_t payload_len)
 495 {
 496         BIGNUM *x = NULL, *y = NULL;
 497         struct crypto_hash *hash;
 498         u32 cs;
 499         u16 grp;
 500         u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
 501         int offset;
 502
 503         /*
 504          * first build up the ciphersuite which is group | random_function |
 505          *      prf
 506          */
 507         grp = htons(data->group_num);
 508         ptr = (u8 *) &cs;
 509         os_memcpy(ptr, &grp, sizeof(u16));
 510         ptr += sizeof(u16);
 511         *ptr = EAP_PWD_DEFAULT_RAND_FUNC;
 512         ptr += sizeof(u8);
 513         *ptr = EAP_PWD_DEFAULT_PRF;
 514
 515         /* each component of the cruft will be at most as big as the prime */
 516         if (((cruft = os_malloc(BN_num_bytes(data->grp->prime))) == NULL) ||
 517             ((x = BN_new()) == NULL) || ((y = BN_new()) == NULL)) {
 518                 wpa_printf(MSG_INFO, "EAP-PWD (server): confirm allocation "
 519                            "fail");
 520                 goto fin;
 521         }
 522
 523         /*
 524          * server's commit is H(k | server_element | server_scalar |
 525          *                      peer_element | peer_scalar | ciphersuite)
 526          */
 527         hash = eap_pwd_h_init();
 528         if (hash == NULL)
 529                 goto fin;
 530
 531         /*
 532          * zero the memory each time because this is mod prime math and some
 533          * value may start with a few zeros and the previous one did not.
 534          */
 535         os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
 536         offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
 537         BN_bn2bin(data->k, cruft + offset);
 538         eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
 539
 540         /* server element: x, y */
 541         if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
 542                                                  data->server_element, x, y,
 543                                                  data->bnctx)) {
 544                 wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
 545                            "assignment fail");
 546                 goto fin;
 547         }
 548         os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
 549         offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
 550         BN_bn2bin(x, cruft + offset);
 551         eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
 552         os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
 553         offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
 554         BN_bn2bin(y, cruft + offset);
 555         eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
 556
 557         /* server scalar */
 558         os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
 559         offset = BN_num_bytes(data->grp->order) -
 560                 BN_num_bytes(data->server_scalar);
 561         BN_bn2bin(data->server_scalar, cruft + offset);
 562         eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
 563
 564         /* my element: x, y */
 565         if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
 566                                                  data->my_element, x, y,
 567                                                  data->bnctx)) {
 568                 wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
 569                            "assignment fail");
 570                 goto fin;
 571         }
 572
 573         os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
 574         offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
 575         BN_bn2bin(x, cruft + offset);
 576         eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
 577         os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
 578         offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
 579         BN_bn2bin(y, cruft + offset);
 580         eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
 581
 582         /* my scalar */
 583         os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
 584         offset = BN_num_bytes(data->grp->order) -
 585                 BN_num_bytes(data->my_scalar);
 586         BN_bn2bin(data->my_scalar, cruft + offset);
 587         eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
 588
 589         /* the ciphersuite */
 590         eap_pwd_h_update(hash, (u8 *) &cs, sizeof(u32));
 591
 592         /* random function fin */
 593         eap_pwd_h_final(hash, conf);
 594
 595         ptr = (u8 *) payload;
 596         if (os_memcmp_const(conf, ptr, SHA256_MAC_LEN)) {
 597                 wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm did not verify");
 598                 goto fin;
 599         }
 600
 601         wpa_printf(MSG_DEBUG, "EAP-pwd (peer): confirm verified");
 602
 603         /*
 604          * compute confirm:
 605          *  H(k | peer_element | peer_scalar | server_element | server_scalar |
 606          *    ciphersuite)
 607          */
 608         hash = eap_pwd_h_init();
 609         if (hash == NULL)
 610                 goto fin;
 611
 612         /* k */
 613         os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
 614         offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
 615         BN_bn2bin(data->k, cruft + offset);
 616         eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
 617
 618         /* my element */
 619         if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
 620                                                  data->my_element, x, y,
 621                                                  data->bnctx)) {
 622                 wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm point "
 623                            "assignment fail");
 624                 goto fin;
 625         }
 626         os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
 627         offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
 628         BN_bn2bin(x, cruft + offset);
 629         eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
 630         os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
 631         offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
 632         BN_bn2bin(y, cruft + offset);
 633         eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
 634
 635         /* my scalar */
 636         os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
 637         offset = BN_num_bytes(data->grp->order) -
 638                 BN_num_bytes(data->my_scalar);
 639         BN_bn2bin(data->my_scalar, cruft + offset);
 640         eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
 641
 642         /* server element: x, y */
 643         if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
 644                                                  data->server_element, x, y,
 645                                                  data->bnctx)) {
 646                 wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm point "
 647                            "assignment fail");
 648                 goto fin;
 649         }
 650         os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
 651         offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
 652         BN_bn2bin(x, cruft + offset);
 653         eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
 654         os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
 655         offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
 656         BN_bn2bin(y, cruft + offset);
 657         eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
 658
 659         /* server scalar */
 660         os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
 661         offset = BN_num_bytes(data->grp->order) -
 662                 BN_num_bytes(data->server_scalar);
 663         BN_bn2bin(data->server_scalar, cruft + offset);
 664         eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
 665
 666         /* the ciphersuite */
 667         eap_pwd_h_update(hash, (u8 *) &cs, sizeof(u32));
 668
 669         /* all done */
 670         eap_pwd_h_final(hash, conf);
 671
 672         if (compute_keys(data->grp, data->bnctx, data->k,
 673                          data->my_scalar, data->server_scalar, conf, ptr,
 674                          &cs, data->msk, data->emsk, data->session_id) < 0) {
 675                 wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to compute MSK | "
 676                            "EMSK");
 677                 goto fin;
 678         }
 679
 680         data->outbuf = wpabuf_alloc(SHA256_MAC_LEN);
 681         if (data->outbuf == NULL)
 682                 goto fin;
 683
 684         wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
 685
 686 fin:
 687         bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
 688         BN_clear_free(x);
 689         BN_clear_free(y);
 690         if (data->outbuf == NULL) {
 691                 ret->methodState = METHOD_DONE;
 692                 ret->decision = DECISION_FAIL;
 693                 eap_pwd_state(data, FAILURE);
 694         } else {
 695                 eap_pwd_state(data, SUCCESS_ON_FRAG_COMPLETION);
 696         }
 697 }
 698
 699
 700 static struct wpabuf *
 701 eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
 702                 const struct wpabuf *reqData)
 703 {
 704         struct eap_pwd_data *data = priv;
 705         struct wpabuf *resp = NULL;
 706         const u8 *pos, *buf;
 707         size_t len;
 708         u16 tot_len = 0;
 709         u8 lm_exch;
 710
 711         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PWD, reqData, &len);
 712         if ((pos == NULL) || (len < 1)) {
 713                 wpa_printf(MSG_DEBUG, "EAP-pwd: Got a frame but pos is %s and "
 714                            "len is %d",
 715                            pos == NULL ? "NULL" : "not NULL", (int) len);
 716                 ret->ignore = TRUE;
 717                 return NULL;
 718         }
 719
 720         ret->ignore = FALSE;
 721         ret->methodState = METHOD_MAY_CONT;
 722         ret->decision = DECISION_FAIL;
 723         ret->allowNotifications = FALSE;
 724
 725         lm_exch = *pos;
 726         pos++;                  /* skip over the bits and the exch */
 727         len--;
 728
 729         /*
 730          * we're fragmenting so send out the next fragment
 731          */
 732         if (data->out_frag_pos) {
 733                 /*
 734                  * this should be an ACK
 735                  */
 736                 if (len)
 737                         wpa_printf(MSG_INFO, "Bad Response! Fragmenting but "
 738                                    "not an ACK");
 739
 740                 wpa_printf(MSG_DEBUG, "EAP-pwd: Got an ACK for a fragment");
 741                 /*
 742                  * check if there are going to be more fragments
 743                  */
 744                 len = wpabuf_len(data->outbuf) - data->out_frag_pos;
 745                 if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
 746                         len = data->mtu - EAP_PWD_HDR_SIZE;
 747                         EAP_PWD_SET_MORE_BIT(lm_exch);
 748                 }
 749                 resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
 750                                      EAP_PWD_HDR_SIZE + len,
 751                                      EAP_CODE_RESPONSE, eap_get_id(reqData));
 752                 if (resp == NULL) {
 753                         wpa_printf(MSG_INFO, "Unable to allocate memory for "
 754                                    "next fragment!");
 755                         return NULL;
 756                 }
 757                 wpabuf_put_u8(resp, lm_exch);
 758                 buf = wpabuf_head_u8(data->outbuf);
 759                 wpabuf_put_data(resp, buf + data->out_frag_pos, len);
 760                 data->out_frag_pos += len;
 761                 /*
 762                  * this is the last fragment so get rid of the out buffer
 763                  */
 764                 if (data->out_frag_pos >= wpabuf_len(data->outbuf)) {
 765                         wpabuf_free(data->outbuf);
 766                         data->outbuf = NULL;
 767                         data->out_frag_pos = 0;
 768                 }
 769                 wpa_printf(MSG_DEBUG, "EAP-pwd: Send %s fragment of %d bytes",
 770                            data->out_frag_pos == 0 ? "last" : "next",
 771                            (int) len);
 772                 if (data->state == SUCCESS_ON_FRAG_COMPLETION) {
 773                         ret->methodState = METHOD_DONE;
 774                         ret->decision = DECISION_UNCOND_SUCC;
 775                         eap_pwd_state(data, SUCCESS);
 776                 }
 777                 return resp;
 778         }
 779
 780         /*
 781          * see if this is a fragment that needs buffering
 782          *
 783          * if it's the first fragment there'll be a length field
 784          */
 785         if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
 786                 tot_len = WPA_GET_BE16(pos);
 787                 wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
 788                            "total length = %d", tot_len);
 789                 if (tot_len > 15000)
 790                         return NULL;
 791                 data->inbuf = wpabuf_alloc(tot_len);
 792                 if (data->inbuf == NULL) {
 793                         wpa_printf(MSG_INFO, "Out of memory to buffer "
 794                                    "fragments!");
 795                         return NULL;
 796                 }
 797                 pos += sizeof(u16);
 798                 len -= sizeof(u16);
 799         }
 800         /*
 801          * buffer and ACK the fragment
 802          */
 803         if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
 804                 data->in_frag_pos += len;
 805                 if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
 806                         wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
 807                                    "detected (%d vs. %d)!",
 808                                    (int) data->in_frag_pos,
 809                                    (int) wpabuf_len(data->inbuf));
 810                         wpabuf_free(data->inbuf);
 811                         data->inbuf = NULL;
 812                         data->in_frag_pos = 0;
 813                         return NULL;
 814                 }
 815                 wpabuf_put_data(data->inbuf, pos, len);
 816
 817                 resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
 818                                      EAP_PWD_HDR_SIZE,
 819                                      EAP_CODE_RESPONSE, eap_get_id(reqData));
 820                 if (resp != NULL)
 821                         wpabuf_put_u8(resp, (EAP_PWD_GET_EXCHANGE(lm_exch)));
 822                 wpa_printf(MSG_DEBUG, "EAP-pwd: ACKing a %d byte fragment",
 823                            (int) len);
 824                 return resp;
 825         }
 826         /*
 827          * we're buffering and this is the last fragment
 828          */
 829         if (data->in_frag_pos) {
 830                 wpabuf_put_data(data->inbuf, pos, len);
 831                 wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
 832                            (int) len);
 833                 data->in_frag_pos += len;
 834                 pos = wpabuf_head_u8(data->inbuf);
 835                 len = data->in_frag_pos;
 836         }
 837         wpa_printf(MSG_DEBUG, "EAP-pwd: processing frame: exch %d, len %d",
 838                    EAP_PWD_GET_EXCHANGE(lm_exch), (int) len);
 839
 840         switch (EAP_PWD_GET_EXCHANGE(lm_exch)) {
 841         case EAP_PWD_OPCODE_ID_EXCH:
 842                 eap_pwd_perform_id_exchange(sm, data, ret, reqData,
 843                                             pos, len);
 844                 break;
 845         case EAP_PWD_OPCODE_COMMIT_EXCH:
 846                 eap_pwd_perform_commit_exchange(sm, data, ret, reqData,
 847                                                 pos, len);
 848                 break;
 849         case EAP_PWD_OPCODE_CONFIRM_EXCH:
 850                 eap_pwd_perform_confirm_exchange(sm, data, ret, reqData,
 851                                                  pos, len);
 852                 break;
 853         default:
 854                 wpa_printf(MSG_INFO, "EAP-pwd: Ignoring message with unknown "
 855                            "opcode %d", lm_exch);
 856                 break;
 857         }
 858         /*
 859          * if we buffered the just processed input now's the time to free it
 860          */
 861         if (data->in_frag_pos) {
 862                 wpabuf_free(data->inbuf);
 863                 data->inbuf = NULL;
 864                 data->in_frag_pos = 0;
 865         }
 866
 867         if (data->outbuf == NULL) {
 868                 ret->methodState = METHOD_DONE;
 869                 ret->decision = DECISION_FAIL;
 870                 return NULL;        /* generic failure */
 871         }
 872
 873         /*
 874          * we have output! Do we need to fragment it?
 875          */
 876         len = wpabuf_len(data->outbuf);
 877         if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
 878                 resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu,
 879                                      EAP_CODE_RESPONSE, eap_get_id(reqData));
 880                 /*
 881                  * if so it's the first so include a length field
 882                  */
 883                 EAP_PWD_SET_LENGTH_BIT(lm_exch);
 884                 EAP_PWD_SET_MORE_BIT(lm_exch);
 885                 tot_len = len;
 886                 /*
 887                  * keep the packet at the MTU
 888                  */
 889                 len = data->mtu - EAP_PWD_HDR_SIZE - sizeof(u16);
 890                 wpa_printf(MSG_DEBUG, "EAP-pwd: Fragmenting output, total "
 891                            "length = %d", tot_len);
 892         } else {
 893                 resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
 894                                      EAP_PWD_HDR_SIZE + len,
 895                                      EAP_CODE_RESPONSE, eap_get_id(reqData));
 896         }
 897         if (resp == NULL)
 898                 return NULL;
 899
 900         wpabuf_put_u8(resp, lm_exch);
 901         if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
 902                 wpabuf_put_be16(resp, tot_len);
 903                 data->out_frag_pos += len;
 904         }
 905         buf = wpabuf_head_u8(data->outbuf);
 906         wpabuf_put_data(resp, buf, len);
 907         /*
 908          * if we're not fragmenting then there's no need to carry this around
 909          */
 910         if (data->out_frag_pos == 0) {
 911                 wpabuf_free(data->outbuf);
 912                 data->outbuf = NULL;
 913                 data->out_frag_pos = 0;
 914                 if (data->state == SUCCESS_ON_FRAG_COMPLETION) {
 915                         ret->methodState = METHOD_DONE;
 916                         ret->decision = DECISION_UNCOND_SUCC;
 917                         eap_pwd_state(data, SUCCESS);
 918                 }
 919         }
 920
 921         return resp;
 922 }
 923
 924
 925 static Boolean eap_pwd_key_available(struct eap_sm *sm, void *priv)
 926 {
 927         struct eap_pwd_data *data = priv;
 928         return data->state == SUCCESS;
 929 }
 930
 931
 932 static u8 * eap_pwd_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
 933 {
 934         struct eap_pwd_data *data = priv;
 935         u8 *key;
 936
 937         if (data->state != SUCCESS)
 938                 return NULL;
 939
 940         if ((key = os_malloc(EAP_EMSK_LEN)) == NULL)
 941                 return NULL;
 942
 943         os_memcpy(key, data->emsk, EAP_EMSK_LEN);
 944         *len = EAP_EMSK_LEN;
 945
 946         return key;
 947 }
 948
 949
 950 int eap_peer_pwd_register(void)
 951 {
 952         struct eap_method *eap;
 953         int ret;
 954
 955         eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
 956                                     EAP_VENDOR_IETF, EAP_TYPE_PWD, "PWD");
 957         if (eap == NULL)
 958                 return -1;
 959
 960         eap->init = eap_pwd_init;
 961         eap->deinit = eap_pwd_deinit;
 962         eap->process = eap_pwd_process;
 963         eap->isKeyAvailable = eap_pwd_key_available;
 964         eap->getKey = eap_pwd_getkey;
 965         eap->getSessionId = eap_pwd_get_session_id;
 966         eap->get_emsk = eap_pwd_get_emsk;
 967
 968         ret = eap_peer_method_register(eap);
 969         if (ret)
 970                 eap_peer_method_free(eap);
 971         return ret;
 972 }