contrib/wpa/src/eap_peer/eap_sake.c

   1 /*
   2  * EAP peer method: EAP-SAKE (RFC 4763)
   3  * Copyright (c) 2006-2008, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include "common.h"
  12 #include "crypto/random.h"
  13 #include "eap_peer/eap_i.h"
  14 #include "eap_common/eap_sake_common.h"
  15
  16 struct eap_sake_data {
  17         enum { IDENTITY, CHALLENGE, CONFIRM, SUCCESS, FAILURE } state;
  18         u8 root_secret_a[EAP_SAKE_ROOT_SECRET_LEN];
  19         u8 root_secret_b[EAP_SAKE_ROOT_SECRET_LEN];
  20         u8 rand_s[EAP_SAKE_RAND_LEN];
  21         u8 rand_p[EAP_SAKE_RAND_LEN];
  22         struct {
  23                 u8 auth[EAP_SAKE_TEK_AUTH_LEN];
  24                 u8 cipher[EAP_SAKE_TEK_CIPHER_LEN];
  25         } tek;
  26         u8 msk[EAP_MSK_LEN];
  27         u8 emsk[EAP_EMSK_LEN];
  28         u8 session_id;
  29         int session_id_set;
  30         u8 *peerid;
  31         size_t peerid_len;
  32         u8 *serverid;
  33         size_t serverid_len;
  34 };
  35
  36
  37 static const char * eap_sake_state_txt(int state)
  38 {
  39         switch (state) {
  40         case IDENTITY:
  41                 return "IDENTITY";
  42         case CHALLENGE:
  43                 return "CHALLENGE";
  44         case CONFIRM:
  45                 return "CONFIRM";
  46         case SUCCESS:
  47                 return "SUCCESS";
  48         case FAILURE:
  49                 return "FAILURE";
  50         default:
  51                 return "?";
  52         }
  53 }
  54
  55
  56 static void eap_sake_state(struct eap_sake_data *data, int state)
  57 {
  58         wpa_printf(MSG_DEBUG, "EAP-SAKE: %s -> %s",
  59                    eap_sake_state_txt(data->state),
  60                    eap_sake_state_txt(state));
  61         data->state = state;
  62 }
  63
  64
  65 static void eap_sake_deinit(struct eap_sm *sm, void *priv);
  66
  67
  68 static void * eap_sake_init(struct eap_sm *sm)
  69 {
  70         struct eap_sake_data *data;
  71         const u8 *identity, *password;
  72         size_t identity_len, password_len;
  73
  74         password = eap_get_config_password(sm, &password_len);
  75         if (!password || password_len != 2 * EAP_SAKE_ROOT_SECRET_LEN) {
  76                 wpa_printf(MSG_INFO, "EAP-SAKE: No key of correct length "
  77                            "configured");
  78                 return NULL;
  79         }
  80
  81         data = os_zalloc(sizeof(*data));
  82         if (data == NULL)
  83                 return NULL;
  84         data->state = IDENTITY;
  85
  86         identity = eap_get_config_identity(sm, &identity_len);
  87         if (identity) {
  88                 data->peerid = os_memdup(identity, identity_len);
  89                 if (data->peerid == NULL) {
  90                         eap_sake_deinit(sm, data);
  91                         return NULL;
  92                 }
  93                 data->peerid_len = identity_len;
  94         }
  95
  96         os_memcpy(data->root_secret_a, password, EAP_SAKE_ROOT_SECRET_LEN);
  97         os_memcpy(data->root_secret_b,
  98                   password + EAP_SAKE_ROOT_SECRET_LEN,
  99                   EAP_SAKE_ROOT_SECRET_LEN);
 100
 101         return data;
 102 }
 103
 104
 105 static void eap_sake_deinit(struct eap_sm *sm, void *priv)
 106 {
 107         struct eap_sake_data *data = priv;
 108         os_free(data->serverid);
 109         os_free(data->peerid);
 110         bin_clear_free(data, sizeof(*data));
 111 }
 112
 113
 114 static struct wpabuf * eap_sake_build_msg(struct eap_sake_data *data,
 115                                           int id, size_t length, u8 subtype)
 116 {
 117         struct eap_sake_hdr *sake;
 118         struct wpabuf *msg;
 119         size_t plen;
 120
 121         plen = length + sizeof(struct eap_sake_hdr);
 122
 123         msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_SAKE, plen,
 124                             EAP_CODE_RESPONSE, id);
 125         if (msg == NULL) {
 126                 wpa_printf(MSG_ERROR, "EAP-SAKE: Failed to allocate memory "
 127                            "request");
 128                 return NULL;
 129         }
 130
 131         sake = wpabuf_put(msg, sizeof(*sake));
 132         sake->version = EAP_SAKE_VERSION;
 133         sake->session_id = data->session_id;
 134         sake->subtype = subtype;
 135
 136         return msg;
 137 }
 138
 139
 140 static struct wpabuf * eap_sake_process_identity(struct eap_sm *sm,
 141                                                  struct eap_sake_data *data,
 142                                                  struct eap_method_ret *ret,
 143                                                  u8 id,
 144                                                  const u8 *payload,
 145                                                  size_t payload_len)
 146 {
 147         struct eap_sake_parse_attr attr;
 148         struct wpabuf *resp;
 149
 150         if (data->state != IDENTITY) {
 151                 ret->ignore = TRUE;
 152                 return NULL;
 153         }
 154
 155         wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Identity");
 156
 157         if (eap_sake_parse_attributes(payload, payload_len, &attr))
 158                 return NULL;
 159
 160         if (!attr.perm_id_req && !attr.any_id_req) {
 161                 wpa_printf(MSG_INFO, "EAP-SAKE: No AT_PERM_ID_REQ or "
 162                            "AT_ANY_ID_REQ in Request/Identity");
 163                 return NULL;
 164         }
 165
 166         wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Identity");
 167
 168         resp = eap_sake_build_msg(data, id, 2 + data->peerid_len,
 169                                   EAP_SAKE_SUBTYPE_IDENTITY);
 170         if (resp == NULL)
 171                 return NULL;
 172
 173         wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_PEERID");
 174         eap_sake_add_attr(resp, EAP_SAKE_AT_PEERID,
 175                           data->peerid, data->peerid_len);
 176
 177         eap_sake_state(data, CHALLENGE);
 178
 179         return resp;
 180 }
 181
 182
 183 static struct wpabuf * eap_sake_process_challenge(struct eap_sm *sm,
 184                                                   struct eap_sake_data *data,
 185                                                   struct eap_method_ret *ret,
 186                                                   u8 id,
 187                                                   const u8 *payload,
 188                                                   size_t payload_len)
 189 {
 190         struct eap_sake_parse_attr attr;
 191         struct wpabuf *resp;
 192         u8 *rpos;
 193         size_t rlen;
 194
 195         if (data->state != IDENTITY && data->state != CHALLENGE) {
 196                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Request/Challenge received "
 197                            "in unexpected state (%d)", data->state);
 198                 ret->ignore = TRUE;
 199                 return NULL;
 200         }
 201         if (data->state == IDENTITY)
 202                 eap_sake_state(data, CHALLENGE);
 203
 204         wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Challenge");
 205
 206         if (eap_sake_parse_attributes(payload, payload_len, &attr))
 207                 return NULL;
 208
 209         if (!attr.rand_s) {
 210                 wpa_printf(MSG_INFO, "EAP-SAKE: Request/Challenge did not "
 211                            "include AT_RAND_S");
 212                 return NULL;
 213         }
 214
 215         os_memcpy(data->rand_s, attr.rand_s, EAP_SAKE_RAND_LEN);
 216         wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_S (server rand)",
 217                     data->rand_s, EAP_SAKE_RAND_LEN);
 218
 219         if (random_get_bytes(data->rand_p, EAP_SAKE_RAND_LEN)) {
 220                 wpa_printf(MSG_ERROR, "EAP-SAKE: Failed to get random data");
 221                 return NULL;
 222         }
 223         wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_P (peer rand)",
 224                     data->rand_p, EAP_SAKE_RAND_LEN);
 225
 226         os_free(data->serverid);
 227         data->serverid = NULL;
 228         data->serverid_len = 0;
 229         if (attr.serverid) {
 230                 wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-SAKE: SERVERID",
 231                                   attr.serverid, attr.serverid_len);
 232                 data->serverid = os_memdup(attr.serverid, attr.serverid_len);
 233                 if (data->serverid == NULL)
 234                         return NULL;
 235                 data->serverid_len = attr.serverid_len;
 236         }
 237
 238         eap_sake_derive_keys(data->root_secret_a, data->root_secret_b,
 239                              data->rand_s, data->rand_p,
 240                              (u8 *) &data->tek, data->msk, data->emsk);
 241
 242         wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Challenge");
 243
 244         rlen = 2 + EAP_SAKE_RAND_LEN + 2 + EAP_SAKE_MIC_LEN;
 245         if (data->peerid)
 246                 rlen += 2 + data->peerid_len;
 247         resp = eap_sake_build_msg(data, id, rlen, EAP_SAKE_SUBTYPE_CHALLENGE);
 248         if (resp == NULL)
 249                 return NULL;
 250
 251         wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_RAND_P");
 252         eap_sake_add_attr(resp, EAP_SAKE_AT_RAND_P,
 253                           data->rand_p, EAP_SAKE_RAND_LEN);
 254
 255         if (data->peerid) {
 256                 wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_PEERID");
 257                 eap_sake_add_attr(resp, EAP_SAKE_AT_PEERID,
 258                                   data->peerid, data->peerid_len);
 259         }
 260
 261         wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_MIC_P");
 262         wpabuf_put_u8(resp, EAP_SAKE_AT_MIC_P);
 263         wpabuf_put_u8(resp, 2 + EAP_SAKE_MIC_LEN);
 264         rpos = wpabuf_put(resp, EAP_SAKE_MIC_LEN);
 265         if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
 266                                  data->serverid, data->serverid_len,
 267                                  data->peerid, data->peerid_len, 1,
 268                                  wpabuf_head(resp), wpabuf_len(resp), rpos,
 269                                  rpos)) {
 270                 wpa_printf(MSG_INFO, "EAP-SAKE: Failed to compute MIC");
 271                 wpabuf_free(resp);
 272                 return NULL;
 273         }
 274
 275         eap_sake_state(data, CONFIRM);
 276
 277         return resp;
 278 }
 279
 280
 281 static struct wpabuf * eap_sake_process_confirm(struct eap_sm *sm,
 282                                                 struct eap_sake_data *data,
 283                                                 struct eap_method_ret *ret,
 284                                                 u8 id,
 285                                                 const struct wpabuf *reqData,
 286                                                 const u8 *payload,
 287                                                 size_t payload_len)
 288 {
 289         struct eap_sake_parse_attr attr;
 290         u8 mic_s[EAP_SAKE_MIC_LEN];
 291         struct wpabuf *resp;
 292         u8 *rpos;
 293
 294         if (data->state != CONFIRM) {
 295                 ret->ignore = TRUE;
 296                 return NULL;
 297         }
 298
 299         wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Confirm");
 300
 301         if (eap_sake_parse_attributes(payload, payload_len, &attr))
 302                 return NULL;
 303
 304         if (!attr.mic_s) {
 305                 wpa_printf(MSG_INFO, "EAP-SAKE: Request/Confirm did not "
 306                            "include AT_MIC_S");
 307                 return NULL;
 308         }
 309
 310         if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
 311                                  data->serverid, data->serverid_len,
 312                                  data->peerid, data->peerid_len, 0,
 313                                  wpabuf_head(reqData), wpabuf_len(reqData),
 314                                  attr.mic_s, mic_s)) {
 315                 wpa_printf(MSG_INFO, "EAP-SAKE: Failed to compute MIC");
 316                 eap_sake_state(data, FAILURE);
 317                 ret->methodState = METHOD_DONE;
 318                 ret->decision = DECISION_FAIL;
 319                 ret->allowNotifications = FALSE;
 320                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Auth-Reject");
 321                 return eap_sake_build_msg(data, id, 0,
 322                                           EAP_SAKE_SUBTYPE_AUTH_REJECT);
 323         }
 324         if (os_memcmp_const(attr.mic_s, mic_s, EAP_SAKE_MIC_LEN) != 0) {
 325                 wpa_printf(MSG_INFO, "EAP-SAKE: Incorrect AT_MIC_S");
 326                 eap_sake_state(data, FAILURE);
 327                 ret->methodState = METHOD_DONE;
 328                 ret->decision = DECISION_FAIL;
 329                 ret->allowNotifications = FALSE;
 330                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending "
 331                            "Response/Auth-Reject");
 332                 return eap_sake_build_msg(data, id, 0,
 333                                           EAP_SAKE_SUBTYPE_AUTH_REJECT);
 334         }
 335
 336         wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Confirm");
 337
 338         resp = eap_sake_build_msg(data, id, 2 + EAP_SAKE_MIC_LEN,
 339                                   EAP_SAKE_SUBTYPE_CONFIRM);
 340         if (resp == NULL)
 341                 return NULL;
 342
 343         wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_MIC_P");
 344         wpabuf_put_u8(resp, EAP_SAKE_AT_MIC_P);
 345         wpabuf_put_u8(resp, 2 + EAP_SAKE_MIC_LEN);
 346         rpos = wpabuf_put(resp, EAP_SAKE_MIC_LEN);
 347         if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
 348                                  data->serverid, data->serverid_len,
 349                                  data->peerid, data->peerid_len, 1,
 350                                  wpabuf_head(resp), wpabuf_len(resp), rpos,
 351                                  rpos)) {
 352                 wpa_printf(MSG_INFO, "EAP-SAKE: Failed to compute MIC");
 353                 wpabuf_free(resp);
 354                 return NULL;
 355         }
 356
 357         eap_sake_state(data, SUCCESS);
 358         ret->methodState = METHOD_DONE;
 359         ret->decision = DECISION_UNCOND_SUCC;
 360         ret->allowNotifications = FALSE;
 361
 362         return resp;
 363 }
 364
 365
 366 static struct wpabuf * eap_sake_process(struct eap_sm *sm, void *priv,
 367                                         struct eap_method_ret *ret,
 368                                         const struct wpabuf *reqData)
 369 {
 370         struct eap_sake_data *data = priv;
 371         const struct eap_sake_hdr *req;
 372         struct wpabuf *resp;
 373         const u8 *pos, *end;
 374         size_t len;
 375         u8 subtype, session_id, id;
 376
 377         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_SAKE, reqData, &len);
 378         if (pos == NULL || len < sizeof(struct eap_sake_hdr)) {
 379                 ret->ignore = TRUE;
 380                 return NULL;
 381         }
 382
 383         req = (const struct eap_sake_hdr *) pos;
 384         end = pos + len;
 385         id = eap_get_id(reqData);
 386         subtype = req->subtype;
 387         session_id = req->session_id;
 388         pos = (const u8 *) (req + 1);
 389
 390         wpa_printf(MSG_DEBUG, "EAP-SAKE: Received frame: subtype %d "
 391                    "session_id %d", subtype, session_id);
 392         wpa_hexdump(MSG_DEBUG, "EAP-SAKE: Received attributes",
 393                     pos, end - pos);
 394
 395         if (data->session_id_set && data->session_id != session_id) {
 396                 wpa_printf(MSG_INFO, "EAP-SAKE: Session ID mismatch (%d,%d)",
 397                            session_id, data->session_id);
 398                 ret->ignore = TRUE;
 399                 return NULL;
 400         }
 401         data->session_id = session_id;
 402         data->session_id_set = 1;
 403
 404         ret->ignore = FALSE;
 405         ret->methodState = METHOD_MAY_CONT;
 406         ret->decision = DECISION_FAIL;
 407         ret->allowNotifications = TRUE;
 408
 409         switch (subtype) {
 410         case EAP_SAKE_SUBTYPE_IDENTITY:
 411                 resp = eap_sake_process_identity(sm, data, ret, id,
 412                                                  pos, end - pos);
 413                 break;
 414         case EAP_SAKE_SUBTYPE_CHALLENGE:
 415                 resp = eap_sake_process_challenge(sm, data, ret, id,
 416                                                   pos, end - pos);
 417                 break;
 418         case EAP_SAKE_SUBTYPE_CONFIRM:
 419                 resp = eap_sake_process_confirm(sm, data, ret, id, reqData,
 420                                                 pos, end - pos);
 421                 break;
 422         default:
 423                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring message with "
 424                            "unknown subtype %d", subtype);
 425                 ret->ignore = TRUE;
 426                 return NULL;
 427         }
 428
 429         if (ret->methodState == METHOD_DONE)
 430                 ret->allowNotifications = FALSE;
 431
 432         return resp;
 433 }
 434
 435
 436 static Boolean eap_sake_isKeyAvailable(struct eap_sm *sm, void *priv)
 437 {
 438         struct eap_sake_data *data = priv;
 439         return data->state == SUCCESS;
 440 }
 441
 442
 443 static u8 * eap_sake_getKey(struct eap_sm *sm, void *priv, size_t *len)
 444 {
 445         struct eap_sake_data *data = priv;
 446         u8 *key;
 447
 448         if (data->state != SUCCESS)
 449                 return NULL;
 450
 451         key = os_memdup(data->msk, EAP_MSK_LEN);
 452         if (key == NULL)
 453                 return NULL;
 454         *len = EAP_MSK_LEN;
 455
 456         return key;
 457 }
 458
 459
 460 static u8 * eap_sake_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
 461 {
 462         struct eap_sake_data *data = priv;
 463         u8 *id;
 464
 465         if (data->state != SUCCESS)
 466                 return NULL;
 467
 468         *len = 1 + 2 * EAP_SAKE_RAND_LEN;
 469         id = os_malloc(*len);
 470         if (id == NULL)
 471                 return NULL;
 472
 473         id[0] = EAP_TYPE_SAKE;
 474         os_memcpy(id + 1, data->rand_s, EAP_SAKE_RAND_LEN);
 475         os_memcpy(id + 1 + EAP_SAKE_RAND_LEN, data->rand_s, EAP_SAKE_RAND_LEN);
 476         wpa_hexdump(MSG_DEBUG, "EAP-SAKE: Derived Session-Id", id, *len);
 477
 478         return id;
 479 }
 480
 481
 482 static u8 * eap_sake_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
 483 {
 484         struct eap_sake_data *data = priv;
 485         u8 *key;
 486
 487         if (data->state != SUCCESS)
 488                 return NULL;
 489
 490         key = os_memdup(data->emsk, EAP_EMSK_LEN);
 491         if (key == NULL)
 492                 return NULL;
 493         *len = EAP_EMSK_LEN;
 494
 495         return key;
 496 }
 497
 498
 499 int eap_peer_sake_register(void)
 500 {
 501         struct eap_method *eap;
 502
 503         eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
 504                                     EAP_VENDOR_IETF, EAP_TYPE_SAKE, "SAKE");
 505         if (eap == NULL)
 506                 return -1;
 507
 508         eap->init = eap_sake_init;
 509         eap->deinit = eap_sake_deinit;
 510         eap->process = eap_sake_process;
 511         eap->isKeyAvailable = eap_sake_isKeyAvailable;
 512         eap->getKey = eap_sake_getKey;
 513         eap->getSessionId = eap_sake_get_session_id;
 514         eap->get_emsk = eap_sake_get_emsk;
 515
 516         return eap_peer_method_register(eap);
 517 }