xref: /freebsd/contrib/wpa/src/eap_peer/eap_pwd.c (revision 2284664ef9fcb0baaf59f1ef7df877c0b0f2b187)
1 /*
2  * EAP peer method: EAP-pwd (RFC 5931)
3  * Copyright (c) 2010, Dan Harkins <dharkins@lounge.org>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/sha256.h"
13 #include "crypto/ms_funcs.h"
14 #include "eap_peer/eap_i.h"
15 #include "eap_common/eap_pwd_common.h"
16 
17 
18 struct eap_pwd_data {
19 	enum {
20 		PWD_ID_Req, PWD_Commit_Req, PWD_Confirm_Req,
21 		SUCCESS_ON_FRAG_COMPLETION, SUCCESS, FAILURE
22 	} state;
23 	u8 *id_peer;
24 	size_t id_peer_len;
25 	u8 *id_server;
26 	size_t id_server_len;
27 	u8 *password;
28 	size_t password_len;
29 	int password_hash;
30 	u16 group_num;
31 	EAP_PWD_group *grp;
32 
33 	struct wpabuf *inbuf;
34 	size_t in_frag_pos;
35 	struct wpabuf *outbuf;
36 	size_t out_frag_pos;
37 	size_t mtu;
38 
39 	BIGNUM *k;
40 	BIGNUM *private_value;
41 	BIGNUM *server_scalar;
42 	BIGNUM *my_scalar;
43 	EC_POINT *my_element;
44 	EC_POINT *server_element;
45 
46 	u8 msk[EAP_MSK_LEN];
47 	u8 emsk[EAP_EMSK_LEN];
48 	u8 session_id[1 + SHA256_MAC_LEN];
49 
50 	BN_CTX *bnctx;
51 };
52 
53 
54 #ifndef CONFIG_NO_STDOUT_DEBUG
55 static const char * eap_pwd_state_txt(int state)
56 {
57 	switch (state) {
58         case PWD_ID_Req:
59 		return "PWD-ID-Req";
60         case PWD_Commit_Req:
61 		return "PWD-Commit-Req";
62         case PWD_Confirm_Req:
63 		return "PWD-Confirm-Req";
64 	case SUCCESS_ON_FRAG_COMPLETION:
65 		return "SUCCESS_ON_FRAG_COMPLETION";
66         case SUCCESS:
67 		return "SUCCESS";
68         case FAILURE:
69 		return "FAILURE";
70         default:
71 		return "PWD-UNK";
72 	}
73 }
74 #endif  /* CONFIG_NO_STDOUT_DEBUG */
75 
76 
77 static void eap_pwd_state(struct eap_pwd_data *data, int state)
78 {
79 	wpa_printf(MSG_DEBUG, "EAP-PWD: %s -> %s",
80 		   eap_pwd_state_txt(data->state), eap_pwd_state_txt(state));
81 	data->state = state;
82 }
83 
84 
85 static void * eap_pwd_init(struct eap_sm *sm)
86 {
87 	struct eap_pwd_data *data;
88 	const u8 *identity, *password;
89 	size_t identity_len, password_len;
90 	int fragment_size;
91 	int pwhash;
92 
93 	password = eap_get_config_password2(sm, &password_len, &pwhash);
94 	if (password == NULL) {
95 		wpa_printf(MSG_INFO, "EAP-PWD: No password configured!");
96 		return NULL;
97 	}
98 
99 	identity = eap_get_config_identity(sm, &identity_len);
100 	if (identity == NULL) {
101 		wpa_printf(MSG_INFO, "EAP-PWD: No identity configured!");
102 		return NULL;
103 	}
104 
105 	if ((data = os_zalloc(sizeof(*data))) == NULL) {
106 		wpa_printf(MSG_INFO, "EAP-PWD: memory allocation data fail");
107 		return NULL;
108 	}
109 
110 	if ((data->bnctx = BN_CTX_new()) == NULL) {
111 		wpa_printf(MSG_INFO, "EAP-PWD: bn context allocation fail");
112 		os_free(data);
113 		return NULL;
114 	}
115 
116 	if ((data->id_peer = os_malloc(identity_len)) == NULL) {
117 		wpa_printf(MSG_INFO, "EAP-PWD: memory allocation id fail");
118 		BN_CTX_free(data->bnctx);
119 		os_free(data);
120 		return NULL;
121 	}
122 
123 	os_memcpy(data->id_peer, identity, identity_len);
124 	data->id_peer_len = identity_len;
125 
126 	if ((data->password = os_malloc(password_len)) == NULL) {
127 		wpa_printf(MSG_INFO, "EAP-PWD: memory allocation psk fail");
128 		BN_CTX_free(data->bnctx);
129 		bin_clear_free(data->id_peer, data->id_peer_len);
130 		os_free(data);
131 		return NULL;
132 	}
133 	os_memcpy(data->password, password, password_len);
134 	data->password_len = password_len;
135 	data->password_hash = pwhash;
136 
137 	data->out_frag_pos = data->in_frag_pos = 0;
138 	data->inbuf = data->outbuf = NULL;
139 	fragment_size = eap_get_config_fragment_size(sm);
140 	if (fragment_size <= 0)
141 		data->mtu = 1020; /* default from RFC 5931 */
142 	else
143 		data->mtu = fragment_size;
144 
145 	data->state = PWD_ID_Req;
146 
147 	return data;
148 }
149 
150 
151 static void eap_pwd_deinit(struct eap_sm *sm, void *priv)
152 {
153 	struct eap_pwd_data *data = priv;
154 
155 	BN_clear_free(data->private_value);
156 	BN_clear_free(data->server_scalar);
157 	BN_clear_free(data->my_scalar);
158 	BN_clear_free(data->k);
159 	BN_CTX_free(data->bnctx);
160 	EC_POINT_clear_free(data->my_element);
161 	EC_POINT_clear_free(data->server_element);
162 	bin_clear_free(data->id_peer, data->id_peer_len);
163 	bin_clear_free(data->id_server, data->id_server_len);
164 	bin_clear_free(data->password, data->password_len);
165 	if (data->grp) {
166 		EC_GROUP_free(data->grp->group);
167 		EC_POINT_clear_free(data->grp->pwe);
168 		BN_clear_free(data->grp->order);
169 		BN_clear_free(data->grp->prime);
170 		os_free(data->grp);
171 	}
172 	wpabuf_free(data->inbuf);
173 	wpabuf_free(data->outbuf);
174 	bin_clear_free(data, sizeof(*data));
175 }
176 
177 
178 static u8 * eap_pwd_getkey(struct eap_sm *sm, void *priv, size_t *len)
179 {
180 	struct eap_pwd_data *data = priv;
181 	u8 *key;
182 
183 	if (data->state != SUCCESS)
184 		return NULL;
185 
186 	key = os_malloc(EAP_MSK_LEN);
187 	if (key == NULL)
188 		return NULL;
189 
190 	os_memcpy(key, data->msk, EAP_MSK_LEN);
191 	*len = EAP_MSK_LEN;
192 
193 	return key;
194 }
195 
196 
197 static u8 * eap_pwd_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
198 {
199 	struct eap_pwd_data *data = priv;
200 	u8 *id;
201 
202 	if (data->state != SUCCESS)
203 		return NULL;
204 
205 	id = os_malloc(1 + SHA256_MAC_LEN);
206 	if (id == NULL)
207 		return NULL;
208 
209 	os_memcpy(id, data->session_id, 1 + SHA256_MAC_LEN);
210 	*len = 1 + SHA256_MAC_LEN;
211 
212 	return id;
213 }
214 
215 
216 static void
217 eap_pwd_perform_id_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
218 			    struct eap_method_ret *ret,
219 			    const struct wpabuf *reqData,
220 			    const u8 *payload, size_t payload_len)
221 {
222 	struct eap_pwd_id *id;
223 	const u8 *password;
224 	size_t password_len;
225 	u8 pwhashhash[16];
226 	int res;
227 
228 	if (data->state != PWD_ID_Req) {
229 		ret->ignore = TRUE;
230 		eap_pwd_state(data, FAILURE);
231 		return;
232 	}
233 
234 	if (payload_len < sizeof(struct eap_pwd_id)) {
235 		ret->ignore = TRUE;
236 		eap_pwd_state(data, FAILURE);
237 		return;
238 	}
239 
240 	id = (struct eap_pwd_id *) payload;
241 	data->group_num = be_to_host16(id->group_num);
242 	wpa_printf(MSG_DEBUG,
243 		   "EAP-PWD: Server EAP-pwd-ID proposal: group=%u random=%u prf=%u prep=%u",
244 		   data->group_num, id->random_function, id->prf, id->prep);
245 	if ((id->random_function != EAP_PWD_DEFAULT_RAND_FUNC) ||
246 	    (id->prf != EAP_PWD_DEFAULT_PRF)) {
247 		ret->ignore = TRUE;
248 		eap_pwd_state(data, FAILURE);
249 		return;
250 	}
251 
252 	if (id->prep != EAP_PWD_PREP_NONE &&
253 	    id->prep != EAP_PWD_PREP_MS) {
254 		wpa_printf(MSG_DEBUG,
255 			   "EAP-PWD: Unsupported password pre-processing technique (Prep=%u)",
256 			   id->prep);
257 		eap_pwd_state(data, FAILURE);
258 		return;
259 	}
260 
261 	if (id->prep == EAP_PWD_PREP_NONE && data->password_hash) {
262 		wpa_printf(MSG_DEBUG,
263 			   "EAP-PWD: Unhashed password not available");
264 		eap_pwd_state(data, FAILURE);
265 		return;
266 	}
267 
268 	wpa_printf(MSG_DEBUG, "EAP-PWD (peer): using group %d",
269 		   data->group_num);
270 
271 	data->id_server = os_malloc(payload_len - sizeof(struct eap_pwd_id));
272 	if (data->id_server == NULL) {
273 		wpa_printf(MSG_INFO, "EAP-PWD: memory allocation id fail");
274 		eap_pwd_state(data, FAILURE);
275 		return;
276 	}
277 	data->id_server_len = payload_len - sizeof(struct eap_pwd_id);
278 	os_memcpy(data->id_server, id->identity, data->id_server_len);
279 	wpa_hexdump_ascii(MSG_INFO, "EAP-PWD (peer): server sent id of",
280 			  data->id_server, data->id_server_len);
281 
282 	data->grp = os_zalloc(sizeof(EAP_PWD_group));
283 	if (data->grp == NULL) {
284 		wpa_printf(MSG_INFO, "EAP-PWD: failed to allocate memory for "
285 			   "group");
286 		eap_pwd_state(data, FAILURE);
287 		return;
288 	}
289 
290 	if (id->prep == EAP_PWD_PREP_MS) {
291 #ifdef CONFIG_FIPS
292 		wpa_printf(MSG_ERROR,
293 			   "EAP-PWD (peer): MS password hash not supported in FIPS mode");
294 		eap_pwd_state(data, FAILURE);
295 		return;
296 #else /* CONFIG_FIPS */
297 		if (data->password_hash) {
298 			res = hash_nt_password_hash(data->password, pwhashhash);
299 		} else {
300 			u8 pwhash[16];
301 
302 			res = nt_password_hash(data->password,
303 					       data->password_len, pwhash);
304 			if (res == 0)
305 				res = hash_nt_password_hash(pwhash, pwhashhash);
306 			os_memset(pwhash, 0, sizeof(pwhash));
307 		}
308 
309 		if (res) {
310 			eap_pwd_state(data, FAILURE);
311 			return;
312 		}
313 
314 		password = pwhashhash;
315 		password_len = sizeof(pwhashhash);
316 #endif /* CONFIG_FIPS */
317 	} else {
318 		password = data->password;
319 		password_len = data->password_len;
320 	}
321 
322 	/* compute PWE */
323 	res = compute_password_element(data->grp, data->group_num,
324 				       password, password_len,
325 				       data->id_server, data->id_server_len,
326 				       data->id_peer, data->id_peer_len,
327 				       id->token);
328 	os_memset(pwhashhash, 0, sizeof(pwhashhash));
329 	if (res) {
330 		wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to compute PWE");
331 		eap_pwd_state(data, FAILURE);
332 		return;
333 	}
334 
335 	wpa_printf(MSG_DEBUG, "EAP-PWD (peer): computed %d bit PWE...",
336 		   BN_num_bits(data->grp->prime));
337 
338 	data->outbuf = wpabuf_alloc(sizeof(struct eap_pwd_id) +
339 				    data->id_peer_len);
340 	if (data->outbuf == NULL) {
341 		eap_pwd_state(data, FAILURE);
342 		return;
343 	}
344 	wpabuf_put_be16(data->outbuf, data->group_num);
345 	wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_RAND_FUNC);
346 	wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_PRF);
347 	wpabuf_put_data(data->outbuf, id->token, sizeof(id->token));
348 	wpabuf_put_u8(data->outbuf, EAP_PWD_PREP_NONE);
349 	wpabuf_put_data(data->outbuf, data->id_peer, data->id_peer_len);
350 
351 	eap_pwd_state(data, PWD_Commit_Req);
352 }
353 
354 
355 static void
356 eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
357 				struct eap_method_ret *ret,
358 				const struct wpabuf *reqData,
359 				const u8 *payload, size_t payload_len)
360 {
361 	EC_POINT *K = NULL, *point = NULL;
362 	BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
363 	u16 offset;
364 	u8 *ptr, *scalar = NULL, *element = NULL;
365 	size_t prime_len, order_len;
366 
367 	if (data->state != PWD_Commit_Req) {
368 		ret->ignore = TRUE;
369 		goto fin;
370 	}
371 
372 	prime_len = BN_num_bytes(data->grp->prime);
373 	order_len = BN_num_bytes(data->grp->order);
374 
375 	if (payload_len != 2 * prime_len + order_len) {
376 		wpa_printf(MSG_INFO,
377 			   "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
378 			   (unsigned int) payload_len,
379 			   (unsigned int) (2 * prime_len + order_len));
380 		goto fin;
381 	}
382 
383 	if (((data->private_value = BN_new()) == NULL) ||
384 	    ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
385 	    ((cofactor = BN_new()) == NULL) ||
386 	    ((data->my_scalar = BN_new()) == NULL) ||
387 	    ((mask = BN_new()) == NULL)) {
388 		wpa_printf(MSG_INFO, "EAP-PWD (peer): scalar allocation fail");
389 		goto fin;
390 	}
391 
392 	if (!EC_GROUP_get_cofactor(data->grp->group, cofactor, NULL)) {
393 		wpa_printf(MSG_INFO, "EAP-pwd (peer): unable to get cofactor "
394 			   "for curve");
395 		goto fin;
396 	}
397 
398 	if (BN_rand_range(data->private_value, data->grp->order) != 1 ||
399 	    BN_rand_range(mask, data->grp->order) != 1 ||
400 	    BN_add(data->my_scalar, data->private_value, mask) != 1 ||
401 	    BN_mod(data->my_scalar, data->my_scalar, data->grp->order,
402 		   data->bnctx) != 1) {
403 		wpa_printf(MSG_INFO,
404 			   "EAP-pwd (peer): unable to get randomness");
405 		goto fin;
406 	}
407 
408 	if (!EC_POINT_mul(data->grp->group, data->my_element, NULL,
409 			  data->grp->pwe, mask, data->bnctx)) {
410 		wpa_printf(MSG_INFO, "EAP-PWD (peer): element allocation "
411 			   "fail");
412 		eap_pwd_state(data, FAILURE);
413 		goto fin;
414 	}
415 
416 	if (!EC_POINT_invert(data->grp->group, data->my_element, data->bnctx))
417 	{
418 		wpa_printf(MSG_INFO, "EAP-PWD (peer): element inversion fail");
419 		goto fin;
420 	}
421 
422 	if (((x = BN_new()) == NULL) ||
423 	    ((y = BN_new()) == NULL)) {
424 		wpa_printf(MSG_INFO, "EAP-PWD (peer): point allocation fail");
425 		goto fin;
426 	}
427 
428 	/* process the request */
429 	if (((data->server_scalar = BN_new()) == NULL) ||
430 	    ((data->k = BN_new()) == NULL) ||
431 	    ((K = EC_POINT_new(data->grp->group)) == NULL) ||
432 	    ((point = EC_POINT_new(data->grp->group)) == NULL) ||
433 	    ((data->server_element = EC_POINT_new(data->grp->group)) == NULL))
434 	{
435 		wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
436 			   "fail");
437 		goto fin;
438 	}
439 
440 	/* element, x then y, followed by scalar */
441 	ptr = (u8 *) payload;
442 	BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), x);
443 	ptr += BN_num_bytes(data->grp->prime);
444 	BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), y);
445 	ptr += BN_num_bytes(data->grp->prime);
446 	BN_bin2bn(ptr, BN_num_bytes(data->grp->order), data->server_scalar);
447 	if (!EC_POINT_set_affine_coordinates_GFp(data->grp->group,
448 						 data->server_element, x, y,
449 						 data->bnctx)) {
450 		wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
451 			   "fail");
452 		goto fin;
453 	}
454 
455 	/* check to ensure server's element is not in a small sub-group */
456 	if (BN_cmp(cofactor, BN_value_one())) {
457 		if (!EC_POINT_mul(data->grp->group, point, NULL,
458 				  data->server_element, cofactor, NULL)) {
459 			wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
460 				   "server element by order!\n");
461 			goto fin;
462 		}
463 		if (EC_POINT_is_at_infinity(data->grp->group, point)) {
464 			wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
465 				   "is at infinity!\n");
466 			goto fin;
467 		}
468 	}
469 
470 	/* compute the shared key, k */
471 	if ((!EC_POINT_mul(data->grp->group, K, NULL, data->grp->pwe,
472 			   data->server_scalar, data->bnctx)) ||
473 	    (!EC_POINT_add(data->grp->group, K, K, data->server_element,
474 			   data->bnctx)) ||
475 	    (!EC_POINT_mul(data->grp->group, K, NULL, K, data->private_value,
476 			   data->bnctx))) {
477 		wpa_printf(MSG_INFO, "EAP-PWD (peer): computing shared key "
478 			   "fail");
479 		goto fin;
480 	}
481 
482 	/* ensure that the shared key isn't in a small sub-group */
483 	if (BN_cmp(cofactor, BN_value_one())) {
484 		if (!EC_POINT_mul(data->grp->group, K, NULL, K, cofactor,
485 				  NULL)) {
486 			wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
487 				   "shared key point by order");
488 			goto fin;
489 		}
490 	}
491 
492 	/*
493 	 * This check is strictly speaking just for the case above where
494 	 * co-factor > 1 but it was suggested that even though this is probably
495 	 * never going to happen it is a simple and safe check "just to be
496 	 * sure" so let's be safe.
497 	 */
498 	if (EC_POINT_is_at_infinity(data->grp->group, K)) {
499 		wpa_printf(MSG_INFO, "EAP-PWD (peer): shared key point is at "
500 			   "infinity!\n");
501 		goto fin;
502 	}
503 
504 	if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, K, data->k,
505 						 NULL, data->bnctx)) {
506 		wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to extract "
507 			   "shared secret from point");
508 		goto fin;
509 	}
510 
511 	/* now do the response */
512 	if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
513 						 data->my_element, x, y,
514 						 data->bnctx)) {
515 		wpa_printf(MSG_INFO, "EAP-PWD (peer): point assignment fail");
516 		goto fin;
517 	}
518 
519 	if (((scalar = os_malloc(BN_num_bytes(data->grp->order))) == NULL) ||
520 	    ((element = os_malloc(BN_num_bytes(data->grp->prime) * 2)) ==
521 	     NULL)) {
522 		wpa_printf(MSG_INFO, "EAP-PWD (peer): data allocation fail");
523 		goto fin;
524 	}
525 
526 	/*
527 	 * bignums occupy as little memory as possible so one that is
528 	 * sufficiently smaller than the prime or order might need pre-pending
529 	 * with zeros.
530 	 */
531 	os_memset(scalar, 0, BN_num_bytes(data->grp->order));
532 	os_memset(element, 0, BN_num_bytes(data->grp->prime) * 2);
533 	offset = BN_num_bytes(data->grp->order) -
534 		BN_num_bytes(data->my_scalar);
535 	BN_bn2bin(data->my_scalar, scalar + offset);
536 
537 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
538 	BN_bn2bin(x, element + offset);
539 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
540 	BN_bn2bin(y, element + BN_num_bytes(data->grp->prime) + offset);
541 
542 	data->outbuf = wpabuf_alloc(BN_num_bytes(data->grp->order) +
543 				    2 * BN_num_bytes(data->grp->prime));
544 	if (data->outbuf == NULL)
545 		goto fin;
546 
547 	/* we send the element as (x,y) follwed by the scalar */
548 	wpabuf_put_data(data->outbuf, element,
549 			2 * BN_num_bytes(data->grp->prime));
550 	wpabuf_put_data(data->outbuf, scalar, BN_num_bytes(data->grp->order));
551 
552 fin:
553 	os_free(scalar);
554 	os_free(element);
555 	BN_clear_free(x);
556 	BN_clear_free(y);
557 	BN_clear_free(mask);
558 	BN_clear_free(cofactor);
559 	EC_POINT_clear_free(K);
560 	EC_POINT_clear_free(point);
561 	if (data->outbuf == NULL)
562 		eap_pwd_state(data, FAILURE);
563 	else
564 		eap_pwd_state(data, PWD_Confirm_Req);
565 }
566 
567 
568 static void
569 eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
570 				 struct eap_method_ret *ret,
571 				 const struct wpabuf *reqData,
572 				 const u8 *payload, size_t payload_len)
573 {
574 	BIGNUM *x = NULL, *y = NULL;
575 	struct crypto_hash *hash;
576 	u32 cs;
577 	u16 grp;
578 	u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
579 	int offset;
580 
581 	if (data->state != PWD_Confirm_Req) {
582 		ret->ignore = TRUE;
583 		goto fin;
584 	}
585 
586 	if (payload_len != SHA256_MAC_LEN) {
587 		wpa_printf(MSG_INFO,
588 			   "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
589 			   (unsigned int) payload_len, SHA256_MAC_LEN);
590 		goto fin;
591 	}
592 
593 	/*
594 	 * first build up the ciphersuite which is group | random_function |
595 	 *	prf
596 	 */
597 	grp = htons(data->group_num);
598 	ptr = (u8 *) &cs;
599 	os_memcpy(ptr, &grp, sizeof(u16));
600 	ptr += sizeof(u16);
601 	*ptr = EAP_PWD_DEFAULT_RAND_FUNC;
602 	ptr += sizeof(u8);
603 	*ptr = EAP_PWD_DEFAULT_PRF;
604 
605 	/* each component of the cruft will be at most as big as the prime */
606 	if (((cruft = os_malloc(BN_num_bytes(data->grp->prime))) == NULL) ||
607 	    ((x = BN_new()) == NULL) || ((y = BN_new()) == NULL)) {
608 		wpa_printf(MSG_INFO, "EAP-PWD (server): confirm allocation "
609 			   "fail");
610 		goto fin;
611 	}
612 
613 	/*
614 	 * server's commit is H(k | server_element | server_scalar |
615 	 *			peer_element | peer_scalar | ciphersuite)
616 	 */
617 	hash = eap_pwd_h_init();
618 	if (hash == NULL)
619 		goto fin;
620 
621 	/*
622 	 * zero the memory each time because this is mod prime math and some
623 	 * value may start with a few zeros and the previous one did not.
624 	 */
625 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
626 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
627 	BN_bn2bin(data->k, cruft + offset);
628 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
629 
630 	/* server element: x, y */
631 	if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
632 						 data->server_element, x, y,
633 						 data->bnctx)) {
634 		wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
635 			   "assignment fail");
636 		goto fin;
637 	}
638 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
639 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
640 	BN_bn2bin(x, cruft + offset);
641 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
642 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
643 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
644 	BN_bn2bin(y, cruft + offset);
645 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
646 
647 	/* server scalar */
648 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
649 	offset = BN_num_bytes(data->grp->order) -
650 		BN_num_bytes(data->server_scalar);
651 	BN_bn2bin(data->server_scalar, cruft + offset);
652 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
653 
654 	/* my element: x, y */
655 	if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
656 						 data->my_element, x, y,
657 						 data->bnctx)) {
658 		wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
659 			   "assignment fail");
660 		goto fin;
661 	}
662 
663 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
664 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
665 	BN_bn2bin(x, cruft + offset);
666 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
667 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
668 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
669 	BN_bn2bin(y, cruft + offset);
670 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
671 
672 	/* my scalar */
673 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
674 	offset = BN_num_bytes(data->grp->order) -
675 		BN_num_bytes(data->my_scalar);
676 	BN_bn2bin(data->my_scalar, cruft + offset);
677 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
678 
679 	/* the ciphersuite */
680 	eap_pwd_h_update(hash, (u8 *) &cs, sizeof(u32));
681 
682 	/* random function fin */
683 	eap_pwd_h_final(hash, conf);
684 
685 	ptr = (u8 *) payload;
686 	if (os_memcmp_const(conf, ptr, SHA256_MAC_LEN)) {
687 		wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm did not verify");
688 		goto fin;
689 	}
690 
691 	wpa_printf(MSG_DEBUG, "EAP-pwd (peer): confirm verified");
692 
693 	/*
694 	 * compute confirm:
695 	 *  H(k | peer_element | peer_scalar | server_element | server_scalar |
696 	 *    ciphersuite)
697 	 */
698 	hash = eap_pwd_h_init();
699 	if (hash == NULL)
700 		goto fin;
701 
702 	/* k */
703 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
704 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
705 	BN_bn2bin(data->k, cruft + offset);
706 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
707 
708 	/* my element */
709 	if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
710 						 data->my_element, x, y,
711 						 data->bnctx)) {
712 		wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm point "
713 			   "assignment fail");
714 		goto fin;
715 	}
716 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
717 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
718 	BN_bn2bin(x, cruft + offset);
719 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
720 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
721 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
722 	BN_bn2bin(y, cruft + offset);
723 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
724 
725 	/* my scalar */
726 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
727 	offset = BN_num_bytes(data->grp->order) -
728 		BN_num_bytes(data->my_scalar);
729 	BN_bn2bin(data->my_scalar, cruft + offset);
730 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
731 
732 	/* server element: x, y */
733 	if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
734 						 data->server_element, x, y,
735 						 data->bnctx)) {
736 		wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm point "
737 			   "assignment fail");
738 		goto fin;
739 	}
740 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
741 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
742 	BN_bn2bin(x, cruft + offset);
743 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
744 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
745 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
746 	BN_bn2bin(y, cruft + offset);
747 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
748 
749 	/* server scalar */
750 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
751 	offset = BN_num_bytes(data->grp->order) -
752 		BN_num_bytes(data->server_scalar);
753 	BN_bn2bin(data->server_scalar, cruft + offset);
754 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
755 
756 	/* the ciphersuite */
757 	eap_pwd_h_update(hash, (u8 *) &cs, sizeof(u32));
758 
759 	/* all done */
760 	eap_pwd_h_final(hash, conf);
761 
762 	if (compute_keys(data->grp, data->bnctx, data->k,
763 			 data->my_scalar, data->server_scalar, conf, ptr,
764 			 &cs, data->msk, data->emsk, data->session_id) < 0) {
765 		wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to compute MSK | "
766 			   "EMSK");
767 		goto fin;
768 	}
769 
770 	data->outbuf = wpabuf_alloc(SHA256_MAC_LEN);
771 	if (data->outbuf == NULL)
772 		goto fin;
773 
774 	wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
775 
776 fin:
777 	if (data->grp)
778 		bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
779 	BN_clear_free(x);
780 	BN_clear_free(y);
781 	if (data->outbuf == NULL) {
782 		ret->methodState = METHOD_DONE;
783 		ret->decision = DECISION_FAIL;
784 		eap_pwd_state(data, FAILURE);
785 	} else {
786 		eap_pwd_state(data, SUCCESS_ON_FRAG_COMPLETION);
787 	}
788 }
789 
790 
791 static struct wpabuf *
792 eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
793 		const struct wpabuf *reqData)
794 {
795 	struct eap_pwd_data *data = priv;
796 	struct wpabuf *resp = NULL;
797 	const u8 *pos, *buf;
798 	size_t len;
799 	u16 tot_len = 0;
800 	u8 lm_exch;
801 
802 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PWD, reqData, &len);
803 	if ((pos == NULL) || (len < 1)) {
804 		wpa_printf(MSG_DEBUG, "EAP-pwd: Got a frame but pos is %s and "
805 			   "len is %d",
806 			   pos == NULL ? "NULL" : "not NULL", (int) len);
807 		ret->ignore = TRUE;
808 		return NULL;
809 	}
810 
811 	ret->ignore = FALSE;
812 	ret->methodState = METHOD_MAY_CONT;
813 	ret->decision = DECISION_FAIL;
814 	ret->allowNotifications = FALSE;
815 
816 	lm_exch = *pos;
817 	pos++;                  /* skip over the bits and the exch */
818 	len--;
819 
820 	/*
821 	 * we're fragmenting so send out the next fragment
822 	 */
823 	if (data->out_frag_pos) {
824 		/*
825 		 * this should be an ACK
826 		 */
827 		if (len)
828 			wpa_printf(MSG_INFO, "Bad Response! Fragmenting but "
829 				   "not an ACK");
830 
831 		wpa_printf(MSG_DEBUG, "EAP-pwd: Got an ACK for a fragment");
832 		/*
833 		 * check if there are going to be more fragments
834 		 */
835 		len = wpabuf_len(data->outbuf) - data->out_frag_pos;
836 		if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
837 			len = data->mtu - EAP_PWD_HDR_SIZE;
838 			EAP_PWD_SET_MORE_BIT(lm_exch);
839 		}
840 		resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
841 				     EAP_PWD_HDR_SIZE + len,
842 				     EAP_CODE_RESPONSE, eap_get_id(reqData));
843 		if (resp == NULL) {
844 			wpa_printf(MSG_INFO, "Unable to allocate memory for "
845 				   "next fragment!");
846 			return NULL;
847 		}
848 		wpabuf_put_u8(resp, lm_exch);
849 		buf = wpabuf_head_u8(data->outbuf);
850 		wpabuf_put_data(resp, buf + data->out_frag_pos, len);
851 		data->out_frag_pos += len;
852 		/*
853 		 * this is the last fragment so get rid of the out buffer
854 		 */
855 		if (data->out_frag_pos >= wpabuf_len(data->outbuf)) {
856 			wpabuf_free(data->outbuf);
857 			data->outbuf = NULL;
858 			data->out_frag_pos = 0;
859 		}
860 		wpa_printf(MSG_DEBUG, "EAP-pwd: Send %s fragment of %d bytes",
861 			   data->out_frag_pos == 0 ? "last" : "next",
862 			   (int) len);
863 		if (data->state == SUCCESS_ON_FRAG_COMPLETION) {
864 			ret->methodState = METHOD_DONE;
865 			ret->decision = DECISION_UNCOND_SUCC;
866 			eap_pwd_state(data, SUCCESS);
867 		}
868 		return resp;
869 	}
870 
871 	/*
872 	 * see if this is a fragment that needs buffering
873 	 *
874 	 * if it's the first fragment there'll be a length field
875 	 */
876 	if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
877 		if (len < 2) {
878 			wpa_printf(MSG_DEBUG,
879 				   "EAP-pwd: Frame too short to contain Total-Length field");
880 			ret->ignore = TRUE;
881 			return NULL;
882 		}
883 		tot_len = WPA_GET_BE16(pos);
884 		wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
885 			   "total length = %d", tot_len);
886 		if (tot_len > 15000)
887 			return NULL;
888 		if (data->inbuf) {
889 			wpa_printf(MSG_DEBUG,
890 				   "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
891 			ret->ignore = TRUE;
892 			return NULL;
893 		}
894 		data->inbuf = wpabuf_alloc(tot_len);
895 		if (data->inbuf == NULL) {
896 			wpa_printf(MSG_INFO, "Out of memory to buffer "
897 				   "fragments!");
898 			return NULL;
899 		}
900 		data->in_frag_pos = 0;
901 		pos += sizeof(u16);
902 		len -= sizeof(u16);
903 	}
904 	/*
905 	 * buffer and ACK the fragment
906 	 */
907 	if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
908 		data->in_frag_pos += len;
909 		if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
910 			wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
911 				   "detected (%d vs. %d)!",
912 				   (int) data->in_frag_pos,
913 				   (int) wpabuf_len(data->inbuf));
914 			wpabuf_free(data->inbuf);
915 			data->inbuf = NULL;
916 			data->in_frag_pos = 0;
917 			return NULL;
918 		}
919 		wpabuf_put_data(data->inbuf, pos, len);
920 	}
921 	if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
922 		resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
923 				     EAP_PWD_HDR_SIZE,
924 				     EAP_CODE_RESPONSE, eap_get_id(reqData));
925 		if (resp != NULL)
926 			wpabuf_put_u8(resp, (EAP_PWD_GET_EXCHANGE(lm_exch)));
927 		wpa_printf(MSG_DEBUG, "EAP-pwd: ACKing a %d byte fragment",
928 			   (int) len);
929 		return resp;
930 	}
931 	/*
932 	 * we're buffering and this is the last fragment
933 	 */
934 	if (data->in_frag_pos) {
935 		wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
936 			   (int) len);
937 		pos = wpabuf_head_u8(data->inbuf);
938 		len = data->in_frag_pos;
939 	}
940 	wpa_printf(MSG_DEBUG, "EAP-pwd: processing frame: exch %d, len %d",
941 		   EAP_PWD_GET_EXCHANGE(lm_exch), (int) len);
942 
943 	switch (EAP_PWD_GET_EXCHANGE(lm_exch)) {
944 	case EAP_PWD_OPCODE_ID_EXCH:
945 		eap_pwd_perform_id_exchange(sm, data, ret, reqData,
946 					    pos, len);
947 		break;
948 	case EAP_PWD_OPCODE_COMMIT_EXCH:
949 		eap_pwd_perform_commit_exchange(sm, data, ret, reqData,
950 						pos, len);
951 		break;
952 	case EAP_PWD_OPCODE_CONFIRM_EXCH:
953 		eap_pwd_perform_confirm_exchange(sm, data, ret, reqData,
954 						 pos, len);
955 		break;
956 	default:
957 		wpa_printf(MSG_INFO, "EAP-pwd: Ignoring message with unknown "
958 			   "opcode %d", lm_exch);
959 		break;
960 	}
961 	/*
962 	 * if we buffered the just processed input now's the time to free it
963 	 */
964 	if (data->in_frag_pos) {
965 		wpabuf_free(data->inbuf);
966 		data->inbuf = NULL;
967 		data->in_frag_pos = 0;
968 	}
969 
970 	if (data->outbuf == NULL) {
971 		ret->methodState = METHOD_DONE;
972 		ret->decision = DECISION_FAIL;
973 		return NULL;        /* generic failure */
974 	}
975 
976 	/*
977 	 * we have output! Do we need to fragment it?
978 	 */
979 	lm_exch = EAP_PWD_GET_EXCHANGE(lm_exch);
980 	len = wpabuf_len(data->outbuf);
981 	if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
982 		resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu,
983 				     EAP_CODE_RESPONSE, eap_get_id(reqData));
984 		/*
985 		 * if so it's the first so include a length field
986 		 */
987 		EAP_PWD_SET_LENGTH_BIT(lm_exch);
988 		EAP_PWD_SET_MORE_BIT(lm_exch);
989 		tot_len = len;
990 		/*
991 		 * keep the packet at the MTU
992 		 */
993 		len = data->mtu - EAP_PWD_HDR_SIZE - sizeof(u16);
994 		wpa_printf(MSG_DEBUG, "EAP-pwd: Fragmenting output, total "
995 			   "length = %d", tot_len);
996 	} else {
997 		resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
998 				     EAP_PWD_HDR_SIZE + len,
999 				     EAP_CODE_RESPONSE, eap_get_id(reqData));
1000 	}
1001 	if (resp == NULL)
1002 		return NULL;
1003 
1004 	wpabuf_put_u8(resp, lm_exch);
1005 	if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
1006 		wpabuf_put_be16(resp, tot_len);
1007 		data->out_frag_pos += len;
1008 	}
1009 	buf = wpabuf_head_u8(data->outbuf);
1010 	wpabuf_put_data(resp, buf, len);
1011 	/*
1012 	 * if we're not fragmenting then there's no need to carry this around
1013 	 */
1014 	if (data->out_frag_pos == 0) {
1015 		wpabuf_free(data->outbuf);
1016 		data->outbuf = NULL;
1017 		data->out_frag_pos = 0;
1018 		if (data->state == SUCCESS_ON_FRAG_COMPLETION) {
1019 			ret->methodState = METHOD_DONE;
1020 			ret->decision = DECISION_UNCOND_SUCC;
1021 			eap_pwd_state(data, SUCCESS);
1022 		}
1023 	}
1024 
1025 	return resp;
1026 }
1027 
1028 
1029 static Boolean eap_pwd_key_available(struct eap_sm *sm, void *priv)
1030 {
1031 	struct eap_pwd_data *data = priv;
1032 	return data->state == SUCCESS;
1033 }
1034 
1035 
1036 static u8 * eap_pwd_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
1037 {
1038 	struct eap_pwd_data *data = priv;
1039 	u8 *key;
1040 
1041 	if (data->state != SUCCESS)
1042 		return NULL;
1043 
1044 	if ((key = os_malloc(EAP_EMSK_LEN)) == NULL)
1045 		return NULL;
1046 
1047 	os_memcpy(key, data->emsk, EAP_EMSK_LEN);
1048 	*len = EAP_EMSK_LEN;
1049 
1050 	return key;
1051 }
1052 
1053 
1054 int eap_peer_pwd_register(void)
1055 {
1056 	struct eap_method *eap;
1057 
1058 	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
1059 				    EAP_VENDOR_IETF, EAP_TYPE_PWD, "PWD");
1060 	if (eap == NULL)
1061 		return -1;
1062 
1063 	eap->init = eap_pwd_init;
1064 	eap->deinit = eap_pwd_deinit;
1065 	eap->process = eap_pwd_process;
1066 	eap->isKeyAvailable = eap_pwd_key_available;
1067 	eap->getKey = eap_pwd_getkey;
1068 	eap->getSessionId = eap_pwd_get_session_id;
1069 	eap->get_emsk = eap_pwd_get_emsk;
1070 
1071 	return eap_peer_method_register(eap);
1072 }
1073