xref: /freebsd/contrib/wpa/src/eap_peer/eap_sake.c (revision fed1ca4b719c56c930f2259d80663cd34be812bb)
1 /*
2  * EAP peer method: EAP-SAKE (RFC 4763)
3  * Copyright (c) 2006-2008, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/random.h"
13 #include "eap_peer/eap_i.h"
14 #include "eap_common/eap_sake_common.h"
15 
16 struct eap_sake_data {
17 	enum { IDENTITY, CHALLENGE, CONFIRM, SUCCESS, FAILURE } state;
18 	u8 root_secret_a[EAP_SAKE_ROOT_SECRET_LEN];
19 	u8 root_secret_b[EAP_SAKE_ROOT_SECRET_LEN];
20 	u8 rand_s[EAP_SAKE_RAND_LEN];
21 	u8 rand_p[EAP_SAKE_RAND_LEN];
22 	struct {
23 		u8 auth[EAP_SAKE_TEK_AUTH_LEN];
24 		u8 cipher[EAP_SAKE_TEK_CIPHER_LEN];
25 	} tek;
26 	u8 msk[EAP_MSK_LEN];
27 	u8 emsk[EAP_EMSK_LEN];
28 	u8 session_id;
29 	int session_id_set;
30 	u8 *peerid;
31 	size_t peerid_len;
32 	u8 *serverid;
33 	size_t serverid_len;
34 };
35 
36 
37 static const char * eap_sake_state_txt(int state)
38 {
39 	switch (state) {
40 	case IDENTITY:
41 		return "IDENTITY";
42 	case CHALLENGE:
43 		return "CHALLENGE";
44 	case CONFIRM:
45 		return "CONFIRM";
46 	case SUCCESS:
47 		return "SUCCESS";
48 	case FAILURE:
49 		return "FAILURE";
50 	default:
51 		return "?";
52 	}
53 }
54 
55 
56 static void eap_sake_state(struct eap_sake_data *data, int state)
57 {
58 	wpa_printf(MSG_DEBUG, "EAP-SAKE: %s -> %s",
59 		   eap_sake_state_txt(data->state),
60 		   eap_sake_state_txt(state));
61 	data->state = state;
62 }
63 
64 
65 static void eap_sake_deinit(struct eap_sm *sm, void *priv);
66 
67 
68 static void * eap_sake_init(struct eap_sm *sm)
69 {
70 	struct eap_sake_data *data;
71 	const u8 *identity, *password;
72 	size_t identity_len, password_len;
73 
74 	password = eap_get_config_password(sm, &password_len);
75 	if (!password || password_len != 2 * EAP_SAKE_ROOT_SECRET_LEN) {
76 		wpa_printf(MSG_INFO, "EAP-SAKE: No key of correct length "
77 			   "configured");
78 		return NULL;
79 	}
80 
81 	data = os_zalloc(sizeof(*data));
82 	if (data == NULL)
83 		return NULL;
84 	data->state = IDENTITY;
85 
86 	identity = eap_get_config_identity(sm, &identity_len);
87 	if (identity) {
88 		data->peerid = os_malloc(identity_len);
89 		if (data->peerid == NULL) {
90 			eap_sake_deinit(sm, data);
91 			return NULL;
92 		}
93 		os_memcpy(data->peerid, identity, identity_len);
94 		data->peerid_len = identity_len;
95 	}
96 
97 	os_memcpy(data->root_secret_a, password, EAP_SAKE_ROOT_SECRET_LEN);
98 	os_memcpy(data->root_secret_b,
99 		  password + EAP_SAKE_ROOT_SECRET_LEN,
100 		  EAP_SAKE_ROOT_SECRET_LEN);
101 
102 	return data;
103 }
104 
105 
106 static void eap_sake_deinit(struct eap_sm *sm, void *priv)
107 {
108 	struct eap_sake_data *data = priv;
109 	os_free(data->serverid);
110 	os_free(data->peerid);
111 	bin_clear_free(data, sizeof(*data));
112 }
113 
114 
115 static struct wpabuf * eap_sake_build_msg(struct eap_sake_data *data,
116 					  int id, size_t length, u8 subtype)
117 {
118 	struct eap_sake_hdr *sake;
119 	struct wpabuf *msg;
120 	size_t plen;
121 
122 	plen = length + sizeof(struct eap_sake_hdr);
123 
124 	msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_SAKE, plen,
125 			    EAP_CODE_RESPONSE, id);
126 	if (msg == NULL) {
127 		wpa_printf(MSG_ERROR, "EAP-SAKE: Failed to allocate memory "
128 			   "request");
129 		return NULL;
130 	}
131 
132 	sake = wpabuf_put(msg, sizeof(*sake));
133 	sake->version = EAP_SAKE_VERSION;
134 	sake->session_id = data->session_id;
135 	sake->subtype = subtype;
136 
137 	return msg;
138 }
139 
140 
141 static struct wpabuf * eap_sake_process_identity(struct eap_sm *sm,
142 						 struct eap_sake_data *data,
143 						 struct eap_method_ret *ret,
144 						 u8 id,
145 						 const u8 *payload,
146 						 size_t payload_len)
147 {
148 	struct eap_sake_parse_attr attr;
149 	struct wpabuf *resp;
150 
151 	if (data->state != IDENTITY) {
152 		ret->ignore = TRUE;
153 		return NULL;
154 	}
155 
156 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Identity");
157 
158 	if (eap_sake_parse_attributes(payload, payload_len, &attr))
159 		return NULL;
160 
161 	if (!attr.perm_id_req && !attr.any_id_req) {
162 		wpa_printf(MSG_INFO, "EAP-SAKE: No AT_PERM_ID_REQ or "
163 			   "AT_ANY_ID_REQ in Request/Identity");
164 		return NULL;
165 	}
166 
167 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Identity");
168 
169 	resp = eap_sake_build_msg(data, id, 2 + data->peerid_len,
170 				  EAP_SAKE_SUBTYPE_IDENTITY);
171 	if (resp == NULL)
172 		return NULL;
173 
174 	wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_PEERID");
175 	eap_sake_add_attr(resp, EAP_SAKE_AT_PEERID,
176 			  data->peerid, data->peerid_len);
177 
178 	eap_sake_state(data, CHALLENGE);
179 
180 	return resp;
181 }
182 
183 
184 static struct wpabuf * eap_sake_process_challenge(struct eap_sm *sm,
185 						  struct eap_sake_data *data,
186 						  struct eap_method_ret *ret,
187 						  u8 id,
188 						  const u8 *payload,
189 						  size_t payload_len)
190 {
191 	struct eap_sake_parse_attr attr;
192 	struct wpabuf *resp;
193 	u8 *rpos;
194 	size_t rlen;
195 
196 	if (data->state != IDENTITY && data->state != CHALLENGE) {
197 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Request/Challenge received "
198 			   "in unexpected state (%d)", data->state);
199 		ret->ignore = TRUE;
200 		return NULL;
201 	}
202 	if (data->state == IDENTITY)
203 		eap_sake_state(data, CHALLENGE);
204 
205 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Challenge");
206 
207 	if (eap_sake_parse_attributes(payload, payload_len, &attr))
208 		return NULL;
209 
210 	if (!attr.rand_s) {
211 		wpa_printf(MSG_INFO, "EAP-SAKE: Request/Challenge did not "
212 			   "include AT_RAND_S");
213 		return NULL;
214 	}
215 
216 	os_memcpy(data->rand_s, attr.rand_s, EAP_SAKE_RAND_LEN);
217 	wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_S (server rand)",
218 		    data->rand_s, EAP_SAKE_RAND_LEN);
219 
220 	if (random_get_bytes(data->rand_p, EAP_SAKE_RAND_LEN)) {
221 		wpa_printf(MSG_ERROR, "EAP-SAKE: Failed to get random data");
222 		return NULL;
223 	}
224 	wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_P (peer rand)",
225 		    data->rand_p, EAP_SAKE_RAND_LEN);
226 
227 	os_free(data->serverid);
228 	data->serverid = NULL;
229 	data->serverid_len = 0;
230 	if (attr.serverid) {
231 		wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-SAKE: SERVERID",
232 				  attr.serverid, attr.serverid_len);
233 		data->serverid = os_malloc(attr.serverid_len);
234 		if (data->serverid == NULL)
235 			return NULL;
236 		os_memcpy(data->serverid, attr.serverid, attr.serverid_len);
237 		data->serverid_len = attr.serverid_len;
238 	}
239 
240 	eap_sake_derive_keys(data->root_secret_a, data->root_secret_b,
241 			     data->rand_s, data->rand_p,
242 			     (u8 *) &data->tek, data->msk, data->emsk);
243 
244 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Challenge");
245 
246 	rlen = 2 + EAP_SAKE_RAND_LEN + 2 + EAP_SAKE_MIC_LEN;
247 	if (data->peerid)
248 		rlen += 2 + data->peerid_len;
249 	resp = eap_sake_build_msg(data, id, rlen, EAP_SAKE_SUBTYPE_CHALLENGE);
250 	if (resp == NULL)
251 		return NULL;
252 
253 	wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_RAND_P");
254 	eap_sake_add_attr(resp, EAP_SAKE_AT_RAND_P,
255 			  data->rand_p, EAP_SAKE_RAND_LEN);
256 
257 	if (data->peerid) {
258 		wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_PEERID");
259 		eap_sake_add_attr(resp, EAP_SAKE_AT_PEERID,
260 				  data->peerid, data->peerid_len);
261 	}
262 
263 	wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_MIC_P");
264 	wpabuf_put_u8(resp, EAP_SAKE_AT_MIC_P);
265 	wpabuf_put_u8(resp, 2 + EAP_SAKE_MIC_LEN);
266 	rpos = wpabuf_put(resp, EAP_SAKE_MIC_LEN);
267 	if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
268 				 data->serverid, data->serverid_len,
269 				 data->peerid, data->peerid_len, 1,
270 				 wpabuf_head(resp), wpabuf_len(resp), rpos,
271 				 rpos)) {
272 		wpa_printf(MSG_INFO, "EAP-SAKE: Failed to compute MIC");
273 		wpabuf_free(resp);
274 		return NULL;
275 	}
276 
277 	eap_sake_state(data, CONFIRM);
278 
279 	return resp;
280 }
281 
282 
283 static struct wpabuf * eap_sake_process_confirm(struct eap_sm *sm,
284 						struct eap_sake_data *data,
285 						struct eap_method_ret *ret,
286 						u8 id,
287 						const struct wpabuf *reqData,
288 						const u8 *payload,
289 						size_t payload_len)
290 {
291 	struct eap_sake_parse_attr attr;
292 	u8 mic_s[EAP_SAKE_MIC_LEN];
293 	struct wpabuf *resp;
294 	u8 *rpos;
295 
296 	if (data->state != CONFIRM) {
297 		ret->ignore = TRUE;
298 		return NULL;
299 	}
300 
301 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Confirm");
302 
303 	if (eap_sake_parse_attributes(payload, payload_len, &attr))
304 		return NULL;
305 
306 	if (!attr.mic_s) {
307 		wpa_printf(MSG_INFO, "EAP-SAKE: Request/Confirm did not "
308 			   "include AT_MIC_S");
309 		return NULL;
310 	}
311 
312 	eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
313 			     data->serverid, data->serverid_len,
314 			     data->peerid, data->peerid_len, 0,
315 			     wpabuf_head(reqData), wpabuf_len(reqData),
316 			     attr.mic_s, mic_s);
317 	if (os_memcmp_const(attr.mic_s, mic_s, EAP_SAKE_MIC_LEN) != 0) {
318 		wpa_printf(MSG_INFO, "EAP-SAKE: Incorrect AT_MIC_S");
319 		eap_sake_state(data, FAILURE);
320 		ret->methodState = METHOD_DONE;
321 		ret->decision = DECISION_FAIL;
322 		ret->allowNotifications = FALSE;
323 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending "
324 			   "Response/Auth-Reject");
325 		return eap_sake_build_msg(data, id, 0,
326 					  EAP_SAKE_SUBTYPE_AUTH_REJECT);
327 	}
328 
329 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Confirm");
330 
331 	resp = eap_sake_build_msg(data, id, 2 + EAP_SAKE_MIC_LEN,
332 				  EAP_SAKE_SUBTYPE_CONFIRM);
333 	if (resp == NULL)
334 		return NULL;
335 
336 	wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_MIC_P");
337 	wpabuf_put_u8(resp, EAP_SAKE_AT_MIC_P);
338 	wpabuf_put_u8(resp, 2 + EAP_SAKE_MIC_LEN);
339 	rpos = wpabuf_put(resp, EAP_SAKE_MIC_LEN);
340 	if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
341 				 data->serverid, data->serverid_len,
342 				 data->peerid, data->peerid_len, 1,
343 				 wpabuf_head(resp), wpabuf_len(resp), rpos,
344 				 rpos)) {
345 		wpa_printf(MSG_INFO, "EAP-SAKE: Failed to compute MIC");
346 		wpabuf_free(resp);
347 		return NULL;
348 	}
349 
350 	eap_sake_state(data, SUCCESS);
351 	ret->methodState = METHOD_DONE;
352 	ret->decision = DECISION_UNCOND_SUCC;
353 	ret->allowNotifications = FALSE;
354 
355 	return resp;
356 }
357 
358 
359 static struct wpabuf * eap_sake_process(struct eap_sm *sm, void *priv,
360 					struct eap_method_ret *ret,
361 					const struct wpabuf *reqData)
362 {
363 	struct eap_sake_data *data = priv;
364 	const struct eap_sake_hdr *req;
365 	struct wpabuf *resp;
366 	const u8 *pos, *end;
367 	size_t len;
368 	u8 subtype, session_id, id;
369 
370 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_SAKE, reqData, &len);
371 	if (pos == NULL || len < sizeof(struct eap_sake_hdr)) {
372 		ret->ignore = TRUE;
373 		return NULL;
374 	}
375 
376 	req = (const struct eap_sake_hdr *) pos;
377 	end = pos + len;
378 	id = eap_get_id(reqData);
379 	subtype = req->subtype;
380 	session_id = req->session_id;
381 	pos = (const u8 *) (req + 1);
382 
383 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Received frame: subtype %d "
384 		   "session_id %d", subtype, session_id);
385 	wpa_hexdump(MSG_DEBUG, "EAP-SAKE: Received attributes",
386 		    pos, end - pos);
387 
388 	if (data->session_id_set && data->session_id != session_id) {
389 		wpa_printf(MSG_INFO, "EAP-SAKE: Session ID mismatch (%d,%d)",
390 			   session_id, data->session_id);
391 		ret->ignore = TRUE;
392 		return NULL;
393 	}
394 	data->session_id = session_id;
395 	data->session_id_set = 1;
396 
397 	ret->ignore = FALSE;
398 	ret->methodState = METHOD_MAY_CONT;
399 	ret->decision = DECISION_FAIL;
400 	ret->allowNotifications = TRUE;
401 
402 	switch (subtype) {
403 	case EAP_SAKE_SUBTYPE_IDENTITY:
404 		resp = eap_sake_process_identity(sm, data, ret, id,
405 						 pos, end - pos);
406 		break;
407 	case EAP_SAKE_SUBTYPE_CHALLENGE:
408 		resp = eap_sake_process_challenge(sm, data, ret, id,
409 						  pos, end - pos);
410 		break;
411 	case EAP_SAKE_SUBTYPE_CONFIRM:
412 		resp = eap_sake_process_confirm(sm, data, ret, id, reqData,
413 						pos, end - pos);
414 		break;
415 	default:
416 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring message with "
417 			   "unknown subtype %d", subtype);
418 		ret->ignore = TRUE;
419 		return NULL;
420 	}
421 
422 	if (ret->methodState == METHOD_DONE)
423 		ret->allowNotifications = FALSE;
424 
425 	return resp;
426 }
427 
428 
429 static Boolean eap_sake_isKeyAvailable(struct eap_sm *sm, void *priv)
430 {
431 	struct eap_sake_data *data = priv;
432 	return data->state == SUCCESS;
433 }
434 
435 
436 static u8 * eap_sake_getKey(struct eap_sm *sm, void *priv, size_t *len)
437 {
438 	struct eap_sake_data *data = priv;
439 	u8 *key;
440 
441 	if (data->state != SUCCESS)
442 		return NULL;
443 
444 	key = os_malloc(EAP_MSK_LEN);
445 	if (key == NULL)
446 		return NULL;
447 	os_memcpy(key, data->msk, EAP_MSK_LEN);
448 	*len = EAP_MSK_LEN;
449 
450 	return key;
451 }
452 
453 
454 static u8 * eap_sake_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
455 {
456 	struct eap_sake_data *data = priv;
457 	u8 *id;
458 
459 	if (data->state != SUCCESS)
460 		return NULL;
461 
462 	*len = 1 + 2 * EAP_SAKE_RAND_LEN;
463 	id = os_malloc(*len);
464 	if (id == NULL)
465 		return NULL;
466 
467 	id[0] = EAP_TYPE_SAKE;
468 	os_memcpy(id + 1, data->rand_s, EAP_SAKE_RAND_LEN);
469 	os_memcpy(id + 1 + EAP_SAKE_RAND_LEN, data->rand_s, EAP_SAKE_RAND_LEN);
470 	wpa_hexdump(MSG_DEBUG, "EAP-SAKE: Derived Session-Id", id, *len);
471 
472 	return id;
473 }
474 
475 
476 static u8 * eap_sake_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
477 {
478 	struct eap_sake_data *data = priv;
479 	u8 *key;
480 
481 	if (data->state != SUCCESS)
482 		return NULL;
483 
484 	key = os_malloc(EAP_EMSK_LEN);
485 	if (key == NULL)
486 		return NULL;
487 	os_memcpy(key, data->emsk, EAP_EMSK_LEN);
488 	*len = EAP_EMSK_LEN;
489 
490 	return key;
491 }
492 
493 
494 int eap_peer_sake_register(void)
495 {
496 	struct eap_method *eap;
497 	int ret;
498 
499 	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
500 				    EAP_VENDOR_IETF, EAP_TYPE_SAKE, "SAKE");
501 	if (eap == NULL)
502 		return -1;
503 
504 	eap->init = eap_sake_init;
505 	eap->deinit = eap_sake_deinit;
506 	eap->process = eap_sake_process;
507 	eap->isKeyAvailable = eap_sake_isKeyAvailable;
508 	eap->getKey = eap_sake_getKey;
509 	eap->getSessionId = eap_sake_get_session_id;
510 	eap->get_emsk = eap_sake_get_emsk;
511 
512 	ret = eap_peer_method_register(eap);
513 	if (ret)
514 		eap_peer_method_free(eap);
515 	return ret;
516 }
517