1f05cddf9SRui Paulo /*
2f05cddf9SRui Paulo * hostapd / EAP-pwd (RFC 5931) server
3f05cddf9SRui Paulo * Copyright (c) 2010, Dan Harkins <dharkins@lounge.org>
4f05cddf9SRui Paulo *
5f05cddf9SRui Paulo * This software may be distributed under the terms of the BSD license.
6f05cddf9SRui Paulo * See README for more details.
7f05cddf9SRui Paulo */
8f05cddf9SRui Paulo
9f05cddf9SRui Paulo #include "includes.h"
10f05cddf9SRui Paulo
11f05cddf9SRui Paulo #include "common.h"
12f05cddf9SRui Paulo #include "crypto/sha256.h"
13325151a3SRui Paulo #include "crypto/ms_funcs.h"
1485732ac8SCy Schubert #include "crypto/crypto.h"
15f05cddf9SRui Paulo #include "eap_server/eap_i.h"
16f05cddf9SRui Paulo #include "eap_common/eap_pwd_common.h"
17f05cddf9SRui Paulo
18f05cddf9SRui Paulo
19f05cddf9SRui Paulo struct eap_pwd_data {
20f05cddf9SRui Paulo enum {
21f05cddf9SRui Paulo PWD_ID_Req, PWD_Commit_Req, PWD_Confirm_Req, SUCCESS, FAILURE
22f05cddf9SRui Paulo } state;
23f05cddf9SRui Paulo u8 *id_peer;
24f05cddf9SRui Paulo size_t id_peer_len;
25f05cddf9SRui Paulo u8 *id_server;
26f05cddf9SRui Paulo size_t id_server_len;
27f05cddf9SRui Paulo u8 *password;
28f05cddf9SRui Paulo size_t password_len;
29325151a3SRui Paulo int password_hash;
3085732ac8SCy Schubert u8 *salt;
3185732ac8SCy Schubert size_t salt_len;
32f05cddf9SRui Paulo u32 token;
33f05cddf9SRui Paulo u16 group_num;
3485732ac8SCy Schubert u8 password_prep;
35f05cddf9SRui Paulo EAP_PWD_group *grp;
36f05cddf9SRui Paulo
37f05cddf9SRui Paulo struct wpabuf *inbuf;
38f05cddf9SRui Paulo size_t in_frag_pos;
39f05cddf9SRui Paulo struct wpabuf *outbuf;
40f05cddf9SRui Paulo size_t out_frag_pos;
41f05cddf9SRui Paulo size_t mtu;
42f05cddf9SRui Paulo
4385732ac8SCy Schubert struct crypto_bignum *k;
4485732ac8SCy Schubert struct crypto_bignum *private_value;
4585732ac8SCy Schubert struct crypto_bignum *peer_scalar;
4685732ac8SCy Schubert struct crypto_bignum *my_scalar;
4785732ac8SCy Schubert struct crypto_ec_point *my_element;
4885732ac8SCy Schubert struct crypto_ec_point *peer_element;
49f05cddf9SRui Paulo
50f05cddf9SRui Paulo u8 my_confirm[SHA256_MAC_LEN];
51f05cddf9SRui Paulo
52f05cddf9SRui Paulo u8 msk[EAP_MSK_LEN];
53f05cddf9SRui Paulo u8 emsk[EAP_EMSK_LEN];
545b9c547cSRui Paulo u8 session_id[1 + SHA256_MAC_LEN];
55f05cddf9SRui Paulo };
56f05cddf9SRui Paulo
57f05cddf9SRui Paulo
eap_pwd_state_txt(int state)58f05cddf9SRui Paulo static const char * eap_pwd_state_txt(int state)
59f05cddf9SRui Paulo {
60f05cddf9SRui Paulo switch (state) {
61f05cddf9SRui Paulo case PWD_ID_Req:
62f05cddf9SRui Paulo return "PWD-ID-Req";
63f05cddf9SRui Paulo case PWD_Commit_Req:
64f05cddf9SRui Paulo return "PWD-Commit-Req";
65f05cddf9SRui Paulo case PWD_Confirm_Req:
66f05cddf9SRui Paulo return "PWD-Confirm-Req";
67f05cddf9SRui Paulo case SUCCESS:
68f05cddf9SRui Paulo return "SUCCESS";
69f05cddf9SRui Paulo case FAILURE:
70f05cddf9SRui Paulo return "FAILURE";
71f05cddf9SRui Paulo default:
72f05cddf9SRui Paulo return "PWD-Unk";
73f05cddf9SRui Paulo }
74f05cddf9SRui Paulo }
75f05cddf9SRui Paulo
76f05cddf9SRui Paulo
eap_pwd_state(struct eap_pwd_data * data,int state)77f05cddf9SRui Paulo static void eap_pwd_state(struct eap_pwd_data *data, int state)
78f05cddf9SRui Paulo {
79f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd: %s -> %s",
80f05cddf9SRui Paulo eap_pwd_state_txt(data->state), eap_pwd_state_txt(state));
81f05cddf9SRui Paulo data->state = state;
82f05cddf9SRui Paulo }
83f05cddf9SRui Paulo
84f05cddf9SRui Paulo
eap_pwd_init(struct eap_sm * sm)85f05cddf9SRui Paulo static void * eap_pwd_init(struct eap_sm *sm)
86f05cddf9SRui Paulo {
87f05cddf9SRui Paulo struct eap_pwd_data *data;
88f05cddf9SRui Paulo
89f05cddf9SRui Paulo if (sm->user == NULL || sm->user->password == NULL ||
90f05cddf9SRui Paulo sm->user->password_len == 0) {
91f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): Password is not "
92f05cddf9SRui Paulo "configured");
93f05cddf9SRui Paulo return NULL;
94f05cddf9SRui Paulo }
95f05cddf9SRui Paulo
96f05cddf9SRui Paulo data = os_zalloc(sizeof(*data));
97f05cddf9SRui Paulo if (data == NULL)
98f05cddf9SRui Paulo return NULL;
99f05cddf9SRui Paulo
100c1d255d3SCy Schubert data->group_num = sm->cfg->pwd_group;
101f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd: Selected group number %d",
102f05cddf9SRui Paulo data->group_num);
103f05cddf9SRui Paulo data->state = PWD_ID_Req;
104f05cddf9SRui Paulo
105f05cddf9SRui Paulo data->id_server = (u8 *) os_strdup("server");
106f05cddf9SRui Paulo if (data->id_server)
107f05cddf9SRui Paulo data->id_server_len = os_strlen((char *) data->id_server);
108f05cddf9SRui Paulo
109f05cddf9SRui Paulo data->password = os_malloc(sm->user->password_len);
110f05cddf9SRui Paulo if (data->password == NULL) {
111f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD: Memory allocation password "
112f05cddf9SRui Paulo "fail");
1135b9c547cSRui Paulo bin_clear_free(data->id_server, data->id_server_len);
114f05cddf9SRui Paulo os_free(data);
115f05cddf9SRui Paulo return NULL;
116f05cddf9SRui Paulo }
117f05cddf9SRui Paulo data->password_len = sm->user->password_len;
118f05cddf9SRui Paulo os_memcpy(data->password, sm->user->password, data->password_len);
119325151a3SRui Paulo data->password_hash = sm->user->password_hash;
120f05cddf9SRui Paulo
12185732ac8SCy Schubert data->salt_len = sm->user->salt_len;
12285732ac8SCy Schubert if (data->salt_len) {
12385732ac8SCy Schubert data->salt = os_memdup(sm->user->salt, sm->user->salt_len);
12485732ac8SCy Schubert if (!data->salt) {
12585732ac8SCy Schubert wpa_printf(MSG_INFO,
12685732ac8SCy Schubert "EAP-pwd: Memory allocation of salt failed");
1275b9c547cSRui Paulo bin_clear_free(data->id_server, data->id_server_len);
12885732ac8SCy Schubert bin_clear_free(data->password, data->password_len);
129f05cddf9SRui Paulo os_free(data);
130f05cddf9SRui Paulo return NULL;
131f05cddf9SRui Paulo }
13285732ac8SCy Schubert }
133f05cddf9SRui Paulo
134f05cddf9SRui Paulo data->in_frag_pos = data->out_frag_pos = 0;
135f05cddf9SRui Paulo data->inbuf = data->outbuf = NULL;
1365b9c547cSRui Paulo /* use default MTU from RFC 5931 if not configured otherwise */
137c1d255d3SCy Schubert data->mtu = sm->cfg->fragment_size > 0 ? sm->cfg->fragment_size : 1020;
138f05cddf9SRui Paulo
139f05cddf9SRui Paulo return data;
140f05cddf9SRui Paulo }
141f05cddf9SRui Paulo
142f05cddf9SRui Paulo
eap_pwd_reset(struct eap_sm * sm,void * priv)143f05cddf9SRui Paulo static void eap_pwd_reset(struct eap_sm *sm, void *priv)
144f05cddf9SRui Paulo {
145f05cddf9SRui Paulo struct eap_pwd_data *data = priv;
146f05cddf9SRui Paulo
14785732ac8SCy Schubert crypto_bignum_deinit(data->private_value, 1);
14885732ac8SCy Schubert crypto_bignum_deinit(data->peer_scalar, 1);
14985732ac8SCy Schubert crypto_bignum_deinit(data->my_scalar, 1);
15085732ac8SCy Schubert crypto_bignum_deinit(data->k, 1);
15185732ac8SCy Schubert crypto_ec_point_deinit(data->my_element, 1);
15285732ac8SCy Schubert crypto_ec_point_deinit(data->peer_element, 1);
1535b9c547cSRui Paulo bin_clear_free(data->id_peer, data->id_peer_len);
1545b9c547cSRui Paulo bin_clear_free(data->id_server, data->id_server_len);
1555b9c547cSRui Paulo bin_clear_free(data->password, data->password_len);
15685732ac8SCy Schubert bin_clear_free(data->salt, data->salt_len);
157f05cddf9SRui Paulo if (data->grp) {
15885732ac8SCy Schubert crypto_ec_deinit(data->grp->group);
15985732ac8SCy Schubert crypto_ec_point_deinit(data->grp->pwe, 1);
160f05cddf9SRui Paulo os_free(data->grp);
161f05cddf9SRui Paulo }
1625b9c547cSRui Paulo wpabuf_free(data->inbuf);
1635b9c547cSRui Paulo wpabuf_free(data->outbuf);
1645b9c547cSRui Paulo bin_clear_free(data, sizeof(*data));
165f05cddf9SRui Paulo }
166f05cddf9SRui Paulo
167f05cddf9SRui Paulo
eap_pwd_build_id_req(struct eap_sm * sm,struct eap_pwd_data * data,u8 id)168f05cddf9SRui Paulo static void eap_pwd_build_id_req(struct eap_sm *sm, struct eap_pwd_data *data,
169f05cddf9SRui Paulo u8 id)
170f05cddf9SRui Paulo {
171f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd: ID/Request");
172f05cddf9SRui Paulo /*
173f05cddf9SRui Paulo * if we're fragmenting then we already have an id request, just return
174f05cddf9SRui Paulo */
175f05cddf9SRui Paulo if (data->out_frag_pos)
176f05cddf9SRui Paulo return;
177f05cddf9SRui Paulo
178f05cddf9SRui Paulo data->outbuf = wpabuf_alloc(sizeof(struct eap_pwd_id) +
179f05cddf9SRui Paulo data->id_server_len);
180f05cddf9SRui Paulo if (data->outbuf == NULL) {
181f05cddf9SRui Paulo eap_pwd_state(data, FAILURE);
182f05cddf9SRui Paulo return;
183f05cddf9SRui Paulo }
184f05cddf9SRui Paulo
185780fb4a2SCy Schubert if (os_get_random((u8 *) &data->token, sizeof(data->token)) < 0) {
186780fb4a2SCy Schubert wpabuf_free(data->outbuf);
187780fb4a2SCy Schubert data->outbuf = NULL;
188780fb4a2SCy Schubert eap_pwd_state(data, FAILURE);
189780fb4a2SCy Schubert return;
190780fb4a2SCy Schubert }
191780fb4a2SCy Schubert
19285732ac8SCy Schubert wpa_hexdump_key(MSG_DEBUG, "EAP-pwd (server): password",
19385732ac8SCy Schubert data->password, data->password_len);
19485732ac8SCy Schubert if (data->salt_len)
19585732ac8SCy Schubert wpa_hexdump(MSG_DEBUG, "EAP-pwd (server): salt",
19685732ac8SCy Schubert data->salt, data->salt_len);
19785732ac8SCy Schubert
19885732ac8SCy Schubert /*
19985732ac8SCy Schubert * If this is a salted password then figure out how it was hashed
20085732ac8SCy Schubert * based on the length.
20185732ac8SCy Schubert */
20285732ac8SCy Schubert if (data->salt_len) {
20385732ac8SCy Schubert switch (data->password_len) {
20485732ac8SCy Schubert case 20:
20585732ac8SCy Schubert data->password_prep = EAP_PWD_PREP_SSHA1;
20685732ac8SCy Schubert break;
20785732ac8SCy Schubert case 32:
20885732ac8SCy Schubert data->password_prep = EAP_PWD_PREP_SSHA256;
20985732ac8SCy Schubert break;
21085732ac8SCy Schubert case 64:
21185732ac8SCy Schubert data->password_prep = EAP_PWD_PREP_SSHA512;
21285732ac8SCy Schubert break;
21385732ac8SCy Schubert default:
21485732ac8SCy Schubert wpa_printf(MSG_INFO,
21585732ac8SCy Schubert "EAP-pwd (server): bad size %d for salted password",
21685732ac8SCy Schubert (int) data->password_len);
21785732ac8SCy Schubert eap_pwd_state(data, FAILURE);
21885732ac8SCy Schubert return;
21985732ac8SCy Schubert }
22085732ac8SCy Schubert } else {
22185732ac8SCy Schubert /* Otherwise, figure out whether it's MS hashed or plain */
22285732ac8SCy Schubert data->password_prep = data->password_hash ? EAP_PWD_PREP_MS :
22385732ac8SCy Schubert EAP_PWD_PREP_NONE;
22485732ac8SCy Schubert }
22585732ac8SCy Schubert
226f05cddf9SRui Paulo wpabuf_put_be16(data->outbuf, data->group_num);
227f05cddf9SRui Paulo wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_RAND_FUNC);
228f05cddf9SRui Paulo wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_PRF);
229f05cddf9SRui Paulo wpabuf_put_data(data->outbuf, &data->token, sizeof(data->token));
23085732ac8SCy Schubert wpabuf_put_u8(data->outbuf, data->password_prep);
231f05cddf9SRui Paulo wpabuf_put_data(data->outbuf, data->id_server, data->id_server_len);
232f05cddf9SRui Paulo }
233f05cddf9SRui Paulo
234f05cddf9SRui Paulo
eap_pwd_build_commit_req(struct eap_sm * sm,struct eap_pwd_data * data,u8 id)235f05cddf9SRui Paulo static void eap_pwd_build_commit_req(struct eap_sm *sm,
236f05cddf9SRui Paulo struct eap_pwd_data *data, u8 id)
237f05cddf9SRui Paulo {
23885732ac8SCy Schubert struct crypto_bignum *mask = NULL;
2394bc52338SCy Schubert u8 *scalar, *element;
24085732ac8SCy Schubert size_t prime_len, order_len;
241f05cddf9SRui Paulo
242f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd: Commit/Request");
243f05cddf9SRui Paulo /*
244f05cddf9SRui Paulo * if we're fragmenting then we already have an commit request, just
245f05cddf9SRui Paulo * return
246f05cddf9SRui Paulo */
247f05cddf9SRui Paulo if (data->out_frag_pos)
248f05cddf9SRui Paulo return;
249f05cddf9SRui Paulo
25085732ac8SCy Schubert prime_len = crypto_ec_prime_len(data->grp->group);
25185732ac8SCy Schubert order_len = crypto_ec_order_len(data->grp->group);
25285732ac8SCy Schubert
25385732ac8SCy Schubert data->private_value = crypto_bignum_init();
25485732ac8SCy Schubert data->my_element = crypto_ec_point_init(data->grp->group);
25585732ac8SCy Schubert data->my_scalar = crypto_bignum_init();
25685732ac8SCy Schubert mask = crypto_bignum_init();
25785732ac8SCy Schubert if (!data->private_value || !data->my_element || !data->my_scalar ||
25885732ac8SCy Schubert !mask) {
259f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): scalar allocation "
260f05cddf9SRui Paulo "fail");
261f05cddf9SRui Paulo goto fin;
262f05cddf9SRui Paulo }
263f05cddf9SRui Paulo
2644bc52338SCy Schubert if (eap_pwd_get_rand_mask(data->grp, data->private_value, mask,
2654bc52338SCy Schubert data->my_scalar) < 0)
2665b9c547cSRui Paulo goto fin;
267f05cddf9SRui Paulo
26885732ac8SCy Schubert if (crypto_ec_point_mul(data->grp->group, data->grp->pwe, mask,
26985732ac8SCy Schubert data->my_element) < 0) {
270f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): element allocation "
271f05cddf9SRui Paulo "fail");
272f05cddf9SRui Paulo eap_pwd_state(data, FAILURE);
273f05cddf9SRui Paulo goto fin;
274f05cddf9SRui Paulo }
275f05cddf9SRui Paulo
27685732ac8SCy Schubert if (crypto_ec_point_invert(data->grp->group, data->my_element) < 0) {
277f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): element inversion "
278f05cddf9SRui Paulo "fail");
279f05cddf9SRui Paulo goto fin;
280f05cddf9SRui Paulo }
281f05cddf9SRui Paulo
28285732ac8SCy Schubert data->outbuf = wpabuf_alloc(2 * prime_len + order_len +
28385732ac8SCy Schubert (data->salt ? 1 + data->salt_len : 0));
284f05cddf9SRui Paulo if (data->outbuf == NULL)
285f05cddf9SRui Paulo goto fin;
286f05cddf9SRui Paulo
28785732ac8SCy Schubert /* If we're doing salted password prep, add the salt */
28885732ac8SCy Schubert if (data->salt_len) {
28985732ac8SCy Schubert wpabuf_put_u8(data->outbuf, data->salt_len);
29085732ac8SCy Schubert wpabuf_put_data(data->outbuf, data->salt, data->salt_len);
29185732ac8SCy Schubert }
29285732ac8SCy Schubert
293f05cddf9SRui Paulo /* We send the element as (x,y) followed by the scalar */
2944bc52338SCy Schubert element = wpabuf_put(data->outbuf, 2 * prime_len);
2954bc52338SCy Schubert scalar = wpabuf_put(data->outbuf, order_len);
296*a90b9d01SCy Schubert if (crypto_bignum_to_bin(data->my_scalar, scalar, order_len,
297*a90b9d01SCy Schubert order_len) < 0)
298*a90b9d01SCy Schubert goto fin;
299*a90b9d01SCy Schubert
3004bc52338SCy Schubert if (crypto_ec_point_to_bin(data->grp->group, data->my_element, element,
3014bc52338SCy Schubert element + prime_len) < 0) {
3024bc52338SCy Schubert wpa_printf(MSG_INFO, "EAP-PWD (server): point assignment "
3034bc52338SCy Schubert "fail");
3044bc52338SCy Schubert goto fin;
3054bc52338SCy Schubert }
306f05cddf9SRui Paulo
307f05cddf9SRui Paulo fin:
30885732ac8SCy Schubert crypto_bignum_deinit(mask, 1);
309f05cddf9SRui Paulo if (data->outbuf == NULL)
310f05cddf9SRui Paulo eap_pwd_state(data, FAILURE);
311f05cddf9SRui Paulo }
312f05cddf9SRui Paulo
313f05cddf9SRui Paulo
eap_pwd_build_confirm_req(struct eap_sm * sm,struct eap_pwd_data * data,u8 id)314f05cddf9SRui Paulo static void eap_pwd_build_confirm_req(struct eap_sm *sm,
315f05cddf9SRui Paulo struct eap_pwd_data *data, u8 id)
316f05cddf9SRui Paulo {
3174bc52338SCy Schubert struct crypto_hash *hash = NULL;
318f05cddf9SRui Paulo u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
319f05cddf9SRui Paulo u16 grp;
32085732ac8SCy Schubert size_t prime_len, order_len;
321f05cddf9SRui Paulo
322f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd: Confirm/Request");
323f05cddf9SRui Paulo /*
324f05cddf9SRui Paulo * if we're fragmenting then we already have an confirm request, just
325f05cddf9SRui Paulo * return
326f05cddf9SRui Paulo */
327f05cddf9SRui Paulo if (data->out_frag_pos)
328f05cddf9SRui Paulo return;
329f05cddf9SRui Paulo
33085732ac8SCy Schubert prime_len = crypto_ec_prime_len(data->grp->group);
33185732ac8SCy Schubert order_len = crypto_ec_order_len(data->grp->group);
33285732ac8SCy Schubert
333f05cddf9SRui Paulo /* Each component of the cruft will be at most as big as the prime */
33485732ac8SCy Schubert cruft = os_malloc(prime_len * 2);
33585732ac8SCy Schubert if (!cruft) {
336f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): debug allocation "
337f05cddf9SRui Paulo "fail");
338f05cddf9SRui Paulo goto fin;
339f05cddf9SRui Paulo }
340f05cddf9SRui Paulo
341f05cddf9SRui Paulo /*
342f05cddf9SRui Paulo * commit is H(k | server_element | server_scalar | peer_element |
343f05cddf9SRui Paulo * peer_scalar | ciphersuite)
344f05cddf9SRui Paulo */
345f05cddf9SRui Paulo hash = eap_pwd_h_init();
346f05cddf9SRui Paulo if (hash == NULL)
347f05cddf9SRui Paulo goto fin;
348f05cddf9SRui Paulo
349f05cddf9SRui Paulo /*
350f05cddf9SRui Paulo * Zero the memory each time because this is mod prime math and some
351f05cddf9SRui Paulo * value may start with a few zeros and the previous one did not.
352f05cddf9SRui Paulo *
353f05cddf9SRui Paulo * First is k
354f05cddf9SRui Paulo */
355*a90b9d01SCy Schubert if (crypto_bignum_to_bin(data->k, cruft, prime_len, prime_len) < 0)
356*a90b9d01SCy Schubert goto fin;
357*a90b9d01SCy Schubert
35885732ac8SCy Schubert eap_pwd_h_update(hash, cruft, prime_len);
359f05cddf9SRui Paulo
360f05cddf9SRui Paulo /* server element: x, y */
36185732ac8SCy Schubert if (crypto_ec_point_to_bin(data->grp->group, data->my_element, cruft,
36285732ac8SCy Schubert cruft + prime_len) < 0) {
363f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
364f05cddf9SRui Paulo "assignment fail");
365f05cddf9SRui Paulo goto fin;
366f05cddf9SRui Paulo }
36785732ac8SCy Schubert eap_pwd_h_update(hash, cruft, prime_len * 2);
368f05cddf9SRui Paulo
369f05cddf9SRui Paulo /* server scalar */
370*a90b9d01SCy Schubert if (crypto_bignum_to_bin(data->my_scalar, cruft, order_len,
371*a90b9d01SCy Schubert order_len) < 0)
372*a90b9d01SCy Schubert goto fin;
373*a90b9d01SCy Schubert
37485732ac8SCy Schubert eap_pwd_h_update(hash, cruft, order_len);
375f05cddf9SRui Paulo
376f05cddf9SRui Paulo /* peer element: x, y */
37785732ac8SCy Schubert if (crypto_ec_point_to_bin(data->grp->group, data->peer_element, cruft,
37885732ac8SCy Schubert cruft + prime_len) < 0) {
379f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
380f05cddf9SRui Paulo "assignment fail");
381f05cddf9SRui Paulo goto fin;
382f05cddf9SRui Paulo }
38385732ac8SCy Schubert eap_pwd_h_update(hash, cruft, prime_len * 2);
384f05cddf9SRui Paulo
385f05cddf9SRui Paulo /* peer scalar */
386*a90b9d01SCy Schubert if (crypto_bignum_to_bin(data->peer_scalar, cruft, order_len,
387*a90b9d01SCy Schubert order_len) < 0)
388*a90b9d01SCy Schubert goto fin;
389*a90b9d01SCy Schubert
39085732ac8SCy Schubert eap_pwd_h_update(hash, cruft, order_len);
391f05cddf9SRui Paulo
392f05cddf9SRui Paulo /* ciphersuite */
393f05cddf9SRui Paulo grp = htons(data->group_num);
39485732ac8SCy Schubert os_memset(cruft, 0, prime_len);
395f05cddf9SRui Paulo ptr = cruft;
396f05cddf9SRui Paulo os_memcpy(ptr, &grp, sizeof(u16));
397f05cddf9SRui Paulo ptr += sizeof(u16);
398f05cddf9SRui Paulo *ptr = EAP_PWD_DEFAULT_RAND_FUNC;
399f05cddf9SRui Paulo ptr += sizeof(u8);
400f05cddf9SRui Paulo *ptr = EAP_PWD_DEFAULT_PRF;
401f05cddf9SRui Paulo ptr += sizeof(u8);
402f05cddf9SRui Paulo eap_pwd_h_update(hash, cruft, ptr - cruft);
403f05cddf9SRui Paulo
404f05cddf9SRui Paulo /* all done with the random function */
405f05cddf9SRui Paulo eap_pwd_h_final(hash, conf);
4064bc52338SCy Schubert hash = NULL;
407f05cddf9SRui Paulo os_memcpy(data->my_confirm, conf, SHA256_MAC_LEN);
408f05cddf9SRui Paulo
409f05cddf9SRui Paulo data->outbuf = wpabuf_alloc(SHA256_MAC_LEN);
410f05cddf9SRui Paulo if (data->outbuf == NULL)
411f05cddf9SRui Paulo goto fin;
412f05cddf9SRui Paulo
413f05cddf9SRui Paulo wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
414f05cddf9SRui Paulo
415f05cddf9SRui Paulo fin:
41685732ac8SCy Schubert bin_clear_free(cruft, prime_len * 2);
417f05cddf9SRui Paulo if (data->outbuf == NULL)
418f05cddf9SRui Paulo eap_pwd_state(data, FAILURE);
4194bc52338SCy Schubert eap_pwd_h_final(hash, NULL);
420f05cddf9SRui Paulo }
421f05cddf9SRui Paulo
422f05cddf9SRui Paulo
423f05cddf9SRui Paulo static struct wpabuf *
eap_pwd_build_req(struct eap_sm * sm,void * priv,u8 id)424f05cddf9SRui Paulo eap_pwd_build_req(struct eap_sm *sm, void *priv, u8 id)
425f05cddf9SRui Paulo {
426f05cddf9SRui Paulo struct eap_pwd_data *data = priv;
427f05cddf9SRui Paulo struct wpabuf *req;
428f05cddf9SRui Paulo u8 lm_exch;
429f05cddf9SRui Paulo const u8 *buf;
430f05cddf9SRui Paulo u16 totlen = 0;
431f05cddf9SRui Paulo size_t len;
432f05cddf9SRui Paulo
433f05cddf9SRui Paulo /*
434f05cddf9SRui Paulo * if we're buffering response fragments then just ACK
435f05cddf9SRui Paulo */
436f05cddf9SRui Paulo if (data->in_frag_pos) {
437f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd: ACKing a fragment!!");
438f05cddf9SRui Paulo req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
439f05cddf9SRui Paulo EAP_PWD_HDR_SIZE, EAP_CODE_REQUEST, id);
440f05cddf9SRui Paulo if (req == NULL) {
441f05cddf9SRui Paulo eap_pwd_state(data, FAILURE);
442f05cddf9SRui Paulo return NULL;
443f05cddf9SRui Paulo }
444f05cddf9SRui Paulo switch (data->state) {
445f05cddf9SRui Paulo case PWD_ID_Req:
446f05cddf9SRui Paulo wpabuf_put_u8(req, EAP_PWD_OPCODE_ID_EXCH);
447f05cddf9SRui Paulo break;
448f05cddf9SRui Paulo case PWD_Commit_Req:
449f05cddf9SRui Paulo wpabuf_put_u8(req, EAP_PWD_OPCODE_COMMIT_EXCH);
450f05cddf9SRui Paulo break;
451f05cddf9SRui Paulo case PWD_Confirm_Req:
452f05cddf9SRui Paulo wpabuf_put_u8(req, EAP_PWD_OPCODE_CONFIRM_EXCH);
453f05cddf9SRui Paulo break;
454f05cddf9SRui Paulo default:
455f05cddf9SRui Paulo eap_pwd_state(data, FAILURE); /* just to be sure */
456f05cddf9SRui Paulo wpabuf_free(req);
457f05cddf9SRui Paulo return NULL;
458f05cddf9SRui Paulo }
459f05cddf9SRui Paulo return req;
460f05cddf9SRui Paulo }
461f05cddf9SRui Paulo
462f05cddf9SRui Paulo /*
463f05cddf9SRui Paulo * build the data portion of a request
464f05cddf9SRui Paulo */
465f05cddf9SRui Paulo switch (data->state) {
466f05cddf9SRui Paulo case PWD_ID_Req:
467f05cddf9SRui Paulo eap_pwd_build_id_req(sm, data, id);
468f05cddf9SRui Paulo lm_exch = EAP_PWD_OPCODE_ID_EXCH;
469f05cddf9SRui Paulo break;
470f05cddf9SRui Paulo case PWD_Commit_Req:
471f05cddf9SRui Paulo eap_pwd_build_commit_req(sm, data, id);
472f05cddf9SRui Paulo lm_exch = EAP_PWD_OPCODE_COMMIT_EXCH;
473f05cddf9SRui Paulo break;
474f05cddf9SRui Paulo case PWD_Confirm_Req:
475f05cddf9SRui Paulo eap_pwd_build_confirm_req(sm, data, id);
476f05cddf9SRui Paulo lm_exch = EAP_PWD_OPCODE_CONFIRM_EXCH;
477f05cddf9SRui Paulo break;
478f05cddf9SRui Paulo default:
479f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-pwd: Unknown state %d in build_req",
480f05cddf9SRui Paulo data->state);
481f05cddf9SRui Paulo eap_pwd_state(data, FAILURE);
482f05cddf9SRui Paulo lm_exch = 0; /* hush now, sweet compiler */
483f05cddf9SRui Paulo break;
484f05cddf9SRui Paulo }
485f05cddf9SRui Paulo
486f05cddf9SRui Paulo if (data->state == FAILURE)
487f05cddf9SRui Paulo return NULL;
488f05cddf9SRui Paulo
489f05cddf9SRui Paulo /*
490f05cddf9SRui Paulo * determine whether that data needs to be fragmented
491f05cddf9SRui Paulo */
492f05cddf9SRui Paulo len = wpabuf_len(data->outbuf) - data->out_frag_pos;
493f05cddf9SRui Paulo if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
494f05cddf9SRui Paulo len = data->mtu - EAP_PWD_HDR_SIZE;
495f05cddf9SRui Paulo EAP_PWD_SET_MORE_BIT(lm_exch);
496f05cddf9SRui Paulo /*
497f05cddf9SRui Paulo * if this is the first fragment, need to set the M bit
498f05cddf9SRui Paulo * and add the total length to the eap_pwd_hdr
499f05cddf9SRui Paulo */
500f05cddf9SRui Paulo if (data->out_frag_pos == 0) {
501f05cddf9SRui Paulo EAP_PWD_SET_LENGTH_BIT(lm_exch);
502f05cddf9SRui Paulo totlen = wpabuf_len(data->outbuf) +
503f05cddf9SRui Paulo EAP_PWD_HDR_SIZE + sizeof(u16);
504f05cddf9SRui Paulo len -= sizeof(u16);
505f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd: Fragmenting output, "
506f05cddf9SRui Paulo "total length = %d", totlen);
507f05cddf9SRui Paulo }
508f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd: Send a %d byte fragment",
509f05cddf9SRui Paulo (int) len);
510f05cddf9SRui Paulo }
511f05cddf9SRui Paulo
512f05cddf9SRui Paulo /*
513f05cddf9SRui Paulo * alloc an eap request and populate it with the data
514f05cddf9SRui Paulo */
515f05cddf9SRui Paulo req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
516f05cddf9SRui Paulo EAP_PWD_HDR_SIZE + len +
517f05cddf9SRui Paulo (totlen ? sizeof(u16) : 0),
518f05cddf9SRui Paulo EAP_CODE_REQUEST, id);
519f05cddf9SRui Paulo if (req == NULL) {
520f05cddf9SRui Paulo eap_pwd_state(data, FAILURE);
521f05cddf9SRui Paulo return NULL;
522f05cddf9SRui Paulo }
523f05cddf9SRui Paulo
524f05cddf9SRui Paulo wpabuf_put_u8(req, lm_exch);
525f05cddf9SRui Paulo if (EAP_PWD_GET_LENGTH_BIT(lm_exch))
526f05cddf9SRui Paulo wpabuf_put_be16(req, totlen);
527f05cddf9SRui Paulo
528f05cddf9SRui Paulo buf = wpabuf_head_u8(data->outbuf);
529f05cddf9SRui Paulo wpabuf_put_data(req, buf + data->out_frag_pos, len);
530f05cddf9SRui Paulo data->out_frag_pos += len;
531f05cddf9SRui Paulo /*
532f05cddf9SRui Paulo * either not fragged or last fragment, either way free up the data
533f05cddf9SRui Paulo */
534f05cddf9SRui Paulo if (data->out_frag_pos >= wpabuf_len(data->outbuf)) {
535f05cddf9SRui Paulo wpabuf_free(data->outbuf);
5365b9c547cSRui Paulo data->outbuf = NULL;
537f05cddf9SRui Paulo data->out_frag_pos = 0;
538f05cddf9SRui Paulo }
539f05cddf9SRui Paulo
540f05cddf9SRui Paulo return req;
541f05cddf9SRui Paulo }
542f05cddf9SRui Paulo
543f05cddf9SRui Paulo
eap_pwd_check(struct eap_sm * sm,void * priv,struct wpabuf * respData)544c1d255d3SCy Schubert static bool eap_pwd_check(struct eap_sm *sm, void *priv,
545f05cddf9SRui Paulo struct wpabuf *respData)
546f05cddf9SRui Paulo {
547f05cddf9SRui Paulo struct eap_pwd_data *data = priv;
548f05cddf9SRui Paulo const u8 *pos;
549f05cddf9SRui Paulo size_t len;
550f05cddf9SRui Paulo
551f05cddf9SRui Paulo pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PWD, respData, &len);
552f05cddf9SRui Paulo if (pos == NULL || len < 1) {
553f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-pwd: Invalid frame");
554c1d255d3SCy Schubert return true;
555f05cddf9SRui Paulo }
556f05cddf9SRui Paulo
557f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd: Received frame: exch = %d, len = %d",
558f05cddf9SRui Paulo EAP_PWD_GET_EXCHANGE(*pos), (int) len);
559f05cddf9SRui Paulo
560f05cddf9SRui Paulo if (data->state == PWD_ID_Req &&
561f05cddf9SRui Paulo ((EAP_PWD_GET_EXCHANGE(*pos)) == EAP_PWD_OPCODE_ID_EXCH))
562c1d255d3SCy Schubert return false;
563f05cddf9SRui Paulo
564f05cddf9SRui Paulo if (data->state == PWD_Commit_Req &&
565f05cddf9SRui Paulo ((EAP_PWD_GET_EXCHANGE(*pos)) == EAP_PWD_OPCODE_COMMIT_EXCH))
566c1d255d3SCy Schubert return false;
567f05cddf9SRui Paulo
568f05cddf9SRui Paulo if (data->state == PWD_Confirm_Req &&
569f05cddf9SRui Paulo ((EAP_PWD_GET_EXCHANGE(*pos)) == EAP_PWD_OPCODE_CONFIRM_EXCH))
570c1d255d3SCy Schubert return false;
571f05cddf9SRui Paulo
572f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-pwd: Unexpected opcode=%d in state=%d",
573f05cddf9SRui Paulo *pos, data->state);
574f05cddf9SRui Paulo
575c1d255d3SCy Schubert return true;
576f05cddf9SRui Paulo }
577f05cddf9SRui Paulo
578f05cddf9SRui Paulo
eap_pwd_process_id_resp(struct eap_sm * sm,struct eap_pwd_data * data,const u8 * payload,size_t payload_len)579f05cddf9SRui Paulo static void eap_pwd_process_id_resp(struct eap_sm *sm,
580f05cddf9SRui Paulo struct eap_pwd_data *data,
581f05cddf9SRui Paulo const u8 *payload, size_t payload_len)
582f05cddf9SRui Paulo {
583f05cddf9SRui Paulo struct eap_pwd_id *id;
584325151a3SRui Paulo const u8 *password;
585325151a3SRui Paulo size_t password_len;
586325151a3SRui Paulo u8 pwhashhash[16];
587325151a3SRui Paulo int res;
588f05cddf9SRui Paulo
589f05cddf9SRui Paulo if (payload_len < sizeof(struct eap_pwd_id)) {
590f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-pwd: Invalid ID response");
591f05cddf9SRui Paulo return;
592f05cddf9SRui Paulo }
593f05cddf9SRui Paulo
594f05cddf9SRui Paulo id = (struct eap_pwd_id *) payload;
595f05cddf9SRui Paulo if ((data->group_num != be_to_host16(id->group_num)) ||
596f05cddf9SRui Paulo (id->random_function != EAP_PWD_DEFAULT_RAND_FUNC) ||
597f05cddf9SRui Paulo (os_memcmp(id->token, (u8 *)&data->token, sizeof(data->token))) ||
59885732ac8SCy Schubert (id->prf != EAP_PWD_DEFAULT_PRF) ||
59985732ac8SCy Schubert (id->prep != data->password_prep)) {
600f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-pwd: peer changed parameters");
601f05cddf9SRui Paulo eap_pwd_state(data, FAILURE);
602f05cddf9SRui Paulo return;
603f05cddf9SRui Paulo }
60485732ac8SCy Schubert if (data->id_peer || data->grp) {
60585732ac8SCy Schubert wpa_printf(MSG_INFO, "EAP-pwd: data was already allocated");
60685732ac8SCy Schubert return;
60785732ac8SCy Schubert }
608f05cddf9SRui Paulo data->id_peer = os_malloc(payload_len - sizeof(struct eap_pwd_id));
609f05cddf9SRui Paulo if (data->id_peer == NULL) {
610f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD: memory allocation id fail");
611f05cddf9SRui Paulo return;
612f05cddf9SRui Paulo }
613f05cddf9SRui Paulo data->id_peer_len = payload_len - sizeof(struct eap_pwd_id);
614f05cddf9SRui Paulo os_memcpy(data->id_peer, id->identity, data->id_peer_len);
615f05cddf9SRui Paulo wpa_hexdump_ascii(MSG_DEBUG, "EAP-PWD (server): peer sent id of",
616f05cddf9SRui Paulo data->id_peer, data->id_peer_len);
617f05cddf9SRui Paulo
61885732ac8SCy Schubert data->grp = get_eap_pwd_group(data->group_num);
6195b9c547cSRui Paulo if (data->grp == NULL) {
620f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD: failed to allocate memory for "
621f05cddf9SRui Paulo "group");
622f05cddf9SRui Paulo return;
623f05cddf9SRui Paulo }
624325151a3SRui Paulo
62585732ac8SCy Schubert /*
62685732ac8SCy Schubert * If it's PREP_MS then hash the password again, otherwise regardless
62785732ac8SCy Schubert * of the prep the client is doing, the password we have is the one to
62885732ac8SCy Schubert * use to generate the password element.
62985732ac8SCy Schubert */
63085732ac8SCy Schubert if (data->password_prep == EAP_PWD_PREP_MS) {
631325151a3SRui Paulo res = hash_nt_password_hash(data->password, pwhashhash);
632325151a3SRui Paulo if (res)
633325151a3SRui Paulo return;
634325151a3SRui Paulo password = pwhashhash;
635325151a3SRui Paulo password_len = sizeof(pwhashhash);
636325151a3SRui Paulo } else {
637325151a3SRui Paulo password = data->password;
638325151a3SRui Paulo password_len = data->password_len;
639325151a3SRui Paulo }
640325151a3SRui Paulo
641325151a3SRui Paulo res = compute_password_element(data->grp, data->group_num,
642325151a3SRui Paulo password, password_len,
643f05cddf9SRui Paulo data->id_server, data->id_server_len,
644f05cddf9SRui Paulo data->id_peer, data->id_peer_len,
645325151a3SRui Paulo (u8 *) &data->token);
646206b73d0SCy Schubert forced_memzero(pwhashhash, sizeof(pwhashhash));
647325151a3SRui Paulo if (res) {
648f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): unable to compute "
649f05cddf9SRui Paulo "PWE");
650f05cddf9SRui Paulo return;
651f05cddf9SRui Paulo }
652f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-PWD (server): computed %d bit PWE...",
65385732ac8SCy Schubert (int) crypto_ec_prime_len_bits(data->grp->group));
654f05cddf9SRui Paulo
655f05cddf9SRui Paulo eap_pwd_state(data, PWD_Commit_Req);
656f05cddf9SRui Paulo }
657f05cddf9SRui Paulo
658f05cddf9SRui Paulo
659f05cddf9SRui Paulo static void
eap_pwd_process_commit_resp(struct eap_sm * sm,struct eap_pwd_data * data,const u8 * payload,size_t payload_len)660f05cddf9SRui Paulo eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
661f05cddf9SRui Paulo const u8 *payload, size_t payload_len)
662f05cddf9SRui Paulo {
66385732ac8SCy Schubert const u8 *ptr;
6644bc52338SCy Schubert struct crypto_ec_point *K = NULL;
665f05cddf9SRui Paulo int res = 0;
666325151a3SRui Paulo size_t prime_len, order_len;
667f05cddf9SRui Paulo
668f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response");
669f05cddf9SRui Paulo
67085732ac8SCy Schubert prime_len = crypto_ec_prime_len(data->grp->group);
67185732ac8SCy Schubert order_len = crypto_ec_order_len(data->grp->group);
672325151a3SRui Paulo
673325151a3SRui Paulo if (payload_len != 2 * prime_len + order_len) {
674325151a3SRui Paulo wpa_printf(MSG_INFO,
675325151a3SRui Paulo "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
676325151a3SRui Paulo (unsigned int) payload_len,
677325151a3SRui Paulo (unsigned int) (2 * prime_len + order_len));
678325151a3SRui Paulo goto fin;
679325151a3SRui Paulo }
680325151a3SRui Paulo
68185732ac8SCy Schubert data->k = crypto_bignum_init();
68285732ac8SCy Schubert K = crypto_ec_point_init(data->grp->group);
6834bc52338SCy Schubert if (!data->k || !K) {
684f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
685f05cddf9SRui Paulo "fail");
686f05cddf9SRui Paulo goto fin;
687f05cddf9SRui Paulo }
688f05cddf9SRui Paulo
689f05cddf9SRui Paulo /* element, x then y, followed by scalar */
69085732ac8SCy Schubert ptr = payload;
6914bc52338SCy Schubert data->peer_element = eap_pwd_get_element(data->grp, ptr);
69285732ac8SCy Schubert if (!data->peer_element) {
693f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): setting peer element "
694f05cddf9SRui Paulo "fail");
695f05cddf9SRui Paulo goto fin;
696f05cddf9SRui Paulo }
69785732ac8SCy Schubert ptr += prime_len * 2;
6984bc52338SCy Schubert data->peer_scalar = eap_pwd_get_scalar(data->grp, ptr);
69985732ac8SCy Schubert if (!data->peer_scalar) {
70085732ac8SCy Schubert wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
70185732ac8SCy Schubert "fail");
70285732ac8SCy Schubert goto fin;
70385732ac8SCy Schubert }
704f05cddf9SRui Paulo
7054bc52338SCy Schubert /* detect reflection attacks */
7064bc52338SCy Schubert if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||
7074bc52338SCy Schubert crypto_ec_point_cmp(data->grp->group, data->my_element,
7084bc52338SCy Schubert data->peer_element) == 0) {
7094bc52338SCy Schubert wpa_printf(MSG_INFO,
7104bc52338SCy Schubert "EAP-PWD (server): detected reflection attack!");
711f05cddf9SRui Paulo goto fin;
712f05cddf9SRui Paulo }
713f05cddf9SRui Paulo
714f05cddf9SRui Paulo /* compute the shared key, k */
71585732ac8SCy Schubert if ((crypto_ec_point_mul(data->grp->group, data->grp->pwe,
71685732ac8SCy Schubert data->peer_scalar, K) < 0) ||
71785732ac8SCy Schubert (crypto_ec_point_add(data->grp->group, K, data->peer_element,
71885732ac8SCy Schubert K) < 0) ||
71985732ac8SCy Schubert (crypto_ec_point_mul(data->grp->group, K, data->private_value,
72085732ac8SCy Schubert K) < 0)) {
721f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): computing shared key "
722f05cddf9SRui Paulo "fail");
723f05cddf9SRui Paulo goto fin;
724f05cddf9SRui Paulo }
725f05cddf9SRui Paulo
726f05cddf9SRui Paulo /*
7274bc52338SCy Schubert * This check is strictly speaking just for the case where
728f05cddf9SRui Paulo * co-factor > 1 but it was suggested that even though this is probably
729f05cddf9SRui Paulo * never going to happen it is a simple and safe check "just to be
730f05cddf9SRui Paulo * sure" so let's be safe.
731f05cddf9SRui Paulo */
73285732ac8SCy Schubert if (crypto_ec_point_is_at_infinity(data->grp->group, K)) {
733f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): shared key point is "
734f05cddf9SRui Paulo "at infinity");
735f05cddf9SRui Paulo goto fin;
736f05cddf9SRui Paulo }
73785732ac8SCy Schubert if (crypto_ec_point_x(data->grp->group, K, data->k)) {
738f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): unable to extract "
739f05cddf9SRui Paulo "shared secret from secret point");
740f05cddf9SRui Paulo goto fin;
741f05cddf9SRui Paulo }
742f05cddf9SRui Paulo res = 1;
743f05cddf9SRui Paulo
744f05cddf9SRui Paulo fin:
74585732ac8SCy Schubert crypto_ec_point_deinit(K, 1);
746f05cddf9SRui Paulo
747f05cddf9SRui Paulo if (res)
748f05cddf9SRui Paulo eap_pwd_state(data, PWD_Confirm_Req);
749f05cddf9SRui Paulo else
750f05cddf9SRui Paulo eap_pwd_state(data, FAILURE);
751f05cddf9SRui Paulo }
752f05cddf9SRui Paulo
753f05cddf9SRui Paulo
754f05cddf9SRui Paulo static void
eap_pwd_process_confirm_resp(struct eap_sm * sm,struct eap_pwd_data * data,const u8 * payload,size_t payload_len)755f05cddf9SRui Paulo eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
756f05cddf9SRui Paulo const u8 *payload, size_t payload_len)
757f05cddf9SRui Paulo {
7584bc52338SCy Schubert struct crypto_hash *hash = NULL;
759f05cddf9SRui Paulo u32 cs;
760f05cddf9SRui Paulo u16 grp;
761f05cddf9SRui Paulo u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
76285732ac8SCy Schubert size_t prime_len, order_len;
76385732ac8SCy Schubert
76485732ac8SCy Schubert prime_len = crypto_ec_prime_len(data->grp->group);
76585732ac8SCy Schubert order_len = crypto_ec_order_len(data->grp->group);
766f05cddf9SRui Paulo
767325151a3SRui Paulo if (payload_len != SHA256_MAC_LEN) {
768325151a3SRui Paulo wpa_printf(MSG_INFO,
769325151a3SRui Paulo "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
770325151a3SRui Paulo (unsigned int) payload_len, SHA256_MAC_LEN);
771325151a3SRui Paulo goto fin;
772325151a3SRui Paulo }
773325151a3SRui Paulo
774f05cddf9SRui Paulo /* build up the ciphersuite: group | random_function | prf */
775f05cddf9SRui Paulo grp = htons(data->group_num);
776f05cddf9SRui Paulo ptr = (u8 *) &cs;
777f05cddf9SRui Paulo os_memcpy(ptr, &grp, sizeof(u16));
778f05cddf9SRui Paulo ptr += sizeof(u16);
779f05cddf9SRui Paulo *ptr = EAP_PWD_DEFAULT_RAND_FUNC;
780f05cddf9SRui Paulo ptr += sizeof(u8);
781f05cddf9SRui Paulo *ptr = EAP_PWD_DEFAULT_PRF;
782f05cddf9SRui Paulo
783f05cddf9SRui Paulo /* each component of the cruft will be at most as big as the prime */
78485732ac8SCy Schubert cruft = os_malloc(prime_len * 2);
78585732ac8SCy Schubert if (!cruft) {
786f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (peer): allocation fail");
787f05cddf9SRui Paulo goto fin;
788f05cddf9SRui Paulo }
789f05cddf9SRui Paulo
790f05cddf9SRui Paulo /*
791f05cddf9SRui Paulo * commit is H(k | peer_element | peer_scalar | server_element |
792f05cddf9SRui Paulo * server_scalar | ciphersuite)
793f05cddf9SRui Paulo */
794f05cddf9SRui Paulo hash = eap_pwd_h_init();
795f05cddf9SRui Paulo if (hash == NULL)
796f05cddf9SRui Paulo goto fin;
797f05cddf9SRui Paulo
798f05cddf9SRui Paulo /* k */
799*a90b9d01SCy Schubert if (crypto_bignum_to_bin(data->k, cruft, prime_len, prime_len) < 0)
800*a90b9d01SCy Schubert goto fin;
801*a90b9d01SCy Schubert
80285732ac8SCy Schubert eap_pwd_h_update(hash, cruft, prime_len);
803f05cddf9SRui Paulo
804f05cddf9SRui Paulo /* peer element: x, y */
80585732ac8SCy Schubert if (crypto_ec_point_to_bin(data->grp->group, data->peer_element, cruft,
80685732ac8SCy Schubert cruft + prime_len) < 0) {
807f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
808f05cddf9SRui Paulo "assignment fail");
809f05cddf9SRui Paulo goto fin;
810f05cddf9SRui Paulo }
81185732ac8SCy Schubert eap_pwd_h_update(hash, cruft, prime_len * 2);
812f05cddf9SRui Paulo
813f05cddf9SRui Paulo /* peer scalar */
814*a90b9d01SCy Schubert if (crypto_bignum_to_bin(data->peer_scalar, cruft, order_len,
815*a90b9d01SCy Schubert order_len) < 0)
816*a90b9d01SCy Schubert goto fin;
817*a90b9d01SCy Schubert
81885732ac8SCy Schubert eap_pwd_h_update(hash, cruft, order_len);
819f05cddf9SRui Paulo
820f05cddf9SRui Paulo /* server element: x, y */
82185732ac8SCy Schubert if (crypto_ec_point_to_bin(data->grp->group, data->my_element, cruft,
82285732ac8SCy Schubert cruft + prime_len) < 0) {
823f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
824f05cddf9SRui Paulo "assignment fail");
825f05cddf9SRui Paulo goto fin;
826f05cddf9SRui Paulo }
82785732ac8SCy Schubert eap_pwd_h_update(hash, cruft, prime_len * 2);
828f05cddf9SRui Paulo
829f05cddf9SRui Paulo /* server scalar */
830*a90b9d01SCy Schubert if (crypto_bignum_to_bin(data->my_scalar, cruft, order_len,
831*a90b9d01SCy Schubert order_len) < 0)
832*a90b9d01SCy Schubert goto fin;
833*a90b9d01SCy Schubert
83485732ac8SCy Schubert eap_pwd_h_update(hash, cruft, order_len);
835f05cddf9SRui Paulo
836f05cddf9SRui Paulo /* ciphersuite */
837f05cddf9SRui Paulo eap_pwd_h_update(hash, (u8 *) &cs, sizeof(u32));
838f05cddf9SRui Paulo
839f05cddf9SRui Paulo /* all done */
840f05cddf9SRui Paulo eap_pwd_h_final(hash, conf);
8414bc52338SCy Schubert hash = NULL;
842f05cddf9SRui Paulo
843f05cddf9SRui Paulo ptr = (u8 *) payload;
8445b9c547cSRui Paulo if (os_memcmp_const(conf, ptr, SHA256_MAC_LEN)) {
845f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-PWD (server): confirm did not "
846f05cddf9SRui Paulo "verify");
847f05cddf9SRui Paulo goto fin;
848f05cddf9SRui Paulo }
849f05cddf9SRui Paulo
850f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd (server): confirm verified");
85185732ac8SCy Schubert if (compute_keys(data->grp, data->k,
852f05cddf9SRui Paulo data->peer_scalar, data->my_scalar, conf,
8535b9c547cSRui Paulo data->my_confirm, &cs, data->msk, data->emsk,
8545b9c547cSRui Paulo data->session_id) < 0)
855f05cddf9SRui Paulo eap_pwd_state(data, FAILURE);
856f05cddf9SRui Paulo else
857f05cddf9SRui Paulo eap_pwd_state(data, SUCCESS);
858f05cddf9SRui Paulo
859f05cddf9SRui Paulo fin:
86085732ac8SCy Schubert bin_clear_free(cruft, prime_len * 2);
8614bc52338SCy Schubert eap_pwd_h_final(hash, NULL);
862f05cddf9SRui Paulo }
863f05cddf9SRui Paulo
864f05cddf9SRui Paulo
eap_pwd_process(struct eap_sm * sm,void * priv,struct wpabuf * respData)865f05cddf9SRui Paulo static void eap_pwd_process(struct eap_sm *sm, void *priv,
866f05cddf9SRui Paulo struct wpabuf *respData)
867f05cddf9SRui Paulo {
868f05cddf9SRui Paulo struct eap_pwd_data *data = priv;
869f05cddf9SRui Paulo const u8 *pos;
870f05cddf9SRui Paulo size_t len;
871f05cddf9SRui Paulo u8 lm_exch;
872f05cddf9SRui Paulo u16 tot_len;
873f05cddf9SRui Paulo
874f05cddf9SRui Paulo pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PWD, respData, &len);
875f05cddf9SRui Paulo if ((pos == NULL) || (len < 1)) {
876f05cddf9SRui Paulo wpa_printf(MSG_INFO, "Bad EAP header! pos %s and len = %d",
877f05cddf9SRui Paulo (pos == NULL) ? "is NULL" : "is not NULL",
878f05cddf9SRui Paulo (int) len);
879f05cddf9SRui Paulo return;
880f05cddf9SRui Paulo }
881f05cddf9SRui Paulo
882f05cddf9SRui Paulo lm_exch = *pos;
883f05cddf9SRui Paulo pos++; /* skip over the bits and the exch */
884f05cddf9SRui Paulo len--;
885f05cddf9SRui Paulo
886f05cddf9SRui Paulo /*
887f05cddf9SRui Paulo * if we're fragmenting then this should be an ACK with no data,
888f05cddf9SRui Paulo * just return and continue fragmenting in the "build" section above
889f05cddf9SRui Paulo */
890f05cddf9SRui Paulo if (data->out_frag_pos) {
891f05cddf9SRui Paulo if (len > 1)
892f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-pwd: Bad response! "
893f05cddf9SRui Paulo "Fragmenting but not an ACK");
894f05cddf9SRui Paulo else
895f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd: received ACK from "
896f05cddf9SRui Paulo "peer");
897f05cddf9SRui Paulo return;
898f05cddf9SRui Paulo }
899f05cddf9SRui Paulo /*
900f05cddf9SRui Paulo * if we're receiving fragmented packets then we need to buffer...
901f05cddf9SRui Paulo *
902f05cddf9SRui Paulo * the first fragment has a total length
903f05cddf9SRui Paulo */
904f05cddf9SRui Paulo if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
905325151a3SRui Paulo if (len < 2) {
906325151a3SRui Paulo wpa_printf(MSG_DEBUG,
907325151a3SRui Paulo "EAP-pwd: Frame too short to contain Total-Length field");
908325151a3SRui Paulo return;
909325151a3SRui Paulo }
910f05cddf9SRui Paulo tot_len = WPA_GET_BE16(pos);
911f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
912f05cddf9SRui Paulo "length = %d", tot_len);
9135b9c547cSRui Paulo if (tot_len > 15000)
9145b9c547cSRui Paulo return;
915325151a3SRui Paulo if (data->inbuf) {
916325151a3SRui Paulo wpa_printf(MSG_DEBUG,
917325151a3SRui Paulo "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
918325151a3SRui Paulo return;
919325151a3SRui Paulo }
920f05cddf9SRui Paulo data->inbuf = wpabuf_alloc(tot_len);
921f05cddf9SRui Paulo if (data->inbuf == NULL) {
922f05cddf9SRui Paulo wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
923f05cddf9SRui Paulo "buffer fragments!");
924f05cddf9SRui Paulo return;
925f05cddf9SRui Paulo }
926325151a3SRui Paulo data->in_frag_pos = 0;
927f05cddf9SRui Paulo pos += sizeof(u16);
928f05cddf9SRui Paulo len -= sizeof(u16);
929f05cddf9SRui Paulo }
930f05cddf9SRui Paulo /*
931f05cddf9SRui Paulo * the first and all intermediate fragments have the M bit set
932f05cddf9SRui Paulo */
933780fb4a2SCy Schubert if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
9344bc52338SCy Schubert if (!data->inbuf) {
9354bc52338SCy Schubert wpa_printf(MSG_DEBUG,
9364bc52338SCy Schubert "EAP-pwd: No buffer for reassembly");
9374bc52338SCy Schubert eap_pwd_state(data, FAILURE);
9384bc52338SCy Schubert return;
9394bc52338SCy Schubert }
940f05cddf9SRui Paulo if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
941f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
942f05cddf9SRui Paulo "attack detected! (%d+%d > %d)",
943f05cddf9SRui Paulo (int) data->in_frag_pos, (int) len,
944f05cddf9SRui Paulo (int) wpabuf_size(data->inbuf));
945f05cddf9SRui Paulo eap_pwd_state(data, FAILURE);
946f05cddf9SRui Paulo return;
947f05cddf9SRui Paulo }
948f05cddf9SRui Paulo wpabuf_put_data(data->inbuf, pos, len);
949f05cddf9SRui Paulo data->in_frag_pos += len;
950780fb4a2SCy Schubert }
951780fb4a2SCy Schubert if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
952f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment",
953f05cddf9SRui Paulo (int) len);
954f05cddf9SRui Paulo return;
955f05cddf9SRui Paulo }
956f05cddf9SRui Paulo /*
957f05cddf9SRui Paulo * last fragment won't have the M bit set (but we're obviously
958f05cddf9SRui Paulo * buffering fragments so that's how we know it's the last)
959f05cddf9SRui Paulo */
9604bc52338SCy Schubert if (data->in_frag_pos && data->inbuf) {
961f05cddf9SRui Paulo pos = wpabuf_head_u8(data->inbuf);
962f05cddf9SRui Paulo len = data->in_frag_pos;
963f05cddf9SRui Paulo wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
964f05cddf9SRui Paulo (int) len);
965f05cddf9SRui Paulo }
966f05cddf9SRui Paulo switch (EAP_PWD_GET_EXCHANGE(lm_exch)) {
967f05cddf9SRui Paulo case EAP_PWD_OPCODE_ID_EXCH:
968f05cddf9SRui Paulo eap_pwd_process_id_resp(sm, data, pos, len);
969f05cddf9SRui Paulo break;
970f05cddf9SRui Paulo case EAP_PWD_OPCODE_COMMIT_EXCH:
971f05cddf9SRui Paulo eap_pwd_process_commit_resp(sm, data, pos, len);
972f05cddf9SRui Paulo break;
973f05cddf9SRui Paulo case EAP_PWD_OPCODE_CONFIRM_EXCH:
974f05cddf9SRui Paulo eap_pwd_process_confirm_resp(sm, data, pos, len);
975f05cddf9SRui Paulo break;
976f05cddf9SRui Paulo }
977f05cddf9SRui Paulo /*
978f05cddf9SRui Paulo * if we had been buffering fragments, here's a great place
979f05cddf9SRui Paulo * to clean up
980f05cddf9SRui Paulo */
981f05cddf9SRui Paulo if (data->in_frag_pos) {
982f05cddf9SRui Paulo wpabuf_free(data->inbuf);
9835b9c547cSRui Paulo data->inbuf = NULL;
984f05cddf9SRui Paulo data->in_frag_pos = 0;
985f05cddf9SRui Paulo }
986f05cddf9SRui Paulo }
987f05cddf9SRui Paulo
988f05cddf9SRui Paulo
eap_pwd_getkey(struct eap_sm * sm,void * priv,size_t * len)989f05cddf9SRui Paulo static u8 * eap_pwd_getkey(struct eap_sm *sm, void *priv, size_t *len)
990f05cddf9SRui Paulo {
991f05cddf9SRui Paulo struct eap_pwd_data *data = priv;
992f05cddf9SRui Paulo u8 *key;
993f05cddf9SRui Paulo
994f05cddf9SRui Paulo if (data->state != SUCCESS)
995f05cddf9SRui Paulo return NULL;
996f05cddf9SRui Paulo
99785732ac8SCy Schubert key = os_memdup(data->msk, EAP_MSK_LEN);
998f05cddf9SRui Paulo if (key == NULL)
999f05cddf9SRui Paulo return NULL;
1000f05cddf9SRui Paulo
1001f05cddf9SRui Paulo *len = EAP_MSK_LEN;
1002f05cddf9SRui Paulo
1003f05cddf9SRui Paulo return key;
1004f05cddf9SRui Paulo }
1005f05cddf9SRui Paulo
1006f05cddf9SRui Paulo
eap_pwd_get_emsk(struct eap_sm * sm,void * priv,size_t * len)1007f05cddf9SRui Paulo static u8 * eap_pwd_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
1008f05cddf9SRui Paulo {
1009f05cddf9SRui Paulo struct eap_pwd_data *data = priv;
1010f05cddf9SRui Paulo u8 *key;
1011f05cddf9SRui Paulo
1012f05cddf9SRui Paulo if (data->state != SUCCESS)
1013f05cddf9SRui Paulo return NULL;
1014f05cddf9SRui Paulo
101585732ac8SCy Schubert key = os_memdup(data->emsk, EAP_EMSK_LEN);
1016f05cddf9SRui Paulo if (key == NULL)
1017f05cddf9SRui Paulo return NULL;
1018f05cddf9SRui Paulo
1019f05cddf9SRui Paulo *len = EAP_EMSK_LEN;
1020f05cddf9SRui Paulo
1021f05cddf9SRui Paulo return key;
1022f05cddf9SRui Paulo }
1023f05cddf9SRui Paulo
1024f05cddf9SRui Paulo
eap_pwd_is_success(struct eap_sm * sm,void * priv)1025c1d255d3SCy Schubert static bool eap_pwd_is_success(struct eap_sm *sm, void *priv)
1026f05cddf9SRui Paulo {
1027f05cddf9SRui Paulo struct eap_pwd_data *data = priv;
1028f05cddf9SRui Paulo return data->state == SUCCESS;
1029f05cddf9SRui Paulo }
1030f05cddf9SRui Paulo
1031f05cddf9SRui Paulo
eap_pwd_is_done(struct eap_sm * sm,void * priv)1032c1d255d3SCy Schubert static bool eap_pwd_is_done(struct eap_sm *sm, void *priv)
1033f05cddf9SRui Paulo {
1034f05cddf9SRui Paulo struct eap_pwd_data *data = priv;
1035f05cddf9SRui Paulo return (data->state == SUCCESS) || (data->state == FAILURE);
1036f05cddf9SRui Paulo }
1037f05cddf9SRui Paulo
1038f05cddf9SRui Paulo
eap_pwd_get_session_id(struct eap_sm * sm,void * priv,size_t * len)10395b9c547cSRui Paulo static u8 * eap_pwd_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
10405b9c547cSRui Paulo {
10415b9c547cSRui Paulo struct eap_pwd_data *data = priv;
10425b9c547cSRui Paulo u8 *id;
10435b9c547cSRui Paulo
10445b9c547cSRui Paulo if (data->state != SUCCESS)
10455b9c547cSRui Paulo return NULL;
10465b9c547cSRui Paulo
104785732ac8SCy Schubert id = os_memdup(data->session_id, 1 + SHA256_MAC_LEN);
10485b9c547cSRui Paulo if (id == NULL)
10495b9c547cSRui Paulo return NULL;
10505b9c547cSRui Paulo
10515b9c547cSRui Paulo *len = 1 + SHA256_MAC_LEN;
10525b9c547cSRui Paulo
10535b9c547cSRui Paulo return id;
10545b9c547cSRui Paulo }
10555b9c547cSRui Paulo
10565b9c547cSRui Paulo
eap_server_pwd_register(void)1057f05cddf9SRui Paulo int eap_server_pwd_register(void)
1058f05cddf9SRui Paulo {
1059f05cddf9SRui Paulo struct eap_method *eap;
1060f05cddf9SRui Paulo
1061f05cddf9SRui Paulo eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION,
1062f05cddf9SRui Paulo EAP_VENDOR_IETF, EAP_TYPE_PWD,
1063f05cddf9SRui Paulo "PWD");
1064f05cddf9SRui Paulo if (eap == NULL)
1065f05cddf9SRui Paulo return -1;
1066f05cddf9SRui Paulo
1067f05cddf9SRui Paulo eap->init = eap_pwd_init;
1068f05cddf9SRui Paulo eap->reset = eap_pwd_reset;
1069f05cddf9SRui Paulo eap->buildReq = eap_pwd_build_req;
1070f05cddf9SRui Paulo eap->check = eap_pwd_check;
1071f05cddf9SRui Paulo eap->process = eap_pwd_process;
1072f05cddf9SRui Paulo eap->isDone = eap_pwd_is_done;
1073f05cddf9SRui Paulo eap->getKey = eap_pwd_getkey;
1074f05cddf9SRui Paulo eap->get_emsk = eap_pwd_get_emsk;
1075f05cddf9SRui Paulo eap->isSuccess = eap_pwd_is_success;
10765b9c547cSRui Paulo eap->getSessionId = eap_pwd_get_session_id;
1077f05cddf9SRui Paulo
1078780fb4a2SCy Schubert return eap_server_method_register(eap);
1079f05cddf9SRui Paulo }
1080