Home | History | Annotate | Download | only in eap_peer
      1 /*
      2  * EAP peer method: EAP-pwd (RFC 5931)
      3  * Copyright (c) 2010, Dan Harkins <dharkins (at) lounge.org>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "includes.h"
     10 
     11 #include "common.h"
     12 #include "crypto/sha256.h"
     13 #include "crypto/ms_funcs.h"
     14 #include "eap_peer/eap_i.h"
     15 #include "eap_common/eap_pwd_common.h"
     16 
     17 
     18 struct eap_pwd_data {
     19 	enum {
     20 		PWD_ID_Req, PWD_Commit_Req, PWD_Confirm_Req,
     21 		SUCCESS_ON_FRAG_COMPLETION, SUCCESS, FAILURE
     22 	} state;
     23 	u8 *id_peer;
     24 	size_t id_peer_len;
     25 	u8 *id_server;
     26 	size_t id_server_len;
     27 	u8 *password;
     28 	size_t password_len;
     29 	int password_hash;
     30 	u16 group_num;
     31 	EAP_PWD_group *grp;
     32 
     33 	struct wpabuf *inbuf;
     34 	size_t in_frag_pos;
     35 	struct wpabuf *outbuf;
     36 	size_t out_frag_pos;
     37 	size_t mtu;
     38 
     39 	BIGNUM *k;
     40 	BIGNUM *private_value;
     41 	BIGNUM *server_scalar;
     42 	BIGNUM *my_scalar;
     43 	EC_POINT *my_element;
     44 	EC_POINT *server_element;
     45 
     46 	u8 msk[EAP_MSK_LEN];
     47 	u8 emsk[EAP_EMSK_LEN];
     48 	u8 session_id[1 + SHA256_MAC_LEN];
     49 
     50 	BN_CTX *bnctx;
     51 };
     52 
     53 
     54 #ifndef CONFIG_NO_STDOUT_DEBUG
     55 static const char * eap_pwd_state_txt(int state)
     56 {
     57 	switch (state) {
     58         case PWD_ID_Req:
     59 		return "PWD-ID-Req";
     60         case PWD_Commit_Req:
     61 		return "PWD-Commit-Req";
     62         case PWD_Confirm_Req:
     63 		return "PWD-Confirm-Req";
     64 	case SUCCESS_ON_FRAG_COMPLETION:
     65 		return "SUCCESS_ON_FRAG_COMPLETION";
     66         case SUCCESS:
     67 		return "SUCCESS";
     68         case FAILURE:
     69 		return "FAILURE";
     70         default:
     71 		return "PWD-UNK";
     72 	}
     73 }
     74 #endif  /* CONFIG_NO_STDOUT_DEBUG */
     75 
     76 
     77 static void eap_pwd_state(struct eap_pwd_data *data, int state)
     78 {
     79 	wpa_printf(MSG_DEBUG, "EAP-PWD: %s -> %s",
     80 		   eap_pwd_state_txt(data->state), eap_pwd_state_txt(state));
     81 	data->state = state;
     82 }
     83 
     84 
     85 static void * eap_pwd_init(struct eap_sm *sm)
     86 {
     87 	struct eap_pwd_data *data;
     88 	const u8 *identity, *password;
     89 	size_t identity_len, password_len;
     90 	int fragment_size;
     91 	int pwhash;
     92 
     93 	password = eap_get_config_password2(sm, &password_len, &pwhash);
     94 	if (password == NULL) {
     95 		wpa_printf(MSG_INFO, "EAP-PWD: No password configured!");
     96 		return NULL;
     97 	}
     98 
     99 	identity = eap_get_config_identity(sm, &identity_len);
    100 	if (identity == NULL) {
    101 		wpa_printf(MSG_INFO, "EAP-PWD: No identity configured!");
    102 		return NULL;
    103 	}
    104 
    105 	if ((data = os_zalloc(sizeof(*data))) == NULL) {
    106 		wpa_printf(MSG_INFO, "EAP-PWD: memory allocation data fail");
    107 		return NULL;
    108 	}
    109 
    110 	if ((data->bnctx = BN_CTX_new()) == NULL) {
    111 		wpa_printf(MSG_INFO, "EAP-PWD: bn context allocation fail");
    112 		os_free(data);
    113 		return NULL;
    114 	}
    115 
    116 	if ((data->id_peer = os_malloc(identity_len)) == NULL) {
    117 		wpa_printf(MSG_INFO, "EAP-PWD: memory allocation id fail");
    118 		BN_CTX_free(data->bnctx);
    119 		os_free(data);
    120 		return NULL;
    121 	}
    122 
    123 	os_memcpy(data->id_peer, identity, identity_len);
    124 	data->id_peer_len = identity_len;
    125 
    126 	if ((data->password = os_malloc(password_len)) == NULL) {
    127 		wpa_printf(MSG_INFO, "EAP-PWD: memory allocation psk fail");
    128 		BN_CTX_free(data->bnctx);
    129 		bin_clear_free(data->id_peer, data->id_peer_len);
    130 		os_free(data);
    131 		return NULL;
    132 	}
    133 	os_memcpy(data->password, password, password_len);
    134 	data->password_len = password_len;
    135 	data->password_hash = pwhash;
    136 
    137 	data->out_frag_pos = data->in_frag_pos = 0;
    138 	data->inbuf = data->outbuf = NULL;
    139 	fragment_size = eap_get_config_fragment_size(sm);
    140 	if (fragment_size <= 0)
    141 		data->mtu = 1020; /* default from RFC 5931 */
    142 	else
    143 		data->mtu = fragment_size;
    144 
    145 	data->state = PWD_ID_Req;
    146 
    147 	return data;
    148 }
    149 
    150 
    151 static void eap_pwd_deinit(struct eap_sm *sm, void *priv)
    152 {
    153 	struct eap_pwd_data *data = priv;
    154 
    155 	BN_clear_free(data->private_value);
    156 	BN_clear_free(data->server_scalar);
    157 	BN_clear_free(data->my_scalar);
    158 	BN_clear_free(data->k);
    159 	BN_CTX_free(data->bnctx);
    160 	EC_POINT_clear_free(data->my_element);
    161 	EC_POINT_clear_free(data->server_element);
    162 	bin_clear_free(data->id_peer, data->id_peer_len);
    163 	bin_clear_free(data->id_server, data->id_server_len);
    164 	bin_clear_free(data->password, data->password_len);
    165 	if (data->grp) {
    166 		EC_GROUP_free(data->grp->group);
    167 		EC_POINT_clear_free(data->grp->pwe);
    168 		BN_clear_free(data->grp->order);
    169 		BN_clear_free(data->grp->prime);
    170 		os_free(data->grp);
    171 	}
    172 	wpabuf_free(data->inbuf);
    173 	wpabuf_free(data->outbuf);
    174 	bin_clear_free(data, sizeof(*data));
    175 }
    176 
    177 
    178 static u8 * eap_pwd_getkey(struct eap_sm *sm, void *priv, size_t *len)
    179 {
    180 	struct eap_pwd_data *data = priv;
    181 	u8 *key;
    182 
    183 	if (data->state != SUCCESS)
    184 		return NULL;
    185 
    186 	key = os_malloc(EAP_MSK_LEN);
    187 	if (key == NULL)
    188 		return NULL;
    189 
    190 	os_memcpy(key, data->msk, EAP_MSK_LEN);
    191 	*len = EAP_MSK_LEN;
    192 
    193 	return key;
    194 }
    195 
    196 
    197 static u8 * eap_pwd_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
    198 {
    199 	struct eap_pwd_data *data = priv;
    200 	u8 *id;
    201 
    202 	if (data->state != SUCCESS)
    203 		return NULL;
    204 
    205 	id = os_malloc(1 + SHA256_MAC_LEN);
    206 	if (id == NULL)
    207 		return NULL;
    208 
    209 	os_memcpy(id, data->session_id, 1 + SHA256_MAC_LEN);
    210 	*len = 1 + SHA256_MAC_LEN;
    211 
    212 	return id;
    213 }
    214 
    215 
    216 static void
    217 eap_pwd_perform_id_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
    218 			    struct eap_method_ret *ret,
    219 			    const struct wpabuf *reqData,
    220 			    const u8 *payload, size_t payload_len)
    221 {
    222 	struct eap_pwd_id *id;
    223 	const u8 *password;
    224 	size_t password_len;
    225 	u8 pwhashhash[16];
    226 	int res;
    227 
    228 	if (data->state != PWD_ID_Req) {
    229 		ret->ignore = TRUE;
    230 		eap_pwd_state(data, FAILURE);
    231 		return;
    232 	}
    233 
    234 	if (payload_len < sizeof(struct eap_pwd_id)) {
    235 		ret->ignore = TRUE;
    236 		eap_pwd_state(data, FAILURE);
    237 		return;
    238 	}
    239 
    240 	id = (struct eap_pwd_id *) payload;
    241 	data->group_num = be_to_host16(id->group_num);
    242 	wpa_printf(MSG_DEBUG,
    243 		   "EAP-PWD: Server EAP-pwd-ID proposal: group=%u random=%u prf=%u prep=%u",
    244 		   data->group_num, id->random_function, id->prf, id->prep);
    245 	if ((id->random_function != EAP_PWD_DEFAULT_RAND_FUNC) ||
    246 	    (id->prf != EAP_PWD_DEFAULT_PRF)) {
    247 		ret->ignore = TRUE;
    248 		eap_pwd_state(data, FAILURE);
    249 		return;
    250 	}
    251 
    252 	if (id->prep != EAP_PWD_PREP_NONE &&
    253 	    id->prep != EAP_PWD_PREP_MS) {
    254 		wpa_printf(MSG_DEBUG,
    255 			   "EAP-PWD: Unsupported password pre-processing technique (Prep=%u)",
    256 			   id->prep);
    257 		eap_pwd_state(data, FAILURE);
    258 		return;
    259 	}
    260 
    261 	if (id->prep == EAP_PWD_PREP_NONE && data->password_hash) {
    262 		wpa_printf(MSG_DEBUG,
    263 			   "EAP-PWD: Unhashed password not available");
    264 		eap_pwd_state(data, FAILURE);
    265 		return;
    266 	}
    267 
    268 	wpa_printf(MSG_DEBUG, "EAP-PWD (peer): using group %d",
    269 		   data->group_num);
    270 
    271 	data->id_server = os_malloc(payload_len - sizeof(struct eap_pwd_id));
    272 	if (data->id_server == NULL) {
    273 		wpa_printf(MSG_INFO, "EAP-PWD: memory allocation id fail");
    274 		eap_pwd_state(data, FAILURE);
    275 		return;
    276 	}
    277 	data->id_server_len = payload_len - sizeof(struct eap_pwd_id);
    278 	os_memcpy(data->id_server, id->identity, data->id_server_len);
    279 	wpa_hexdump_ascii(MSG_INFO, "EAP-PWD (peer): server sent id of",
    280 			  data->id_server, data->id_server_len);
    281 
    282 	data->grp = os_zalloc(sizeof(EAP_PWD_group));
    283 	if (data->grp == NULL) {
    284 		wpa_printf(MSG_INFO, "EAP-PWD: failed to allocate memory for "
    285 			   "group");
    286 		eap_pwd_state(data, FAILURE);
    287 		return;
    288 	}
    289 
    290 	if (id->prep == EAP_PWD_PREP_MS) {
    291 #ifdef CONFIG_FIPS
    292 		wpa_printf(MSG_ERROR,
    293 			   "EAP-PWD (peer): MS password hash not supported in FIPS mode");
    294 		eap_pwd_state(data, FAILURE);
    295 		return;
    296 #else /* CONFIG_FIPS */
    297 		if (data->password_hash) {
    298 			res = hash_nt_password_hash(data->password, pwhashhash);
    299 		} else {
    300 			u8 pwhash[16];
    301 
    302 			res = nt_password_hash(data->password,
    303 					       data->password_len, pwhash);
    304 			if (res == 0)
    305 				res = hash_nt_password_hash(pwhash, pwhashhash);
    306 			os_memset(pwhash, 0, sizeof(pwhash));
    307 		}
    308 
    309 		if (res) {
    310 			eap_pwd_state(data, FAILURE);
    311 			return;
    312 		}
    313 
    314 		password = pwhashhash;
    315 		password_len = sizeof(pwhashhash);
    316 #endif /* CONFIG_FIPS */
    317 	} else {
    318 		password = data->password;
    319 		password_len = data->password_len;
    320 	}
    321 
    322 	/* compute PWE */
    323 	res = compute_password_element(data->grp, data->group_num,
    324 				       password, password_len,
    325 				       data->id_server, data->id_server_len,
    326 				       data->id_peer, data->id_peer_len,
    327 				       id->token);
    328 	os_memset(pwhashhash, 0, sizeof(pwhashhash));
    329 	if (res) {
    330 		wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to compute PWE");
    331 		eap_pwd_state(data, FAILURE);
    332 		return;
    333 	}
    334 
    335 	wpa_printf(MSG_DEBUG, "EAP-PWD (peer): computed %d bit PWE...",
    336 		   BN_num_bits(data->grp->prime));
    337 
    338 	data->outbuf = wpabuf_alloc(sizeof(struct eap_pwd_id) +
    339 				    data->id_peer_len);
    340 	if (data->outbuf == NULL) {
    341 		eap_pwd_state(data, FAILURE);
    342 		return;
    343 	}
    344 	wpabuf_put_be16(data->outbuf, data->group_num);
    345 	wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_RAND_FUNC);
    346 	wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_PRF);
    347 	wpabuf_put_data(data->outbuf, id->token, sizeof(id->token));
    348 	wpabuf_put_u8(data->outbuf, EAP_PWD_PREP_NONE);
    349 	wpabuf_put_data(data->outbuf, data->id_peer, data->id_peer_len);
    350 
    351 	eap_pwd_state(data, PWD_Commit_Req);
    352 }
    353 
    354 
    355 static void
    356 eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
    357 				struct eap_method_ret *ret,
    358 				const struct wpabuf *reqData,
    359 				const u8 *payload, size_t payload_len)
    360 {
    361 	EC_POINT *K = NULL, *point = NULL;
    362 	BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
    363 	u16 offset;
    364 	u8 *ptr, *scalar = NULL, *element = NULL;
    365 	size_t prime_len, order_len;
    366 
    367 	if (data->state != PWD_Commit_Req) {
    368 		ret->ignore = TRUE;
    369 		goto fin;
    370 	}
    371 
    372 	prime_len = BN_num_bytes(data->grp->prime);
    373 	order_len = BN_num_bytes(data->grp->order);
    374 
    375 	if (payload_len != 2 * prime_len + order_len) {
    376 		wpa_printf(MSG_INFO,
    377 			   "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
    378 			   (unsigned int) payload_len,
    379 			   (unsigned int) (2 * prime_len + order_len));
    380 		goto fin;
    381 	}
    382 
    383 	if (((data->private_value = BN_new()) == NULL) ||
    384 	    ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
    385 	    ((cofactor = BN_new()) == NULL) ||
    386 	    ((data->my_scalar = BN_new()) == NULL) ||
    387 	    ((mask = BN_new()) == NULL)) {
    388 		wpa_printf(MSG_INFO, "EAP-PWD (peer): scalar allocation fail");
    389 		goto fin;
    390 	}
    391 
    392 	if (!EC_GROUP_get_cofactor(data->grp->group, cofactor, NULL)) {
    393 		wpa_printf(MSG_INFO, "EAP-pwd (peer): unable to get cofactor "
    394 			   "for curve");
    395 		goto fin;
    396 	}
    397 
    398 	if (BN_rand_range(data->private_value, data->grp->order) != 1 ||
    399 	    BN_rand_range(mask, data->grp->order) != 1 ||
    400 	    BN_add(data->my_scalar, data->private_value, mask) != 1 ||
    401 	    BN_mod(data->my_scalar, data->my_scalar, data->grp->order,
    402 		   data->bnctx) != 1) {
    403 		wpa_printf(MSG_INFO,
    404 			   "EAP-pwd (peer): unable to get randomness");
    405 		goto fin;
    406 	}
    407 
    408 	if (!EC_POINT_mul(data->grp->group, data->my_element, NULL,
    409 			  data->grp->pwe, mask, data->bnctx)) {
    410 		wpa_printf(MSG_INFO, "EAP-PWD (peer): element allocation "
    411 			   "fail");
    412 		eap_pwd_state(data, FAILURE);
    413 		goto fin;
    414 	}
    415 
    416 	if (!EC_POINT_invert(data->grp->group, data->my_element, data->bnctx))
    417 	{
    418 		wpa_printf(MSG_INFO, "EAP-PWD (peer): element inversion fail");
    419 		goto fin;
    420 	}
    421 
    422 	if (((x = BN_new()) == NULL) ||
    423 	    ((y = BN_new()) == NULL)) {
    424 		wpa_printf(MSG_INFO, "EAP-PWD (peer): point allocation fail");
    425 		goto fin;
    426 	}
    427 
    428 	/* process the request */
    429 	if (((data->server_scalar = BN_new()) == NULL) ||
    430 	    ((data->k = BN_new()) == NULL) ||
    431 	    ((K = EC_POINT_new(data->grp->group)) == NULL) ||
    432 	    ((point = EC_POINT_new(data->grp->group)) == NULL) ||
    433 	    ((data->server_element = EC_POINT_new(data->grp->group)) == NULL))
    434 	{
    435 		wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
    436 			   "fail");
    437 		goto fin;
    438 	}
    439 
    440 	/* element, x then y, followed by scalar */
    441 	ptr = (u8 *) payload;
    442 	BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), x);
    443 	ptr += BN_num_bytes(data->grp->prime);
    444 	BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), y);
    445 	ptr += BN_num_bytes(data->grp->prime);
    446 	BN_bin2bn(ptr, BN_num_bytes(data->grp->order), data->server_scalar);
    447 	if (!EC_POINT_set_affine_coordinates_GFp(data->grp->group,
    448 						 data->server_element, x, y,
    449 						 data->bnctx)) {
    450 		wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
    451 			   "fail");
    452 		goto fin;
    453 	}
    454 
    455 	/* check to ensure server's element is not in a small sub-group */
    456 	if (BN_cmp(cofactor, BN_value_one())) {
    457 		if (!EC_POINT_mul(data->grp->group, point, NULL,
    458 				  data->server_element, cofactor, NULL)) {
    459 			wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
    460 				   "server element by order!\n");
    461 			goto fin;
    462 		}
    463 		if (EC_POINT_is_at_infinity(data->grp->group, point)) {
    464 			wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
    465 				   "is at infinity!\n");
    466 			goto fin;
    467 		}
    468 	}
    469 
    470 	/* compute the shared key, k */
    471 	if ((!EC_POINT_mul(data->grp->group, K, NULL, data->grp->pwe,
    472 			   data->server_scalar, data->bnctx)) ||
    473 	    (!EC_POINT_add(data->grp->group, K, K, data->server_element,
    474 			   data->bnctx)) ||
    475 	    (!EC_POINT_mul(data->grp->group, K, NULL, K, data->private_value,
    476 			   data->bnctx))) {
    477 		wpa_printf(MSG_INFO, "EAP-PWD (peer): computing shared key "
    478 			   "fail");
    479 		goto fin;
    480 	}
    481 
    482 	/* ensure that the shared key isn't in a small sub-group */
    483 	if (BN_cmp(cofactor, BN_value_one())) {
    484 		if (!EC_POINT_mul(data->grp->group, K, NULL, K, cofactor,
    485 				  NULL)) {
    486 			wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
    487 				   "shared key point by order");
    488 			goto fin;
    489 		}
    490 	}
    491 
    492 	/*
    493 	 * This check is strictly speaking just for the case above where
    494 	 * co-factor > 1 but it was suggested that even though this is probably
    495 	 * never going to happen it is a simple and safe check "just to be
    496 	 * sure" so let's be safe.
    497 	 */
    498 	if (EC_POINT_is_at_infinity(data->grp->group, K)) {
    499 		wpa_printf(MSG_INFO, "EAP-PWD (peer): shared key point is at "
    500 			   "infinity!\n");
    501 		goto fin;
    502 	}
    503 
    504 	if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, K, data->k,
    505 						 NULL, data->bnctx)) {
    506 		wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to extract "
    507 			   "shared secret from point");
    508 		goto fin;
    509 	}
    510 
    511 	/* now do the response */
    512 	if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
    513 						 data->my_element, x, y,
    514 						 data->bnctx)) {
    515 		wpa_printf(MSG_INFO, "EAP-PWD (peer): point assignment fail");
    516 		goto fin;
    517 	}
    518 
    519 	if (((scalar = os_malloc(BN_num_bytes(data->grp->order))) == NULL) ||
    520 	    ((element = os_malloc(BN_num_bytes(data->grp->prime) * 2)) ==
    521 	     NULL)) {
    522 		wpa_printf(MSG_INFO, "EAP-PWD (peer): data allocation fail");
    523 		goto fin;
    524 	}
    525 
    526 	/*
    527 	 * bignums occupy as little memory as possible so one that is
    528 	 * sufficiently smaller than the prime or order might need pre-pending
    529 	 * with zeros.
    530 	 */
    531 	os_memset(scalar, 0, BN_num_bytes(data->grp->order));
    532 	os_memset(element, 0, BN_num_bytes(data->grp->prime) * 2);
    533 	offset = BN_num_bytes(data->grp->order) -
    534 		BN_num_bytes(data->my_scalar);
    535 	BN_bn2bin(data->my_scalar, scalar + offset);
    536 
    537 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
    538 	BN_bn2bin(x, element + offset);
    539 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
    540 	BN_bn2bin(y, element + BN_num_bytes(data->grp->prime) + offset);
    541 
    542 	data->outbuf = wpabuf_alloc(BN_num_bytes(data->grp->order) +
    543 				    2 * BN_num_bytes(data->grp->prime));
    544 	if (data->outbuf == NULL)
    545 		goto fin;
    546 
    547 	/* we send the element as (x,y) follwed by the scalar */
    548 	wpabuf_put_data(data->outbuf, element,
    549 			2 * BN_num_bytes(data->grp->prime));
    550 	wpabuf_put_data(data->outbuf, scalar, BN_num_bytes(data->grp->order));
    551 
    552 fin:
    553 	os_free(scalar);
    554 	os_free(element);
    555 	BN_clear_free(x);
    556 	BN_clear_free(y);
    557 	BN_clear_free(mask);
    558 	BN_clear_free(cofactor);
    559 	EC_POINT_clear_free(K);
    560 	EC_POINT_clear_free(point);
    561 	if (data->outbuf == NULL)
    562 		eap_pwd_state(data, FAILURE);
    563 	else
    564 		eap_pwd_state(data, PWD_Confirm_Req);
    565 }
    566 
    567 
    568 static void
    569 eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
    570 				 struct eap_method_ret *ret,
    571 				 const struct wpabuf *reqData,
    572 				 const u8 *payload, size_t payload_len)
    573 {
    574 	BIGNUM *x = NULL, *y = NULL;
    575 	struct crypto_hash *hash;
    576 	u32 cs;
    577 	u16 grp;
    578 	u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
    579 	int offset;
    580 
    581 	if (data->state != PWD_Confirm_Req) {
    582 		ret->ignore = TRUE;
    583 		goto fin;
    584 	}
    585 
    586 	if (payload_len != SHA256_MAC_LEN) {
    587 		wpa_printf(MSG_INFO,
    588 			   "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
    589 			   (unsigned int) payload_len, SHA256_MAC_LEN);
    590 		goto fin;
    591 	}
    592 
    593 	/*
    594 	 * first build up the ciphersuite which is group | random_function |
    595 	 *	prf
    596 	 */
    597 	grp = htons(data->group_num);
    598 	ptr = (u8 *) &cs;
    599 	os_memcpy(ptr, &grp, sizeof(u16));
    600 	ptr += sizeof(u16);
    601 	*ptr = EAP_PWD_DEFAULT_RAND_FUNC;
    602 	ptr += sizeof(u8);
    603 	*ptr = EAP_PWD_DEFAULT_PRF;
    604 
    605 	/* each component of the cruft will be at most as big as the prime */
    606 	if (((cruft = os_malloc(BN_num_bytes(data->grp->prime))) == NULL) ||
    607 	    ((x = BN_new()) == NULL) || ((y = BN_new()) == NULL)) {
    608 		wpa_printf(MSG_INFO, "EAP-PWD (server): confirm allocation "
    609 			   "fail");
    610 		goto fin;
    611 	}
    612 
    613 	/*
    614 	 * server's commit is H(k | server_element | server_scalar |
    615 	 *			peer_element | peer_scalar | ciphersuite)
    616 	 */
    617 	hash = eap_pwd_h_init();
    618 	if (hash == NULL)
    619 		goto fin;
    620 
    621 	/*
    622 	 * zero the memory each time because this is mod prime math and some
    623 	 * value may start with a few zeros and the previous one did not.
    624 	 */
    625 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
    626 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
    627 	BN_bn2bin(data->k, cruft + offset);
    628 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
    629 
    630 	/* server element: x, y */
    631 	if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
    632 						 data->server_element, x, y,
    633 						 data->bnctx)) {
    634 		wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
    635 			   "assignment fail");
    636 		goto fin;
    637 	}
    638 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
    639 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
    640 	BN_bn2bin(x, cruft + offset);
    641 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
    642 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
    643 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
    644 	BN_bn2bin(y, cruft + offset);
    645 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
    646 
    647 	/* server scalar */
    648 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
    649 	offset = BN_num_bytes(data->grp->order) -
    650 		BN_num_bytes(data->server_scalar);
    651 	BN_bn2bin(data->server_scalar, cruft + offset);
    652 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
    653 
    654 	/* my element: x, y */
    655 	if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
    656 						 data->my_element, x, y,
    657 						 data->bnctx)) {
    658 		wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
    659 			   "assignment fail");
    660 		goto fin;
    661 	}
    662 
    663 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
    664 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
    665 	BN_bn2bin(x, cruft + offset);
    666 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
    667 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
    668 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
    669 	BN_bn2bin(y, cruft + offset);
    670 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
    671 
    672 	/* my scalar */
    673 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
    674 	offset = BN_num_bytes(data->grp->order) -
    675 		BN_num_bytes(data->my_scalar);
    676 	BN_bn2bin(data->my_scalar, cruft + offset);
    677 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
    678 
    679 	/* the ciphersuite */
    680 	eap_pwd_h_update(hash, (u8 *) &cs, sizeof(u32));
    681 
    682 	/* random function fin */
    683 	eap_pwd_h_final(hash, conf);
    684 
    685 	ptr = (u8 *) payload;
    686 	if (os_memcmp_const(conf, ptr, SHA256_MAC_LEN)) {
    687 		wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm did not verify");
    688 		goto fin;
    689 	}
    690 
    691 	wpa_printf(MSG_DEBUG, "EAP-pwd (peer): confirm verified");
    692 
    693 	/*
    694 	 * compute confirm:
    695 	 *  H(k | peer_element | peer_scalar | server_element | server_scalar |
    696 	 *    ciphersuite)
    697 	 */
    698 	hash = eap_pwd_h_init();
    699 	if (hash == NULL)
    700 		goto fin;
    701 
    702 	/* k */
    703 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
    704 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
    705 	BN_bn2bin(data->k, cruft + offset);
    706 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
    707 
    708 	/* my element */
    709 	if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
    710 						 data->my_element, x, y,
    711 						 data->bnctx)) {
    712 		wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm point "
    713 			   "assignment fail");
    714 		goto fin;
    715 	}
    716 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
    717 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
    718 	BN_bn2bin(x, cruft + offset);
    719 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
    720 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
    721 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
    722 	BN_bn2bin(y, cruft + offset);
    723 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
    724 
    725 	/* my scalar */
    726 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
    727 	offset = BN_num_bytes(data->grp->order) -
    728 		BN_num_bytes(data->my_scalar);
    729 	BN_bn2bin(data->my_scalar, cruft + offset);
    730 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
    731 
    732 	/* server element: x, y */
    733 	if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
    734 						 data->server_element, x, y,
    735 						 data->bnctx)) {
    736 		wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm point "
    737 			   "assignment fail");
    738 		goto fin;
    739 	}
    740 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
    741 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
    742 	BN_bn2bin(x, cruft + offset);
    743 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
    744 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
    745 	offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
    746 	BN_bn2bin(y, cruft + offset);
    747 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
    748 
    749 	/* server scalar */
    750 	os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
    751 	offset = BN_num_bytes(data->grp->order) -
    752 		BN_num_bytes(data->server_scalar);
    753 	BN_bn2bin(data->server_scalar, cruft + offset);
    754 	eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
    755 
    756 	/* the ciphersuite */
    757 	eap_pwd_h_update(hash, (u8 *) &cs, sizeof(u32));
    758 
    759 	/* all done */
    760 	eap_pwd_h_final(hash, conf);
    761 
    762 	if (compute_keys(data->grp, data->bnctx, data->k,
    763 			 data->my_scalar, data->server_scalar, conf, ptr,
    764 			 &cs, data->msk, data->emsk, data->session_id) < 0) {
    765 		wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to compute MSK | "
    766 			   "EMSK");
    767 		goto fin;
    768 	}
    769 
    770 	data->outbuf = wpabuf_alloc(SHA256_MAC_LEN);
    771 	if (data->outbuf == NULL)
    772 		goto fin;
    773 
    774 	wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
    775 
    776 fin:
    777 	if (data->grp)
    778 		bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
    779 	BN_clear_free(x);
    780 	BN_clear_free(y);
    781 	if (data->outbuf == NULL) {
    782 		ret->methodState = METHOD_DONE;
    783 		ret->decision = DECISION_FAIL;
    784 		eap_pwd_state(data, FAILURE);
    785 	} else {
    786 		eap_pwd_state(data, SUCCESS_ON_FRAG_COMPLETION);
    787 	}
    788 }
    789 
    790 
    791 static struct wpabuf *
    792 eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
    793 		const struct wpabuf *reqData)
    794 {
    795 	struct eap_pwd_data *data = priv;
    796 	struct wpabuf *resp = NULL;
    797 	const u8 *pos, *buf;
    798 	size_t len;
    799 	u16 tot_len = 0;
    800 	u8 lm_exch;
    801 
    802 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PWD, reqData, &len);
    803 	if ((pos == NULL) || (len < 1)) {
    804 		wpa_printf(MSG_DEBUG, "EAP-pwd: Got a frame but pos is %s and "
    805 			   "len is %d",
    806 			   pos == NULL ? "NULL" : "not NULL", (int) len);
    807 		ret->ignore = TRUE;
    808 		return NULL;
    809 	}
    810 
    811 	ret->ignore = FALSE;
    812 	ret->methodState = METHOD_MAY_CONT;
    813 	ret->decision = DECISION_FAIL;
    814 	ret->allowNotifications = FALSE;
    815 
    816 	lm_exch = *pos;
    817 	pos++;                  /* skip over the bits and the exch */
    818 	len--;
    819 
    820 	/*
    821 	 * we're fragmenting so send out the next fragment
    822 	 */
    823 	if (data->out_frag_pos) {
    824 		/*
    825 		 * this should be an ACK
    826 		 */
    827 		if (len)
    828 			wpa_printf(MSG_INFO, "Bad Response! Fragmenting but "
    829 				   "not an ACK");
    830 
    831 		wpa_printf(MSG_DEBUG, "EAP-pwd: Got an ACK for a fragment");
    832 		/*
    833 		 * check if there are going to be more fragments
    834 		 */
    835 		len = wpabuf_len(data->outbuf) - data->out_frag_pos;
    836 		if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
    837 			len = data->mtu - EAP_PWD_HDR_SIZE;
    838 			EAP_PWD_SET_MORE_BIT(lm_exch);
    839 		}
    840 		resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
    841 				     EAP_PWD_HDR_SIZE + len,
    842 				     EAP_CODE_RESPONSE, eap_get_id(reqData));
    843 		if (resp == NULL) {
    844 			wpa_printf(MSG_INFO, "Unable to allocate memory for "
    845 				   "next fragment!");
    846 			return NULL;
    847 		}
    848 		wpabuf_put_u8(resp, lm_exch);
    849 		buf = wpabuf_head_u8(data->outbuf);
    850 		wpabuf_put_data(resp, buf + data->out_frag_pos, len);
    851 		data->out_frag_pos += len;
    852 		/*
    853 		 * this is the last fragment so get rid of the out buffer
    854 		 */
    855 		if (data->out_frag_pos >= wpabuf_len(data->outbuf)) {
    856 			wpabuf_free(data->outbuf);
    857 			data->outbuf = NULL;
    858 			data->out_frag_pos = 0;
    859 		}
    860 		wpa_printf(MSG_DEBUG, "EAP-pwd: Send %s fragment of %d bytes",
    861 			   data->out_frag_pos == 0 ? "last" : "next",
    862 			   (int) len);
    863 		if (data->state == SUCCESS_ON_FRAG_COMPLETION) {
    864 			ret->methodState = METHOD_DONE;
    865 			ret->decision = DECISION_UNCOND_SUCC;
    866 			eap_pwd_state(data, SUCCESS);
    867 		}
    868 		return resp;
    869 	}
    870 
    871 	/*
    872 	 * see if this is a fragment that needs buffering
    873 	 *
    874 	 * if it's the first fragment there'll be a length field
    875 	 */
    876 	if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
    877 		if (len < 2) {
    878 			wpa_printf(MSG_DEBUG,
    879 				   "EAP-pwd: Frame too short to contain Total-Length field");
    880 			ret->ignore = TRUE;
    881 			return NULL;
    882 		}
    883 		tot_len = WPA_GET_BE16(pos);
    884 		wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
    885 			   "total length = %d", tot_len);
    886 		if (tot_len > 15000)
    887 			return NULL;
    888 		if (data->inbuf) {
    889 			wpa_printf(MSG_DEBUG,
    890 				   "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
    891 			ret->ignore = TRUE;
    892 			return NULL;
    893 		}
    894 		data->inbuf = wpabuf_alloc(tot_len);
    895 		if (data->inbuf == NULL) {
    896 			wpa_printf(MSG_INFO, "Out of memory to buffer "
    897 				   "fragments!");
    898 			return NULL;
    899 		}
    900 		data->in_frag_pos = 0;
    901 		pos += sizeof(u16);
    902 		len -= sizeof(u16);
    903 	}
    904 	/*
    905 	 * buffer and ACK the fragment
    906 	 */
    907 	if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
    908 		data->in_frag_pos += len;
    909 		if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
    910 			wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
    911 				   "detected (%d vs. %d)!",
    912 				   (int) data->in_frag_pos,
    913 				   (int) wpabuf_len(data->inbuf));
    914 			wpabuf_free(data->inbuf);
    915 			data->inbuf = NULL;
    916 			data->in_frag_pos = 0;
    917 			return NULL;
    918 		}
    919 		wpabuf_put_data(data->inbuf, pos, len);
    920 	}
    921 	if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
    922 		resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
    923 				     EAP_PWD_HDR_SIZE,
    924 				     EAP_CODE_RESPONSE, eap_get_id(reqData));
    925 		if (resp != NULL)
    926 			wpabuf_put_u8(resp, (EAP_PWD_GET_EXCHANGE(lm_exch)));
    927 		wpa_printf(MSG_DEBUG, "EAP-pwd: ACKing a %d byte fragment",
    928 			   (int) len);
    929 		return resp;
    930 	}
    931 	/*
    932 	 * we're buffering and this is the last fragment
    933 	 */
    934 	if (data->in_frag_pos) {
    935 		wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
    936 			   (int) len);
    937 		pos = wpabuf_head_u8(data->inbuf);
    938 		len = data->in_frag_pos;
    939 	}
    940 	wpa_printf(MSG_DEBUG, "EAP-pwd: processing frame: exch %d, len %d",
    941 		   EAP_PWD_GET_EXCHANGE(lm_exch), (int) len);
    942 
    943 	switch (EAP_PWD_GET_EXCHANGE(lm_exch)) {
    944 	case EAP_PWD_OPCODE_ID_EXCH:
    945 		eap_pwd_perform_id_exchange(sm, data, ret, reqData,
    946 					    pos, len);
    947 		break;
    948 	case EAP_PWD_OPCODE_COMMIT_EXCH:
    949 		eap_pwd_perform_commit_exchange(sm, data, ret, reqData,
    950 						pos, len);
    951 		break;
    952 	case EAP_PWD_OPCODE_CONFIRM_EXCH:
    953 		eap_pwd_perform_confirm_exchange(sm, data, ret, reqData,
    954 						 pos, len);
    955 		break;
    956 	default:
    957 		wpa_printf(MSG_INFO, "EAP-pwd: Ignoring message with unknown "
    958 			   "opcode %d", lm_exch);
    959 		break;
    960 	}
    961 	/*
    962 	 * if we buffered the just processed input now's the time to free it
    963 	 */
    964 	if (data->in_frag_pos) {
    965 		wpabuf_free(data->inbuf);
    966 		data->inbuf = NULL;
    967 		data->in_frag_pos = 0;
    968 	}
    969 
    970 	if (data->outbuf == NULL) {
    971 		ret->methodState = METHOD_DONE;
    972 		ret->decision = DECISION_FAIL;
    973 		return NULL;        /* generic failure */
    974 	}
    975 
    976 	/*
    977 	 * we have output! Do we need to fragment it?
    978 	 */
    979 	lm_exch = EAP_PWD_GET_EXCHANGE(lm_exch);
    980 	len = wpabuf_len(data->outbuf);
    981 	if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
    982 		resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu,
    983 				     EAP_CODE_RESPONSE, eap_get_id(reqData));
    984 		/*
    985 		 * if so it's the first so include a length field
    986 		 */
    987 		EAP_PWD_SET_LENGTH_BIT(lm_exch);
    988 		EAP_PWD_SET_MORE_BIT(lm_exch);
    989 		tot_len = len;
    990 		/*
    991 		 * keep the packet at the MTU
    992 		 */
    993 		len = data->mtu - EAP_PWD_HDR_SIZE - sizeof(u16);
    994 		wpa_printf(MSG_DEBUG, "EAP-pwd: Fragmenting output, total "
    995 			   "length = %d", tot_len);
    996 	} else {
    997 		resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
    998 				     EAP_PWD_HDR_SIZE + len,
    999 				     EAP_CODE_RESPONSE, eap_get_id(reqData));
   1000 	}
   1001 	if (resp == NULL)
   1002 		return NULL;
   1003 
   1004 	wpabuf_put_u8(resp, lm_exch);
   1005 	if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
   1006 		wpabuf_put_be16(resp, tot_len);
   1007 		data->out_frag_pos += len;
   1008 	}
   1009 	buf = wpabuf_head_u8(data->outbuf);
   1010 	wpabuf_put_data(resp, buf, len);
   1011 	/*
   1012 	 * if we're not fragmenting then there's no need to carry this around
   1013 	 */
   1014 	if (data->out_frag_pos == 0) {
   1015 		wpabuf_free(data->outbuf);
   1016 		data->outbuf = NULL;
   1017 		data->out_frag_pos = 0;
   1018 		if (data->state == SUCCESS_ON_FRAG_COMPLETION) {
   1019 			ret->methodState = METHOD_DONE;
   1020 			ret->decision = DECISION_UNCOND_SUCC;
   1021 			eap_pwd_state(data, SUCCESS);
   1022 		}
   1023 	}
   1024 
   1025 	return resp;
   1026 }
   1027 
   1028 
   1029 static Boolean eap_pwd_key_available(struct eap_sm *sm, void *priv)
   1030 {
   1031 	struct eap_pwd_data *data = priv;
   1032 	return data->state == SUCCESS;
   1033 }
   1034 
   1035 
   1036 static u8 * eap_pwd_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
   1037 {
   1038 	struct eap_pwd_data *data = priv;
   1039 	u8 *key;
   1040 
   1041 	if (data->state != SUCCESS)
   1042 		return NULL;
   1043 
   1044 	if ((key = os_malloc(EAP_EMSK_LEN)) == NULL)
   1045 		return NULL;
   1046 
   1047 	os_memcpy(key, data->emsk, EAP_EMSK_LEN);
   1048 	*len = EAP_EMSK_LEN;
   1049 
   1050 	return key;
   1051 }
   1052 
   1053 
   1054 int eap_peer_pwd_register(void)
   1055 {
   1056 	struct eap_method *eap;
   1057 
   1058 	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
   1059 				    EAP_VENDOR_IETF, EAP_TYPE_PWD, "PWD");
   1060 	if (eap == NULL)
   1061 		return -1;
   1062 
   1063 	eap->init = eap_pwd_init;
   1064 	eap->deinit = eap_pwd_deinit;
   1065 	eap->process = eap_pwd_process;
   1066 	eap->isKeyAvailable = eap_pwd_key_available;
   1067 	eap->getKey = eap_pwd_getkey;
   1068 	eap->getSessionId = eap_pwd_get_session_id;
   1069 	eap->get_emsk = eap_pwd_get_emsk;
   1070 
   1071 	return eap_peer_method_register(eap);
   1072 }
   1073