Home | History | Annotate | Download | only in eap_peer
      1 /*
      2  * EAP peer method: EAP-SAKE (RFC 4763)
      3  * Copyright (c) 2006-2008, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "includes.h"
     10 
     11 #include "common.h"
     12 #include "crypto/random.h"
     13 #include "eap_peer/eap_i.h"
     14 #include "eap_common/eap_sake_common.h"
     15 
     16 struct eap_sake_data {
     17 	enum { IDENTITY, CHALLENGE, CONFIRM, SUCCESS, FAILURE } state;
     18 	u8 root_secret_a[EAP_SAKE_ROOT_SECRET_LEN];
     19 	u8 root_secret_b[EAP_SAKE_ROOT_SECRET_LEN];
     20 	u8 rand_s[EAP_SAKE_RAND_LEN];
     21 	u8 rand_p[EAP_SAKE_RAND_LEN];
     22 	struct {
     23 		u8 auth[EAP_SAKE_TEK_AUTH_LEN];
     24 		u8 cipher[EAP_SAKE_TEK_CIPHER_LEN];
     25 	} tek;
     26 	u8 msk[EAP_MSK_LEN];
     27 	u8 emsk[EAP_EMSK_LEN];
     28 	u8 session_id;
     29 	int session_id_set;
     30 	u8 *peerid;
     31 	size_t peerid_len;
     32 	u8 *serverid;
     33 	size_t serverid_len;
     34 };
     35 
     36 
     37 static const char * eap_sake_state_txt(int state)
     38 {
     39 	switch (state) {
     40 	case IDENTITY:
     41 		return "IDENTITY";
     42 	case CHALLENGE:
     43 		return "CHALLENGE";
     44 	case CONFIRM:
     45 		return "CONFIRM";
     46 	case SUCCESS:
     47 		return "SUCCESS";
     48 	case FAILURE:
     49 		return "FAILURE";
     50 	default:
     51 		return "?";
     52 	}
     53 }
     54 
     55 
     56 static void eap_sake_state(struct eap_sake_data *data, int state)
     57 {
     58 	wpa_printf(MSG_DEBUG, "EAP-SAKE: %s -> %s",
     59 		   eap_sake_state_txt(data->state),
     60 		   eap_sake_state_txt(state));
     61 	data->state = state;
     62 }
     63 
     64 
     65 static void eap_sake_deinit(struct eap_sm *sm, void *priv);
     66 
     67 
     68 static void * eap_sake_init(struct eap_sm *sm)
     69 {
     70 	struct eap_sake_data *data;
     71 	const u8 *identity, *password;
     72 	size_t identity_len, password_len;
     73 
     74 	password = eap_get_config_password(sm, &password_len);
     75 	if (!password || password_len != 2 * EAP_SAKE_ROOT_SECRET_LEN) {
     76 		wpa_printf(MSG_INFO, "EAP-SAKE: No key of correct length "
     77 			   "configured");
     78 		return NULL;
     79 	}
     80 
     81 	data = os_zalloc(sizeof(*data));
     82 	if (data == NULL)
     83 		return NULL;
     84 	data->state = IDENTITY;
     85 
     86 	identity = eap_get_config_identity(sm, &identity_len);
     87 	if (identity) {
     88 		data->peerid = os_malloc(identity_len);
     89 		if (data->peerid == NULL) {
     90 			eap_sake_deinit(sm, data);
     91 			return NULL;
     92 		}
     93 		os_memcpy(data->peerid, identity, identity_len);
     94 		data->peerid_len = identity_len;
     95 	}
     96 
     97 	os_memcpy(data->root_secret_a, password, EAP_SAKE_ROOT_SECRET_LEN);
     98 	os_memcpy(data->root_secret_b,
     99 		  password + EAP_SAKE_ROOT_SECRET_LEN,
    100 		  EAP_SAKE_ROOT_SECRET_LEN);
    101 
    102 	return data;
    103 }
    104 
    105 
    106 static void eap_sake_deinit(struct eap_sm *sm, void *priv)
    107 {
    108 	struct eap_sake_data *data = priv;
    109 	os_free(data->serverid);
    110 	os_free(data->peerid);
    111 	bin_clear_free(data, sizeof(*data));
    112 }
    113 
    114 
    115 static struct wpabuf * eap_sake_build_msg(struct eap_sake_data *data,
    116 					  int id, size_t length, u8 subtype)
    117 {
    118 	struct eap_sake_hdr *sake;
    119 	struct wpabuf *msg;
    120 	size_t plen;
    121 
    122 	plen = length + sizeof(struct eap_sake_hdr);
    123 
    124 	msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_SAKE, plen,
    125 			    EAP_CODE_RESPONSE, id);
    126 	if (msg == NULL) {
    127 		wpa_printf(MSG_ERROR, "EAP-SAKE: Failed to allocate memory "
    128 			   "request");
    129 		return NULL;
    130 	}
    131 
    132 	sake = wpabuf_put(msg, sizeof(*sake));
    133 	sake->version = EAP_SAKE_VERSION;
    134 	sake->session_id = data->session_id;
    135 	sake->subtype = subtype;
    136 
    137 	return msg;
    138 }
    139 
    140 
    141 static struct wpabuf * eap_sake_process_identity(struct eap_sm *sm,
    142 						 struct eap_sake_data *data,
    143 						 struct eap_method_ret *ret,
    144 						 u8 id,
    145 						 const u8 *payload,
    146 						 size_t payload_len)
    147 {
    148 	struct eap_sake_parse_attr attr;
    149 	struct wpabuf *resp;
    150 
    151 	if (data->state != IDENTITY) {
    152 		ret->ignore = TRUE;
    153 		return NULL;
    154 	}
    155 
    156 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Identity");
    157 
    158 	if (eap_sake_parse_attributes(payload, payload_len, &attr))
    159 		return NULL;
    160 
    161 	if (!attr.perm_id_req && !attr.any_id_req) {
    162 		wpa_printf(MSG_INFO, "EAP-SAKE: No AT_PERM_ID_REQ or "
    163 			   "AT_ANY_ID_REQ in Request/Identity");
    164 		return NULL;
    165 	}
    166 
    167 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Identity");
    168 
    169 	resp = eap_sake_build_msg(data, id, 2 + data->peerid_len,
    170 				  EAP_SAKE_SUBTYPE_IDENTITY);
    171 	if (resp == NULL)
    172 		return NULL;
    173 
    174 	wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_PEERID");
    175 	eap_sake_add_attr(resp, EAP_SAKE_AT_PEERID,
    176 			  data->peerid, data->peerid_len);
    177 
    178 	eap_sake_state(data, CHALLENGE);
    179 
    180 	return resp;
    181 }
    182 
    183 
    184 static struct wpabuf * eap_sake_process_challenge(struct eap_sm *sm,
    185 						  struct eap_sake_data *data,
    186 						  struct eap_method_ret *ret,
    187 						  u8 id,
    188 						  const u8 *payload,
    189 						  size_t payload_len)
    190 {
    191 	struct eap_sake_parse_attr attr;
    192 	struct wpabuf *resp;
    193 	u8 *rpos;
    194 	size_t rlen;
    195 
    196 	if (data->state != IDENTITY && data->state != CHALLENGE) {
    197 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Request/Challenge received "
    198 			   "in unexpected state (%d)", data->state);
    199 		ret->ignore = TRUE;
    200 		return NULL;
    201 	}
    202 	if (data->state == IDENTITY)
    203 		eap_sake_state(data, CHALLENGE);
    204 
    205 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Challenge");
    206 
    207 	if (eap_sake_parse_attributes(payload, payload_len, &attr))
    208 		return NULL;
    209 
    210 	if (!attr.rand_s) {
    211 		wpa_printf(MSG_INFO, "EAP-SAKE: Request/Challenge did not "
    212 			   "include AT_RAND_S");
    213 		return NULL;
    214 	}
    215 
    216 	os_memcpy(data->rand_s, attr.rand_s, EAP_SAKE_RAND_LEN);
    217 	wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_S (server rand)",
    218 		    data->rand_s, EAP_SAKE_RAND_LEN);
    219 
    220 	if (random_get_bytes(data->rand_p, EAP_SAKE_RAND_LEN)) {
    221 		wpa_printf(MSG_ERROR, "EAP-SAKE: Failed to get random data");
    222 		return NULL;
    223 	}
    224 	wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_P (peer rand)",
    225 		    data->rand_p, EAP_SAKE_RAND_LEN);
    226 
    227 	os_free(data->serverid);
    228 	data->serverid = NULL;
    229 	data->serverid_len = 0;
    230 	if (attr.serverid) {
    231 		wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-SAKE: SERVERID",
    232 				  attr.serverid, attr.serverid_len);
    233 		data->serverid = os_malloc(attr.serverid_len);
    234 		if (data->serverid == NULL)
    235 			return NULL;
    236 		os_memcpy(data->serverid, attr.serverid, attr.serverid_len);
    237 		data->serverid_len = attr.serverid_len;
    238 	}
    239 
    240 	eap_sake_derive_keys(data->root_secret_a, data->root_secret_b,
    241 			     data->rand_s, data->rand_p,
    242 			     (u8 *) &data->tek, data->msk, data->emsk);
    243 
    244 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Challenge");
    245 
    246 	rlen = 2 + EAP_SAKE_RAND_LEN + 2 + EAP_SAKE_MIC_LEN;
    247 	if (data->peerid)
    248 		rlen += 2 + data->peerid_len;
    249 	resp = eap_sake_build_msg(data, id, rlen, EAP_SAKE_SUBTYPE_CHALLENGE);
    250 	if (resp == NULL)
    251 		return NULL;
    252 
    253 	wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_RAND_P");
    254 	eap_sake_add_attr(resp, EAP_SAKE_AT_RAND_P,
    255 			  data->rand_p, EAP_SAKE_RAND_LEN);
    256 
    257 	if (data->peerid) {
    258 		wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_PEERID");
    259 		eap_sake_add_attr(resp, EAP_SAKE_AT_PEERID,
    260 				  data->peerid, data->peerid_len);
    261 	}
    262 
    263 	wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_MIC_P");
    264 	wpabuf_put_u8(resp, EAP_SAKE_AT_MIC_P);
    265 	wpabuf_put_u8(resp, 2 + EAP_SAKE_MIC_LEN);
    266 	rpos = wpabuf_put(resp, EAP_SAKE_MIC_LEN);
    267 	if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
    268 				 data->serverid, data->serverid_len,
    269 				 data->peerid, data->peerid_len, 1,
    270 				 wpabuf_head(resp), wpabuf_len(resp), rpos,
    271 				 rpos)) {
    272 		wpa_printf(MSG_INFO, "EAP-SAKE: Failed to compute MIC");
    273 		wpabuf_free(resp);
    274 		return NULL;
    275 	}
    276 
    277 	eap_sake_state(data, CONFIRM);
    278 
    279 	return resp;
    280 }
    281 
    282 
    283 static struct wpabuf * eap_sake_process_confirm(struct eap_sm *sm,
    284 						struct eap_sake_data *data,
    285 						struct eap_method_ret *ret,
    286 						u8 id,
    287 						const struct wpabuf *reqData,
    288 						const u8 *payload,
    289 						size_t payload_len)
    290 {
    291 	struct eap_sake_parse_attr attr;
    292 	u8 mic_s[EAP_SAKE_MIC_LEN];
    293 	struct wpabuf *resp;
    294 	u8 *rpos;
    295 
    296 	if (data->state != CONFIRM) {
    297 		ret->ignore = TRUE;
    298 		return NULL;
    299 	}
    300 
    301 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Confirm");
    302 
    303 	if (eap_sake_parse_attributes(payload, payload_len, &attr))
    304 		return NULL;
    305 
    306 	if (!attr.mic_s) {
    307 		wpa_printf(MSG_INFO, "EAP-SAKE: Request/Confirm did not "
    308 			   "include AT_MIC_S");
    309 		return NULL;
    310 	}
    311 
    312 	eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
    313 			     data->serverid, data->serverid_len,
    314 			     data->peerid, data->peerid_len, 0,
    315 			     wpabuf_head(reqData), wpabuf_len(reqData),
    316 			     attr.mic_s, mic_s);
    317 	if (os_memcmp_const(attr.mic_s, mic_s, EAP_SAKE_MIC_LEN) != 0) {
    318 		wpa_printf(MSG_INFO, "EAP-SAKE: Incorrect AT_MIC_S");
    319 		eap_sake_state(data, FAILURE);
    320 		ret->methodState = METHOD_DONE;
    321 		ret->decision = DECISION_FAIL;
    322 		ret->allowNotifications = FALSE;
    323 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending "
    324 			   "Response/Auth-Reject");
    325 		return eap_sake_build_msg(data, id, 0,
    326 					  EAP_SAKE_SUBTYPE_AUTH_REJECT);
    327 	}
    328 
    329 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Confirm");
    330 
    331 	resp = eap_sake_build_msg(data, id, 2 + EAP_SAKE_MIC_LEN,
    332 				  EAP_SAKE_SUBTYPE_CONFIRM);
    333 	if (resp == NULL)
    334 		return NULL;
    335 
    336 	wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_MIC_P");
    337 	wpabuf_put_u8(resp, EAP_SAKE_AT_MIC_P);
    338 	wpabuf_put_u8(resp, 2 + EAP_SAKE_MIC_LEN);
    339 	rpos = wpabuf_put(resp, EAP_SAKE_MIC_LEN);
    340 	if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
    341 				 data->serverid, data->serverid_len,
    342 				 data->peerid, data->peerid_len, 1,
    343 				 wpabuf_head(resp), wpabuf_len(resp), rpos,
    344 				 rpos)) {
    345 		wpa_printf(MSG_INFO, "EAP-SAKE: Failed to compute MIC");
    346 		wpabuf_free(resp);
    347 		return NULL;
    348 	}
    349 
    350 	eap_sake_state(data, SUCCESS);
    351 	ret->methodState = METHOD_DONE;
    352 	ret->decision = DECISION_UNCOND_SUCC;
    353 	ret->allowNotifications = FALSE;
    354 
    355 	return resp;
    356 }
    357 
    358 
    359 static struct wpabuf * eap_sake_process(struct eap_sm *sm, void *priv,
    360 					struct eap_method_ret *ret,
    361 					const struct wpabuf *reqData)
    362 {
    363 	struct eap_sake_data *data = priv;
    364 	const struct eap_sake_hdr *req;
    365 	struct wpabuf *resp;
    366 	const u8 *pos, *end;
    367 	size_t len;
    368 	u8 subtype, session_id, id;
    369 
    370 	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_SAKE, reqData, &len);
    371 	if (pos == NULL || len < sizeof(struct eap_sake_hdr)) {
    372 		ret->ignore = TRUE;
    373 		return NULL;
    374 	}
    375 
    376 	req = (const struct eap_sake_hdr *) pos;
    377 	end = pos + len;
    378 	id = eap_get_id(reqData);
    379 	subtype = req->subtype;
    380 	session_id = req->session_id;
    381 	pos = (const u8 *) (req + 1);
    382 
    383 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Received frame: subtype %d "
    384 		   "session_id %d", subtype, session_id);
    385 	wpa_hexdump(MSG_DEBUG, "EAP-SAKE: Received attributes",
    386 		    pos, end - pos);
    387 
    388 	if (data->session_id_set && data->session_id != session_id) {
    389 		wpa_printf(MSG_INFO, "EAP-SAKE: Session ID mismatch (%d,%d)",
    390 			   session_id, data->session_id);
    391 		ret->ignore = TRUE;
    392 		return NULL;
    393 	}
    394 	data->session_id = session_id;
    395 	data->session_id_set = 1;
    396 
    397 	ret->ignore = FALSE;
    398 	ret->methodState = METHOD_MAY_CONT;
    399 	ret->decision = DECISION_FAIL;
    400 	ret->allowNotifications = TRUE;
    401 
    402 	switch (subtype) {
    403 	case EAP_SAKE_SUBTYPE_IDENTITY:
    404 		resp = eap_sake_process_identity(sm, data, ret, id,
    405 						 pos, end - pos);
    406 		break;
    407 	case EAP_SAKE_SUBTYPE_CHALLENGE:
    408 		resp = eap_sake_process_challenge(sm, data, ret, id,
    409 						  pos, end - pos);
    410 		break;
    411 	case EAP_SAKE_SUBTYPE_CONFIRM:
    412 		resp = eap_sake_process_confirm(sm, data, ret, id, reqData,
    413 						pos, end - pos);
    414 		break;
    415 	default:
    416 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring message with "
    417 			   "unknown subtype %d", subtype);
    418 		ret->ignore = TRUE;
    419 		return NULL;
    420 	}
    421 
    422 	if (ret->methodState == METHOD_DONE)
    423 		ret->allowNotifications = FALSE;
    424 
    425 	return resp;
    426 }
    427 
    428 
    429 static Boolean eap_sake_isKeyAvailable(struct eap_sm *sm, void *priv)
    430 {
    431 	struct eap_sake_data *data = priv;
    432 	return data->state == SUCCESS;
    433 }
    434 
    435 
    436 static u8 * eap_sake_getKey(struct eap_sm *sm, void *priv, size_t *len)
    437 {
    438 	struct eap_sake_data *data = priv;
    439 	u8 *key;
    440 
    441 	if (data->state != SUCCESS)
    442 		return NULL;
    443 
    444 	key = os_malloc(EAP_MSK_LEN);
    445 	if (key == NULL)
    446 		return NULL;
    447 	os_memcpy(key, data->msk, EAP_MSK_LEN);
    448 	*len = EAP_MSK_LEN;
    449 
    450 	return key;
    451 }
    452 
    453 
    454 static u8 * eap_sake_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
    455 {
    456 	struct eap_sake_data *data = priv;
    457 	u8 *id;
    458 
    459 	if (data->state != SUCCESS)
    460 		return NULL;
    461 
    462 	*len = 1 + 2 * EAP_SAKE_RAND_LEN;
    463 	id = os_malloc(*len);
    464 	if (id == NULL)
    465 		return NULL;
    466 
    467 	id[0] = EAP_TYPE_SAKE;
    468 	os_memcpy(id + 1, data->rand_s, EAP_SAKE_RAND_LEN);
    469 	os_memcpy(id + 1 + EAP_SAKE_RAND_LEN, data->rand_s, EAP_SAKE_RAND_LEN);
    470 	wpa_hexdump(MSG_DEBUG, "EAP-SAKE: Derived Session-Id", id, *len);
    471 
    472 	return id;
    473 }
    474 
    475 
    476 static u8 * eap_sake_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
    477 {
    478 	struct eap_sake_data *data = priv;
    479 	u8 *key;
    480 
    481 	if (data->state != SUCCESS)
    482 		return NULL;
    483 
    484 	key = os_malloc(EAP_EMSK_LEN);
    485 	if (key == NULL)
    486 		return NULL;
    487 	os_memcpy(key, data->emsk, EAP_EMSK_LEN);
    488 	*len = EAP_EMSK_LEN;
    489 
    490 	return key;
    491 }
    492 
    493 
    494 int eap_peer_sake_register(void)
    495 {
    496 	struct eap_method *eap;
    497 
    498 	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
    499 				    EAP_VENDOR_IETF, EAP_TYPE_SAKE, "SAKE");
    500 	if (eap == NULL)
    501 		return -1;
    502 
    503 	eap->init = eap_sake_init;
    504 	eap->deinit = eap_sake_deinit;
    505 	eap->process = eap_sake_process;
    506 	eap->isKeyAvailable = eap_sake_isKeyAvailable;
    507 	eap->getKey = eap_sake_getKey;
    508 	eap->getSessionId = eap_sake_get_session_id;
    509 	eap->get_emsk = eap_sake_get_emsk;
    510 
    511 	return eap_peer_method_register(eap);
    512 }
    513