2 * Copyright (c) Dan Harkins, 2012
4 * Copyright holder grants permission for redistribution and use in source
5 * and binary forms, with or without modification, provided that the
6 * following conditions are met:
7 * 1. Redistribution of source code must retain the above copyright
8 * notice, this list of conditions, and the following disclaimer
10 * 2. Redistribution in binary form must retain the above copyright
11 * notice, this list of conditions, and the following disclaimer
12 * in the documentation and/or other materials provided with the
15 * "DISCLAIMER OF LIABILITY
17 * THIS SOFTWARE IS PROVIDED BY DAN HARKINS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
19 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
20 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INDUSTRIAL LOUNGE BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * This license and distribution terms cannot be changed. In other words,
30 * this code cannot simply be copied and put under a different distribution
31 * license (including the GNU public license).
35 USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
37 #include "rlm_eap_pwd.h"
41 #define MPPE_KEY_LEN 32
42 #define MSK_EMSK_LEN (2*MPPE_KEY_LEN)
44 static CONF_PARSER pwd_module_config[] = {
45 { "group", FR_CONF_OFFSET(PW_TYPE_INTEGER, eap_pwd_t, group), "19" },
46 { "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, eap_pwd_t, fragment_size), "1020" },
47 { "server_id", FR_CONF_OFFSET(PW_TYPE_STRING, eap_pwd_t, server_id), NULL },
48 { "virtual_server", FR_CONF_OFFSET(PW_TYPE_STRING, eap_pwd_t, virtual_server), NULL },
49 CONF_PARSER_TERMINATOR
52 static int mod_detach (void *arg)
56 inst = (eap_pwd_t *) arg;
58 if (inst->bnctx) BN_CTX_free(inst->bnctx);
63 static int mod_instantiate (CONF_SECTION *cs, void **instance)
67 *instance = inst = talloc_zero(cs, eap_pwd_t);
70 if (cf_section_parse(cs, inst, pwd_module_config) < 0) {
74 if (inst->fragment_size < 100) {
75 cf_log_err_cs(cs, "Fragment size is too small");
79 if ((inst->bnctx = BN_CTX_new()) == NULL) {
80 cf_log_err_cs(cs, "Failed to get BN context");
87 static int _free_pwd_session (pwd_session_t *session)
89 BN_clear_free(session->private_value);
90 BN_clear_free(session->peer_scalar);
91 BN_clear_free(session->my_scalar);
92 BN_clear_free(session->k);
93 EC_POINT_clear_free(session->my_element);
94 EC_POINT_clear_free(session->peer_element);
95 EC_GROUP_free(session->group);
96 EC_POINT_clear_free(session->pwe);
97 BN_clear_free(session->order);
98 BN_clear_free(session->prime);
103 static int send_pwd_request (pwd_session_t *session, EAP_DS *eap_ds)
109 len = (session->out_len - session->out_pos) + sizeof(pwd_hdr);
111 eap_ds->request->code = PW_EAP_REQUEST;
112 eap_ds->request->type.num = PW_EAP_PWD;
113 eap_ds->request->type.length = (len > session->mtu) ? session->mtu : len;
114 eap_ds->request->type.data = talloc_zero_array(eap_ds->request, uint8_t, eap_ds->request->type.length);
115 hdr = (pwd_hdr *)eap_ds->request->type.data;
117 switch (session->state) {
118 case PWD_STATE_ID_REQ:
119 EAP_PWD_SET_EXCHANGE(hdr, EAP_PWD_EXCH_ID);
122 case PWD_STATE_COMMIT:
123 EAP_PWD_SET_EXCHANGE(hdr, EAP_PWD_EXCH_COMMIT);
126 case PWD_STATE_CONFIRM:
127 EAP_PWD_SET_EXCHANGE(hdr, EAP_PWD_EXCH_CONFIRM);
131 ERROR("rlm_eap_pwd: PWD state is invalid. Can't send request");
135 * are we fragmenting?
137 if (((session->out_len - session->out_pos) + sizeof(pwd_hdr)) > session->mtu) {
138 EAP_PWD_SET_MORE_BIT(hdr);
139 if (session->out_pos == 0) {
141 * the first fragment, add the total length
143 EAP_PWD_SET_LENGTH_BIT(hdr);
144 totlen = ntohs(session->out_len);
145 memcpy(hdr->data, (char *)&totlen, sizeof(totlen));
146 memcpy(hdr->data + sizeof(uint16_t),
148 session->mtu - sizeof(pwd_hdr) - sizeof(uint16_t));
149 session->out_pos += (session->mtu - sizeof(pwd_hdr) - sizeof(uint16_t));
152 * an intermediate fragment
154 memcpy(hdr->data, session->out + session->out_pos, (session->mtu - sizeof(pwd_hdr)));
155 session->out_pos += (session->mtu - sizeof(pwd_hdr));
159 * either it's not a fragment or it's the last fragment.
160 * The out buffer isn't needed anymore though so get rid of it.
162 memcpy(hdr->data, session->out + session->out_pos,
163 (session->out_len - session->out_pos));
164 talloc_free(session->out);
166 session->out_pos = session->out_len = 0;
171 static int mod_session_init (void *instance, eap_handler_t *handler)
173 pwd_session_t *session;
174 eap_pwd_t *inst = (eap_pwd_t *)instance;
176 pwd_id_packet_t *packet;
178 if (!inst || !handler) {
179 ERROR("rlm_eap_pwd: Initiate, NULL data provided");
184 * make sure the server's been configured properly
186 if (!inst->server_id) {
187 ERROR("rlm_eap_pwd: Server ID is not configured");
190 switch (inst->group) {
199 ERROR("rlm_eap_pwd: Group is not supported");
203 if ((session = talloc_zero(handler, pwd_session_t)) == NULL) return 0;
204 talloc_set_destructor(session, _free_pwd_session);
206 * set things up so they can be free'd reliably
208 session->group_num = inst->group;
209 session->private_value = NULL;
210 session->peer_scalar = NULL;
211 session->my_scalar = NULL;
213 session->my_element = NULL;
214 session->peer_element = NULL;
215 session->group = NULL;
217 session->order = NULL;
218 session->prime = NULL;
221 * The admin can dynamically change the MTU.
223 session->mtu = inst->fragment_size;
224 vp = fr_pair_find_by_num(handler->request->packet->vps, PW_FRAMED_MTU, 0, TAG_ANY);
227 * session->mtu is *our* MTU. We need to subtract off the EAP
230 * 9 = 4 (EAPOL header) + 4 (EAP header) + 1 (EAP type)
232 * The fragmentation code deals with the included length
233 * so we don't need to subtract that here.
235 if (vp && (vp->vp_integer > 100) && (vp->vp_integer < session->mtu)) {
236 session->mtu = vp->vp_integer - 9;
239 session->state = PWD_STATE_ID_REQ;
241 session->out_pos = 0;
242 handler->opaque = session;
245 * construct an EAP-pwd-ID/Request
247 session->out_len = sizeof(pwd_id_packet_t) + strlen(inst->server_id);
248 if ((session->out = talloc_zero_array(session, uint8_t, session->out_len)) == NULL) {
252 packet = (pwd_id_packet_t *)session->out;
253 packet->group_num = htons(session->group_num);
254 packet->random_function = EAP_PWD_DEF_RAND_FUN;
255 packet->prf = EAP_PWD_DEF_PRF;
256 session->token = fr_rand();
257 memcpy(packet->token, (char *)&session->token, 4);
258 packet->prep = EAP_PWD_PREP_NONE;
259 memcpy(packet->identity, inst->server_id, session->out_len - sizeof(pwd_id_packet_t) );
261 handler->stage = PROCESS;
263 return send_pwd_request(session, handler->eap_ds);
266 static int mod_process(void *arg, eap_handler_t *handler)
268 pwd_session_t *session;
270 pwd_id_packet_t *packet;
271 eap_packet_t *response;
272 REQUEST *request, *fake;
277 eap_pwd_t *inst = (eap_pwd_t *)arg;
279 uint8_t exch, *in, *ptr, msk[MSK_EMSK_LEN], emsk[MSK_EMSK_LEN];
280 uint8_t peer_confirm[SHA256_DIGEST_LENGTH];
281 BIGNUM *x = NULL, *y = NULL;
283 if (((eap_ds = handler->eap_ds) == NULL) || !inst) return 0;
285 session = (pwd_session_t *)handler->opaque;
286 request = handler->request;
287 response = handler->eap_ds->response;
288 hdr = (pwd_hdr *)response->type.data;
291 * The header must be at least one byte.
293 if (!hdr || (response->type.length < sizeof(pwd_hdr))) {
294 RDEBUG("Packet with insufficient data");
299 in_len = response->type.length - sizeof(pwd_hdr);
302 * see if we're fragmenting, if so continue until we're done
304 if (session->out_pos) {
305 if (in_len) RDEBUG2("pwd got something more than an ACK for a fragment");
307 return send_pwd_request(session, eap_ds);
311 * the first fragment will have a total length, make a
312 * buffer to hold all the fragments
314 if (EAP_PWD_GET_LENGTH_BIT(hdr)) {
316 RDEBUG2("pwd already alloced buffer for fragments");
321 RDEBUG("Invalid packet: length bit set, but no length field");
325 session->in_len = ntohs(in[0] * 256 | in[1]);
326 if ((session->in = talloc_zero_array(session, uint8_t, session->in_len)) == NULL) {
327 RDEBUG2("pwd cannot allocate %zd buffer to hold fragments",
331 memset(session->in, 0, session->in_len);
333 in += sizeof(uint16_t);
334 in_len -= sizeof(uint16_t);
338 * all fragments, including the 1st will have the M(ore) bit set,
339 * buffer those fragments!
341 if (EAP_PWD_GET_MORE_BIT(hdr)) {
342 rad_assert(session->in != NULL);
344 if ((session->in_pos + in_len) > session->in_len) {
345 RDEBUG2("Fragment overflows packet.");
349 memcpy(session->in + session->in_pos, in, in_len);
350 session->in_pos += in_len;
353 * send back an ACK for this fragment
355 exch = EAP_PWD_GET_EXCHANGE(hdr);
356 eap_ds->request->code = PW_EAP_REQUEST;
357 eap_ds->request->type.num = PW_EAP_PWD;
358 eap_ds->request->type.length = sizeof(pwd_hdr);
359 if ((eap_ds->request->type.data = talloc_array(eap_ds->request, uint8_t, sizeof(pwd_hdr))) == NULL) {
362 hdr = (pwd_hdr *)eap_ds->request->type.data;
363 EAP_PWD_SET_EXCHANGE(hdr, exch);
370 * the last fragment...
372 if ((session->in_pos + in_len) > session->in_len) {
373 RDEBUG2("pwd will not overflow a fragment buffer. Nope, not prudent");
376 memcpy(session->in + session->in_pos, in, in_len);
378 in_len = session->in_len;
381 switch (session->state) {
382 case PWD_STATE_ID_REQ:
383 if (EAP_PWD_GET_EXCHANGE(hdr) != EAP_PWD_EXCH_ID) {
384 RDEBUG2("pwd exchange is incorrect: not ID");
388 packet = (pwd_id_packet_t *) in;
389 if (in_len < sizeof(packet)) {
390 RDEBUG("Packet is too small (%zd < %zd).", in_len, sizeof(packet));
394 if ((packet->prf != EAP_PWD_DEF_PRF) ||
395 (packet->random_function != EAP_PWD_DEF_RAND_FUN) ||
396 (packet->prep != EAP_PWD_PREP_NONE) ||
397 (CRYPTO_memcmp(packet->token, &session->token, 4)) ||
398 (packet->group_num != ntohs(session->group_num))) {
399 RDEBUG2("pwd id response is invalid");
403 * we've agreed on the ciphersuite, record it...
405 ptr = (uint8_t *)&session->ciphersuite;
406 memcpy(ptr, (char *)&packet->group_num, sizeof(uint16_t));
407 ptr += sizeof(uint16_t);
408 *ptr = EAP_PWD_DEF_RAND_FUN;
409 ptr += sizeof(uint8_t);
410 *ptr = EAP_PWD_DEF_PRF;
412 session->peer_id_len = in_len - sizeof(pwd_id_packet_t);
413 if (session->peer_id_len >= sizeof(session->peer_id)) {
414 RDEBUG2("pwd id response is malformed");
418 memcpy(session->peer_id, packet->identity, session->peer_id_len);
419 session->peer_id[session->peer_id_len] = '\0';
422 * make fake request to get the password for the usable ID
424 if ((fake = request_alloc_fake(handler->request)) == NULL) {
425 RDEBUG("pwd unable to create fake request!");
428 fake->username = fr_pair_afrom_num(fake->packet, PW_USER_NAME, 0);
429 if (!fake->username) {
430 RDEBUG("Failed creating pair for peer id");
434 fr_pair_value_bstrncpy(fake->username, session->peer_id, session->peer_id_len);
435 fr_pair_add(&fake->packet->vps, fake->username);
437 if ((vp = fr_pair_find_by_num(request->config, PW_VIRTUAL_SERVER, 0, TAG_ANY)) != NULL) {
438 fake->server = vp->vp_strvalue;
439 } else if (inst->virtual_server) {
440 fake->server = inst->virtual_server;
441 } /* else fake->server == request->server */
443 RDEBUG("Sending tunneled request");
444 rdebug_pair_list(L_DBG_LVL_1, request, fake->packet->vps, NULL);
447 RDEBUG("server %s {", fake->server);
453 * Call authorization recursively, which will
457 process_authorize(0, fake);
461 * Note that we don't do *anything* with the reply
465 RDEBUG("} # server %s", fake->server);
470 RDEBUG("Got tunneled reply code %d", fake->reply->code);
471 rdebug_pair_list(L_DBG_LVL_1, request, fake->reply->vps, NULL);
473 if ((pw = fr_pair_find_by_num(fake->config, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY)) == NULL) {
474 DEBUG2("failed to find password for %s to do pwd authentication",
480 if (compute_password_element(session, session->group_num,
481 pw->data.strvalue, strlen(pw->data.strvalue),
482 inst->server_id, strlen(inst->server_id),
483 session->peer_id, strlen(session->peer_id),
485 DEBUG2("failed to obtain password element");
492 * compute our scalar and element
494 if (compute_scalar_element(session, inst->bnctx)) {
495 DEBUG2("failed to compute server's scalar and element");
499 if (((x = BN_new()) == NULL) || ((y = BN_new()) == NULL)) {
500 DEBUG2("server point allocation failed");
505 * element is a point, get both coordinates: x and y
507 if (!EC_POINT_get_affine_coordinates_GFp(session->group, session->my_element, x, y,
509 DEBUG2("server point assignment failed");
518 session->out_len = BN_num_bytes(session->order) + (2 * BN_num_bytes(session->prime));
519 if ((session->out = talloc_array(session, uint8_t, session->out_len)) == NULL) {
522 memset(session->out, 0, session->out_len);
525 offset = BN_num_bytes(session->prime) - BN_num_bytes(x);
526 BN_bn2bin(x, ptr + offset);
528 ptr += BN_num_bytes(session->prime);
529 offset = BN_num_bytes(session->prime) - BN_num_bytes(y);
530 BN_bn2bin(y, ptr + offset);
532 ptr += BN_num_bytes(session->prime);
533 offset = BN_num_bytes(session->order) - BN_num_bytes(session->my_scalar);
534 BN_bn2bin(session->my_scalar, ptr + offset);
536 session->state = PWD_STATE_COMMIT;
537 ret = send_pwd_request(session, eap_ds);
540 case PWD_STATE_COMMIT:
541 if (EAP_PWD_GET_EXCHANGE(hdr) != EAP_PWD_EXCH_COMMIT) {
542 RDEBUG2("pwd exchange is incorrect: not commit!");
547 * process the peer's commit and generate the shared key, k
549 if (process_peer_commit(session, in, in_len, inst->bnctx)) {
550 RDEBUG2("failed to process peer's commit");
555 * compute our confirm blob
557 if (compute_server_confirm(session, session->my_confirm, inst->bnctx)) {
558 ERROR("rlm_eap_pwd: failed to compute confirm!");
563 * construct a response...which is just our confirm blob
565 session->out_len = SHA256_DIGEST_LENGTH;
566 if ((session->out = talloc_array(session, uint8_t, session->out_len)) == NULL) {
570 memset(session->out, 0, session->out_len);
571 memcpy(session->out, session->my_confirm, SHA256_DIGEST_LENGTH);
573 session->state = PWD_STATE_CONFIRM;
574 ret = send_pwd_request(session, eap_ds);
577 case PWD_STATE_CONFIRM:
578 if (in_len < SHA256_DIGEST_LENGTH) {
579 RDEBUG("Peer confirm is too short (%zd < %d)",
580 in_len, SHA256_DIGEST_LENGTH);
584 if (EAP_PWD_GET_EXCHANGE(hdr) != EAP_PWD_EXCH_CONFIRM) {
585 RDEBUG2("pwd exchange is incorrect: not commit!");
588 if (compute_peer_confirm(session, peer_confirm, inst->bnctx)) {
589 RDEBUG2("pwd exchange cannot compute peer's confirm");
592 if (CRYPTO_memcmp(peer_confirm, in, SHA256_DIGEST_LENGTH)) {
593 RDEBUG2("pwd exchange fails: peer confirm is incorrect!");
596 if (compute_keys(session, peer_confirm, msk, emsk)) {
597 RDEBUG2("pwd exchange cannot generate (E)MSK!");
600 eap_ds->request->code = PW_EAP_SUCCESS;
602 * return the MSK (in halves)
604 eap_add_reply(handler->request, "MS-MPPE-Recv-Key", msk, MPPE_KEY_LEN);
605 eap_add_reply(handler->request, "MS-MPPE-Send-Key", msk + MPPE_KEY_LEN, MPPE_KEY_LEN);
611 RDEBUG2("unknown PWD state");
616 * we processed the buffered fragments, get rid of them
619 talloc_free(session->in);
626 extern rlm_eap_module_t rlm_eap_pwd;
627 rlm_eap_module_t rlm_eap_pwd = {
629 .instantiate = mod_instantiate, /* Create new submodule instance */
630 .session_init = mod_session_init, /* Create the initial request */
631 .process = mod_process, /* Process next round of EAP method */
632 .detach = mod_detach /* Destroy the submodule instance */