libeap/src/eap_peer/eap_sake.c

   1 /*
   2  * EAP peer method: EAP-SAKE (RFC 4763)
   3  * Copyright (c) 2006-2008, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include "common.h"
  12 #include "crypto/random.h"
  13 #include "eap_peer/eap_i.h"
  14 #include "eap_common/eap_sake_common.h"
  15
  16 struct eap_sake_data {
  17         enum { IDENTITY, CHALLENGE, CONFIRM, SUCCESS, FAILURE } state;
  18         u8 root_secret_a[EAP_SAKE_ROOT_SECRET_LEN];
  19         u8 root_secret_b[EAP_SAKE_ROOT_SECRET_LEN];
  20         u8 rand_s[EAP_SAKE_RAND_LEN];
  21         u8 rand_p[EAP_SAKE_RAND_LEN];
  22         struct {
  23                 u8 auth[EAP_SAKE_TEK_AUTH_LEN];
  24                 u8 cipher[EAP_SAKE_TEK_CIPHER_LEN];
  25         } tek;
  26         u8 msk[EAP_MSK_LEN];
  27         u8 emsk[EAP_EMSK_LEN];
  28         u8 session_id;
  29         int session_id_set;
  30         u8 *peerid;
  31         size_t peerid_len;
  32         u8 *serverid;
  33         size_t serverid_len;
  34 };
  35
  36
  37 static const char * eap_sake_state_txt(int state)
  38 {
  39         switch (state) {
  40         case IDENTITY:
  41                 return "IDENTITY";
  42         case CHALLENGE:
  43                 return "CHALLENGE";
  44         case CONFIRM:
  45                 return "CONFIRM";
  46         case SUCCESS:
  47                 return "SUCCESS";
  48         case FAILURE:
  49                 return "FAILURE";
  50         default:
  51                 return "?";
  52         }
  53 }
  54
  55
  56 static void eap_sake_state(struct eap_sake_data *data, int state)
  57 {
  58         wpa_printf(MSG_DEBUG, "EAP-SAKE: %s -> %s",
  59                    eap_sake_state_txt(data->state),
  60                    eap_sake_state_txt(state));
  61         data->state = state;
  62 }
  63
  64
  65 static void eap_sake_deinit(struct eap_sm *sm, void *priv);
  66
  67
  68 static void * eap_sake_init(struct eap_sm *sm)
  69 {
  70         struct eap_sake_data *data;
  71         const u8 *identity, *password;
  72         size_t identity_len, password_len;
  73
  74         password = eap_get_config_password(sm, &password_len);
  75         if (!password || password_len != 2 * EAP_SAKE_ROOT_SECRET_LEN) {
  76                 wpa_printf(MSG_INFO, "EAP-SAKE: No key of correct length "
  77                            "configured");
  78                 return NULL;
  79         }
  80
  81         data = os_zalloc(sizeof(*data));
  82         if (data == NULL)
  83                 return NULL;
  84         data->state = IDENTITY;
  85
  86         identity = eap_get_config_identity(sm, &identity_len);
  87         if (identity) {
  88                 data->peerid = os_malloc(identity_len);
  89                 if (data->peerid == NULL) {
  90                         eap_sake_deinit(sm, data);
  91                         return NULL;
  92                 }
  93                 os_memcpy(data->peerid, identity, identity_len);
  94                 data->peerid_len = identity_len;
  95         }
  96
  97         os_memcpy(data->root_secret_a, password, EAP_SAKE_ROOT_SECRET_LEN);
  98         os_memcpy(data->root_secret_b,
  99                   password + EAP_SAKE_ROOT_SECRET_LEN,
 100                   EAP_SAKE_ROOT_SECRET_LEN);
 101
 102         return data;
 103 }
 104
 105
 106 static void eap_sake_deinit(struct eap_sm *sm, void *priv)
 107 {
 108         struct eap_sake_data *data = priv;
 109         os_free(data->serverid);
 110         os_free(data->peerid);
 111         bin_clear_free(data, sizeof(*data));
 112 }
 113
 114
 115 static struct wpabuf * eap_sake_build_msg(struct eap_sake_data *data,
 116                                           int id, size_t length, u8 subtype)
 117 {
 118         struct eap_sake_hdr *sake;
 119         struct wpabuf *msg;
 120         size_t plen;
 121
 122         plen = length + sizeof(struct eap_sake_hdr);
 123
 124         msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_SAKE, plen,
 125                             EAP_CODE_RESPONSE, id);
 126         if (msg == NULL) {
 127                 wpa_printf(MSG_ERROR, "EAP-SAKE: Failed to allocate memory "
 128                            "request");
 129                 return NULL;
 130         }
 131
 132         sake = wpabuf_put(msg, sizeof(*sake));
 133         sake->version = EAP_SAKE_VERSION;
 134         sake->session_id = data->session_id;
 135         sake->subtype = subtype;
 136
 137         return msg;
 138 }
 139
 140
 141 static struct wpabuf * eap_sake_process_identity(struct eap_sm *sm,
 142                                                  struct eap_sake_data *data,
 143                                                  struct eap_method_ret *ret,
 144                                                  u8 id,
 145                                                  const u8 *payload,
 146                                                  size_t payload_len)
 147 {
 148         struct eap_sake_parse_attr attr;
 149         struct wpabuf *resp;
 150
 151         if (data->state != IDENTITY) {
 152                 ret->ignore = TRUE;
 153                 return NULL;
 154         }
 155
 156         wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Identity");
 157
 158         if (eap_sake_parse_attributes(payload, payload_len, &attr))
 159                 return NULL;
 160
 161         if (!attr.perm_id_req && !attr.any_id_req) {
 162                 wpa_printf(MSG_INFO, "EAP-SAKE: No AT_PERM_ID_REQ or "
 163                            "AT_ANY_ID_REQ in Request/Identity");
 164                 return NULL;
 165         }
 166
 167         wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Identity");
 168
 169         resp = eap_sake_build_msg(data, id, 2 + data->peerid_len,
 170                                   EAP_SAKE_SUBTYPE_IDENTITY);
 171         if (resp == NULL)
 172                 return NULL;
 173
 174         wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_PEERID");
 175         eap_sake_add_attr(resp, EAP_SAKE_AT_PEERID,
 176                           data->peerid, data->peerid_len);
 177
 178         eap_sake_state(data, CHALLENGE);
 179
 180         return resp;
 181 }
 182
 183
 184 static struct wpabuf * eap_sake_process_challenge(struct eap_sm *sm,
 185                                                   struct eap_sake_data *data,
 186                                                   struct eap_method_ret *ret,
 187                                                   u8 id,
 188                                                   const u8 *payload,
 189                                                   size_t payload_len)
 190 {
 191         struct eap_sake_parse_attr attr;
 192         struct wpabuf *resp;
 193         u8 *rpos;
 194         size_t rlen;
 195
 196         if (data->state != IDENTITY && data->state != CHALLENGE) {
 197                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Request/Challenge received "
 198                            "in unexpected state (%d)", data->state);
 199                 ret->ignore = TRUE;
 200                 return NULL;
 201         }
 202         if (data->state == IDENTITY)
 203                 eap_sake_state(data, CHALLENGE);
 204
 205         wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Challenge");
 206
 207         if (eap_sake_parse_attributes(payload, payload_len, &attr))
 208                 return NULL;
 209
 210         if (!attr.rand_s) {
 211                 wpa_printf(MSG_INFO, "EAP-SAKE: Request/Challenge did not "
 212                            "include AT_RAND_S");
 213                 return NULL;
 214         }
 215
 216         os_memcpy(data->rand_s, attr.rand_s, EAP_SAKE_RAND_LEN);
 217         wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_S (server rand)",
 218                     data->rand_s, EAP_SAKE_RAND_LEN);
 219
 220         if (random_get_bytes(data->rand_p, EAP_SAKE_RAND_LEN)) {
 221                 wpa_printf(MSG_ERROR, "EAP-SAKE: Failed to get random data");
 222                 return NULL;
 223         }
 224         wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_P (peer rand)",
 225                     data->rand_p, EAP_SAKE_RAND_LEN);
 226
 227         os_free(data->serverid);
 228         data->serverid = NULL;
 229         data->serverid_len = 0;
 230         if (attr.serverid) {
 231                 wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-SAKE: SERVERID",
 232                                   attr.serverid, attr.serverid_len);
 233                 data->serverid = os_malloc(attr.serverid_len);
 234                 if (data->serverid == NULL)
 235                         return NULL;
 236                 os_memcpy(data->serverid, attr.serverid, attr.serverid_len);
 237                 data->serverid_len = attr.serverid_len;
 238         }
 239
 240         eap_sake_derive_keys(data->root_secret_a, data->root_secret_b,
 241                              data->rand_s, data->rand_p,
 242                              (u8 *) &data->tek, data->msk, data->emsk);
 243
 244         wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Challenge");
 245
 246         rlen = 2 + EAP_SAKE_RAND_LEN + 2 + EAP_SAKE_MIC_LEN;
 247         if (data->peerid)
 248                 rlen += 2 + data->peerid_len;
 249         resp = eap_sake_build_msg(data, id, rlen, EAP_SAKE_SUBTYPE_CHALLENGE);
 250         if (resp == NULL)
 251                 return NULL;
 252
 253         wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_RAND_P");
 254         eap_sake_add_attr(resp, EAP_SAKE_AT_RAND_P,
 255                           data->rand_p, EAP_SAKE_RAND_LEN);
 256
 257         if (data->peerid) {
 258                 wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_PEERID");
 259                 eap_sake_add_attr(resp, EAP_SAKE_AT_PEERID,
 260                                   data->peerid, data->peerid_len);
 261         }
 262
 263         wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_MIC_P");
 264         wpabuf_put_u8(resp, EAP_SAKE_AT_MIC_P);
 265         wpabuf_put_u8(resp, 2 + EAP_SAKE_MIC_LEN);
 266         rpos = wpabuf_put(resp, EAP_SAKE_MIC_LEN);
 267         if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
 268                                  data->serverid, data->serverid_len,
 269                                  data->peerid, data->peerid_len, 1,
 270                                  wpabuf_head(resp), wpabuf_len(resp), rpos,
 271                                  rpos)) {
 272                 wpa_printf(MSG_INFO, "EAP-SAKE: Failed to compute MIC");
 273                 wpabuf_free(resp);
 274                 return NULL;
 275         }
 276
 277         eap_sake_state(data, CONFIRM);
 278
 279         return resp;
 280 }
 281
 282
 283 static struct wpabuf * eap_sake_process_confirm(struct eap_sm *sm,
 284                                                 struct eap_sake_data *data,
 285                                                 struct eap_method_ret *ret,
 286                                                 u8 id,
 287                                                 const struct wpabuf *reqData,
 288                                                 const u8 *payload,
 289                                                 size_t payload_len)
 290 {
 291         struct eap_sake_parse_attr attr;
 292         u8 mic_s[EAP_SAKE_MIC_LEN];
 293         struct wpabuf *resp;
 294         u8 *rpos;
 295
 296         if (data->state != CONFIRM) {
 297                 ret->ignore = TRUE;
 298                 return NULL;
 299         }
 300
 301         wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Confirm");
 302
 303         if (eap_sake_parse_attributes(payload, payload_len, &attr))
 304                 return NULL;
 305
 306         if (!attr.mic_s) {
 307                 wpa_printf(MSG_INFO, "EAP-SAKE: Request/Confirm did not "
 308                            "include AT_MIC_S");
 309                 return NULL;
 310         }
 311
 312         if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
 313                                  data->serverid, data->serverid_len,
 314                                  data->peerid, data->peerid_len, 0,
 315                                  wpabuf_head(reqData), wpabuf_len(reqData),
 316                                  attr.mic_s, mic_s)) {
 317                 wpa_printf(MSG_INFO, "EAP-SAKE: Failed to compute MIC");
 318                 eap_sake_state(data, FAILURE);
 319                 ret->methodState = METHOD_DONE;
 320                 ret->decision = DECISION_FAIL;
 321                 ret->allowNotifications = FALSE;
 322                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Auth-Reject");
 323                 return eap_sake_build_msg(data, id, 0,
 324                                           EAP_SAKE_SUBTYPE_AUTH_REJECT);
 325         }
 326         if (os_memcmp_const(attr.mic_s, mic_s, EAP_SAKE_MIC_LEN) != 0) {
 327                 wpa_printf(MSG_INFO, "EAP-SAKE: Incorrect AT_MIC_S");
 328                 eap_sake_state(data, FAILURE);
 329                 ret->methodState = METHOD_DONE;
 330                 ret->decision = DECISION_FAIL;
 331                 ret->allowNotifications = FALSE;
 332                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending "
 333                            "Response/Auth-Reject");
 334                 return eap_sake_build_msg(data, id, 0,
 335                                           EAP_SAKE_SUBTYPE_AUTH_REJECT);
 336         }
 337
 338         wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Confirm");
 339
 340         resp = eap_sake_build_msg(data, id, 2 + EAP_SAKE_MIC_LEN,
 341                                   EAP_SAKE_SUBTYPE_CONFIRM);
 342         if (resp == NULL)
 343                 return NULL;
 344
 345         wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_MIC_P");
 346         wpabuf_put_u8(resp, EAP_SAKE_AT_MIC_P);
 347         wpabuf_put_u8(resp, 2 + EAP_SAKE_MIC_LEN);
 348         rpos = wpabuf_put(resp, EAP_SAKE_MIC_LEN);
 349         if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
 350                                  data->serverid, data->serverid_len,
 351                                  data->peerid, data->peerid_len, 1,
 352                                  wpabuf_head(resp), wpabuf_len(resp), rpos,
 353                                  rpos)) {
 354                 wpa_printf(MSG_INFO, "EAP-SAKE: Failed to compute MIC");
 355                 wpabuf_free(resp);
 356                 return NULL;
 357         }
 358
 359         eap_sake_state(data, SUCCESS);
 360         ret->methodState = METHOD_DONE;
 361         ret->decision = DECISION_UNCOND_SUCC;
 362         ret->allowNotifications = FALSE;
 363
 364         return resp;
 365 }
 366
 367
 368 static struct wpabuf * eap_sake_process(struct eap_sm *sm, void *priv,
 369                                         struct eap_method_ret *ret,
 370                                         const struct wpabuf *reqData)
 371 {
 372         struct eap_sake_data *data = priv;
 373         const struct eap_sake_hdr *req;
 374         struct wpabuf *resp;
 375         const u8 *pos, *end;
 376         size_t len;
 377         u8 subtype, session_id, id;
 378
 379         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_SAKE, reqData, &len);
 380         if (pos == NULL || len < sizeof(struct eap_sake_hdr)) {
 381                 ret->ignore = TRUE;
 382                 return NULL;
 383         }
 384
 385         req = (const struct eap_sake_hdr *) pos;
 386         end = pos + len;
 387         id = eap_get_id(reqData);
 388         subtype = req->subtype;
 389         session_id = req->session_id;
 390         pos = (const u8 *) (req + 1);
 391
 392         wpa_printf(MSG_DEBUG, "EAP-SAKE: Received frame: subtype %d "
 393                    "session_id %d", subtype, session_id);
 394         wpa_hexdump(MSG_DEBUG, "EAP-SAKE: Received attributes",
 395                     pos, end - pos);
 396
 397         if (data->session_id_set && data->session_id != session_id) {
 398                 wpa_printf(MSG_INFO, "EAP-SAKE: Session ID mismatch (%d,%d)",
 399                            session_id, data->session_id);
 400                 ret->ignore = TRUE;
 401                 return NULL;
 402         }
 403         data->session_id = session_id;
 404         data->session_id_set = 1;
 405
 406         ret->ignore = FALSE;
 407         ret->methodState = METHOD_MAY_CONT;
 408         ret->decision = DECISION_FAIL;
 409         ret->allowNotifications = TRUE;
 410
 411         switch (subtype) {
 412         case EAP_SAKE_SUBTYPE_IDENTITY:
 413                 resp = eap_sake_process_identity(sm, data, ret, id,
 414                                                  pos, end - pos);
 415                 break;
 416         case EAP_SAKE_SUBTYPE_CHALLENGE:
 417                 resp = eap_sake_process_challenge(sm, data, ret, id,
 418                                                   pos, end - pos);
 419                 break;
 420         case EAP_SAKE_SUBTYPE_CONFIRM:
 421                 resp = eap_sake_process_confirm(sm, data, ret, id, reqData,
 422                                                 pos, end - pos);
 423                 break;
 424         default:
 425                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring message with "
 426                            "unknown subtype %d", subtype);
 427                 ret->ignore = TRUE;
 428                 return NULL;
 429         }
 430
 431         if (ret->methodState == METHOD_DONE)
 432                 ret->allowNotifications = FALSE;
 433
 434         return resp;
 435 }
 436
 437
 438 static Boolean eap_sake_isKeyAvailable(struct eap_sm *sm, void *priv)
 439 {
 440         struct eap_sake_data *data = priv;
 441         return data->state == SUCCESS;
 442 }
 443
 444
 445 static u8 * eap_sake_getKey(struct eap_sm *sm, void *priv, size_t *len)
 446 {
 447         struct eap_sake_data *data = priv;
 448         u8 *key;
 449
 450         if (data->state != SUCCESS)
 451                 return NULL;
 452
 453         key = os_malloc(EAP_MSK_LEN);
 454         if (key == NULL)
 455                 return NULL;
 456         os_memcpy(key, data->msk, EAP_MSK_LEN);
 457         *len = EAP_MSK_LEN;
 458
 459         return key;
 460 }
 461
 462
 463 static u8 * eap_sake_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
 464 {
 465         struct eap_sake_data *data = priv;
 466         u8 *id;
 467
 468         if (data->state != SUCCESS)
 469                 return NULL;
 470
 471         *len = 1 + 2 * EAP_SAKE_RAND_LEN;
 472         id = os_malloc(*len);
 473         if (id == NULL)
 474                 return NULL;
 475
 476         id[0] = EAP_TYPE_SAKE;
 477         os_memcpy(id + 1, data->rand_s, EAP_SAKE_RAND_LEN);
 478         os_memcpy(id + 1 + EAP_SAKE_RAND_LEN, data->rand_s, EAP_SAKE_RAND_LEN);
 479         wpa_hexdump(MSG_DEBUG, "EAP-SAKE: Derived Session-Id", id, *len);
 480
 481         return id;
 482 }
 483
 484
 485 static u8 * eap_sake_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
 486 {
 487         struct eap_sake_data *data = priv;
 488         u8 *key;
 489
 490         if (data->state != SUCCESS)
 491                 return NULL;
 492
 493         key = os_malloc(EAP_EMSK_LEN);
 494         if (key == NULL)
 495                 return NULL;
 496         os_memcpy(key, data->emsk, EAP_EMSK_LEN);
 497         *len = EAP_EMSK_LEN;
 498
 499         return key;
 500 }
 501
 502
 503 int eap_peer_sake_register(void)
 504 {
 505         struct eap_method *eap;
 506
 507         eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
 508                                     EAP_VENDOR_IETF, EAP_TYPE_SAKE, "SAKE");
 509         if (eap == NULL)
 510                 return -1;
 511
 512         eap->init = eap_sake_init;
 513         eap->deinit = eap_sake_deinit;
 514         eap->process = eap_sake_process;
 515         eap->isKeyAvailable = eap_sake_isKeyAvailable;
 516         eap->getKey = eap_sake_getKey;
 517         eap->getSessionId = eap_sake_get_session_id;
 518         eap->get_emsk = eap_sake_get_emsk;
 519
 520         return eap_peer_method_register(eap);
 521 }