2 * EAP peer method: EAP-pwd (RFC 5931)
3 * Copyright (c) 2010, Dan Harkins <dharkins@lounge.org>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the BSD license.
8 * Alternatively, this software may be distributed under the terms of the
9 * GNU General Public License version 2 as published by the Free Software
12 * See README and COPYING for more details.
18 #include "eap_peer/eap_i.h"
19 #include "eap_common/eap_pwd_common.h"
24 PWD_ID_Req, PWD_Commit_Req, PWD_Confirm_Req, SUCCESS, FAILURE
36 BIGNUM *private_value;
37 BIGNUM *server_scalar;
40 EC_POINT *server_element;
43 u8 emsk[EAP_EMSK_LEN];
49 #ifndef CONFIG_NO_STDOUT_DEBUG
50 static const char * eap_pwd_state_txt(int state)
56 return "PWD-Commit-Req";
58 return "PWD-Confirm-Req";
67 #endif /* CONFIG_NO_STDOUT_DEBUG */
70 static void eap_pwd_state(struct eap_pwd_data *data, int state)
72 wpa_printf(MSG_INFO, "EAP-PWD: %s -> %s",
73 eap_pwd_state_txt(data->state), eap_pwd_state_txt(state));
78 static void * eap_pwd_init(struct eap_sm *sm)
80 struct eap_pwd_data *data;
81 const u8 *identity, *password;
82 size_t identity_len, password_len;
84 password = eap_get_config_password(sm, &password_len);
85 if (password == NULL) {
86 wpa_printf(MSG_INFO, "EAP-PWD: No password configured!");
90 identity = eap_get_config_identity(sm, &identity_len);
91 if (identity == NULL) {
92 wpa_printf(MSG_INFO, "EAP-PWD: No identity configured!");
96 if ((data = os_zalloc(sizeof(*data))) == NULL) {
97 wpa_printf(MSG_INFO, "EAP-PWD: memory allocation data fail");
101 if ((data->bnctx = BN_CTX_new()) == NULL) {
102 wpa_printf(MSG_INFO, "EAP-PWD: bn context allocation fail");
107 if ((data->id_peer = os_malloc(identity_len)) == NULL) {
108 wpa_printf(MSG_INFO, "EAP-PWD: memory allocation id fail");
109 BN_CTX_free(data->bnctx);
114 os_memcpy(data->id_peer, identity, identity_len);
115 data->id_peer_len = identity_len;
117 if ((data->password = os_malloc(password_len)) == NULL) {
118 wpa_printf(MSG_INFO, "EAP-PWD: memory allocation psk fail");
119 BN_CTX_free(data->bnctx);
120 os_free(data->id_peer);
124 os_memcpy(data->password, password, password_len);
125 data->password_len = password_len;
127 data->state = PWD_ID_Req;
133 static void eap_pwd_deinit(struct eap_sm *sm, void *priv)
135 struct eap_pwd_data *data = priv;
137 BN_free(data->private_value);
138 BN_free(data->server_scalar);
139 BN_free(data->my_scalar);
141 BN_CTX_free(data->bnctx);
142 EC_POINT_free(data->my_element);
143 EC_POINT_free(data->server_element);
144 os_free(data->id_peer);
145 os_free(data->id_server);
146 os_free(data->password);
148 EC_GROUP_free(data->grp->group);
149 EC_POINT_free(data->grp->pwe);
150 BN_free(data->grp->order);
151 BN_free(data->grp->prime);
158 static u8 * eap_pwd_getkey(struct eap_sm *sm, void *priv, size_t *len)
160 struct eap_pwd_data *data = priv;
163 if (data->state != SUCCESS)
166 key = os_malloc(EAP_MSK_LEN);
170 os_memcpy(key, data->msk, EAP_MSK_LEN);
177 static struct wpabuf *
178 eap_pwd_perform_id_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
179 struct eap_method_ret *ret,
180 const struct wpabuf *reqData,
181 const u8 *payload, size_t payload_len)
183 struct eap_pwd_id *id;
186 if (data->state != PWD_ID_Req) {
191 if (payload_len < sizeof(struct eap_pwd_id)) {
196 id = (struct eap_pwd_id *) payload;
197 data->group_num = be_to_host16(id->group_num);
198 if ((id->random_function != EAP_PWD_DEFAULT_RAND_FUNC) ||
199 (id->prf != EAP_PWD_DEFAULT_PRF)) {
204 wpa_printf(MSG_DEBUG, "EAP-PWD (peer): server said group %d",
207 data->id_server = os_malloc(payload_len - sizeof(struct eap_pwd_id));
208 if (data->id_server == NULL) {
209 wpa_printf(MSG_INFO, "EAP-PWD: memory allocation id fail");
212 data->id_server_len = payload_len - sizeof(struct eap_pwd_id);
213 os_memcpy(data->id_server, id->identity, data->id_server_len);
214 wpa_hexdump_ascii(MSG_INFO, "EAP-PWD (peer): server sent id of",
215 data->id_server, data->id_server_len);
217 if ((data->grp = (EAP_PWD_group *) os_malloc(sizeof(EAP_PWD_group))) ==
219 wpa_printf(MSG_INFO, "EAP-PWD: failed to allocate memory for "
225 if (compute_password_element(data->grp, data->group_num,
226 data->password, data->password_len,
227 data->id_server, data->id_server_len,
228 data->id_peer, data->id_peer_len,
230 wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to compute PWE");
234 wpa_printf(MSG_INFO, "EAP-PWD (peer): computed %d bit PWE...",
235 BN_num_bits(data->grp->prime));
237 resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
238 1 + sizeof(struct eap_pwd_id) + data->id_peer_len,
239 EAP_CODE_RESPONSE, eap_get_id(reqData));
243 wpabuf_put_u8(resp, EAP_PWD_OPCODE_ID_EXCH);
244 wpabuf_put_be16(resp, data->group_num);
245 wpabuf_put_u8(resp, EAP_PWD_DEFAULT_RAND_FUNC);
246 wpabuf_put_u8(resp, EAP_PWD_DEFAULT_PRF);
247 wpabuf_put_data(resp, id->token, sizeof(id->token));
248 wpabuf_put_u8(resp, EAP_PWD_PREP_NONE);
249 wpabuf_put_data(resp, data->id_peer, data->id_peer_len);
251 eap_pwd_state(data, PWD_Commit_Req);
257 static struct wpabuf *
258 eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
259 struct eap_method_ret *ret,
260 const struct wpabuf *reqData,
261 const u8 *payload, size_t payload_len)
263 struct wpabuf *resp = NULL;
264 EC_POINT *K = NULL, *point = NULL;
265 BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
267 u8 *ptr, *scalar = NULL, *element = NULL;
269 if (((data->private_value = BN_new()) == NULL) ||
270 ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
271 ((cofactor = BN_new()) == NULL) ||
272 ((data->my_scalar = BN_new()) == NULL) ||
273 ((mask = BN_new()) == NULL)) {
274 wpa_printf(MSG_INFO, "EAP-PWD (peer): scalar allocation fail");
278 if (!EC_GROUP_get_cofactor(data->grp->group, cofactor, NULL)) {
279 wpa_printf(MSG_INFO, "EAP-pwd (peer): unable to get cofactor "
284 BN_rand_range(data->private_value, data->grp->order);
285 BN_rand_range(mask, data->grp->order);
286 BN_add(data->my_scalar, data->private_value, mask);
287 BN_mod(data->my_scalar, data->my_scalar, data->grp->order,
290 if (!EC_POINT_mul(data->grp->group, data->my_element, NULL,
291 data->grp->pwe, mask, data->bnctx)) {
292 wpa_printf(MSG_INFO, "EAP-PWD (peer): element allocation "
294 eap_pwd_state(data, FAILURE);
298 if (!EC_POINT_invert(data->grp->group, data->my_element, data->bnctx))
300 wpa_printf(MSG_INFO, "EAP-PWD (peer): element inversion fail");
305 if (((x = BN_new()) == NULL) ||
306 ((y = BN_new()) == NULL)) {
307 wpa_printf(MSG_INFO, "EAP-PWD (peer): point allocation fail");
311 /* process the request */
312 if (((data->server_scalar = BN_new()) == NULL) ||
313 ((data->k = BN_new()) == NULL) ||
314 ((K = EC_POINT_new(data->grp->group)) == NULL) ||
315 ((point = EC_POINT_new(data->grp->group)) == NULL) ||
316 ((data->server_element = EC_POINT_new(data->grp->group)) == NULL))
318 wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
323 /* element, x then y, followed by scalar */
324 ptr = (u8 *) payload;
325 BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), x);
326 ptr += BN_num_bytes(data->grp->prime);
327 BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), y);
328 ptr += BN_num_bytes(data->grp->prime);
329 BN_bin2bn(ptr, BN_num_bytes(data->grp->order), data->server_scalar);
330 if (!EC_POINT_set_affine_coordinates_GFp(data->grp->group,
331 data->server_element, x, y,
333 wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
338 /* check to ensure server's element is not in a small sub-group */
339 if (BN_cmp(cofactor, BN_value_one())) {
340 if (!EC_POINT_mul(data->grp->group, point, NULL,
341 data->server_element, cofactor, NULL)) {
342 wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
343 "server element by order!\n");
346 if (EC_POINT_is_at_infinity(data->grp->group, point)) {
347 wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
348 "is at infinity!\n");
353 /* compute the shared key, k */
354 if ((!EC_POINT_mul(data->grp->group, K, NULL, data->grp->pwe,
355 data->server_scalar, data->bnctx)) ||
356 (!EC_POINT_add(data->grp->group, K, K, data->server_element,
358 (!EC_POINT_mul(data->grp->group, K, NULL, K, data->private_value,
360 wpa_printf(MSG_INFO, "EAP-PWD (peer): computing shared key "
365 /* ensure that the shared key isn't in a small sub-group */
366 if (BN_cmp(cofactor, BN_value_one())) {
367 if (!EC_POINT_mul(data->grp->group, K, NULL, K, cofactor,
369 wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
370 "shared key point by order");
376 * This check is strictly speaking just for the case above where
377 * co-factor > 1 but it was suggested that even though this is probably
378 * never going to happen it is a simple and safe check "just to be
379 * sure" so let's be safe.
381 if (EC_POINT_is_at_infinity(data->grp->group, K)) {
382 wpa_printf(MSG_INFO, "EAP-PWD (peer): shared key point is at "
387 if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, K, data->k,
388 NULL, data->bnctx)) {
389 wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to extract "
390 "shared secret from point");
394 /* now do the response */
395 if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
396 data->my_element, x, y,
398 wpa_printf(MSG_INFO, "EAP-PWD (peer): point assignment fail");
402 if (((scalar = os_malloc(BN_num_bytes(data->grp->order))) == NULL) ||
403 ((element = os_malloc(BN_num_bytes(data->grp->prime) * 2)) ==
405 wpa_printf(MSG_INFO, "EAP-PWD (peer): data allocation fail");
410 * bignums occupy as little memory as possible so one that is
411 * sufficiently smaller than the prime or order might need pre-pending
414 os_memset(scalar, 0, BN_num_bytes(data->grp->order));
415 os_memset(element, 0, BN_num_bytes(data->grp->prime) * 2);
416 offset = BN_num_bytes(data->grp->order) -
417 BN_num_bytes(data->my_scalar);
418 BN_bn2bin(data->my_scalar, scalar + offset);
420 offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
421 BN_bn2bin(x, element + offset);
422 offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
423 BN_bn2bin(y, element + BN_num_bytes(data->grp->prime) + offset);
425 resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
426 sizeof(struct eap_pwd_hdr) +
427 BN_num_bytes(data->grp->order) +
428 (2 * BN_num_bytes(data->grp->prime)),
429 EAP_CODE_RESPONSE, eap_get_id(reqData));
433 wpabuf_put_u8(resp, EAP_PWD_OPCODE_COMMIT_EXCH);
435 /* we send the element as (x,y) follwed by the scalar */
436 wpabuf_put_data(resp, element, (2 * BN_num_bytes(data->grp->prime)));
437 wpabuf_put_data(resp, scalar, BN_num_bytes(data->grp->order));
446 EC_POINT_free(point);
448 eap_pwd_state(data, FAILURE);
450 eap_pwd_state(data, PWD_Confirm_Req);
456 static struct wpabuf *
457 eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
458 struct eap_method_ret *ret,
459 const struct wpabuf *reqData,
460 const u8 *payload, size_t payload_len)
462 struct wpabuf *resp = NULL;
463 BIGNUM *x = NULL, *y = NULL;
466 u8 conf[SHA256_DIGEST_LENGTH], *cruft = NULL, *ptr;
469 * first build up the ciphersuite which is group | random_function |
473 os_memcpy(ptr, &data->group_num, sizeof(u16));
475 *ptr = EAP_PWD_DEFAULT_RAND_FUNC;
477 *ptr = EAP_PWD_DEFAULT_PRF;
479 /* each component of the cruft will be at most as big as the prime */
480 if (((cruft = os_malloc(BN_num_bytes(data->grp->prime))) == NULL) ||
481 ((x = BN_new()) == NULL) || ((y = BN_new()) == NULL)) {
482 wpa_printf(MSG_INFO, "EAP-PWD (server): debug allocation "
488 * server's commit is H(k | server_element | server_scalar |
489 * peer_element | peer_scalar | ciphersuite)
494 * zero the memory each time because this is mod prime math and some
495 * value may start with a few zeros and the previous one did not.
497 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
498 BN_bn2bin(data->k, cruft);
499 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
501 /* server element: x, y */
502 if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
503 data->server_element, x, y,
505 wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
509 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
511 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
512 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
514 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
517 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
518 BN_bn2bin(data->server_scalar, cruft);
519 H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
521 /* my element: x, y */
522 if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
523 data->my_element, x, y,
525 wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
530 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
532 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
533 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
535 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
538 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
539 BN_bn2bin(data->my_scalar, cruft);
540 H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
542 /* the ciphersuite */
543 H_Update(&ctx, (u8 *) &cs, sizeof(u32));
545 /* random function fin */
548 ptr = (u8 *) payload;
549 if (os_memcmp(conf, ptr, SHA256_DIGEST_LENGTH)) {
550 wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm did not verify");
554 wpa_printf(MSG_DEBUG, "EAP-pwd (peer): confirm verified");
558 * H(k | peer_element | peer_scalar | server_element | server_scalar |
564 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
565 BN_bn2bin(data->k, cruft);
566 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
569 if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
570 data->my_element, x, y,
572 wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm point "
576 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
578 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
579 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
581 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
584 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
585 BN_bn2bin(data->my_scalar, cruft);
586 H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
588 /* server element: x, y */
589 if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
590 data->server_element, x, y,
592 wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm point "
596 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
598 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
599 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
601 H_Update(&ctx, cruft, BN_num_bytes(data->grp->prime));
604 os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
605 BN_bn2bin(data->server_scalar, cruft);
606 H_Update(&ctx, cruft, BN_num_bytes(data->grp->order));
608 /* the ciphersuite */
609 H_Update(&ctx, (u8 *) &cs, sizeof(u32));
614 resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
615 sizeof(struct eap_pwd_hdr) + SHA256_DIGEST_LENGTH,
616 EAP_CODE_RESPONSE, eap_get_id(reqData));
620 wpabuf_put_u8(resp, EAP_PWD_OPCODE_CONFIRM_EXCH);
621 wpabuf_put_data(resp, conf, SHA256_DIGEST_LENGTH);
623 if (compute_keys(data->grp, data->bnctx, data->k, data->server_element,
624 data->my_element, data->server_scalar,
625 data->my_scalar, &cs, data->msk, data->emsk) < 0) {
626 wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to compute MSK | "
635 ret->methodState = METHOD_DONE;
637 ret->decision = DECISION_FAIL;
638 eap_pwd_state(data, FAILURE);
640 ret->decision = DECISION_UNCOND_SUCC;
641 eap_pwd_state(data, SUCCESS);
648 static struct wpabuf *
649 eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
650 const struct wpabuf *reqData)
652 struct eap_pwd_data *data = priv;
653 struct wpabuf *resp = NULL;
658 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PWD, reqData, &len);
659 if ((pos == NULL) || (len < 1)) {
664 wpa_printf(MSG_INFO, "EAP-pwd: Received frame: opcode %d", *pos);
667 ret->methodState = METHOD_MAY_CONT;
668 ret->decision = DECISION_FAIL;
669 ret->allowNotifications = FALSE;
673 case EAP_PWD_OPCODE_ID_EXCH:
674 resp = eap_pwd_perform_id_exchange(sm, data, ret, reqData,
677 case EAP_PWD_OPCODE_COMMIT_EXCH:
678 resp = eap_pwd_perform_commit_exchange(sm, data, ret, reqData,
681 case EAP_PWD_OPCODE_CONFIRM_EXCH:
682 resp = eap_pwd_perform_confirm_exchange(sm, data, ret, reqData,
686 wpa_printf(MSG_INFO, "EAP-pwd: Ignoring message with unknown "
695 static Boolean eap_pwd_key_available(struct eap_sm *sm, void *priv)
697 struct eap_pwd_data *data = priv;
698 return data->state == SUCCESS;
702 static u8 * eap_pwd_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
704 struct eap_pwd_data *data = priv;
707 if (data->state != SUCCESS)
710 if ((key = os_malloc(EAP_EMSK_LEN)) == NULL)
713 os_memcpy(key, data->emsk, EAP_EMSK_LEN);
720 int eap_peer_pwd_register(void)
722 struct eap_method *eap;
725 EVP_add_digest(EVP_sha256());
726 eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
727 EAP_VENDOR_IETF, EAP_TYPE_PWD, "PWD");
731 eap->init = eap_pwd_init;
732 eap->deinit = eap_pwd_deinit;
733 eap->process = eap_pwd_process;
734 eap->isKeyAvailable = eap_pwd_key_available;
735 eap->getKey = eap_pwd_getkey;
736 eap->get_emsk = eap_pwd_get_emsk;
738 ret = eap_peer_method_register(eap);
740 eap_peer_method_free(eap);