contrib/hostapd/src/eap_peer/eap_sake.c

   1 /*
   2  * EAP peer method: EAP-SAKE (RFC 4763)
   3  * Copyright (c) 2006-2008, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include "common.h"
  12 #include "crypto/random.h"
  13 #include "eap_peer/eap_i.h"
  14 #include "eap_common/eap_sake_common.h"
  15
  16 struct eap_sake_data {
  17         enum { IDENTITY, CHALLENGE, CONFIRM, SUCCESS, FAILURE } state;
  18         u8 root_secret_a[EAP_SAKE_ROOT_SECRET_LEN];
  19         u8 root_secret_b[EAP_SAKE_ROOT_SECRET_LEN];
  20         u8 rand_s[EAP_SAKE_RAND_LEN];
  21         u8 rand_p[EAP_SAKE_RAND_LEN];
  22         struct {
  23                 u8 auth[EAP_SAKE_TEK_AUTH_LEN];
  24                 u8 cipher[EAP_SAKE_TEK_CIPHER_LEN];
  25         } tek;
  26         u8 msk[EAP_MSK_LEN];
  27         u8 emsk[EAP_EMSK_LEN];
  28         u8 session_id;
  29         int session_id_set;
  30         u8 *peerid;
  31         size_t peerid_len;
  32         u8 *serverid;
  33         size_t serverid_len;
  34 };
  35
  36
  37 static const char * eap_sake_state_txt(int state)
  38 {
  39         switch (state) {
  40         case IDENTITY:
  41                 return "IDENTITY";
  42         case CHALLENGE:
  43                 return "CHALLENGE";
  44         case CONFIRM:
  45                 return "CONFIRM";
  46         case SUCCESS:
  47                 return "SUCCESS";
  48         case FAILURE:
  49                 return "FAILURE";
  50         default:
  51                 return "?";
  52         }
  53 }
  54
  55
  56 static void eap_sake_state(struct eap_sake_data *data, int state)
  57 {
  58         wpa_printf(MSG_DEBUG, "EAP-SAKE: %s -> %s",
  59                    eap_sake_state_txt(data->state),
  60                    eap_sake_state_txt(state));
  61         data->state = state;
  62 }
  63
  64
  65 static void eap_sake_deinit(struct eap_sm *sm, void *priv);
  66
  67
  68 static void * eap_sake_init(struct eap_sm *sm)
  69 {
  70         struct eap_sake_data *data;
  71         const u8 *identity, *password;
  72         size_t identity_len, password_len;
  73
  74         password = eap_get_config_password(sm, &password_len);
  75         if (!password || password_len != 2 * EAP_SAKE_ROOT_SECRET_LEN) {
  76                 wpa_printf(MSG_INFO, "EAP-SAKE: No key of correct length "
  77                            "configured");
  78                 return NULL;
  79         }
  80
  81         data = os_zalloc(sizeof(*data));
  82         if (data == NULL)
  83                 return NULL;
  84         data->state = IDENTITY;
  85
  86         identity = eap_get_config_identity(sm, &identity_len);
  87         if (identity) {
  88                 data->peerid = os_malloc(identity_len);
  89                 if (data->peerid == NULL) {
  90                         eap_sake_deinit(sm, data);
  91                         return NULL;
  92                 }
  93                 os_memcpy(data->peerid, identity, identity_len);
  94                 data->peerid_len = identity_len;
  95         }
  96
  97         os_memcpy(data->root_secret_a, password, EAP_SAKE_ROOT_SECRET_LEN);
  98         os_memcpy(data->root_secret_b,
  99                   password + EAP_SAKE_ROOT_SECRET_LEN,
 100                   EAP_SAKE_ROOT_SECRET_LEN);
 101
 102         return data;
 103 }
 104
 105
 106 static void eap_sake_deinit(struct eap_sm *sm, void *priv)
 107 {
 108         struct eap_sake_data *data = priv;
 109         os_free(data->serverid);
 110         os_free(data->peerid);
 111         os_free(data);
 112 }
 113
 114
 115 static struct wpabuf * eap_sake_build_msg(struct eap_sake_data *data,
 116                                           int id, size_t length, u8 subtype)
 117 {
 118         struct eap_sake_hdr *sake;
 119         struct wpabuf *msg;
 120         size_t plen;
 121
 122         plen = length + sizeof(struct eap_sake_hdr);
 123
 124         msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_SAKE, plen,
 125                             EAP_CODE_RESPONSE, id);
 126         if (msg == NULL) {
 127                 wpa_printf(MSG_ERROR, "EAP-SAKE: Failed to allocate memory "
 128                            "request");
 129                 return NULL;
 130         }
 131
 132         sake = wpabuf_put(msg, sizeof(*sake));
 133         sake->version = EAP_SAKE_VERSION;
 134         sake->session_id = data->session_id;
 135         sake->subtype = subtype;
 136
 137         return msg;
 138 }
 139
 140
 141 static struct wpabuf * eap_sake_process_identity(struct eap_sm *sm,
 142                                                  struct eap_sake_data *data,
 143                                                  struct eap_method_ret *ret,
 144                                                  const struct wpabuf *reqData,
 145                                                  const u8 *payload,
 146                                                  size_t payload_len)
 147 {
 148         struct eap_sake_parse_attr attr;
 149         struct wpabuf *resp;
 150
 151         if (data->state != IDENTITY) {
 152                 ret->ignore = TRUE;
 153                 return NULL;
 154         }
 155
 156         wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Identity");
 157
 158         if (eap_sake_parse_attributes(payload, payload_len, &attr))
 159                 return NULL;
 160
 161         if (!attr.perm_id_req && !attr.any_id_req) {
 162                 wpa_printf(MSG_INFO, "EAP-SAKE: No AT_PERM_ID_REQ or "
 163                            "AT_ANY_ID_REQ in Request/Identity");
 164                 return NULL;
 165         }
 166
 167         wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Identity");
 168
 169         resp = eap_sake_build_msg(data, eap_get_id(reqData),
 170                                   2 + data->peerid_len,
 171                                   EAP_SAKE_SUBTYPE_IDENTITY);
 172         if (resp == NULL)
 173                 return NULL;
 174
 175         wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_PEERID");
 176         eap_sake_add_attr(resp, EAP_SAKE_AT_PEERID,
 177                           data->peerid, data->peerid_len);
 178
 179         eap_sake_state(data, CHALLENGE);
 180
 181         return resp;
 182 }
 183
 184
 185 static struct wpabuf * eap_sake_process_challenge(struct eap_sm *sm,
 186                                                   struct eap_sake_data *data,
 187                                                   struct eap_method_ret *ret,
 188                                                   const struct wpabuf *reqData,
 189                                                   const u8 *payload,
 190                                                   size_t payload_len)
 191 {
 192         struct eap_sake_parse_attr attr;
 193         struct wpabuf *resp;
 194         u8 *rpos;
 195         size_t rlen;
 196
 197         if (data->state != IDENTITY && data->state != CHALLENGE) {
 198                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Request/Challenge received "
 199                            "in unexpected state (%d)", data->state);
 200                 ret->ignore = TRUE;
 201                 return NULL;
 202         }
 203         if (data->state == IDENTITY)
 204                 eap_sake_state(data, CHALLENGE);
 205
 206         wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Challenge");
 207
 208         if (eap_sake_parse_attributes(payload, payload_len, &attr))
 209                 return NULL;
 210
 211         if (!attr.rand_s) {
 212                 wpa_printf(MSG_INFO, "EAP-SAKE: Request/Challenge did not "
 213                            "include AT_RAND_S");
 214                 return NULL;
 215         }
 216
 217         os_memcpy(data->rand_s, attr.rand_s, EAP_SAKE_RAND_LEN);
 218         wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_S (server rand)",
 219                     data->rand_s, EAP_SAKE_RAND_LEN);
 220
 221         if (random_get_bytes(data->rand_p, EAP_SAKE_RAND_LEN)) {
 222                 wpa_printf(MSG_ERROR, "EAP-SAKE: Failed to get random data");
 223                 return NULL;
 224         }
 225         wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_P (peer rand)",
 226                     data->rand_p, EAP_SAKE_RAND_LEN);
 227
 228         os_free(data->serverid);
 229         data->serverid = NULL;
 230         data->serverid_len = 0;
 231         if (attr.serverid) {
 232                 wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-SAKE: SERVERID",
 233                                   attr.serverid, attr.serverid_len);
 234                 data->serverid = os_malloc(attr.serverid_len);
 235                 if (data->serverid == NULL)
 236                         return NULL;
 237                 os_memcpy(data->serverid, attr.serverid, attr.serverid_len);
 238                 data->serverid_len = attr.serverid_len;
 239         }
 240
 241         eap_sake_derive_keys(data->root_secret_a, data->root_secret_b,
 242                              data->rand_s, data->rand_p,
 243                              (u8 *) &data->tek, data->msk, data->emsk);
 244
 245         wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Challenge");
 246
 247         rlen = 2 + EAP_SAKE_RAND_LEN + 2 + EAP_SAKE_MIC_LEN;
 248         if (data->peerid)
 249                 rlen += 2 + data->peerid_len;
 250         resp = eap_sake_build_msg(data, eap_get_id(reqData), rlen,
 251                                   EAP_SAKE_SUBTYPE_CHALLENGE);
 252         if (resp == NULL)
 253                 return NULL;
 254
 255         wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_RAND_P");
 256         eap_sake_add_attr(resp, EAP_SAKE_AT_RAND_P,
 257                           data->rand_p, EAP_SAKE_RAND_LEN);
 258
 259         if (data->peerid) {
 260                 wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_PEERID");
 261                 eap_sake_add_attr(resp, EAP_SAKE_AT_PEERID,
 262                                   data->peerid, data->peerid_len);
 263         }
 264
 265         wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_MIC_P");
 266         wpabuf_put_u8(resp, EAP_SAKE_AT_MIC_P);
 267         wpabuf_put_u8(resp, 2 + EAP_SAKE_MIC_LEN);
 268         rpos = wpabuf_put(resp, EAP_SAKE_MIC_LEN);
 269         if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
 270                                  data->serverid, data->serverid_len,
 271                                  data->peerid, data->peerid_len, 1,
 272                                  wpabuf_head(resp), wpabuf_len(resp), rpos,
 273                                  rpos)) {
 274                 wpa_printf(MSG_INFO, "EAP-SAKE: Failed to compute MIC");
 275                 wpabuf_free(resp);
 276                 return NULL;
 277         }
 278
 279         eap_sake_state(data, CONFIRM);
 280
 281         return resp;
 282 }
 283
 284
 285 static struct wpabuf * eap_sake_process_confirm(struct eap_sm *sm,
 286                                                 struct eap_sake_data *data,
 287                                                 struct eap_method_ret *ret,
 288                                                 const struct wpabuf *reqData,
 289                                                 const u8 *payload,
 290                                                 size_t payload_len)
 291 {
 292         struct eap_sake_parse_attr attr;
 293         u8 mic_s[EAP_SAKE_MIC_LEN];
 294         struct wpabuf *resp;
 295         u8 *rpos;
 296
 297         if (data->state != CONFIRM) {
 298                 ret->ignore = TRUE;
 299                 return NULL;
 300         }
 301
 302         wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Confirm");
 303
 304         if (eap_sake_parse_attributes(payload, payload_len, &attr))
 305                 return NULL;
 306
 307         if (!attr.mic_s) {
 308                 wpa_printf(MSG_INFO, "EAP-SAKE: Request/Confirm did not "
 309                            "include AT_MIC_S");
 310                 return NULL;
 311         }
 312
 313         eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
 314                              data->serverid, data->serverid_len,
 315                              data->peerid, data->peerid_len, 0,
 316                              wpabuf_head(reqData), wpabuf_len(reqData),
 317                              attr.mic_s, mic_s);
 318         if (os_memcmp(attr.mic_s, mic_s, EAP_SAKE_MIC_LEN) != 0) {
 319                 wpa_printf(MSG_INFO, "EAP-SAKE: Incorrect AT_MIC_S");
 320                 eap_sake_state(data, FAILURE);
 321                 ret->methodState = METHOD_DONE;
 322                 ret->decision = DECISION_FAIL;
 323                 ret->allowNotifications = FALSE;
 324                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending "
 325                            "Response/Auth-Reject");
 326                 return eap_sake_build_msg(data, eap_get_id(reqData), 0,
 327                                           EAP_SAKE_SUBTYPE_AUTH_REJECT);
 328         }
 329
 330         wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Confirm");
 331
 332         resp = eap_sake_build_msg(data, eap_get_id(reqData),
 333                                   2 + EAP_SAKE_MIC_LEN,
 334                                   EAP_SAKE_SUBTYPE_CONFIRM);
 335         if (resp == NULL)
 336                 return NULL;
 337
 338         wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_MIC_P");
 339         wpabuf_put_u8(resp, EAP_SAKE_AT_MIC_P);
 340         wpabuf_put_u8(resp, 2 + EAP_SAKE_MIC_LEN);
 341         rpos = wpabuf_put(resp, EAP_SAKE_MIC_LEN);
 342         if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
 343                                  data->serverid, data->serverid_len,
 344                                  data->peerid, data->peerid_len, 1,
 345                                  wpabuf_head(resp), wpabuf_len(resp), rpos,
 346                                  rpos)) {
 347                 wpa_printf(MSG_INFO, "EAP-SAKE: Failed to compute MIC");
 348                 wpabuf_free(resp);
 349                 return NULL;
 350         }
 351
 352         eap_sake_state(data, SUCCESS);
 353         ret->methodState = METHOD_DONE;
 354         ret->decision = DECISION_UNCOND_SUCC;
 355         ret->allowNotifications = FALSE;
 356
 357         return resp;
 358 }
 359
 360
 361 static struct wpabuf * eap_sake_process(struct eap_sm *sm, void *priv,
 362                                         struct eap_method_ret *ret,
 363                                         const struct wpabuf *reqData)
 364 {
 365         struct eap_sake_data *data = priv;
 366         const struct eap_sake_hdr *req;
 367         struct wpabuf *resp;
 368         const u8 *pos, *end;
 369         size_t len;
 370         u8 subtype, session_id;
 371
 372         pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_SAKE, reqData, &len);
 373         if (pos == NULL || len < sizeof(struct eap_sake_hdr)) {
 374                 ret->ignore = TRUE;
 375                 return NULL;
 376         }
 377
 378         req = (const struct eap_sake_hdr *) pos;
 379         end = pos + len;
 380         subtype = req->subtype;
 381         session_id = req->session_id;
 382         pos = (const u8 *) (req + 1);
 383
 384         wpa_printf(MSG_DEBUG, "EAP-SAKE: Received frame: subtype %d "
 385                    "session_id %d", subtype, session_id);
 386         wpa_hexdump(MSG_DEBUG, "EAP-SAKE: Received attributes",
 387                     pos, end - pos);
 388
 389         if (data->session_id_set && data->session_id != session_id) {
 390                 wpa_printf(MSG_INFO, "EAP-SAKE: Session ID mismatch (%d,%d)",
 391                            session_id, data->session_id);
 392                 ret->ignore = TRUE;
 393                 return NULL;
 394         }
 395         data->session_id = session_id;
 396         data->session_id_set = 1;
 397
 398         ret->ignore = FALSE;
 399         ret->methodState = METHOD_MAY_CONT;
 400         ret->decision = DECISION_FAIL;
 401         ret->allowNotifications = TRUE;
 402
 403         switch (subtype) {
 404         case EAP_SAKE_SUBTYPE_IDENTITY:
 405                 resp = eap_sake_process_identity(sm, data, ret, reqData,
 406                                                  pos, end - pos);
 407                 break;
 408         case EAP_SAKE_SUBTYPE_CHALLENGE:
 409                 resp = eap_sake_process_challenge(sm, data, ret, reqData,
 410                                                   pos, end - pos);
 411                 break;
 412         case EAP_SAKE_SUBTYPE_CONFIRM:
 413                 resp = eap_sake_process_confirm(sm, data, ret, reqData,
 414                                                 pos, end - pos);
 415                 break;
 416         default:
 417                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring message with "
 418                            "unknown subtype %d", subtype);
 419                 ret->ignore = TRUE;
 420                 return NULL;
 421         }
 422
 423         if (ret->methodState == METHOD_DONE)
 424                 ret->allowNotifications = FALSE;
 425
 426         return resp;
 427 }
 428
 429
 430 static Boolean eap_sake_isKeyAvailable(struct eap_sm *sm, void *priv)
 431 {
 432         struct eap_sake_data *data = priv;
 433         return data->state == SUCCESS;
 434 }
 435
 436
 437 static u8 * eap_sake_getKey(struct eap_sm *sm, void *priv, size_t *len)
 438 {
 439         struct eap_sake_data *data = priv;
 440         u8 *key;
 441
 442         if (data->state != SUCCESS)
 443                 return NULL;
 444
 445         key = os_malloc(EAP_MSK_LEN);
 446         if (key == NULL)
 447                 return NULL;
 448         os_memcpy(key, data->msk, EAP_MSK_LEN);
 449         *len = EAP_MSK_LEN;
 450
 451         return key;
 452 }
 453
 454
 455 static u8 * eap_sake_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
 456 {
 457         struct eap_sake_data *data = priv;
 458         u8 *id;
 459
 460         if (data->state != SUCCESS)
 461                 return NULL;
 462
 463         *len = 1 + 2 * EAP_SAKE_RAND_LEN;
 464         id = os_malloc(*len);
 465         if (id == NULL)
 466                 return NULL;
 467
 468         id[0] = EAP_TYPE_SAKE;
 469         os_memcpy(id + 1, data->rand_s, EAP_SAKE_RAND_LEN);
 470         os_memcpy(id + 1 + EAP_SAKE_RAND_LEN, data->rand_s, EAP_SAKE_RAND_LEN);
 471         wpa_hexdump(MSG_DEBUG, "EAP-SAKE: Derived Session-Id", id, *len);
 472
 473         return id;
 474 }
 475
 476
 477 static u8 * eap_sake_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
 478 {
 479         struct eap_sake_data *data = priv;
 480         u8 *key;
 481
 482         if (data->state != SUCCESS)
 483                 return NULL;
 484
 485         key = os_malloc(EAP_EMSK_LEN);
 486         if (key == NULL)
 487                 return NULL;
 488         os_memcpy(key, data->emsk, EAP_EMSK_LEN);
 489         *len = EAP_EMSK_LEN;
 490
 491         return key;
 492 }
 493
 494
 495 int eap_peer_sake_register(void)
 496 {
 497         struct eap_method *eap;
 498         int ret;
 499
 500         eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
 501                                     EAP_VENDOR_IETF, EAP_TYPE_SAKE, "SAKE");
 502         if (eap == NULL)
 503                 return -1;
 504
 505         eap->init = eap_sake_init;
 506         eap->deinit = eap_sake_deinit;
 507         eap->process = eap_sake_process;
 508         eap->isKeyAvailable = eap_sake_isKeyAvailable;
 509         eap->getKey = eap_sake_getKey;
 510         eap->getSessionId = eap_sake_get_session_id;
 511         eap->get_emsk = eap_sake_get_emsk;
 512
 513         ret = eap_peer_method_register(eap);
 514         if (ret)
 515                 eap_peer_method_free(eap);
 516         return ret;
 517 }