[thirdparty/hostap.git] / src / eap_peer / eap_psk.c

/*
 * EAP peer method: EAP-PSK (RFC 4764)
 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * Alternatively, this software may be distributed under the terms of BSD
 * license.
 *
 * See README and COPYING for more details.
 *
 * Note: EAP-PSK is an EAP authentication method and as such, completely
 * different from WPA-PSK. This file is not needed for WPA-PSK functionality.
 */

#include "includes.h"

#include "common.h"
#include "crypto/aes_wrap.h"
#include "crypto/random.h"
#include "eap_common/eap_psk_common.h"
#include "eap_i.h"


struct eap_psk_data {
	enum { PSK_INIT, PSK_MAC_SENT, PSK_DONE } state;
	u8 rand_p[EAP_PSK_RAND_LEN];
	u8 ak[EAP_PSK_AK_LEN], kdk[EAP_PSK_KDK_LEN], tek[EAP_PSK_TEK_LEN];
	u8 *id_s, *id_p;
	size_t id_s_len, id_p_len;
	u8 msk[EAP_MSK_LEN];
	u8 emsk[EAP_EMSK_LEN];
};


static void * eap_psk_init(struct eap_sm *sm)
{
	struct eap_psk_data *data;
	const u8 *identity, *password;
	size_t identity_len, password_len;

	password = eap_get_config_password(sm, &password_len);
	if (!password || password_len != 16) {
		wpa_printf(MSG_INFO, "EAP-PSK: 16-octet pre-shared key not "
			   "configured");
		return NULL;
	}

	data = os_zalloc(sizeof(*data));
	if (data == NULL)
		return NULL;
	if (eap_psk_key_setup(password, data->ak, data->kdk)) {
		os_free(data);
		return NULL;
	}
	wpa_hexdump_key(MSG_DEBUG, "EAP-PSK: AK", data->ak, EAP_PSK_AK_LEN);
	wpa_hexdump_key(MSG_DEBUG, "EAP-PSK: KDK", data->kdk, EAP_PSK_KDK_LEN);
	data->state = PSK_INIT;

	identity = eap_get_config_identity(sm, &identity_len);
	if (identity) {
		data->id_p = os_malloc(identity_len);
		if (data->id_p)
			os_memcpy(data->id_p, identity, identity_len);
		data->id_p_len = identity_len;
	}
	if (data->id_p == NULL) {
		wpa_printf(MSG_INFO, "EAP-PSK: could not get own identity");
		os_free(data);
		return NULL;
	}

	return data;
}


static void eap_psk_deinit(struct eap_sm *sm, void *priv)
{
	struct eap_psk_data *data = priv;
	os_free(data->id_s);
	os_free(data->id_p);
	os_free(data);
}


static struct wpabuf * eap_psk_process_1(struct eap_psk_data *data,
					 struct eap_method_ret *ret,
					 const struct wpabuf *reqData)
{
	const struct eap_psk_hdr_1 *hdr1;
	struct eap_psk_hdr_2 *hdr2;
	struct wpabuf *resp;
	u8 *buf, *pos;
	size_t buflen, len;
	const u8 *cpos;

	wpa_printf(MSG_DEBUG, "EAP-PSK: in INIT state");

	cpos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PSK, reqData, &len);
	hdr1 = (const struct eap_psk_hdr_1 *) cpos;
	if (cpos == NULL || len < sizeof(*hdr1)) {
		wpa_printf(MSG_INFO, "EAP-PSK: Invalid first message "
			   "length (%lu; expected %lu or more)",
			   (unsigned long) len,
			   (unsigned long) sizeof(*hdr1));
		ret->ignore = TRUE;
		return NULL;
	}
	wpa_printf(MSG_DEBUG, "EAP-PSK: Flags=0x%x", hdr1->flags);
	if (EAP_PSK_FLAGS_GET_T(hdr1->flags) != 0) {
		wpa_printf(MSG_INFO, "EAP-PSK: Unexpected T=%d (expected 0)",
			   EAP_PSK_FLAGS_GET_T(hdr1->flags));
		ret->methodState = METHOD_DONE;
		ret->decision = DECISION_FAIL;
		return NULL;
	}
	wpa_hexdump(MSG_DEBUG, "EAP-PSK: RAND_S", hdr1->rand_s,
		    EAP_PSK_RAND_LEN);
	os_free(data->id_s);
	data->id_s_len = len - sizeof(*hdr1);
	data->id_s = os_malloc(data->id_s_len);
	if (data->id_s == NULL) {
		wpa_printf(MSG_ERROR, "EAP-PSK: Failed to allocate memory for "
			   "ID_S (len=%lu)", (unsigned long) data->id_s_len);
		ret->ignore = TRUE;
		return NULL;
	}
	os_memcpy(data->id_s, (u8 *) (hdr1 + 1), data->id_s_len);
	wpa_hexdump_ascii(MSG_DEBUG, "EAP-PSK: ID_S",
			  data->id_s, data->id_s_len);

	if (random_get_bytes(data->rand_p, EAP_PSK_RAND_LEN)) {
		wpa_printf(MSG_ERROR, "EAP-PSK: Failed to get random data");
		ret->ignore = TRUE;
		return NULL;
	}

	resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PSK,
			     sizeof(*hdr2) + data->id_p_len, EAP_CODE_RESPONSE,
			     eap_get_id(reqData));
	if (resp == NULL)
		return NULL;
	hdr2 = wpabuf_put(resp, sizeof(*hdr2));
	hdr2->flags = EAP_PSK_FLAGS_SET_T(1); /* T=1 */
	os_memcpy(hdr2->rand_s, hdr1->rand_s, EAP_PSK_RAND_LEN);
	os_memcpy(hdr2->rand_p, data->rand_p, EAP_PSK_RAND_LEN);
	wpabuf_put_data(resp, data->id_p, data->id_p_len);
	/* MAC_P = OMAC1-AES-128(AK, ID_P||ID_S||RAND_S||RAND_P) */
	buflen = data->id_p_len + data->id_s_len + 2 * EAP_PSK_RAND_LEN;
	buf = os_malloc(buflen);
	if (buf == NULL) {
		wpabuf_free(resp);
		return NULL;
	}
	os_memcpy(buf, data->id_p, data->id_p_len);
	pos = buf + data->id_p_len;
	os_memcpy(pos, data->id_s, data->id_s_len);
	pos += data->id_s_len;
	os_memcpy(pos, hdr1->rand_s, EAP_PSK_RAND_LEN);
	pos += EAP_PSK_RAND_LEN;
	os_memcpy(pos, data->rand_p, EAP_PSK_RAND_LEN);
	if (omac1_aes_128(data->ak, buf, buflen, hdr2->mac_p)) {
		os_free(buf);
		wpabuf_free(resp);
		return NULL;
	}
	os_free(buf);
	wpa_hexdump(MSG_DEBUG, "EAP-PSK: RAND_P", hdr2->rand_p,
		    EAP_PSK_RAND_LEN);
	wpa_hexdump(MSG_DEBUG, "EAP-PSK: MAC_P", hdr2->mac_p, EAP_PSK_MAC_LEN);
	wpa_hexdump_ascii(MSG_DEBUG, "EAP-PSK: ID_P",
			  data->id_p, data->id_p_len);

	data->state = PSK_MAC_SENT;

	return resp;
}


static struct wpabuf * eap_psk_process_3(struct eap_psk_data *data,
					 struct eap_method_ret *ret,
					 const struct wpabuf *reqData)
{
	const struct eap_psk_hdr_3 *hdr3;
	struct eap_psk_hdr_4 *hdr4;
	struct wpabuf *resp;
	u8 *buf, *rpchannel, nonce[16], *decrypted;
	const u8 *pchannel, *tag, *msg;
	u8 mac[EAP_PSK_MAC_LEN];
	size_t buflen, left, data_len, len, plen;
	int failed = 0;
	const u8 *pos;

	wpa_printf(MSG_DEBUG, "EAP-PSK: in MAC_SENT state");

	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PSK,
			       reqData, &len);
	hdr3 = (const struct eap_psk_hdr_3 *) pos;
	if (pos == NULL || len < sizeof(*hdr3)) {
		wpa_printf(MSG_INFO, "EAP-PSK: Invalid third message "
			   "length (%lu; expected %lu or more)",
			   (unsigned long) len,
			   (unsigned long) sizeof(*hdr3));
		ret->ignore = TRUE;
		return NULL;
	}
	left = len - sizeof(*hdr3);
	pchannel = (const u8 *) (hdr3 + 1);
	wpa_printf(MSG_DEBUG, "EAP-PSK: Flags=0x%x", hdr3->flags);
	if (EAP_PSK_FLAGS_GET_T(hdr3->flags) != 2) {
		wpa_printf(MSG_INFO, "EAP-PSK: Unexpected T=%d (expected 2)",
			   EAP_PSK_FLAGS_GET_T(hdr3->flags));
		ret->methodState = METHOD_DONE;
		ret->decision = DECISION_FAIL;
		return NULL;
	}
	wpa_hexdump(MSG_DEBUG, "EAP-PSK: RAND_S", hdr3->rand_s,
		    EAP_PSK_RAND_LEN);
	wpa_hexdump(MSG_DEBUG, "EAP-PSK: MAC_S", hdr3->mac_s, EAP_PSK_MAC_LEN);
	wpa_hexdump(MSG_DEBUG, "EAP-PSK: PCHANNEL", pchannel, left);

	if (left < 4 + 16 + 1) {
		wpa_printf(MSG_INFO, "EAP-PSK: Too short PCHANNEL data in "
			   "third message (len=%lu, expected 21)",
			   (unsigned long) left);
		ret->ignore = TRUE;
		return NULL;
	}

	/* MAC_S = OMAC1-AES-128(AK, ID_S||RAND_P) */
	buflen = data->id_s_len + EAP_PSK_RAND_LEN;
	buf = os_malloc(buflen);
	if (buf == NULL)
		return NULL;
	os_memcpy(buf, data->id_s, data->id_s_len);
	os_memcpy(buf + data->id_s_len, data->rand_p, EAP_PSK_RAND_LEN);
	if (omac1_aes_128(data->ak, buf, buflen, mac)) {
		os_free(buf);
		return NULL;
	}
	os_free(buf);
	if (os_memcmp(mac, hdr3->mac_s, EAP_PSK_MAC_LEN) != 0) {
		wpa_printf(MSG_WARNING, "EAP-PSK: Invalid MAC_S in third "
			   "message");
		ret->methodState = METHOD_DONE;
		ret->decision = DECISION_FAIL;
		return NULL;
	}
	wpa_printf(MSG_DEBUG, "EAP-PSK: MAC_S verified successfully");

	if (eap_psk_derive_keys(data->kdk, data->rand_p, data->tek,
				data->msk, data->emsk)) {
		ret->methodState = METHOD_DONE;
		ret->decision = DECISION_FAIL;
		return NULL;
	}
	wpa_hexdump_key(MSG_DEBUG, "EAP-PSK: TEK", data->tek, EAP_PSK_TEK_LEN);
	wpa_hexdump_key(MSG_DEBUG, "EAP-PSK: MSK", data->msk, EAP_MSK_LEN);
	wpa_hexdump_key(MSG_DEBUG, "EAP-PSK: EMSK", data->emsk, EAP_EMSK_LEN);

	os_memset(nonce, 0, 12);
	os_memcpy(nonce + 12, pchannel, 4);
	pchannel += 4;
	left -= 4;

	tag = pchannel;
	pchannel += 16;
	left -= 16;

	msg = pchannel;

	wpa_hexdump(MSG_MSGDUMP, "EAP-PSK: PCHANNEL - nonce",
		    nonce, sizeof(nonce));
	wpa_hexdump(MSG_MSGDUMP, "EAP-PSK: PCHANNEL - hdr",
		    wpabuf_head(reqData), 5);
	wpa_hexdump(MSG_MSGDUMP, "EAP-PSK: PCHANNEL - cipher msg", msg, left);

	decrypted = os_malloc(left);
	if (decrypted == NULL) {
		ret->methodState = METHOD_DONE;
		ret->decision = DECISION_FAIL;
		return NULL;
	}
	os_memcpy(decrypted, msg, left);

	if (aes_128_eax_decrypt(data->tek, nonce, sizeof(nonce),
				wpabuf_head(reqData),
				sizeof(struct eap_hdr) + 1 +
				sizeof(*hdr3) - EAP_PSK_MAC_LEN, decrypted,
				left, tag)) {
		wpa_printf(MSG_WARNING, "EAP-PSK: PCHANNEL decryption failed");
		os_free(decrypted);
		return NULL;
	}
	wpa_hexdump(MSG_DEBUG, "EAP-PSK: Decrypted PCHANNEL message",
		    decrypted, left);

	/* Verify R flag */
	switch (decrypted[0] >> 6) {
	case EAP_PSK_R_FLAG_CONT:
		wpa_printf(MSG_DEBUG, "EAP-PSK: R flag - CONT - unsupported");
		failed = 1;
		break;
	case EAP_PSK_R_FLAG_DONE_SUCCESS:
		wpa_printf(MSG_DEBUG, "EAP-PSK: R flag - DONE_SUCCESS");
		break;
	case EAP_PSK_R_FLAG_DONE_FAILURE:
		wpa_printf(MSG_DEBUG, "EAP-PSK: R flag - DONE_FAILURE");
		wpa_printf(MSG_INFO, "EAP-PSK: Authentication server rejected "
			   "authentication");
		failed = 1;
		break;
	}

	data_len = 1;
	if ((decrypted[0] & EAP_PSK_E_FLAG) && left > 1)
		data_len++;
	plen = sizeof(*hdr4) + 4 + 16 + data_len;
	resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PSK, plen,
			     EAP_CODE_RESPONSE, eap_get_id(reqData));
	if (resp == NULL) {
		os_free(decrypted);
		return NULL;
	}
	hdr4 = wpabuf_put(resp, sizeof(*hdr4));
	hdr4->flags = EAP_PSK_FLAGS_SET_T(3); /* T=3 */
	os_memcpy(hdr4->rand_s, hdr3->rand_s, EAP_PSK_RAND_LEN);
	rpchannel = wpabuf_put(resp, 4 + 16 + data_len);

	/* nonce++ */
	inc_byte_array(nonce, sizeof(nonce));
	os_memcpy(rpchannel, nonce + 12, 4);

	if (decrypted[0] & EAP_PSK_E_FLAG) {
		wpa_printf(MSG_DEBUG, "EAP-PSK: Unsupported E (Ext) flag");
		failed = 1;
		rpchannel[4 + 16] = (EAP_PSK_R_FLAG_DONE_FAILURE << 6) |
			EAP_PSK_E_FLAG;
		if (left > 1) {
			/* Add empty EXT_Payload with same EXT_Type */
			rpchannel[4 + 16 + 1] = decrypted[1];
		}
	} else if (failed)
		rpchannel[4 + 16] = EAP_PSK_R_FLAG_DONE_FAILURE << 6;
	else
		rpchannel[4 + 16] = EAP_PSK_R_FLAG_DONE_SUCCESS << 6;

	wpa_hexdump(MSG_DEBUG, "EAP-PSK: reply message (plaintext)",
		    rpchannel + 4 + 16, data_len);
	if (aes_128_eax_encrypt(data->tek, nonce, sizeof(nonce),
				wpabuf_head(resp),
				sizeof(struct eap_hdr) + 1 + sizeof(*hdr4),
				rpchannel + 4 + 16, data_len, rpchannel + 4)) {
		os_free(decrypted);
		wpabuf_free(resp);
		return NULL;
	}
	wpa_hexdump(MSG_DEBUG, "EAP-PSK: reply message (PCHANNEL)",
		    rpchannel, 4 + 16 + data_len);

	wpa_printf(MSG_DEBUG, "EAP-PSK: Completed %ssuccessfully",
		   failed ? "un" : "");
	data->state = PSK_DONE;
	ret->methodState = METHOD_DONE;
	ret->decision = failed ? DECISION_FAIL : DECISION_UNCOND_SUCC;

	os_free(decrypted);

	return resp;
}


static struct wpabuf * eap_psk_process(struct eap_sm *sm, void *priv,
				       struct eap_method_ret *ret,
				       const struct wpabuf *reqData)
{
	struct eap_psk_data *data = priv;
	const u8 *pos;
	struct wpabuf *resp = NULL;
	size_t len;

	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PSK, reqData, &len);
	if (pos == NULL) {
		ret->ignore = TRUE;
		return NULL;
	}

	ret->ignore = FALSE;
	ret->methodState = METHOD_MAY_CONT;
	ret->decision = DECISION_FAIL;
	ret->allowNotifications = TRUE;

	switch (data->state) {
	case PSK_INIT:
		resp = eap_psk_process_1(data, ret, reqData);
		break;
	case PSK_MAC_SENT:
		resp = eap_psk_process_3(data, ret, reqData);
		break;
	case PSK_DONE:
		wpa_printf(MSG_DEBUG, "EAP-PSK: in DONE state - ignore "
			   "unexpected message");
		ret->ignore = TRUE;
		return NULL;
	}

	if (ret->methodState == METHOD_DONE) {
		ret->allowNotifications = FALSE;
	}

	return resp;
}


static Boolean eap_psk_isKeyAvailable(struct eap_sm *sm, void *priv)
{
	struct eap_psk_data *data = priv;
	return data->state == PSK_DONE;
}


static u8 * eap_psk_getKey(struct eap_sm *sm, void *priv, size_t *len)
{
	struct eap_psk_data *data = priv;
	u8 *key;

	if (data->state != PSK_DONE)
		return NULL;

	key = os_malloc(EAP_MSK_LEN);
	if (key == NULL)
		return NULL;

	*len = EAP_MSK_LEN;
	os_memcpy(key, data->msk, EAP_MSK_LEN);

	return key;
}


static u8 * eap_psk_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
{
	struct eap_psk_data *data = priv;
	u8 *key;

	if (data->state != PSK_DONE)
		return NULL;

	key = os_malloc(EAP_EMSK_LEN);
	if (key == NULL)
		return NULL;

	*len = EAP_EMSK_LEN;
	os_memcpy(key, data->emsk, EAP_EMSK_LEN);

	return key;
}


int eap_peer_psk_register(void)
{
	struct eap_method *eap;
	int ret;

	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
				    EAP_VENDOR_IETF, EAP_TYPE_PSK, "PSK");
	if (eap == NULL)
		return -1;

	eap->init = eap_psk_init;
	eap->deinit = eap_psk_deinit;
	eap->process = eap_psk_process;
	eap->isKeyAvailable = eap_psk_isKeyAvailable;
	eap->getKey = eap_psk_getKey;
	eap->get_emsk = eap_psk_get_emsk;

	ret = eap_peer_method_register(eap);
	if (ret)
		eap_peer_method_free(eap);
	return ret;
}
Commit	Line	Data
6fc6879b JM	1	/*
	2	* EAP peer method: EAP-PSK (RFC 4764)
	3	* Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License version 2 as
	7	* published by the Free Software Foundation.
	8	*
	9	* Alternatively, this software may be distributed under the terms of BSD
	10	* license.
	11	*
	12	* See README and COPYING for more details.
	13	*
	14	* Note: EAP-PSK is an EAP authentication method and as such, completely
	15	* different from WPA-PSK. This file is not needed for WPA-PSK functionality.
	16	*/
	17
	18	#include "includes.h"
	19
	20	#include "common.h"
03da66bd	21	#include "crypto/aes_wrap.h"
3642c431	22	#include "crypto/random.h"
6fc6879b	23	#include "eap_common/eap_psk_common.h"
03da66bd	24	#include "eap_i.h"
6fc6879b JM	25
	26
	27	struct eap_psk_data {
	28	enum { PSK_INIT, PSK_MAC_SENT, PSK_DONE } state;
	29	u8 rand_p[EAP_PSK_RAND_LEN];
	30	u8 ak[EAP_PSK_AK_LEN], kdk[EAP_PSK_KDK_LEN], tek[EAP_PSK_TEK_LEN];
	31	u8 id_s, id_p;
	32	size_t id_s_len, id_p_len;
	33	u8 msk[EAP_MSK_LEN];
	34	u8 emsk[EAP_EMSK_LEN];
	35	};
	36
	37
	38	static void * eap_psk_init(struct eap_sm *sm)
	39	{
	40	struct eap_psk_data *data;
	41	const u8 identity, password;
	42	size_t identity_len, password_len;
	43
	44	password = eap_get_config_password(sm, &password_len);
	45	if (!password \|\| password_len != 16) {
	46	wpa_printf(MSG_INFO, "EAP-PSK: 16-octet pre-shared key not "
	47	"configured");
	48	return NULL;
	49	}
	50
	51	data = os_zalloc(sizeof(*data));
	52	if (data == NULL)
	53	return NULL;
	54	if (eap_psk_key_setup(password, data->ak, data->kdk)) {
	55	os_free(data);
	56	return NULL;
	57	}
	58	wpa_hexdump_key(MSG_DEBUG, "EAP-PSK: AK", data->ak, EAP_PSK_AK_LEN);
	59	wpa_hexdump_key(MSG_DEBUG, "EAP-PSK: KDK", data->kdk, EAP_PSK_KDK_LEN);
	60	data->state = PSK_INIT;
	61
	62	identity = eap_get_config_identity(sm, &identity_len);
	63	if (identity) {
	64	data->id_p = os_malloc(identity_len);
	65	if (data->id_p)
	66	os_memcpy(data->id_p, identity, identity_len);
	67	data->id_p_len = identity_len;
	68	}
	69	if (data->id_p == NULL) {
	70	wpa_printf(MSG_INFO, "EAP-PSK: could not get own identity");
	71	os_free(data);
	72	return NULL;
	73	}
	74
	75	return data;
	76	}
	77
	78
	79	static void eap_psk_deinit(struct eap_sm sm, void priv)
	80	{
	81	struct eap_psk_data *data = priv;
	82	os_free(data->id_s);
	83	os_free(data->id_p);
	84	os_free(data);
	85	}
	86
	87
	88	static struct wpabuf * eap_psk_process_1(struct eap_psk_data *data,
89	struct eap_method_ret *ret,
90	const struct wpabuf *reqData)
91	{
92	const struct eap_psk_hdr_1 *hdr1;
93	struct eap_psk_hdr_2 *hdr2;
94	struct wpabuf *resp;
95	u8 buf, pos;
96	size_t buflen, len;
97	const u8 *cpos;
98
99	wpa_printf(MSG_DEBUG, "EAP-PSK: in INIT state");
100
101	cpos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PSK, reqData, &len);
102	hdr1 = (const struct eap_psk_hdr_1 *) cpos;
103	if (cpos == NULL \|\| len < sizeof(*hdr1)) {
104	wpa_printf(MSG_INFO, "EAP-PSK: Invalid first message "
105	"length (%lu; expected %lu or more)",
106	(unsigned long) len,
107	(unsigned long) sizeof(*hdr1));
108	ret->ignore = TRUE;
109	return NULL;
110	}
111	wpa_printf(MSG_DEBUG, "EAP-PSK: Flags=0x%x", hdr1->flags);
112	if (EAP_PSK_FLAGS_GET_T(hdr1->flags) != 0) {
113	wpa_printf(MSG_INFO, "EAP-PSK: Unexpected T=%d (expected 0)",
114	EAP_PSK_FLAGS_GET_T(hdr1->flags));
115	ret->methodState = METHOD_DONE;
116	ret->decision = DECISION_FAIL;
117	return NULL;
118	}
119	wpa_hexdump(MSG_DEBUG, "EAP-PSK: RAND_S", hdr1->rand_s,
120	EAP_PSK_RAND_LEN);
121	os_free(data->id_s);
122	data->id_s_len = len - sizeof(*hdr1);
123	data->id_s = os_malloc(data->id_s_len);
124	if (data->id_s == NULL) {
125	wpa_printf(MSG_ERROR, "EAP-PSK: Failed to allocate memory for "
126	"ID_S (len=%lu)", (unsigned long) data->id_s_len);
127	ret->ignore = TRUE;
128	return NULL;
129	}
130	os_memcpy(data->id_s, (u8 *) (hdr1 + 1), data->id_s_len);
131	wpa_hexdump_ascii(MSG_DEBUG, "EAP-PSK: ID_S",
132	data->id_s, data->id_s_len);
133
3642c431	134	if (random_get_bytes(data->rand_p, EAP_PSK_RAND_LEN)) {
6fc6879b JM	135	wpa_printf(MSG_ERROR, "EAP-PSK: Failed to get random data");
	136	ret->ignore = TRUE;
	137	return NULL;
	138	}
	139
	140	resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PSK,
	141	sizeof(*hdr2) + data->id_p_len, EAP_CODE_RESPONSE,
	142	eap_get_id(reqData));
	143	if (resp == NULL)
	144	return NULL;
	145	hdr2 = wpabuf_put(resp, sizeof(*hdr2));
	146	hdr2->flags = EAP_PSK_FLAGS_SET_T(1); /* T=1 */
	147	os_memcpy(hdr2->rand_s, hdr1->rand_s, EAP_PSK_RAND_LEN);
	148	os_memcpy(hdr2->rand_p, data->rand_p, EAP_PSK_RAND_LEN);
	149	wpabuf_put_data(resp, data->id_p, data->id_p_len);
	150	/* MAC_P = OMAC1-AES-128(AK, ID_P\|\|ID_S\|\|RAND_S\|\|RAND_P) */
	151	buflen = data->id_p_len + data->id_s_len + 2 * EAP_PSK_RAND_LEN;
	152	buf = os_malloc(buflen);
	153	if (buf == NULL) {
	154	wpabuf_free(resp);
	155	return NULL;
	156	}
	157	os_memcpy(buf, data->id_p, data->id_p_len);
	158	pos = buf + data->id_p_len;
	159	os_memcpy(pos, data->id_s, data->id_s_len);
	160	pos += data->id_s_len;
	161	os_memcpy(pos, hdr1->rand_s, EAP_PSK_RAND_LEN);
	162	pos += EAP_PSK_RAND_LEN;
	163	os_memcpy(pos, data->rand_p, EAP_PSK_RAND_LEN);
	164	if (omac1_aes_128(data->ak, buf, buflen, hdr2->mac_p)) {
	165	os_free(buf);
	166	wpabuf_free(resp);
	167	return NULL;
	168	}
	169	os_free(buf);
	170	wpa_hexdump(MSG_DEBUG, "EAP-PSK: RAND_P", hdr2->rand_p,
	171	EAP_PSK_RAND_LEN);
	172	wpa_hexdump(MSG_DEBUG, "EAP-PSK: MAC_P", hdr2->mac_p, EAP_PSK_MAC_LEN);
	173	wpa_hexdump_ascii(MSG_DEBUG, "EAP-PSK: ID_P",
	174	data->id_p, data->id_p_len);
	175
	176	data->state = PSK_MAC_SENT;
	177
	178	return resp;
	179	}
	180
	181
	182	static struct wpabuf * eap_psk_process_3(struct eap_psk_data *data,
	183	struct eap_method_ret *ret,
	184	const struct wpabuf *reqData)
	185	{
	186	const struct eap_psk_hdr_3 *hdr3;
	187	struct eap_psk_hdr_4 *hdr4;
	188	struct wpabuf *resp;
	189	u8 buf, rpchannel, nonce[16], *decrypted;
	190	const u8 pchannel, tag, *msg;
	191	u8 mac[EAP_PSK_MAC_LEN];
	192	size_t buflen, left, data_len, len, plen;
	193	int failed = 0;
	194	const u8 *pos;
	195
	196	wpa_printf(MSG_DEBUG, "EAP-PSK: in MAC_SENT state");
	197
	198	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PSK,
199	reqData, &len);
200	hdr3 = (const struct eap_psk_hdr_3 *) pos;
201	if (pos == NULL \|\| len < sizeof(*hdr3)) {
202	wpa_printf(MSG_INFO, "EAP-PSK: Invalid third message "
203	"length (%lu; expected %lu or more)",
204	(unsigned long) len,
205	(unsigned long) sizeof(*hdr3));
206	ret->ignore = TRUE;
207	return NULL;
208	}
209	left = len - sizeof(*hdr3);
210	pchannel = (const u8 *) (hdr3 + 1);
211	wpa_printf(MSG_DEBUG, "EAP-PSK: Flags=0x%x", hdr3->flags);
212	if (EAP_PSK_FLAGS_GET_T(hdr3->flags) != 2) {
213	wpa_printf(MSG_INFO, "EAP-PSK: Unexpected T=%d (expected 2)",
214	EAP_PSK_FLAGS_GET_T(hdr3->flags));
215	ret->methodState = METHOD_DONE;
216	ret->decision = DECISION_FAIL;
217	return NULL;
218	}
219	wpa_hexdump(MSG_DEBUG, "EAP-PSK: RAND_S", hdr3->rand_s,
220	EAP_PSK_RAND_LEN);
221	wpa_hexdump(MSG_DEBUG, "EAP-PSK: MAC_S", hdr3->mac_s, EAP_PSK_MAC_LEN);
222	wpa_hexdump(MSG_DEBUG, "EAP-PSK: PCHANNEL", pchannel, left);
223
224	if (left < 4 + 16 + 1) {
225	wpa_printf(MSG_INFO, "EAP-PSK: Too short PCHANNEL data in "
226	"third message (len=%lu, expected 21)",
227	(unsigned long) left);
228	ret->ignore = TRUE;
229	return NULL;
230	}
231
232	/* MAC_S = OMAC1-AES-128(AK, ID_S\|\|RAND_P) */
233	buflen = data->id_s_len + EAP_PSK_RAND_LEN;
234	buf = os_malloc(buflen);
235	if (buf == NULL)
236	return NULL;
237	os_memcpy(buf, data->id_s, data->id_s_len);
238	os_memcpy(buf + data->id_s_len, data->rand_p, EAP_PSK_RAND_LEN);
239	if (omac1_aes_128(data->ak, buf, buflen, mac)) {
240	os_free(buf);
241	return NULL;
242	}
243	os_free(buf);
244	if (os_memcmp(mac, hdr3->mac_s, EAP_PSK_MAC_LEN) != 0) {
245	wpa_printf(MSG_WARNING, "EAP-PSK: Invalid MAC_S in third "
246	"message");
247	ret->methodState = METHOD_DONE;
248	ret->decision = DECISION_FAIL;
249	return NULL;
250	}
251	wpa_printf(MSG_DEBUG, "EAP-PSK: MAC_S verified successfully");
252
253	if (eap_psk_derive_keys(data->kdk, data->rand_p, data->tek,
254	data->msk, data->emsk)) {
255	ret->methodState = METHOD_DONE;
256	ret->decision = DECISION_FAIL;
257	return NULL;
258	}
259	wpa_hexdump_key(MSG_DEBUG, "EAP-PSK: TEK", data->tek, EAP_PSK_TEK_LEN);
260	wpa_hexdump_key(MSG_DEBUG, "EAP-PSK: MSK", data->msk, EAP_MSK_LEN);
261	wpa_hexdump_key(MSG_DEBUG, "EAP-PSK: EMSK", data->emsk, EAP_EMSK_LEN);
262
263	os_memset(nonce, 0, 12);
264	os_memcpy(nonce + 12, pchannel, 4);
265	pchannel += 4;
266	left -= 4;
267
268	tag = pchannel;
269	pchannel += 16;
270	left -= 16;
271
272	msg = pchannel;
273
274	wpa_hexdump(MSG_MSGDUMP, "EAP-PSK: PCHANNEL - nonce",
275	nonce, sizeof(nonce));
276	wpa_hexdump(MSG_MSGDUMP, "EAP-PSK: PCHANNEL - hdr",
277	wpabuf_head(reqData), 5);
278	wpa_hexdump(MSG_MSGDUMP, "EAP-PSK: PCHANNEL - cipher msg", msg, left);
279
280	decrypted = os_malloc(left);
281	if (decrypted == NULL) {
282	ret->methodState = METHOD_DONE;
283	ret->decision = DECISION_FAIL;
284	return NULL;
285	}
286	os_memcpy(decrypted, msg, left);
287
288	if (aes_128_eax_decrypt(data->tek, nonce, sizeof(nonce),
289	wpabuf_head(reqData),
290	sizeof(struct eap_hdr) + 1 +
291	sizeof(*hdr3) - EAP_PSK_MAC_LEN, decrypted,
292	left, tag)) {
293	wpa_printf(MSG_WARNING, "EAP-PSK: PCHANNEL decryption failed");
294	os_free(decrypted);
295	return NULL;
296	}
297	wpa_hexdump(MSG_DEBUG, "EAP-PSK: Decrypted PCHANNEL message",
298	decrypted, left);
299
300	/* Verify R flag */
301	switch (decrypted[0] >> 6) {
302	case EAP_PSK_R_FLAG_CONT:
303	wpa_printf(MSG_DEBUG, "EAP-PSK: R flag - CONT - unsupported");
304	failed = 1;
305	break;
306	case EAP_PSK_R_FLAG_DONE_SUCCESS:
307	wpa_printf(MSG_DEBUG, "EAP-PSK: R flag - DONE_SUCCESS");
308	break;
309	case EAP_PSK_R_FLAG_DONE_FAILURE:
310	wpa_printf(MSG_DEBUG, "EAP-PSK: R flag - DONE_FAILURE");
311	wpa_printf(MSG_INFO, "EAP-PSK: Authentication server rejected "
312	"authentication");
313	failed = 1;
314	break;
315	}
316
317	data_len = 1;
318	if ((decrypted[0] & EAP_PSK_E_FLAG) && left > 1)
319	data_len++;
320	plen = sizeof(*hdr4) + 4 + 16 + data_len;
321	resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PSK, plen,
322	EAP_CODE_RESPONSE, eap_get_id(reqData));
323	if (resp == NULL) {
324	os_free(decrypted);
325	return NULL;
326	}
327	hdr4 = wpabuf_put(resp, sizeof(*hdr4));
328	hdr4->flags = EAP_PSK_FLAGS_SET_T(3); /* T=3 */
329	os_memcpy(hdr4->rand_s, hdr3->rand_s, EAP_PSK_RAND_LEN);
330	rpchannel = wpabuf_put(resp, 4 + 16 + data_len);
331
332	/* nonce++ */
333	inc_byte_array(nonce, sizeof(nonce));
334	os_memcpy(rpchannel, nonce + 12, 4);
335
336	if (decrypted[0] & EAP_PSK_E_FLAG) {
337	wpa_printf(MSG_DEBUG, "EAP-PSK: Unsupported E (Ext) flag");
338	failed = 1;
339	rpchannel[4 + 16] = (EAP_PSK_R_FLAG_DONE_FAILURE << 6) \|
340	EAP_PSK_E_FLAG;
341	if (left > 1) {
342	/* Add empty EXT_Payload with same EXT_Type */
343	rpchannel[4 + 16 + 1] = decrypted[1];
344	}
345	} else if (failed)
346	rpchannel[4 + 16] = EAP_PSK_R_FLAG_DONE_FAILURE << 6;
347	else
348	rpchannel[4 + 16] = EAP_PSK_R_FLAG_DONE_SUCCESS << 6;
349
350	wpa_hexdump(MSG_DEBUG, "EAP-PSK: reply message (plaintext)",
351	rpchannel + 4 + 16, data_len);
352	if (aes_128_eax_encrypt(data->tek, nonce, sizeof(nonce),
353	wpabuf_head(resp),
354	sizeof(struct eap_hdr) + 1 + sizeof(*hdr4),
355	rpchannel + 4 + 16, data_len, rpchannel + 4)) {
356	os_free(decrypted);
357	wpabuf_free(resp);
358	return NULL;
359	}
360	wpa_hexdump(MSG_DEBUG, "EAP-PSK: reply message (PCHANNEL)",
361	rpchannel, 4 + 16 + data_len);
362
363	wpa_printf(MSG_DEBUG, "EAP-PSK: Completed %ssuccessfully",
364	failed ? "un" : "");
365	data->state = PSK_DONE;
366	ret->methodState = METHOD_DONE;
367	ret->decision = failed ? DECISION_FAIL : DECISION_UNCOND_SUCC;
368
369	os_free(decrypted);
370
371	return resp;
372	}
373
374
375	static struct wpabuf * eap_psk_process(struct eap_sm sm, void priv,
376	struct eap_method_ret *ret,
377	const struct wpabuf *reqData)
378	{
379	struct eap_psk_data *data = priv;
380	const u8 *pos;
381	struct wpabuf *resp = NULL;
382	size_t len;
383
384	pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_PSK, reqData, &len);
385	if (pos == NULL) {
386	ret->ignore = TRUE;
387	return NULL;
388	}
389
390	ret->ignore = FALSE;
391	ret->methodState = METHOD_MAY_CONT;
392	ret->decision = DECISION_FAIL;
393	ret->allowNotifications = TRUE;
394
395	switch (data->state) {
396	case PSK_INIT:
397	resp = eap_psk_process_1(data, ret, reqData);
398	break;
399	case PSK_MAC_SENT:
400	resp = eap_psk_process_3(data, ret, reqData);
401	break;
402	case PSK_DONE:
403	wpa_printf(MSG_DEBUG, "EAP-PSK: in DONE state - ignore "
404	"unexpected message");
405	ret->ignore = TRUE;
406	return NULL;
407	}
408
409	if (ret->methodState == METHOD_DONE) {
410	ret->allowNotifications = FALSE;
411	}
412
413	return resp;
414	}
415
416
417	static Boolean eap_psk_isKeyAvailable(struct eap_sm sm, void priv)
418	{
419	struct eap_psk_data *data = priv;
420	return data->state == PSK_DONE;
421	}
422
423
424	static u8 * eap_psk_getKey(struct eap_sm sm, void priv, size_t *len)
425	{
426	struct eap_psk_data *data = priv;
427	u8 *key;
428
429	if (data->state != PSK_DONE)
430	return NULL;
431
432	key = os_malloc(EAP_MSK_LEN);
433	if (key == NULL)
434	return NULL;
435
436	*len = EAP_MSK_LEN;
437	os_memcpy(key, data->msk, EAP_MSK_LEN);
438
439	return key;
440	}
441
442
443	static u8 * eap_psk_get_emsk(struct eap_sm sm, void priv, size_t *len)
444	{
445	struct eap_psk_data *data = priv;
446	u8 *key;
447
448	if (data->state != PSK_DONE)
449	return NULL;
450
451	key = os_malloc(EAP_EMSK_LEN);
452	if (key == NULL)
453	return NULL;
454
455	*len = EAP_EMSK_LEN;
456	os_memcpy(key, data->emsk, EAP_EMSK_LEN);
457
458	return key;
459	}
460
461
462	int eap_peer_psk_register(void)
463	{
464	struct eap_method *eap;
465	int ret;
466
467	eap = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
468	EAP_VENDOR_IETF, EAP_TYPE_PSK, "PSK");
469	if (eap == NULL)
470	return -1;
471
472	eap->init = eap_psk_init;
473	eap->deinit = eap_psk_deinit;
474	eap->process = eap_psk_process;
475	eap->isKeyAvailable = eap_psk_isKeyAvailable;
476	eap->getKey = eap_psk_getKey;
477	eap->get_emsk = eap_psk_get_emsk;
478
479	ret = eap_peer_method_register(eap);
480	if (ret)
481	eap_peer_method_free(eap);
482	return ret;
483	}