1 | /* |
2 | * EAP peer method: EAP-SAKE (RFC 4763) | |
3 | * Copyright (c) 2006-2008, Jouni Malinen <j@w1.fi> | |
4 | * | |
5 | * This software may be distributed under the terms of the BSD license. |
6 | * See README for more details. | |
7 | */ |
8 | ||
9 | #include "includes.h" | |
10 | ||
11 | #include "common.h" | |
3642c431 | 12 | #include "crypto/random.h" |
13 | #include "eap_peer/eap_i.h" |
14 | #include "eap_common/eap_sake_common.h" | |
15 | ||
struct eap_sake_data {
	/* Peer-side protocol state; every change goes through eap_sake_state()
	 * so that transitions are logged */
	enum { IDENTITY, CHALLENGE, CONFIRM, SUCCESS, FAILURE } state;
	/* Long-term root secret: eap_sake_init() splits the configured
	 * password into these two halves (first/second
	 * EAP_SAKE_ROOT_SECRET_LEN bytes) */
	u8 root_secret_a[EAP_SAKE_ROOT_SECRET_LEN];
	u8 root_secret_b[EAP_SAKE_ROOT_SECRET_LEN];
	u8 rand_s[EAP_SAKE_RAND_LEN]; /* server nonce, copied from AT_RAND_S */
	u8 rand_p[EAP_SAKE_RAND_LEN]; /* peer nonce, generated locally */
	/* Temporary EAP keys. eap_sake_derive_keys() is handed
	 * (u8 *) &data->tek as a single output buffer, so auth and cipher
	 * must stay adjacent and in this order. */
	struct {
		u8 auth[EAP_SAKE_TEK_AUTH_LEN];
		u8 cipher[EAP_SAKE_TEK_CIPHER_LEN];
	} tek;
	u8 msk[EAP_MSK_LEN]; /* exported by eap_sake_getKey() */
	u8 emsk[EAP_EMSK_LEN]; /* exported by eap_sake_get_emsk() */
	/* Session ID taken from the first request; later requests with a
	 * different value are ignored */
	u8 session_id;
	int session_id_set;
	u8 *peerid; /* copy of the configured identity, NULL if none */
	size_t peerid_len;
	u8 *serverid; /* copy of AT_SERVERID from Request/Challenge, or NULL */
	size_t serverid_len;
};
35 | ||
36 | ||
/*
 * eap_sake_state_txt - Name of a struct eap_sake_data state for logging
 * @state: One of the state enum values
 * Returns: Static string; "?" for any value outside the enum
 */
static const char * eap_sake_state_txt(int state)
{
	/* The enum values are declared without explicit initializers, so
	 * they index this table directly */
	static const char * const names[] = {
		[IDENTITY] = "IDENTITY",
		[CHALLENGE] = "CHALLENGE",
		[CONFIRM] = "CONFIRM",
		[SUCCESS] = "SUCCESS",
		[FAILURE] = "FAILURE",
	};
	const int count = (int) (sizeof(names) / sizeof(names[0]));

	if (state < 0 || state >= count)
		return "?";
	return names[state];
}
54 | ||
55 | ||
/*
 * eap_sake_state - Move the peer state machine to a new state
 * @data: EAP-SAKE peer context
 * @state: New state (enum value from struct eap_sake_data)
 *
 * Logs the transition at debug level before storing the new state.
 */
static void eap_sake_state(struct eap_sake_data *data, int state)
{
	const char *from = eap_sake_state_txt(data->state);
	const char *to = eap_sake_state_txt(state);

	wpa_printf(MSG_DEBUG, "EAP-SAKE: %s -> %s", from, to);
	data->state = state;
}
63 | ||
64 | ||
65 | static void eap_sake_deinit(struct eap_sm *sm, void *priv); | |
66 | ||
67 | ||
/*
 * eap_sake_init - Allocate the EAP-SAKE peer context for one session
 * @sm: EAP state machine used to read the configured password/identity
 * Returns: New struct eap_sake_data * (freed by eap_sake_deinit()), or NULL
 * if no password of exactly 2 * EAP_SAKE_ROOT_SECRET_LEN bytes is
 * configured or allocation fails
 */
static void * eap_sake_init(struct eap_sm *sm)
{
	const u8 *password, *identity;
	size_t password_len, identity_len;
	struct eap_sake_data *data;

	password = eap_get_config_password(sm, &password_len);
	if (password == NULL ||
	    password_len != 2 * EAP_SAKE_ROOT_SECRET_LEN) {
		wpa_printf(MSG_INFO, "EAP-SAKE: No key of correct length "
			   "configured");
		return NULL;
	}

	data = os_zalloc(sizeof(*data));
	if (!data)
		return NULL;
	data->state = IDENTITY;

	/* First half of the password is Root-Secret-A, second half is
	 * Root-Secret-B */
	os_memcpy(data->root_secret_a, password, EAP_SAKE_ROOT_SECRET_LEN);
	os_memcpy(data->root_secret_b, password + EAP_SAKE_ROOT_SECRET_LEN,
		  EAP_SAKE_ROOT_SECRET_LEN);

	identity = eap_get_config_identity(sm, &identity_len);
	if (identity == NULL)
		return data; /* peerid stays NULL */

	data->peerid = os_malloc(identity_len);
	if (!data->peerid) {
		eap_sake_deinit(sm, data);
		return NULL;
	}
	os_memcpy(data->peerid, identity, identity_len);
	data->peerid_len = identity_len;

	return data;
}
104 | ||
105 | ||
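/*
 * eap_sake_deinit - Release the EAP-SAKE peer context
 * @sm: EAP state machine (unused)
 * @priv: struct eap_sake_data * from eap_sake_init(); NULL is a no-op
 *
 * The context holds the root secrets and the derived TEK/MSK/EMSK, so it
 * is cleared before the memory is handed back to the allocator.
 */
static void eap_sake_deinit(struct eap_sm *sm, void *priv)
{
	struct eap_sake_data *data = priv;

	if (data == NULL)
		return;
	os_free(data->serverid);
	os_free(data->peerid);
	/* Wipe key material. A plain memset right before free() may be
	 * elided by the compiler; use an explicit-zeroing helper instead if
	 * the OS abstraction layer provides one. */
	os_memset(data, 0, sizeof(*data));
	os_free(data);
}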
113 | ||
114 | ||
/*
 * eap_sake_build_msg - Allocate an EAP-Response/SAKE with its header filled
 * @data: EAP-SAKE peer context (supplies the session ID)
 * @id: EAP identifier to echo from the request
 * @length: Number of attribute bytes the caller will append after the header
 * @subtype: EAP-SAKE subtype for the header
 * Returns: Buffer with struct eap_sake_hdr already written, or NULL
 */
static struct wpabuf * eap_sake_build_msg(struct eap_sake_data *data,
					  int id, size_t length, u8 subtype)
{
	const size_t plen = sizeof(struct eap_sake_hdr) + length;
	struct wpabuf *msg;
	struct eap_sake_hdr *hdr;

	msg = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_SAKE, plen,
			    EAP_CODE_RESPONSE, id);
	if (!msg) {
		wpa_printf(MSG_ERROR, "EAP-SAKE: Failed to allocate memory "
			   "request");
		return NULL;
	}

	hdr = wpabuf_put(msg, sizeof(*hdr));
	hdr->version = EAP_SAKE_VERSION;
	hdr->session_id = data->session_id;
	hdr->subtype = subtype;

	return msg;
}
139 | ||
140 | ||
/*
 * eap_sake_process_identity - Handle EAP-Request/SAKE/Identity
 * @sm: EAP state machine (unused)
 * @data: EAP-SAKE peer context
 * @ret: Method result flags; ignore is set if the state is not IDENTITY
 * @reqData: Full request (for the EAP identifier)
 * @payload: Attribute bytes following the EAP-SAKE header
 * @payload_len: Length of @payload
 * Returns: Response/Identity carrying AT_PEERID, or NULL on error
 */
static struct wpabuf * eap_sake_process_identity(struct eap_sm *sm,
						 struct eap_sake_data *data,
						 struct eap_method_ret *ret,
						 const struct wpabuf *reqData,
						 const u8 *payload,
						 size_t payload_len)
{
	struct eap_sake_parse_attr attr;
	struct wpabuf *resp;
	size_t resp_len;

	if (data->state != IDENTITY) {
		ret->ignore = TRUE;
		return NULL;
	}

	wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Identity");

	if (eap_sake_parse_attributes(payload, payload_len, &attr) != 0)
		return NULL;

	/* The server has to request either the permanent or any identity */
	if (!(attr.perm_id_req || attr.any_id_req)) {
		wpa_printf(MSG_INFO, "EAP-SAKE: No AT_PERM_ID_REQ or "
			   "AT_ANY_ID_REQ in Request/Identity");
		return NULL;
	}

	wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Identity");

	/* AT_PEERID: 2-octet attribute header plus the identity bytes */
	resp_len = 2 + data->peerid_len;
	resp = eap_sake_build_msg(data, eap_get_id(reqData), resp_len,
				  EAP_SAKE_SUBTYPE_IDENTITY);
	if (!resp)
		return NULL;

	wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_PEERID");
	eap_sake_add_attr(resp, EAP_SAKE_AT_PEERID, data->peerid,
			  data->peerid_len);

	eap_sake_state(data, CHALLENGE);
	return resp;
}
183 | ||
184 | ||
/*
 * eap_sake_process_challenge - Handle EAP-Request/SAKE/Challenge
 * @sm: EAP state machine (unused)
 * @data: EAP-SAKE peer context
 * @ret: Method result flags; ignore is set in unexpected states
 * @reqData: Full request (for the EAP identifier)
 * @payload: Attribute bytes following the EAP-SAKE header
 * @payload_len: Length of @payload
 * Returns: Response/Challenge with AT_RAND_P, optional AT_PEERID and
 * AT_MIC_P, or NULL on error
 *
 * Stores RAND_S and SERVERID from the request, generates RAND_P, derives
 * TEK/MSK/EMSK and builds the MIC-protected response.
 */
static struct wpabuf * eap_sake_process_challenge(struct eap_sm *sm,
						  struct eap_sake_data *data,
						  struct eap_method_ret *ret,
						  const struct wpabuf *reqData,
						  const u8 *payload,
						  size_t payload_len)
{
	struct eap_sake_parse_attr attr;
	struct wpabuf *resp;
	u8 *mic;
	size_t resp_len;

	switch (data->state) {
	case IDENTITY:
		/* The server may skip Request/Identity altogether */
		eap_sake_state(data, CHALLENGE);
		break;
	case CHALLENGE:
		break;
	default:
		wpa_printf(MSG_DEBUG, "EAP-SAKE: Request/Challenge received "
			   "in unexpected state (%d)", data->state);
		ret->ignore = TRUE;
		return NULL;
	}

	wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Challenge");

	if (eap_sake_parse_attributes(payload, payload_len, &attr) != 0)
		return NULL;

	if (attr.rand_s == NULL) {
		wpa_printf(MSG_INFO, "EAP-SAKE: Request/Challenge did not "
			   "include AT_RAND_S");
		return NULL;
	}

	os_memcpy(data->rand_s, attr.rand_s, EAP_SAKE_RAND_LEN);
	wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_S (server rand)",
		    data->rand_s, EAP_SAKE_RAND_LEN);

	if (random_get_bytes(data->rand_p, EAP_SAKE_RAND_LEN) != 0) {
		wpa_printf(MSG_ERROR, "EAP-SAKE: Failed to get random data");
		return NULL;
	}
	wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_P (peer rand)",
		    data->rand_p, EAP_SAKE_RAND_LEN);

	/* Drop any SERVERID kept from an earlier challenge before storing
	 * the new one */
	os_free(data->serverid);
	data->serverid = NULL;
	data->serverid_len = 0;
	if (attr.serverid != NULL) {
		wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-SAKE: SERVERID",
				  attr.serverid, attr.serverid_len);
		data->serverid = os_malloc(attr.serverid_len);
		if (!data->serverid)
			return NULL;
		os_memcpy(data->serverid, attr.serverid, attr.serverid_len);
		data->serverid_len = attr.serverid_len;
	}

	/* Both nonces are now known, so all session keys can be derived;
	 * tek is written as one contiguous buffer (auth followed by cipher) */
	eap_sake_derive_keys(data->root_secret_a, data->root_secret_b,
			     data->rand_s, data->rand_p,
			     (u8 *) &data->tek, data->msk, data->emsk);

	wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Challenge");

	/* AT_RAND_P and AT_MIC_P always; AT_PEERID only with an identity */
	resp_len = (2 + EAP_SAKE_RAND_LEN) + (2 + EAP_SAKE_MIC_LEN);
	if (data->peerid != NULL)
		resp_len += 2 + data->peerid_len;
	resp = eap_sake_build_msg(data, eap_get_id(reqData), resp_len,
				  EAP_SAKE_SUBTYPE_CHALLENGE);
	if (!resp)
		return NULL;

	wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_RAND_P");
	eap_sake_add_attr(resp, EAP_SAKE_AT_RAND_P, data->rand_p,
			  EAP_SAKE_RAND_LEN);

	if (data->peerid != NULL) {
		wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_PEERID");
		eap_sake_add_attr(resp, EAP_SAKE_AT_PEERID, data->peerid,
				  data->peerid_len);
	}

	/* AT_MIC_P is appended by hand so that the MIC can be computed over
	 * the complete response; the MIC location inside the buffer and the
	 * output pointer are the same field */
	wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_MIC_P");
	wpabuf_put_u8(resp, EAP_SAKE_AT_MIC_P);
	wpabuf_put_u8(resp, 2 + EAP_SAKE_MIC_LEN);
	mic = wpabuf_put(resp, EAP_SAKE_MIC_LEN);
	if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
				 data->serverid, data->serverid_len,
				 data->peerid, data->peerid_len, 1,
				 wpabuf_head(resp), wpabuf_len(resp), mic,
				 mic) != 0) {
		wpa_printf(MSG_INFO, "EAP-SAKE: Failed to compute MIC");
		wpabuf_free(resp);
		return NULL;
	}

	eap_sake_state(data, CONFIRM);
	return resp;
}
283 | ||
284 | ||
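/*
 * eap_sake_process_confirm - Handle EAP-Request/SAKE/Confirm
 * @sm: EAP state machine (unused)
 * @data: EAP-SAKE peer context
 * @ret: Method result flags; set to DONE/FAIL or DONE/UNCOND_SUCC here
 * @reqData: Full request (covered by the server MIC)
 * @payload: Attribute bytes following the EAP-SAKE header
 * @payload_len: Length of @payload
 * Returns: Response/Confirm with AT_MIC_P on success, Response/Auth-Reject
 * if AT_MIC_S does not verify, or NULL on error/ignore
 */
static struct wpabuf * eap_sake_process_confirm(struct eap_sm *sm,
						struct eap_sake_data *data,
						struct eap_method_ret *ret,
						const struct wpabuf *reqData,
						const u8 *payload,
						size_t payload_len)
{
	struct eap_sake_parse_attr attr;
	u8 mic_s[EAP_SAKE_MIC_LEN];
	struct wpabuf *resp;
	u8 *rpos;

	if (data->state != CONFIRM) {
		ret->ignore = TRUE;
		return NULL;
	}

	wpa_printf(MSG_DEBUG, "EAP-SAKE: Received Request/Confirm");

	if (eap_sake_parse_attributes(payload, payload_len, &attr))
		return NULL;

	if (!attr.mic_s) {
		wpa_printf(MSG_INFO, "EAP-SAKE: Request/Confirm did not "
			   "include AT_MIC_S");
		return NULL;
	}

	/* Recompute the server MIC over the request. A failure must not fall
	 * through to the comparison below: mic_s would be uninitialized. */
	if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
				 data->serverid, data->serverid_len,
				 data->peerid, data->peerid_len, 0,
				 wpabuf_head(reqData), wpabuf_len(reqData),
				 attr.mic_s, mic_s)) {
		wpa_printf(MSG_INFO, "EAP-SAKE: Failed to compute MIC");
		return NULL;
	}
	/* NOTE(review): os_memcmp() is not constant-time; a constant-time
	 * comparison is preferable for MIC verification where available. */
	if (os_memcmp(attr.mic_s, mic_s, EAP_SAKE_MIC_LEN) != 0) {
		wpa_printf(MSG_INFO, "EAP-SAKE: Incorrect AT_MIC_S");
		eap_sake_state(data, FAILURE);
		ret->methodState = METHOD_DONE;
		ret->decision = DECISION_FAIL;
		ret->allowNotifications = FALSE;
		wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending "
			   "Response/Auth-Reject");
		return eap_sake_build_msg(data, eap_get_id(reqData), 0,
					  EAP_SAKE_SUBTYPE_AUTH_REJECT);
	}

	wpa_printf(MSG_DEBUG, "EAP-SAKE: Sending Response/Confirm");

	resp = eap_sake_build_msg(data, eap_get_id(reqData),
				  2 + EAP_SAKE_MIC_LEN,
				  EAP_SAKE_SUBTYPE_CONFIRM);
	if (resp == NULL)
		return NULL;

	/* AT_MIC_P covers the whole response; the MIC field is both the
	 * location passed to compute_mic and its output */
	wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_MIC_P");
	wpabuf_put_u8(resp, EAP_SAKE_AT_MIC_P);
	wpabuf_put_u8(resp, 2 + EAP_SAKE_MIC_LEN);
	rpos = wpabuf_put(resp, EAP_SAKE_MIC_LEN);
	if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
				 data->serverid, data->serverid_len,
				 data->peerid, data->peerid_len, 1,
				 wpabuf_head(resp), wpabuf_len(resp), rpos,
				 rpos)) {
		wpa_printf(MSG_INFO, "EAP-SAKE: Failed to compute MIC");
		wpabuf_free(resp);
		return NULL;
	}

	eap_sake_state(data, SUCCESS);
	ret->methodState = METHOD_DONE;
	ret->decision = DECISION_UNCOND_SUCC;
	ret->allowNotifications = FALSE;

	return resp;
}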
359 | ||
360 | ||
/*
 * eap_sake_process - Entry point for every EAP-SAKE request
 * @sm: EAP state machine
 * @priv: struct eap_sake_data * from eap_sake_init()
 * @ret: Method result flags, reset to defaults before dispatching
 * @reqData: Received EAP request
 * Returns: Response built by the subtype handler, or NULL (with ret->ignore
 * set for malformed frames, session ID mismatches and unknown subtypes)
 */
static struct wpabuf * eap_sake_process(struct eap_sm *sm, void *priv,
					struct eap_method_ret *ret,
					const struct wpabuf *reqData)
{
	struct eap_sake_data *data = priv;
	const struct eap_sake_hdr *hdr;
	const u8 *attrs, *end;
	size_t len, attrs_len;
	u8 subtype, session_id;
	struct wpabuf *resp;

	attrs = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_SAKE, reqData,
				 &len);
	if (attrs == NULL || len < sizeof(*hdr)) {
		ret->ignore = TRUE;
		return NULL;
	}

	hdr = (const struct eap_sake_hdr *) attrs;
	end = attrs + len;
	subtype = hdr->subtype;
	session_id = hdr->session_id;
	attrs = (const u8 *) (hdr + 1); /* attributes follow the header */
	attrs_len = end - attrs;

	wpa_printf(MSG_DEBUG, "EAP-SAKE: Received frame: subtype %d "
		   "session_id %d", subtype, session_id);
	wpa_hexdump(MSG_DEBUG, "EAP-SAKE: Received attributes",
		    attrs, attrs_len);

	/* The first request fixes the session ID; every later request of
	 * this exchange has to carry the same value */
	if (data->session_id_set && session_id != data->session_id) {
		wpa_printf(MSG_INFO, "EAP-SAKE: Session ID mismatch (%d,%d)",
			   session_id, data->session_id);
		ret->ignore = TRUE;
		return NULL;
	}
	data->session_id = session_id;
	data->session_id_set = 1;

	/* Defaults that the subtype handlers override as needed */
	ret->ignore = FALSE;
	ret->methodState = METHOD_MAY_CONT;
	ret->decision = DECISION_FAIL;
	ret->allowNotifications = TRUE;

	if (subtype == EAP_SAKE_SUBTYPE_IDENTITY) {
		resp = eap_sake_process_identity(sm, data, ret, reqData,
						 attrs, attrs_len);
	} else if (subtype == EAP_SAKE_SUBTYPE_CHALLENGE) {
		resp = eap_sake_process_challenge(sm, data, ret, reqData,
						  attrs, attrs_len);
	} else if (subtype == EAP_SAKE_SUBTYPE_CONFIRM) {
		resp = eap_sake_process_confirm(sm, data, ret, reqData,
						attrs, attrs_len);
	} else {
		wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring message with "
			   "unknown subtype %d", subtype);
		ret->ignore = TRUE;
		return NULL;
	}

	if (ret->methodState == METHOD_DONE)
		ret->allowNotifications = FALSE;

	return resp;
}
428 | ||
429 | ||
/*
 * eap_sake_isKeyAvailable - Whether MSK/EMSK can be exported
 * @sm: EAP state machine (unused)
 * @priv: struct eap_sake_data *
 * Returns: TRUE only after Request/Confirm was verified (state SUCCESS)
 */
static Boolean eap_sake_isKeyAvailable(struct eap_sm *sm, void *priv)
{
	const struct eap_sake_data *data = priv;

	if (data->state == SUCCESS)
		return TRUE;
	return FALSE;
}
435 | ||
436 | ||
/*
 * eap_sake_getKey - Export a copy of the MSK
 * @sm: EAP state machine (unused)
 * @priv: struct eap_sake_data *
 * @len: Set to EAP_MSK_LEN on success
 * Returns: Newly allocated MSK (caller frees), or NULL before SUCCESS or
 * on allocation failure
 */
static u8 * eap_sake_getKey(struct eap_sm *sm, void *priv, size_t *len)
{
	struct eap_sake_data *data = priv;
	u8 *msk;

	if (data->state != SUCCESS)
		return NULL;

	msk = os_malloc(EAP_MSK_LEN);
	if (msk != NULL) {
		os_memcpy(msk, data->msk, EAP_MSK_LEN);
		*len = EAP_MSK_LEN;
	}
	return msk;
}
453 | ||
454 | ||
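/*
 * eap_sake_get_session_id - Export the EAP Session-Id
 * @sm: EAP state machine (unused)
 * @priv: struct eap_sake_data *
 * @len: Set to the Session-Id length on success
 * Returns: Newly allocated Session-Id (caller frees), or NULL before
 * SUCCESS or on allocation failure
 *
 * Session-Id = EAP Type || RAND_S || RAND_P, i.e. both nonces of the
 * exchange. The earlier code copied RAND_S twice, which made the value
 * independent of the peer nonce.
 */
static u8 * eap_sake_get_session_id(struct eap_sm *sm, void *priv, size_t *len)
{
	struct eap_sake_data *data = priv;
	const size_t id_len = 1 + 2 * EAP_SAKE_RAND_LEN;
	u8 *id;

	if (data->state != SUCCESS)
		return NULL;

	id = os_malloc(id_len);
	if (id == NULL)
		return NULL;

	id[0] = EAP_TYPE_SAKE;
	os_memcpy(id + 1, data->rand_s, EAP_SAKE_RAND_LEN);
	/* second nonce is the peer's RAND_P, not RAND_S again */
	os_memcpy(id + 1 + EAP_SAKE_RAND_LEN, data->rand_p, EAP_SAKE_RAND_LEN);
	*len = id_len;
	wpa_hexdump(MSG_DEBUG, "EAP-SAKE: Derived Session-Id", id, *len);

	return id;
}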
475 | ||
476 | ||
/*
 * eap_sake_get_emsk - Export a copy of the EMSK
 * @sm: EAP state machine (unused)
 * @priv: struct eap_sake_data *
 * @len: Set to EAP_EMSK_LEN on success
 * Returns: Newly allocated EMSK (caller frees), or NULL before SUCCESS or
 * on allocation failure
 */
static u8 * eap_sake_get_emsk(struct eap_sm *sm, void *priv, size_t *len)
{
	struct eap_sake_data *data = priv;
	u8 *emsk;

	if (data->state != SUCCESS)
		return NULL;

	emsk = os_malloc(EAP_EMSK_LEN);
	if (emsk != NULL) {
		os_memcpy(emsk, data->emsk, EAP_EMSK_LEN);
		*len = EAP_EMSK_LEN;
	}
	return emsk;
}
493 | ||
494 | ||
/*
 * eap_peer_sake_register - Register EAP-SAKE with the peer method table
 * Returns: 0 on success, -1 on allocation failure, otherwise the value
 * returned by eap_peer_method_register()
 */
int eap_peer_sake_register(void)
{
	struct eap_method *m;
	int rc;

	m = eap_peer_method_alloc(EAP_PEER_METHOD_INTERFACE_VERSION,
				  EAP_VENDOR_IETF, EAP_TYPE_SAKE, "SAKE");
	if (!m)
		return -1;

	m->init = eap_sake_init;
	m->deinit = eap_sake_deinit;
	m->process = eap_sake_process;
	m->isKeyAvailable = eap_sake_isKeyAvailable;
	m->getKey = eap_sake_getKey;
	m->getSessionId = eap_sake_get_session_id;
	m->get_emsk = eap_sake_get_emsk;

	rc = eap_peer_method_register(m);
	if (rc != 0)
		eap_peer_method_free(m); /* registration did not take ownership */
	return rc;
}