EAP-pwd: Use abstract crypto API
This makes it easier to use EAP-pwd with other crypto libraries than OpenSSL. Signed-off-by: Sean Parkinson <sean@wolfssl.com>
This commit is contained in:
Sean Parkinson
Jouni Malinen
parent
0c3d49afd8
commit
04b1bcc5f3
8 changed files with 319 additions and 541 deletions
|
|
@ -455,6 +455,7 @@ ifdef CONFIG_EAP_PWD
|
|||
L_CFLAGS += -DEAP_SERVER_PWD
|
||||
OBJS += src/eap_server/eap_server_pwd.c src/eap_common/eap_pwd_common.c
|
||||
NEED_SHA256=y
|
||||
NEED_ECC=y
|
||||
endif
|
||||
|
||||
ifdef CONFIG_EAP_EKE
|
||||
|
|
|
|||
|
|
@ -489,6 +489,7 @@ ifdef CONFIG_EAP_PWD
|
|||
CFLAGS += -DEAP_SERVER_PWD
|
||||
OBJS += ../src/eap_server/eap_server_pwd.o ../src/eap_common/eap_pwd_common.o
|
||||
NEED_SHA256=y
|
||||
NEED_ECC=y
|
||||
endif
|
||||
|
||||
ifdef CONFIG_EAP_EKE
|
||||
|
|
|
|||
|
|
@ -91,91 +91,33 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
const u8 *id_peer, size_t id_peer_len,
|
||||
const u8 *token)
|
||||
{
|
||||
BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
|
||||
struct crypto_hash *hash;
|
||||
unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
|
||||
int nid, is_odd, ret = 0;
|
||||
int is_odd, ret = 0;
|
||||
size_t primebytelen, primebitlen;
|
||||
|
||||
switch (num) { /* from IANA registry for IKE D-H groups */
|
||||
case 19:
|
||||
nid = NID_X9_62_prime256v1;
|
||||
break;
|
||||
case 20:
|
||||
nid = NID_secp384r1;
|
||||
break;
|
||||
case 21:
|
||||
nid = NID_secp521r1;
|
||||
break;
|
||||
#ifndef OPENSSL_IS_BORINGSSL
|
||||
case 25:
|
||||
nid = NID_X9_62_prime192v1;
|
||||
break;
|
||||
#endif /* OPENSSL_IS_BORINGSSL */
|
||||
case 26:
|
||||
nid = NID_secp224r1;
|
||||
break;
|
||||
#ifdef NID_brainpoolP224r1
|
||||
case 27:
|
||||
nid = NID_brainpoolP224r1;
|
||||
break;
|
||||
#endif /* NID_brainpoolP224r1 */
|
||||
#ifdef NID_brainpoolP256r1
|
||||
case 28:
|
||||
nid = NID_brainpoolP256r1;
|
||||
break;
|
||||
#endif /* NID_brainpoolP256r1 */
|
||||
#ifdef NID_brainpoolP384r1
|
||||
case 29:
|
||||
nid = NID_brainpoolP384r1;
|
||||
break;
|
||||
#endif /* NID_brainpoolP384r1 */
|
||||
#ifdef NID_brainpoolP512r1
|
||||
case 30:
|
||||
nid = NID_brainpoolP512r1;
|
||||
break;
|
||||
#endif /* NID_brainpoolP512r1 */
|
||||
default:
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unsupported group %d", num);
|
||||
return -1;
|
||||
}
|
||||
struct crypto_bignum *x_candidate = NULL, *rnd = NULL, *cofactor = NULL;
|
||||
|
||||
grp->pwe = NULL;
|
||||
grp->order = NULL;
|
||||
grp->prime = NULL;
|
||||
|
||||
if ((grp->group = EC_GROUP_new_by_curve_name(nid)) == NULL) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC_GROUP");
|
||||
grp->group = crypto_ec_init(num);
|
||||
if (!grp->group) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC group");
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (((rnd = BN_new()) == NULL) ||
|
||||
((cofactor = BN_new()) == NULL) ||
|
||||
((grp->pwe = EC_POINT_new(grp->group)) == NULL) ||
|
||||
((grp->order = BN_new()) == NULL) ||
|
||||
((grp->prime = BN_new()) == NULL) ||
|
||||
((x_candidate = BN_new()) == NULL)) {
|
||||
cofactor = crypto_bignum_init();
|
||||
grp->pwe = crypto_ec_point_init(grp->group);
|
||||
if (!cofactor || !grp->pwe) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if (!EC_GROUP_get_curve_GFp(grp->group, grp->prime, NULL, NULL, NULL))
|
||||
{
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to get prime for GFp "
|
||||
"curve");
|
||||
goto fail;
|
||||
}
|
||||
if (!EC_GROUP_get_order(grp->group, grp->order, NULL)) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to get order for curve");
|
||||
goto fail;
|
||||
}
|
||||
if (!EC_GROUP_get_cofactor(grp->group, cofactor, NULL)) {
|
||||
if (crypto_ec_cofactor(grp->group, cofactor) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to get cofactor for "
|
||||
"curve");
|
||||
goto fail;
|
||||
}
|
||||
primebitlen = BN_num_bits(grp->prime);
|
||||
primebytelen = BN_num_bytes(grp->prime);
|
||||
primebitlen = crypto_ec_prime_len_bits(grp->group);
|
||||
primebytelen = crypto_ec_prime_len(grp->group);
|
||||
if ((prfbuf = os_malloc(primebytelen)) == NULL) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
|
||||
"buffer");
|
||||
|
|
@ -207,15 +149,25 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
eap_pwd_h_update(hash, &ctr, sizeof(ctr));
|
||||
eap_pwd_h_final(hash, pwe_digest);
|
||||
|
||||
BN_bin2bn(pwe_digest, SHA256_MAC_LEN, rnd);
|
||||
|
||||
crypto_bignum_deinit(rnd, 1);
|
||||
rnd = crypto_bignum_init_set(pwe_digest, SHA256_MAC_LEN);
|
||||
if (!rnd) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: unable to create rnd");
|
||||
goto fail;
|
||||
}
|
||||
if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN,
|
||||
(u8 *) "EAP-pwd Hunting And Pecking",
|
||||
os_strlen("EAP-pwd Hunting And Pecking"),
|
||||
prfbuf, primebitlen) < 0)
|
||||
goto fail;
|
||||
|
||||
BN_bin2bn(prfbuf, primebytelen, x_candidate);
|
||||
crypto_bignum_deinit(x_candidate, 1);
|
||||
x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
|
||||
if (!x_candidate) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"EAP-pwd: unable to create x_candidate");
|
||||
goto fail;
|
||||
}
|
||||
|
||||
/*
|
||||
* eap_pwd_kdf() returns a string of bits 0..primebitlen but
|
||||
|
|
@ -224,11 +176,14 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
* then excessive bits-- those _after_ primebitlen-- so now
|
||||
* we have to shift right the amount we masked off.
|
||||
*/
|
||||
if (primebitlen % 8)
|
||||
BN_rshift(x_candidate, x_candidate,
|
||||
(8 - (primebitlen % 8)));
|
||||
if ((primebitlen % 8) &&
|
||||
crypto_bignum_rshift(x_candidate,
|
||||
(8 - (primebitlen % 8)),
|
||||
x_candidate) < 0)
|
||||
goto fail;
|
||||
|
||||
if (BN_ucmp(x_candidate, grp->prime) >= 0)
|
||||
if (crypto_bignum_cmp(x_candidate,
|
||||
crypto_ec_get_prime(grp->group)) >= 0)
|
||||
continue;
|
||||
|
||||
wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate",
|
||||
|
|
@ -238,40 +193,38 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
* need to unambiguously identify the solution, if there is
|
||||
* one...
|
||||
*/
|
||||
if (BN_is_odd(rnd))
|
||||
is_odd = 1;
|
||||
else
|
||||
is_odd = 0;
|
||||
is_odd = crypto_bignum_is_odd(rnd);
|
||||
|
||||
/*
|
||||
* solve the quadratic equation, if it's not solvable then we
|
||||
* don't have a point
|
||||
*/
|
||||
if (!EC_POINT_set_compressed_coordinates_GFp(grp->group,
|
||||
grp->pwe,
|
||||
x_candidate,
|
||||
is_odd, NULL))
|
||||
if (crypto_ec_point_solve_y_coord(grp->group, grp->pwe,
|
||||
x_candidate, is_odd) != 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
|
||||
continue;
|
||||
}
|
||||
/*
|
||||
* If there's a solution to the equation then the point must be
|
||||
* on the curve so why check again explicitly? OpenSSL code
|
||||
* says this is required by X9.62. We're not X9.62 but it can't
|
||||
* hurt just to be sure.
|
||||
*/
|
||||
if (!EC_POINT_is_on_curve(grp->group, grp->pwe, NULL)) {
|
||||
if (!crypto_ec_point_is_on_curve(grp->group, grp->pwe)) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
|
||||
continue;
|
||||
}
|
||||
|
||||
if (BN_cmp(cofactor, BN_value_one())) {
|
||||
if (!crypto_bignum_is_one(cofactor)) {
|
||||
/* make sure the point is not in a small sub-group */
|
||||
if (!EC_POINT_mul(grp->group, grp->pwe, NULL, grp->pwe,
|
||||
cofactor, NULL)) {
|
||||
if (crypto_ec_point_mul(grp->group, grp->pwe,
|
||||
cofactor, grp->pwe) != 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: cannot "
|
||||
"multiply generator by order");
|
||||
continue;
|
||||
}
|
||||
if (EC_POINT_is_at_infinity(grp->group, grp->pwe)) {
|
||||
if (crypto_ec_point_is_at_infinity(grp->group,
|
||||
grp->pwe)) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd: point is at "
|
||||
"infinity");
|
||||
continue;
|
||||
|
|
@ -284,37 +237,38 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
grp->group_num = num;
|
||||
if (0) {
|
||||
fail:
|
||||
EC_GROUP_free(grp->group);
|
||||
crypto_ec_deinit(grp->group);
|
||||
grp->group = NULL;
|
||||
EC_POINT_clear_free(grp->pwe);
|
||||
crypto_ec_point_deinit(grp->pwe, 1);
|
||||
grp->pwe = NULL;
|
||||
BN_clear_free(grp->order);
|
||||
grp->order = NULL;
|
||||
BN_clear_free(grp->prime);
|
||||
grp->prime = NULL;
|
||||
ret = 1;
|
||||
}
|
||||
/* cleanliness and order.... */
|
||||
BN_clear_free(cofactor);
|
||||
BN_clear_free(x_candidate);
|
||||
BN_clear_free(rnd);
|
||||
crypto_bignum_deinit(cofactor, 1);
|
||||
crypto_bignum_deinit(x_candidate, 1);
|
||||
crypto_bignum_deinit(rnd, 1);
|
||||
os_free(prfbuf);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, const BIGNUM *k,
|
||||
const BIGNUM *peer_scalar, const BIGNUM *server_scalar,
|
||||
int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k,
|
||||
const struct crypto_bignum *peer_scalar,
|
||||
const struct crypto_bignum *server_scalar,
|
||||
const u8 *confirm_peer, const u8 *confirm_server,
|
||||
const u32 *ciphersuite, u8 *msk, u8 *emsk, u8 *session_id)
|
||||
{
|
||||
struct crypto_hash *hash;
|
||||
u8 mk[SHA256_MAC_LEN], *cruft;
|
||||
u8 msk_emsk[EAP_MSK_LEN + EAP_EMSK_LEN];
|
||||
int offset;
|
||||
size_t prime_len, order_len;
|
||||
|
||||
if ((cruft = os_malloc(BN_num_bytes(grp->prime))) == NULL)
|
||||
prime_len = crypto_ec_prime_len(grp->group);
|
||||
order_len = crypto_ec_order_len(grp->group);
|
||||
|
||||
cruft = os_malloc(prime_len);
|
||||
if (!cruft)
|
||||
return -1;
|
||||
|
||||
/*
|
||||
|
|
@ -328,14 +282,10 @@ int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, const BIGNUM *k,
|
|||
return -1;
|
||||
}
|
||||
eap_pwd_h_update(hash, (const u8 *) ciphersuite, sizeof(u32));
|
||||
offset = BN_num_bytes(grp->order) - BN_num_bytes(peer_scalar);
|
||||
os_memset(cruft, 0, BN_num_bytes(grp->prime));
|
||||
BN_bn2bin(peer_scalar, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->order));
|
||||
offset = BN_num_bytes(grp->order) - BN_num_bytes(server_scalar);
|
||||
os_memset(cruft, 0, BN_num_bytes(grp->prime));
|
||||
BN_bn2bin(server_scalar, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->order));
|
||||
crypto_bignum_to_bin(peer_scalar, cruft, order_len, order_len);
|
||||
eap_pwd_h_update(hash, cruft, order_len);
|
||||
crypto_bignum_to_bin(server_scalar, cruft, order_len, order_len);
|
||||
eap_pwd_h_update(hash, cruft, order_len);
|
||||
eap_pwd_h_final(hash, &session_id[1]);
|
||||
|
||||
/* then compute MK = H(k | confirm-peer | confirm-server) */
|
||||
|
|
@ -344,10 +294,8 @@ int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, const BIGNUM *k,
|
|||
os_free(cruft);
|
||||
return -1;
|
||||
}
|
||||
offset = BN_num_bytes(grp->prime) - BN_num_bytes(k);
|
||||
os_memset(cruft, 0, BN_num_bytes(grp->prime));
|
||||
BN_bn2bin(k, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->prime));
|
||||
crypto_bignum_to_bin(k, cruft, prime_len, prime_len);
|
||||
eap_pwd_h_update(hash, cruft, prime_len);
|
||||
os_free(cruft);
|
||||
eap_pwd_h_update(hash, confirm_peer, SHA256_MAC_LEN);
|
||||
eap_pwd_h_update(hash, confirm_server, SHA256_MAC_LEN);
|
||||
|
|
|
|||
|
|
@ -9,20 +9,14 @@
|
|||
#ifndef EAP_PWD_COMMON_H
|
||||
#define EAP_PWD_COMMON_H
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/ec.h>
|
||||
#include <openssl/evp.h>
|
||||
|
||||
/*
|
||||
* definition of a finite cyclic group
|
||||
* TODO: support one based on a prime field
|
||||
*/
|
||||
typedef struct group_definition_ {
|
||||
u16 group_num;
|
||||
EC_GROUP *group;
|
||||
EC_POINT *pwe;
|
||||
BIGNUM *order;
|
||||
BIGNUM *prime;
|
||||
struct crypto_ec *group;
|
||||
struct crypto_ec_point *pwe;
|
||||
} EAP_PWD_group;
|
||||
|
||||
/*
|
||||
|
|
@ -61,8 +55,9 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
|
|||
const u8 *id_server, size_t id_server_len,
|
||||
const u8 *id_peer, size_t id_peer_len,
|
||||
const u8 *token);
|
||||
int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, const BIGNUM *k,
|
||||
const BIGNUM *peer_scalar, const BIGNUM *server_scalar,
|
||||
int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k,
|
||||
const struct crypto_bignum *peer_scalar,
|
||||
const struct crypto_bignum *server_scalar,
|
||||
const u8 *confirm_peer, const u8 *confirm_server,
|
||||
const u32 *ciphersuite, u8 *msk, u8 *emsk, u8 *session_id);
|
||||
struct crypto_hash * eap_pwd_h_init(void);
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@
|
|||
#include "common.h"
|
||||
#include "crypto/sha256.h"
|
||||
#include "crypto/ms_funcs.h"
|
||||
#include "crypto/crypto.h"
|
||||
#include "eap_peer/eap_i.h"
|
||||
#include "eap_common/eap_pwd_common.h"
|
||||
|
||||
|
|
@ -36,18 +37,16 @@ struct eap_pwd_data {
|
|||
size_t out_frag_pos;
|
||||
size_t mtu;
|
||||
|
||||
BIGNUM *k;
|
||||
BIGNUM *private_value;
|
||||
BIGNUM *server_scalar;
|
||||
BIGNUM *my_scalar;
|
||||
EC_POINT *my_element;
|
||||
EC_POINT *server_element;
|
||||
struct crypto_bignum *k;
|
||||
struct crypto_bignum *private_value;
|
||||
struct crypto_bignum *server_scalar;
|
||||
struct crypto_bignum *my_scalar;
|
||||
struct crypto_ec_point *my_element;
|
||||
struct crypto_ec_point *server_element;
|
||||
|
||||
u8 msk[EAP_MSK_LEN];
|
||||
u8 emsk[EAP_EMSK_LEN];
|
||||
u8 session_id[1 + SHA256_MAC_LEN];
|
||||
|
||||
BN_CTX *bnctx;
|
||||
};
|
||||
|
||||
|
||||
|
|
@ -107,15 +106,8 @@ static void * eap_pwd_init(struct eap_sm *sm)
|
|||
return NULL;
|
||||
}
|
||||
|
||||
if ((data->bnctx = BN_CTX_new()) == NULL) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD: bn context allocation fail");
|
||||
os_free(data);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if ((data->id_peer = os_malloc(identity_len)) == NULL) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD: memory allocation id fail");
|
||||
BN_CTX_free(data->bnctx);
|
||||
os_free(data);
|
||||
return NULL;
|
||||
}
|
||||
|
|
@ -125,7 +117,6 @@ static void * eap_pwd_init(struct eap_sm *sm)
|
|||
|
||||
if ((data->password = os_malloc(password_len)) == NULL) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD: memory allocation psk fail");
|
||||
BN_CTX_free(data->bnctx);
|
||||
bin_clear_free(data->id_peer, data->id_peer_len);
|
||||
os_free(data);
|
||||
return NULL;
|
||||
|
|
@ -152,21 +143,18 @@ static void eap_pwd_deinit(struct eap_sm *sm, void *priv)
|
|||
{
|
||||
struct eap_pwd_data *data = priv;
|
||||
|
||||
BN_clear_free(data->private_value);
|
||||
BN_clear_free(data->server_scalar);
|
||||
BN_clear_free(data->my_scalar);
|
||||
BN_clear_free(data->k);
|
||||
BN_CTX_free(data->bnctx);
|
||||
EC_POINT_clear_free(data->my_element);
|
||||
EC_POINT_clear_free(data->server_element);
|
||||
crypto_bignum_deinit(data->private_value, 1);
|
||||
crypto_bignum_deinit(data->server_scalar, 1);
|
||||
crypto_bignum_deinit(data->my_scalar, 1);
|
||||
crypto_bignum_deinit(data->k, 1);
|
||||
crypto_ec_point_deinit(data->my_element, 1);
|
||||
crypto_ec_point_deinit(data->server_element, 1);
|
||||
bin_clear_free(data->id_peer, data->id_peer_len);
|
||||
bin_clear_free(data->id_server, data->id_server_len);
|
||||
bin_clear_free(data->password, data->password_len);
|
||||
if (data->grp) {
|
||||
EC_GROUP_free(data->grp->group);
|
||||
EC_POINT_clear_free(data->grp->pwe);
|
||||
BN_clear_free(data->grp->order);
|
||||
BN_clear_free(data->grp->prime);
|
||||
crypto_ec_deinit(data->grp->group);
|
||||
crypto_ec_point_deinit(data->grp->pwe, 1);
|
||||
os_free(data->grp);
|
||||
}
|
||||
wpabuf_free(data->inbuf);
|
||||
|
|
@ -331,7 +319,7 @@ eap_pwd_perform_id_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
}
|
||||
|
||||
wpa_printf(MSG_DEBUG, "EAP-PWD (peer): computed %d bit PWE...",
|
||||
BN_num_bits(data->grp->prime));
|
||||
(int) crypto_ec_prime_len_bits(data->grp->group));
|
||||
|
||||
data->outbuf = wpabuf_alloc(sizeof(struct eap_pwd_id) +
|
||||
data->id_peer_len);
|
||||
|
|
@ -356,10 +344,10 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
const struct wpabuf *reqData,
|
||||
const u8 *payload, size_t payload_len)
|
||||
{
|
||||
EC_POINT *K = NULL, *point = NULL;
|
||||
BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
|
||||
u16 offset;
|
||||
u8 *ptr, *scalar = NULL, *element = NULL;
|
||||
struct crypto_ec_point *K = NULL, *point = NULL;
|
||||
struct crypto_bignum *mask = NULL, *cofactor = NULL;
|
||||
const u8 *ptr;
|
||||
u8 *scalar = NULL, *element = NULL;
|
||||
size_t prime_len, order_len;
|
||||
|
||||
if (data->state != PWD_Commit_Req) {
|
||||
|
|
@ -367,8 +355,8 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
goto fin;
|
||||
}
|
||||
|
||||
prime_len = BN_num_bytes(data->grp->prime);
|
||||
order_len = BN_num_bytes(data->grp->order);
|
||||
prime_len = crypto_ec_prime_len(data->grp->group);
|
||||
order_len = crypto_ec_order_len(data->grp->group);
|
||||
|
||||
if (payload_len != 2 * prime_len + order_len) {
|
||||
wpa_printf(MSG_INFO,
|
||||
|
|
@ -378,87 +366,85 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
goto fin;
|
||||
}
|
||||
|
||||
if (((data->private_value = BN_new()) == NULL) ||
|
||||
((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
|
||||
((cofactor = BN_new()) == NULL) ||
|
||||
((data->my_scalar = BN_new()) == NULL) ||
|
||||
((mask = BN_new()) == NULL)) {
|
||||
data->private_value = crypto_bignum_init();
|
||||
data->my_element = crypto_ec_point_init(data->grp->group);
|
||||
cofactor = crypto_bignum_init();
|
||||
data->my_scalar = crypto_bignum_init();
|
||||
mask = crypto_bignum_init();
|
||||
if (!data->private_value || !data->my_element || !cofactor ||
|
||||
!data->my_scalar || !mask) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): scalar allocation fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
if (!EC_GROUP_get_cofactor(data->grp->group, cofactor, NULL)) {
|
||||
if (crypto_ec_cofactor(data->grp->group, cofactor) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-pwd (peer): unable to get cofactor "
|
||||
"for curve");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
if (BN_rand_range(data->private_value, data->grp->order) != 1 ||
|
||||
BN_rand_range(mask, data->grp->order) != 1 ||
|
||||
BN_add(data->my_scalar, data->private_value, mask) != 1 ||
|
||||
BN_mod(data->my_scalar, data->my_scalar, data->grp->order,
|
||||
data->bnctx) != 1) {
|
||||
if (crypto_bignum_rand(data->private_value,
|
||||
crypto_ec_get_order(data->grp->group)) < 0 ||
|
||||
crypto_bignum_rand(mask,
|
||||
crypto_ec_get_order(data->grp->group)) < 0 ||
|
||||
crypto_bignum_add(data->private_value, mask,
|
||||
data->my_scalar) < 0 ||
|
||||
crypto_bignum_mod(data->my_scalar,
|
||||
crypto_ec_get_order(data->grp->group),
|
||||
data->my_scalar) < 0) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"EAP-pwd (peer): unable to get randomness");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
if (!EC_POINT_mul(data->grp->group, data->my_element, NULL,
|
||||
data->grp->pwe, mask, data->bnctx)) {
|
||||
if (crypto_ec_point_mul(data->grp->group, data->grp->pwe, mask,
|
||||
data->my_element) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): element allocation "
|
||||
"fail");
|
||||
eap_pwd_state(data, FAILURE);
|
||||
goto fin;
|
||||
}
|
||||
|
||||
if (!EC_POINT_invert(data->grp->group, data->my_element, data->bnctx))
|
||||
{
|
||||
if (crypto_ec_point_invert(data->grp->group, data->my_element) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): element inversion fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
if (((x = BN_new()) == NULL) ||
|
||||
((y = BN_new()) == NULL)) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): point allocation fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
/* process the request */
|
||||
if (((data->server_scalar = BN_new()) == NULL) ||
|
||||
((data->k = BN_new()) == NULL) ||
|
||||
((K = EC_POINT_new(data->grp->group)) == NULL) ||
|
||||
((point = EC_POINT_new(data->grp->group)) == NULL) ||
|
||||
((data->server_element = EC_POINT_new(data->grp->group)) == NULL))
|
||||
{
|
||||
data->k = crypto_bignum_init();
|
||||
K = crypto_ec_point_init(data->grp->group);
|
||||
point = crypto_ec_point_init(data->grp->group);
|
||||
if (!data->k || !K || !point) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation "
|
||||
"fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
/* element, x then y, followed by scalar */
|
||||
ptr = (u8 *) payload;
|
||||
BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), x);
|
||||
ptr += BN_num_bytes(data->grp->prime);
|
||||
BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), y);
|
||||
ptr += BN_num_bytes(data->grp->prime);
|
||||
BN_bin2bn(ptr, BN_num_bytes(data->grp->order), data->server_scalar);
|
||||
if (!EC_POINT_set_affine_coordinates_GFp(data->grp->group,
|
||||
data->server_element, x, y,
|
||||
data->bnctx)) {
|
||||
ptr = payload;
|
||||
data->server_element = crypto_ec_point_from_bin(data->grp->group, ptr);
|
||||
if (!data->server_element) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element "
|
||||
"fail");
|
||||
goto fin;
|
||||
}
|
||||
ptr += prime_len * 2;
|
||||
data->server_scalar = crypto_bignum_init_set(ptr, order_len);
|
||||
if (!data->server_scalar) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"EAP-PWD (peer): setting peer scalar fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
/* check to ensure server's element is not in a small sub-group */
|
||||
if (BN_cmp(cofactor, BN_value_one())) {
|
||||
if (!EC_POINT_mul(data->grp->group, point, NULL,
|
||||
data->server_element, cofactor, NULL)) {
|
||||
if (!crypto_bignum_is_one(cofactor)) {
|
||||
if (crypto_ec_point_mul(data->grp->group, data->server_element,
|
||||
cofactor, point) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
|
||||
"server element by order!\n");
|
||||
goto fin;
|
||||
}
|
||||
if (EC_POINT_is_at_infinity(data->grp->group, point)) {
|
||||
if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): server element "
|
||||
"is at infinity!\n");
|
||||
goto fin;
|
||||
|
|
@ -466,21 +452,20 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
}
|
||||
|
||||
/* compute the shared key, k */
|
||||
if ((!EC_POINT_mul(data->grp->group, K, NULL, data->grp->pwe,
|
||||
data->server_scalar, data->bnctx)) ||
|
||||
(!EC_POINT_add(data->grp->group, K, K, data->server_element,
|
||||
data->bnctx)) ||
|
||||
(!EC_POINT_mul(data->grp->group, K, NULL, K, data->private_value,
|
||||
data->bnctx))) {
|
||||
if (crypto_ec_point_mul(data->grp->group, data->grp->pwe,
|
||||
data->server_scalar, K) < 0 ||
|
||||
crypto_ec_point_add(data->grp->group, K, data->server_element,
|
||||
K) < 0 ||
|
||||
crypto_ec_point_mul(data->grp->group, K, data->private_value,
|
||||
K) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): computing shared key "
|
||||
"fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
/* ensure that the shared key isn't in a small sub-group */
|
||||
if (BN_cmp(cofactor, BN_value_one())) {
|
||||
if (!EC_POINT_mul(data->grp->group, K, NULL, K, cofactor,
|
||||
NULL)) {
|
||||
if (!crypto_bignum_is_one(cofactor)) {
|
||||
if (crypto_ec_point_mul(data->grp->group, K, cofactor, K) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply "
|
||||
"shared key point by order");
|
||||
goto fin;
|
||||
|
|
@ -493,30 +478,22 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
* never going to happen it is a simple and safe check "just to be
|
||||
* sure" so let's be safe.
|
||||
*/
|
||||
if (EC_POINT_is_at_infinity(data->grp->group, K)) {
|
||||
if (crypto_ec_point_is_at_infinity(data->grp->group, K)) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): shared key point is at "
|
||||
"infinity!\n");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, K, data->k,
|
||||
NULL, data->bnctx)) {
|
||||
if (crypto_ec_point_x(data->grp->group, K, data->k) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to extract "
|
||||
"shared secret from point");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
/* now do the response */
|
||||
if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
|
||||
data->my_element, x, y,
|
||||
data->bnctx)) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): point assignment fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
if (((scalar = os_malloc(BN_num_bytes(data->grp->order))) == NULL) ||
|
||||
((element = os_malloc(BN_num_bytes(data->grp->prime) * 2)) ==
|
||||
NULL)) {
|
||||
scalar = os_zalloc(order_len);
|
||||
element = os_zalloc(prime_len * 2);
|
||||
if (!scalar || !element) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): data allocation fail");
|
||||
goto fin;
|
||||
}
|
||||
|
|
@ -526,36 +503,28 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
* sufficiently smaller than the prime or order might need pre-pending
|
||||
* with zeros.
|
||||
*/
|
||||
os_memset(scalar, 0, BN_num_bytes(data->grp->order));
|
||||
os_memset(element, 0, BN_num_bytes(data->grp->prime) * 2);
|
||||
offset = BN_num_bytes(data->grp->order) -
|
||||
BN_num_bytes(data->my_scalar);
|
||||
BN_bn2bin(data->my_scalar, scalar + offset);
|
||||
crypto_bignum_to_bin(data->my_scalar, scalar, order_len, order_len);
|
||||
if (crypto_ec_point_to_bin(data->grp->group, data->my_element, element,
|
||||
element + prime_len) != 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): point assignment fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
|
||||
BN_bn2bin(x, element + offset);
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
|
||||
BN_bn2bin(y, element + BN_num_bytes(data->grp->prime) + offset);
|
||||
|
||||
data->outbuf = wpabuf_alloc(BN_num_bytes(data->grp->order) +
|
||||
2 * BN_num_bytes(data->grp->prime));
|
||||
data->outbuf = wpabuf_alloc(order_len + 2 * prime_len);
|
||||
if (data->outbuf == NULL)
|
||||
goto fin;
|
||||
|
||||
/* we send the element as (x,y) follwed by the scalar */
|
||||
wpabuf_put_data(data->outbuf, element,
|
||||
2 * BN_num_bytes(data->grp->prime));
|
||||
wpabuf_put_data(data->outbuf, scalar, BN_num_bytes(data->grp->order));
|
||||
wpabuf_put_data(data->outbuf, element, 2 * prime_len);
|
||||
wpabuf_put_data(data->outbuf, scalar, order_len);
|
||||
|
||||
fin:
|
||||
os_free(scalar);
|
||||
os_free(element);
|
||||
BN_clear_free(x);
|
||||
BN_clear_free(y);
|
||||
BN_clear_free(mask);
|
||||
BN_clear_free(cofactor);
|
||||
EC_POINT_clear_free(K);
|
||||
EC_POINT_clear_free(point);
|
||||
crypto_bignum_deinit(mask, 1);
|
||||
crypto_bignum_deinit(cofactor, 1);
|
||||
crypto_ec_point_deinit(K, 1);
|
||||
crypto_ec_point_deinit(point, 1);
|
||||
if (data->outbuf == NULL)
|
||||
eap_pwd_state(data, FAILURE);
|
||||
else
|
||||
|
|
@ -569,12 +538,11 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
const struct wpabuf *reqData,
|
||||
const u8 *payload, size_t payload_len)
|
||||
{
|
||||
BIGNUM *x = NULL, *y = NULL;
|
||||
struct crypto_hash *hash;
|
||||
u32 cs;
|
||||
u16 grp;
|
||||
u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
|
||||
int offset;
|
||||
size_t prime_len = 0, order_len = 0;
|
||||
|
||||
if (data->state != PWD_Confirm_Req) {
|
||||
ret->ignore = TRUE;
|
||||
|
|
@ -588,6 +556,9 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
goto fin;
|
||||
}
|
||||
|
||||
prime_len = crypto_ec_prime_len(data->grp->group);
|
||||
order_len = crypto_ec_order_len(data->grp->group);
|
||||
|
||||
/*
|
||||
* first build up the ciphersuite which is group | random_function |
|
||||
* prf
|
||||
|
|
@ -600,9 +571,9 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
ptr += sizeof(u8);
|
||||
*ptr = EAP_PWD_DEFAULT_PRF;
|
||||
|
||||
/* each component of the cruft will be at most as big as the prime */
|
||||
if (((cruft = os_malloc(BN_num_bytes(data->grp->prime))) == NULL) ||
|
||||
((x = BN_new()) == NULL) || ((y = BN_new()) == NULL)) {
|
||||
/* each component of the point will be at most as big as the prime */
|
||||
cruft = os_malloc(prime_len * 2);
|
||||
if (!cruft) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): confirm allocation "
|
||||
"fail");
|
||||
goto fin;
|
||||
|
|
@ -620,59 +591,34 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
* zero the memory each time because this is mod prime math and some
|
||||
* value may start with a few zeros and the previous one did not.
|
||||
*/
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
|
||||
BN_bn2bin(data->k, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
crypto_bignum_to_bin(data->k, cruft, prime_len, prime_len);
|
||||
eap_pwd_h_update(hash, cruft, prime_len);
|
||||
|
||||
/* server element: x, y */
|
||||
if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
|
||||
data->server_element, x, y,
|
||||
data->bnctx)) {
|
||||
if (crypto_ec_point_to_bin(data->grp->group, data->server_element,
|
||||
cruft, cruft + prime_len) != 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
|
||||
"assignment fail");
|
||||
goto fin;
|
||||
}
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
|
||||
BN_bn2bin(x, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
|
||||
BN_bn2bin(y, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
eap_pwd_h_update(hash, cruft, prime_len * 2);
|
||||
|
||||
/* server scalar */
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->order) -
|
||||
BN_num_bytes(data->server_scalar);
|
||||
BN_bn2bin(data->server_scalar, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
|
||||
crypto_bignum_to_bin(data->server_scalar, cruft, order_len, order_len);
|
||||
eap_pwd_h_update(hash, cruft, order_len);
|
||||
|
||||
/* my element: x, y */
|
||||
if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
|
||||
data->my_element, x, y,
|
||||
data->bnctx)) {
|
||||
if (crypto_ec_point_to_bin(data->grp->group, data->my_element, cruft,
|
||||
cruft + prime_len) != 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
|
||||
"assignment fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
|
||||
BN_bn2bin(x, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
|
||||
BN_bn2bin(y, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
eap_pwd_h_update(hash, cruft, prime_len * 2);
|
||||
|
||||
/* my scalar */
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->order) -
|
||||
BN_num_bytes(data->my_scalar);
|
||||
BN_bn2bin(data->my_scalar, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
|
||||
crypto_bignum_to_bin(data->my_scalar, cruft, order_len, order_len);
|
||||
eap_pwd_h_update(hash, cruft, order_len);
|
||||
|
||||
/* the ciphersuite */
|
||||
eap_pwd_h_update(hash, (u8 *) &cs, sizeof(u32));
|
||||
|
|
@ -698,58 +644,34 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
goto fin;
|
||||
|
||||
/* k */
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
|
||||
BN_bn2bin(data->k, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
crypto_bignum_to_bin(data->k, cruft, prime_len, prime_len);
|
||||
eap_pwd_h_update(hash, cruft, prime_len);
|
||||
|
||||
/* my element */
|
||||
if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
|
||||
data->my_element, x, y,
|
||||
data->bnctx)) {
|
||||
if (crypto_ec_point_to_bin(data->grp->group, data->my_element, cruft,
|
||||
cruft + prime_len) != 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm point "
|
||||
"assignment fail");
|
||||
goto fin;
|
||||
}
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
|
||||
BN_bn2bin(x, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
|
||||
BN_bn2bin(y, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
eap_pwd_h_update(hash, cruft, prime_len * 2);
|
||||
|
||||
/* my scalar */
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->order) -
|
||||
BN_num_bytes(data->my_scalar);
|
||||
BN_bn2bin(data->my_scalar, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
|
||||
crypto_bignum_to_bin(data->my_scalar, cruft, order_len, order_len);
|
||||
eap_pwd_h_update(hash, cruft, order_len);
|
||||
|
||||
/* server element: x, y */
|
||||
if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
|
||||
data->server_element, x, y,
|
||||
data->bnctx)) {
|
||||
if (crypto_ec_point_to_bin(data->grp->group, data->server_element,
|
||||
cruft, cruft + prime_len) != 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm point "
|
||||
"assignment fail");
|
||||
goto fin;
|
||||
}
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
|
||||
BN_bn2bin(x, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
|
||||
BN_bn2bin(y, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
eap_pwd_h_update(hash, cruft, prime_len * 2);
|
||||
|
||||
/* server scalar */
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->order) -
|
||||
BN_num_bytes(data->server_scalar);
|
||||
BN_bn2bin(data->server_scalar, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
|
||||
crypto_bignum_to_bin(data->server_scalar, cruft, order_len, order_len);
|
||||
eap_pwd_h_update(hash, cruft, order_len);
|
||||
|
||||
/* the ciphersuite */
|
||||
eap_pwd_h_update(hash, (u8 *) &cs, sizeof(u32));
|
||||
|
|
@ -757,7 +679,7 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
/* all done */
|
||||
eap_pwd_h_final(hash, conf);
|
||||
|
||||
if (compute_keys(data->grp, data->bnctx, data->k,
|
||||
if (compute_keys(data->grp, data->k,
|
||||
data->my_scalar, data->server_scalar, conf, ptr,
|
||||
&cs, data->msk, data->emsk, data->session_id) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to compute MSK | "
|
||||
|
|
@ -772,10 +694,7 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
|
||||
|
||||
fin:
|
||||
if (data->grp)
|
||||
bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
|
||||
BN_clear_free(x);
|
||||
BN_clear_free(y);
|
||||
bin_clear_free(cruft, prime_len * 2);
|
||||
if (data->outbuf == NULL) {
|
||||
ret->methodState = METHOD_DONE;
|
||||
ret->decision = DECISION_FAIL;
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@
|
|||
#include "common.h"
|
||||
#include "crypto/sha256.h"
|
||||
#include "crypto/ms_funcs.h"
|
||||
#include "crypto/crypto.h"
|
||||
#include "eap_server/eap_i.h"
|
||||
#include "eap_common/eap_pwd_common.h"
|
||||
|
||||
|
|
@ -36,20 +37,18 @@ struct eap_pwd_data {
|
|||
size_t out_frag_pos;
|
||||
size_t mtu;
|
||||
|
||||
BIGNUM *k;
|
||||
BIGNUM *private_value;
|
||||
BIGNUM *peer_scalar;
|
||||
BIGNUM *my_scalar;
|
||||
EC_POINT *my_element;
|
||||
EC_POINT *peer_element;
|
||||
struct crypto_bignum *k;
|
||||
struct crypto_bignum *private_value;
|
||||
struct crypto_bignum *peer_scalar;
|
||||
struct crypto_bignum *my_scalar;
|
||||
struct crypto_ec_point *my_element;
|
||||
struct crypto_ec_point *peer_element;
|
||||
|
||||
u8 my_confirm[SHA256_MAC_LEN];
|
||||
|
||||
u8 msk[EAP_MSK_LEN];
|
||||
u8 emsk[EAP_EMSK_LEN];
|
||||
u8 session_id[1 + SHA256_MAC_LEN];
|
||||
|
||||
BN_CTX *bnctx;
|
||||
};
|
||||
|
||||
|
||||
|
|
@ -116,15 +115,6 @@ static void * eap_pwd_init(struct eap_sm *sm)
|
|||
os_memcpy(data->password, sm->user->password, data->password_len);
|
||||
data->password_hash = sm->user->password_hash;
|
||||
|
||||
data->bnctx = BN_CTX_new();
|
||||
if (data->bnctx == NULL) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD: bn context allocation fail");
|
||||
bin_clear_free(data->password, data->password_len);
|
||||
bin_clear_free(data->id_server, data->id_server_len);
|
||||
os_free(data);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
data->in_frag_pos = data->out_frag_pos = 0;
|
||||
data->inbuf = data->outbuf = NULL;
|
||||
/* use default MTU from RFC 5931 if not configured otherwise */
|
||||
|
|
@ -138,21 +128,18 @@ static void eap_pwd_reset(struct eap_sm *sm, void *priv)
|
|||
{
|
||||
struct eap_pwd_data *data = priv;
|
||||
|
||||
BN_clear_free(data->private_value);
|
||||
BN_clear_free(data->peer_scalar);
|
||||
BN_clear_free(data->my_scalar);
|
||||
BN_clear_free(data->k);
|
||||
BN_CTX_free(data->bnctx);
|
||||
EC_POINT_clear_free(data->my_element);
|
||||
EC_POINT_clear_free(data->peer_element);
|
||||
crypto_bignum_deinit(data->private_value, 1);
|
||||
crypto_bignum_deinit(data->peer_scalar, 1);
|
||||
crypto_bignum_deinit(data->my_scalar, 1);
|
||||
crypto_bignum_deinit(data->k, 1);
|
||||
crypto_ec_point_deinit(data->my_element, 1);
|
||||
crypto_ec_point_deinit(data->peer_element, 1);
|
||||
bin_clear_free(data->id_peer, data->id_peer_len);
|
||||
bin_clear_free(data->id_server, data->id_server_len);
|
||||
bin_clear_free(data->password, data->password_len);
|
||||
if (data->grp) {
|
||||
EC_GROUP_free(data->grp->group);
|
||||
EC_POINT_clear_free(data->grp->pwe);
|
||||
BN_clear_free(data->grp->order);
|
||||
BN_clear_free(data->grp->prime);
|
||||
crypto_ec_deinit(data->grp->group);
|
||||
crypto_ec_point_deinit(data->grp->pwe, 1);
|
||||
os_free(data->grp);
|
||||
}
|
||||
wpabuf_free(data->inbuf);
|
||||
|
|
@ -198,9 +185,9 @@ static void eap_pwd_build_id_req(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
static void eap_pwd_build_commit_req(struct eap_sm *sm,
|
||||
struct eap_pwd_data *data, u8 id)
|
||||
{
|
||||
BIGNUM *mask = NULL, *x = NULL, *y = NULL;
|
||||
struct crypto_bignum *mask = NULL;
|
||||
u8 *scalar = NULL, *element = NULL;
|
||||
u16 offset;
|
||||
size_t prime_len, order_len;
|
||||
|
||||
wpa_printf(MSG_DEBUG, "EAP-pwd: Commit/Request");
|
||||
/*
|
||||
|
|
@ -210,93 +197,75 @@ static void eap_pwd_build_commit_req(struct eap_sm *sm,
|
|||
if (data->out_frag_pos)
|
||||
return;
|
||||
|
||||
if (((data->private_value = BN_new()) == NULL) ||
|
||||
((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
|
||||
((data->my_scalar = BN_new()) == NULL) ||
|
||||
((mask = BN_new()) == NULL)) {
|
||||
prime_len = crypto_ec_prime_len(data->grp->group);
|
||||
order_len = crypto_ec_order_len(data->grp->group);
|
||||
|
||||
data->private_value = crypto_bignum_init();
|
||||
data->my_element = crypto_ec_point_init(data->grp->group);
|
||||
data->my_scalar = crypto_bignum_init();
|
||||
mask = crypto_bignum_init();
|
||||
if (!data->private_value || !data->my_element || !data->my_scalar ||
|
||||
!mask) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): scalar allocation "
|
||||
"fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
if (BN_rand_range(data->private_value, data->grp->order) != 1 ||
|
||||
BN_rand_range(mask, data->grp->order) != 1 ||
|
||||
BN_add(data->my_scalar, data->private_value, mask) != 1 ||
|
||||
BN_mod(data->my_scalar, data->my_scalar, data->grp->order,
|
||||
data->bnctx) != 1) {
|
||||
if (crypto_bignum_rand(data->private_value,
|
||||
crypto_ec_get_order(data->grp->group)) < 0 ||
|
||||
crypto_bignum_rand(mask,
|
||||
crypto_ec_get_order(data->grp->group)) < 0 ||
|
||||
crypto_bignum_add(data->private_value, mask, data->my_scalar) < 0 ||
|
||||
crypto_bignum_mod(data->my_scalar,
|
||||
crypto_ec_get_order(data->grp->group),
|
||||
data->my_scalar) < 0) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"EAP-pwd (server): unable to get randomness");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
if (!EC_POINT_mul(data->grp->group, data->my_element, NULL,
|
||||
data->grp->pwe, mask, data->bnctx)) {
|
||||
if (crypto_ec_point_mul(data->grp->group, data->grp->pwe, mask,
|
||||
data->my_element) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): element allocation "
|
||||
"fail");
|
||||
eap_pwd_state(data, FAILURE);
|
||||
goto fin;
|
||||
}
|
||||
|
||||
if (!EC_POINT_invert(data->grp->group, data->my_element, data->bnctx))
|
||||
{
|
||||
if (crypto_ec_point_invert(data->grp->group, data->my_element) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): element inversion "
|
||||
"fail");
|
||||
goto fin;
|
||||
}
|
||||
BN_clear_free(mask);
|
||||
|
||||
if (((x = BN_new()) == NULL) ||
|
||||
((y = BN_new()) == NULL)) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): point allocation "
|
||||
"fail");
|
||||
scalar = os_malloc(order_len);
|
||||
element = os_malloc(prime_len * 2);
|
||||
if (!scalar || !element) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): data allocation fail");
|
||||
goto fin;
|
||||
}
|
||||
if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
|
||||
data->my_element, x, y,
|
||||
data->bnctx)) {
|
||||
|
||||
if (crypto_ec_point_to_bin(data->grp->group, data->my_element, element,
|
||||
element + prime_len) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): point assignment "
|
||||
"fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
if (((scalar = os_malloc(BN_num_bytes(data->grp->order))) == NULL) ||
|
||||
((element = os_malloc(BN_num_bytes(data->grp->prime) * 2)) ==
|
||||
NULL)) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): data allocation fail");
|
||||
goto fin;
|
||||
}
|
||||
crypto_bignum_to_bin(data->my_scalar, scalar, order_len, order_len);
|
||||
|
||||
/*
|
||||
* bignums occupy as little memory as possible so one that is
|
||||
* sufficiently smaller than the prime or order might need pre-pending
|
||||
* with zeros.
|
||||
*/
|
||||
os_memset(scalar, 0, BN_num_bytes(data->grp->order));
|
||||
os_memset(element, 0, BN_num_bytes(data->grp->prime) * 2);
|
||||
offset = BN_num_bytes(data->grp->order) -
|
||||
BN_num_bytes(data->my_scalar);
|
||||
BN_bn2bin(data->my_scalar, scalar + offset);
|
||||
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
|
||||
BN_bn2bin(x, element + offset);
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
|
||||
BN_bn2bin(y, element + BN_num_bytes(data->grp->prime) + offset);
|
||||
|
||||
data->outbuf = wpabuf_alloc(2 * BN_num_bytes(data->grp->prime) +
|
||||
BN_num_bytes(data->grp->order));
|
||||
data->outbuf = wpabuf_alloc(2 * prime_len + order_len);
|
||||
if (data->outbuf == NULL)
|
||||
goto fin;
|
||||
|
||||
/* We send the element as (x,y) followed by the scalar */
|
||||
wpabuf_put_data(data->outbuf, element,
|
||||
2 * BN_num_bytes(data->grp->prime));
|
||||
wpabuf_put_data(data->outbuf, scalar, BN_num_bytes(data->grp->order));
|
||||
wpabuf_put_data(data->outbuf, element, 2 * prime_len);
|
||||
wpabuf_put_data(data->outbuf, scalar, order_len);
|
||||
|
||||
fin:
|
||||
crypto_bignum_deinit(mask, 1);
|
||||
os_free(scalar);
|
||||
os_free(element);
|
||||
BN_clear_free(x);
|
||||
BN_clear_free(y);
|
||||
if (data->outbuf == NULL)
|
||||
eap_pwd_state(data, FAILURE);
|
||||
}
|
||||
|
|
@ -305,11 +274,10 @@ fin:
|
|||
static void eap_pwd_build_confirm_req(struct eap_sm *sm,
|
||||
struct eap_pwd_data *data, u8 id)
|
||||
{
|
||||
BIGNUM *x = NULL, *y = NULL;
|
||||
struct crypto_hash *hash;
|
||||
u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
|
||||
u16 grp;
|
||||
int offset;
|
||||
size_t prime_len, order_len;
|
||||
|
||||
wpa_printf(MSG_DEBUG, "EAP-pwd: Confirm/Request");
|
||||
/*
|
||||
|
|
@ -319,9 +287,12 @@ static void eap_pwd_build_confirm_req(struct eap_sm *sm,
|
|||
if (data->out_frag_pos)
|
||||
return;
|
||||
|
||||
prime_len = crypto_ec_prime_len(data->grp->group);
|
||||
order_len = crypto_ec_order_len(data->grp->group);
|
||||
|
||||
/* Each component of the cruft will be at most as big as the prime */
|
||||
if (((cruft = os_malloc(BN_num_bytes(data->grp->prime))) == NULL) ||
|
||||
((x = BN_new()) == NULL) || ((y = BN_new()) == NULL)) {
|
||||
cruft = os_malloc(prime_len * 2);
|
||||
if (!cruft) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): debug allocation "
|
||||
"fail");
|
||||
goto fin;
|
||||
|
|
@ -341,64 +312,38 @@ static void eap_pwd_build_confirm_req(struct eap_sm *sm,
|
|||
*
|
||||
* First is k
|
||||
*/
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
|
||||
BN_bn2bin(data->k, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
crypto_bignum_to_bin(data->k, cruft, prime_len, prime_len);
|
||||
eap_pwd_h_update(hash, cruft, prime_len);
|
||||
|
||||
/* server element: x, y */
|
||||
if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
|
||||
data->my_element, x, y,
|
||||
data->bnctx)) {
|
||||
if (crypto_ec_point_to_bin(data->grp->group, data->my_element, cruft,
|
||||
cruft + prime_len) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
|
||||
"assignment fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
|
||||
BN_bn2bin(x, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
|
||||
BN_bn2bin(y, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
eap_pwd_h_update(hash, cruft, prime_len * 2);
|
||||
|
||||
/* server scalar */
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->order) -
|
||||
BN_num_bytes(data->my_scalar);
|
||||
BN_bn2bin(data->my_scalar, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
|
||||
crypto_bignum_to_bin(data->my_scalar, cruft, order_len, order_len);
|
||||
eap_pwd_h_update(hash, cruft, order_len);
|
||||
|
||||
/* peer element: x, y */
|
||||
if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
|
||||
data->peer_element, x, y,
|
||||
data->bnctx)) {
|
||||
if (crypto_ec_point_to_bin(data->grp->group, data->peer_element, cruft,
|
||||
cruft + prime_len) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
|
||||
"assignment fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
|
||||
BN_bn2bin(x, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
|
||||
BN_bn2bin(y, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
eap_pwd_h_update(hash, cruft, prime_len * 2);
|
||||
|
||||
/* peer scalar */
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->order) -
|
||||
BN_num_bytes(data->peer_scalar);
|
||||
BN_bn2bin(data->peer_scalar, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
|
||||
crypto_bignum_to_bin(data->peer_scalar, cruft, order_len, order_len);
|
||||
eap_pwd_h_update(hash, cruft, order_len);
|
||||
|
||||
/* ciphersuite */
|
||||
grp = htons(data->group_num);
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
os_memset(cruft, 0, prime_len);
|
||||
ptr = cruft;
|
||||
os_memcpy(ptr, &grp, sizeof(u16));
|
||||
ptr += sizeof(u16);
|
||||
|
|
@ -419,9 +364,7 @@ static void eap_pwd_build_confirm_req(struct eap_sm *sm,
|
|||
wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
|
||||
|
||||
fin:
|
||||
bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
|
||||
BN_clear_free(x);
|
||||
BN_clear_free(y);
|
||||
bin_clear_free(cruft, prime_len * 2);
|
||||
if (data->outbuf == NULL)
|
||||
eap_pwd_state(data, FAILURE);
|
||||
}
|
||||
|
|
@ -649,7 +592,7 @@ static void eap_pwd_process_id_resp(struct eap_sm *sm,
|
|||
return;
|
||||
}
|
||||
wpa_printf(MSG_DEBUG, "EAP-PWD (server): computed %d bit PWE...",
|
||||
BN_num_bits(data->grp->prime));
|
||||
(int) crypto_ec_prime_len_bits(data->grp->group));
|
||||
|
||||
eap_pwd_state(data, PWD_Commit_Req);
|
||||
}
|
||||
|
|
@ -659,16 +602,16 @@ static void
|
|||
eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
|
||||
const u8 *payload, size_t payload_len)
|
||||
{
|
||||
u8 *ptr;
|
||||
BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
|
||||
EC_POINT *K = NULL, *point = NULL;
|
||||
const u8 *ptr;
|
||||
struct crypto_bignum *cofactor = NULL;
|
||||
struct crypto_ec_point *K = NULL, *point = NULL;
|
||||
int res = 0;
|
||||
size_t prime_len, order_len;
|
||||
|
||||
wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response");
|
||||
|
||||
prime_len = BN_num_bytes(data->grp->prime);
|
||||
order_len = BN_num_bytes(data->grp->order);
|
||||
prime_len = crypto_ec_prime_len(data->grp->group);
|
||||
order_len = crypto_ec_order_len(data->grp->group);
|
||||
|
||||
if (payload_len != 2 * prime_len + order_len) {
|
||||
wpa_printf(MSG_INFO,
|
||||
|
|
@ -678,49 +621,47 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
goto fin;
|
||||
}
|
||||
|
||||
if (((data->peer_scalar = BN_new()) == NULL) ||
|
||||
((data->k = BN_new()) == NULL) ||
|
||||
((cofactor = BN_new()) == NULL) ||
|
||||
((x = BN_new()) == NULL) ||
|
||||
((y = BN_new()) == NULL) ||
|
||||
((point = EC_POINT_new(data->grp->group)) == NULL) ||
|
||||
((K = EC_POINT_new(data->grp->group)) == NULL) ||
|
||||
((data->peer_element = EC_POINT_new(data->grp->group)) == NULL)) {
|
||||
data->k = crypto_bignum_init();
|
||||
cofactor = crypto_bignum_init();
|
||||
point = crypto_ec_point_init(data->grp->group);
|
||||
K = crypto_ec_point_init(data->grp->group);
|
||||
if (!data->k || !cofactor || !point || !K) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
|
||||
"fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
if (!EC_GROUP_get_cofactor(data->grp->group, cofactor, NULL)) {
|
||||
if (crypto_ec_cofactor(data->grp->group, cofactor) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): unable to get "
|
||||
"cofactor for curve");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
/* element, x then y, followed by scalar */
|
||||
ptr = (u8 *) payload;
|
||||
BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), x);
|
||||
ptr += BN_num_bytes(data->grp->prime);
|
||||
BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), y);
|
||||
ptr += BN_num_bytes(data->grp->prime);
|
||||
BN_bin2bn(ptr, BN_num_bytes(data->grp->order), data->peer_scalar);
|
||||
if (!EC_POINT_set_affine_coordinates_GFp(data->grp->group,
|
||||
data->peer_element, x, y,
|
||||
data->bnctx)) {
|
||||
ptr = payload;
|
||||
data->peer_element = crypto_ec_point_from_bin(data->grp->group, ptr);
|
||||
if (!data->peer_element) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): setting peer element "
|
||||
"fail");
|
||||
goto fin;
|
||||
}
|
||||
ptr += prime_len * 2;
|
||||
data->peer_scalar = crypto_bignum_init_set(ptr, order_len);
|
||||
if (!data->peer_scalar) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation "
|
||||
"fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
/* check to ensure peer's element is not in a small sub-group */
|
||||
if (BN_cmp(cofactor, BN_value_one())) {
|
||||
if (!EC_POINT_mul(data->grp->group, point, NULL,
|
||||
data->peer_element, cofactor, NULL)) {
|
||||
if (!crypto_bignum_is_one(cofactor)) {
|
||||
if (crypto_ec_point_mul(data->grp->group, data->peer_element,
|
||||
cofactor, point) != 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
|
||||
"multiply peer element by order");
|
||||
goto fin;
|
||||
}
|
||||
if (EC_POINT_is_at_infinity(data->grp->group, point)) {
|
||||
if (crypto_ec_point_is_at_infinity(data->grp->group, point)) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): peer element "
|
||||
"is at infinity!\n");
|
||||
goto fin;
|
||||
|
|
@ -728,21 +669,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
}
|
||||
|
||||
/* compute the shared key, k */
|
||||
if ((!EC_POINT_mul(data->grp->group, K, NULL, data->grp->pwe,
|
||||
data->peer_scalar, data->bnctx)) ||
|
||||
(!EC_POINT_add(data->grp->group, K, K, data->peer_element,
|
||||
data->bnctx)) ||
|
||||
(!EC_POINT_mul(data->grp->group, K, NULL, K, data->private_value,
|
||||
data->bnctx))) {
|
||||
if ((crypto_ec_point_mul(data->grp->group, data->grp->pwe,
|
||||
data->peer_scalar, K) < 0) ||
|
||||
(crypto_ec_point_add(data->grp->group, K, data->peer_element,
|
||||
K) < 0) ||
|
||||
(crypto_ec_point_mul(data->grp->group, K, data->private_value,
|
||||
K) < 0)) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): computing shared key "
|
||||
"fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
/* ensure that the shared key isn't in a small sub-group */
|
||||
if (BN_cmp(cofactor, BN_value_one())) {
|
||||
if (!EC_POINT_mul(data->grp->group, K, NULL, K, cofactor,
|
||||
NULL)) {
|
||||
if (!crypto_bignum_is_one(cofactor)) {
|
||||
if (crypto_ec_point_mul(data->grp->group, K, cofactor,
|
||||
K) != 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): cannot "
|
||||
"multiply shared key point by order!\n");
|
||||
goto fin;
|
||||
|
|
@ -755,13 +696,12 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
* never going to happen it is a simple and safe check "just to be
|
||||
* sure" so let's be safe.
|
||||
*/
|
||||
if (EC_POINT_is_at_infinity(data->grp->group, K)) {
|
||||
if (crypto_ec_point_is_at_infinity(data->grp->group, K)) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): shared key point is "
|
||||
"at infinity");
|
||||
goto fin;
|
||||
}
|
||||
if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, K, data->k,
|
||||
NULL, data->bnctx)) {
|
||||
if (crypto_ec_point_x(data->grp->group, K, data->k)) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): unable to extract "
|
||||
"shared secret from secret point");
|
||||
goto fin;
|
||||
|
|
@ -769,11 +709,9 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
res = 1;
|
||||
|
||||
fin:
|
||||
EC_POINT_clear_free(K);
|
||||
EC_POINT_clear_free(point);
|
||||
BN_clear_free(cofactor);
|
||||
BN_clear_free(x);
|
||||
BN_clear_free(y);
|
||||
crypto_ec_point_deinit(K, 1);
|
||||
crypto_ec_point_deinit(point, 1);
|
||||
crypto_bignum_deinit(cofactor, 1);
|
||||
|
||||
if (res)
|
||||
eap_pwd_state(data, PWD_Confirm_Req);
|
||||
|
|
@ -786,12 +724,14 @@ static void
|
|||
eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
|
||||
const u8 *payload, size_t payload_len)
|
||||
{
|
||||
BIGNUM *x = NULL, *y = NULL;
|
||||
struct crypto_hash *hash;
|
||||
u32 cs;
|
||||
u16 grp;
|
||||
u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
|
||||
int offset;
|
||||
size_t prime_len, order_len;
|
||||
|
||||
prime_len = crypto_ec_prime_len(data->grp->group);
|
||||
order_len = crypto_ec_order_len(data->grp->group);
|
||||
|
||||
if (payload_len != SHA256_MAC_LEN) {
|
||||
wpa_printf(MSG_INFO,
|
||||
|
|
@ -810,8 +750,8 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
*ptr = EAP_PWD_DEFAULT_PRF;
|
||||
|
||||
/* each component of the cruft will be at most as big as the prime */
|
||||
if (((cruft = os_malloc(BN_num_bytes(data->grp->prime))) == NULL) ||
|
||||
((x = BN_new()) == NULL) || ((y = BN_new()) == NULL)) {
|
||||
cruft = os_malloc(prime_len * 2);
|
||||
if (!cruft) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (peer): allocation fail");
|
||||
goto fin;
|
||||
}
|
||||
|
|
@ -825,62 +765,36 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
goto fin;
|
||||
|
||||
/* k */
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k);
|
||||
BN_bn2bin(data->k, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
crypto_bignum_to_bin(data->k, cruft, prime_len, prime_len);
|
||||
eap_pwd_h_update(hash, cruft, prime_len);
|
||||
|
||||
/* peer element: x, y */
|
||||
if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
|
||||
data->peer_element, x, y,
|
||||
data->bnctx)) {
|
||||
if (crypto_ec_point_to_bin(data->grp->group, data->peer_element, cruft,
|
||||
cruft + prime_len) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
|
||||
"assignment fail");
|
||||
goto fin;
|
||||
}
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
|
||||
BN_bn2bin(x, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
|
||||
BN_bn2bin(y, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
eap_pwd_h_update(hash, cruft, prime_len * 2);
|
||||
|
||||
/* peer scalar */
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->order) -
|
||||
BN_num_bytes(data->peer_scalar);
|
||||
BN_bn2bin(data->peer_scalar, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
|
||||
crypto_bignum_to_bin(data->peer_scalar, cruft, order_len, order_len);
|
||||
eap_pwd_h_update(hash, cruft, order_len);
|
||||
|
||||
/* server element: x, y */
|
||||
if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group,
|
||||
data->my_element, x, y,
|
||||
data->bnctx)) {
|
||||
if (crypto_ec_point_to_bin(data->grp->group, data->my_element, cruft,
|
||||
cruft + prime_len) < 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point "
|
||||
"assignment fail");
|
||||
goto fin;
|
||||
}
|
||||
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x);
|
||||
BN_bn2bin(x, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y);
|
||||
BN_bn2bin(y, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime));
|
||||
eap_pwd_h_update(hash, cruft, prime_len * 2);
|
||||
|
||||
/* server scalar */
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
offset = BN_num_bytes(data->grp->order) -
|
||||
BN_num_bytes(data->my_scalar);
|
||||
BN_bn2bin(data->my_scalar, cruft + offset);
|
||||
eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order));
|
||||
crypto_bignum_to_bin(data->my_scalar, cruft, order_len, order_len);
|
||||
eap_pwd_h_update(hash, cruft, order_len);
|
||||
|
||||
/* ciphersuite */
|
||||
os_memset(cruft, 0, BN_num_bytes(data->grp->prime));
|
||||
eap_pwd_h_update(hash, (u8 *) &cs, sizeof(u32));
|
||||
|
||||
/* all done */
|
||||
|
|
@ -894,7 +808,7 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
}
|
||||
|
||||
wpa_printf(MSG_DEBUG, "EAP-pwd (server): confirm verified");
|
||||
if (compute_keys(data->grp, data->bnctx, data->k,
|
||||
if (compute_keys(data->grp, data->k,
|
||||
data->peer_scalar, data->my_scalar, conf,
|
||||
data->my_confirm, &cs, data->msk, data->emsk,
|
||||
data->session_id) < 0)
|
||||
|
|
@ -903,9 +817,7 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
|
|||
eap_pwd_state(data, SUCCESS);
|
||||
|
||||
fin:
|
||||
bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
|
||||
BN_clear_free(x);
|
||||
BN_clear_free(y);
|
||||
bin_clear_free(cruft, prime_len * 2);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -684,6 +684,7 @@ L_CFLAGS += -DEAP_PWD
|
|||
OBJS += src/eap_peer/eap_pwd.c src/eap_common/eap_pwd_common.c
|
||||
CONFIG_IEEE8021X_EAPOL=y
|
||||
NEED_SHA256=y
|
||||
NEED_ECC=y
|
||||
endif
|
||||
|
||||
ifdef CONFIG_EAP_EKE
|
||||
|
|
|
|||
|
|
@ -712,6 +712,7 @@ CFLAGS += -DEAP_PWD
|
|||
OBJS += ../src/eap_peer/eap_pwd.o ../src/eap_common/eap_pwd_common.o
|
||||
CONFIG_IEEE8021X_EAPOL=y
|
||||
NEED_SHA256=y
|
||||
NEED_ECC=y
|
||||
endif
|
||||
|
||||
ifdef CONFIG_EAP_EKE
|
||||
|
|
|
|||
Loading…
Reference in a new issue