77 static void eap_pwd_state(struct eap_pwd_data *data, int state)  in eap_pwd_state()  argument
80 		   eap_pwd_state_txt(data->state), eap_pwd_state_txt(state));  in eap_pwd_state()
81 	data->state = state;  in eap_pwd_state()
87 	struct eap_pwd_data *data;  in eap_pwd_init()  local
96 	data = os_zalloc(sizeof(*data));  in eap_pwd_init()
97 	if (data == NULL)  in eap_pwd_init()
100 	data->group_num = sm->cfg->pwd_group;  in eap_pwd_init()
102 		   data->group_num);  in eap_pwd_init()
103 	data->state = PWD_ID_Req;  in eap_pwd_init()
105 	data->id_server = (u8 *) os_strdup("server");  in eap_pwd_init()
106 	if (data->id_server)  in eap_pwd_init()
107 		data->id_server_len = os_strlen((char *) data->id_server);  in eap_pwd_init()
109 	data->password = os_malloc(sm->user->password_len);  in eap_pwd_init()
110 	if (data->password == NULL) {  in eap_pwd_init()
113 		bin_clear_free(data->id_server, data->id_server_len);  in eap_pwd_init()
114 		os_free(data);  in eap_pwd_init()
117 	data->password_len = sm->user->password_len;  in eap_pwd_init()
118 	os_memcpy(data->password, sm->user->password, data->password_len);  in eap_pwd_init()
119 	data->password_hash = sm->user->password_hash;  in eap_pwd_init()
121 	data->salt_len = sm->user->salt_len;  in eap_pwd_init()
122 	if (data->salt_len) {  in eap_pwd_init()
123 		data->salt = os_memdup(sm->user->salt, sm->user->salt_len);  in eap_pwd_init()
124 		if (!data->salt) {  in eap_pwd_init()
127 			bin_clear_free(data->id_server, data->id_server_len);  in eap_pwd_init()
128 			bin_clear_free(data->password, data->password_len);  in eap_pwd_init()
129 			os_free(data);  in eap_pwd_init()
134 	data->in_frag_pos = data->out_frag_pos = 0;  in eap_pwd_init()
135 	data->inbuf = data->outbuf = NULL;  in eap_pwd_init()
137 	data->mtu = sm->cfg->fragment_size > 0 ? sm->cfg->fragment_size : 1020;  in eap_pwd_init()
139 	return data;  in eap_pwd_init()
145 	struct eap_pwd_data *data = priv;  in eap_pwd_reset()  local
147 	crypto_bignum_deinit(data->private_value, 1);  in eap_pwd_reset()
148 	crypto_bignum_deinit(data->peer_scalar, 1);  in eap_pwd_reset()
149 	crypto_bignum_deinit(data->my_scalar, 1);  in eap_pwd_reset()
150 	crypto_bignum_deinit(data->k, 1);  in eap_pwd_reset()
151 	crypto_ec_point_deinit(data->my_element, 1);  in eap_pwd_reset()
152 	crypto_ec_point_deinit(data->peer_element, 1);  in eap_pwd_reset()
153 	bin_clear_free(data->id_peer, data->id_peer_len);  in eap_pwd_reset()
154 	bin_clear_free(data->id_server, data->id_server_len);  in eap_pwd_reset()
155 	bin_clear_free(data->password, data->password_len);  in eap_pwd_reset()
156 	bin_clear_free(data->salt, data->salt_len);  in eap_pwd_reset()
157 	if (data->grp) {  in eap_pwd_reset()
158 		crypto_ec_deinit(data->grp->group);  in eap_pwd_reset()
159 		crypto_ec_point_deinit(data->grp->pwe, 1);  in eap_pwd_reset()
160 		os_free(data->grp);  in eap_pwd_reset()
162 	wpabuf_free(data->inbuf);  in eap_pwd_reset()
163 	wpabuf_free(data->outbuf);  in eap_pwd_reset()
164 	bin_clear_free(data, sizeof(*data));  in eap_pwd_reset()
168 static void eap_pwd_build_id_req(struct eap_sm *sm, struct eap_pwd_data *data,  in eap_pwd_build_id_req()  argument
175 	if (data->out_frag_pos)  in eap_pwd_build_id_req()
178 	data->outbuf = wpabuf_alloc(sizeof(struct eap_pwd_id) +  in eap_pwd_build_id_req()
179 				    data->id_server_len);  in eap_pwd_build_id_req()
180 	if (data->outbuf == NULL) {  in eap_pwd_build_id_req()
181 		eap_pwd_state(data, FAILURE);  in eap_pwd_build_id_req()
185 	if (os_get_random((u8 *) &data->token, sizeof(data->token)) < 0) {  in eap_pwd_build_id_req()
186 		wpabuf_free(data->outbuf);  in eap_pwd_build_id_req()
187 		data->outbuf = NULL;  in eap_pwd_build_id_req()
188 		eap_pwd_state(data, FAILURE);  in eap_pwd_build_id_req()
193 			data->password, data->password_len);  in eap_pwd_build_id_req()
194 	if (data->salt_len)  in eap_pwd_build_id_req()
196 			    data->salt, data->salt_len);  in eap_pwd_build_id_req()
202 	if (data->salt_len) {  in eap_pwd_build_id_req()
203 		switch (data->password_len) {  in eap_pwd_build_id_req()
205 			data->password_prep = EAP_PWD_PREP_SSHA1;  in eap_pwd_build_id_req()
208 			data->password_prep = EAP_PWD_PREP_SSHA256;  in eap_pwd_build_id_req()
211 			data->password_prep = EAP_PWD_PREP_SSHA512;  in eap_pwd_build_id_req()
216 				   (int) data->password_len);  in eap_pwd_build_id_req()
217 			eap_pwd_state(data, FAILURE);  in eap_pwd_build_id_req()
222 		data->password_prep = data->password_hash ? EAP_PWD_PREP_MS :  in eap_pwd_build_id_req()
226 	wpabuf_put_be16(data->outbuf, data->group_num);  in eap_pwd_build_id_req()
227 	wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_RAND_FUNC);  in eap_pwd_build_id_req()
228 	wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_PRF);  in eap_pwd_build_id_req()
229 	wpabuf_put_data(data->outbuf, &data->token, sizeof(data->token));  in eap_pwd_build_id_req()
230 	wpabuf_put_u8(data->outbuf, data->password_prep);  in eap_pwd_build_id_req()
231 	wpabuf_put_data(data->outbuf, data->id_server, data->id_server_len);  in eap_pwd_build_id_req()
236 				     struct eap_pwd_data *data, u8 id)  in eap_pwd_build_commit_req()  argument
247 	if (data->out_frag_pos)  in eap_pwd_build_commit_req()
250 	prime_len = crypto_ec_prime_len(data->grp->group);  in eap_pwd_build_commit_req()
251 	order_len = crypto_ec_order_len(data->grp->group);  in eap_pwd_build_commit_req()
253 	data->private_value = crypto_bignum_init();  in eap_pwd_build_commit_req()
254 	data->my_element = crypto_ec_point_init(data->grp->group);  in eap_pwd_build_commit_req()
255 	data->my_scalar = crypto_bignum_init();  in eap_pwd_build_commit_req()
257 	if (!data->private_value || !data->my_element || !data->my_scalar ||  in eap_pwd_build_commit_req()
264 	if (eap_pwd_get_rand_mask(data->grp, data->private_value, mask,  in eap_pwd_build_commit_req()
265 				  data->my_scalar) < 0)  in eap_pwd_build_commit_req()
268 	if (crypto_ec_point_mul(data->grp->group, data->grp->pwe, mask,  in eap_pwd_build_commit_req()
269 				data->my_element) < 0) {  in eap_pwd_build_commit_req()
272 		eap_pwd_state(data, FAILURE);  in eap_pwd_build_commit_req()
276 	if (crypto_ec_point_invert(data->grp->group, data->my_element) < 0) {  in eap_pwd_build_commit_req()
282 	data->outbuf = wpabuf_alloc(2 * prime_len + order_len +  in eap_pwd_build_commit_req()
283 				    (data->salt ? 1 + data->salt_len : 0));  in eap_pwd_build_commit_req()
284 	if (data->outbuf == NULL)  in eap_pwd_build_commit_req()
288 	if (data->salt_len) {  in eap_pwd_build_commit_req()
289 		wpabuf_put_u8(data->outbuf, data->salt_len);  in eap_pwd_build_commit_req()
290 		wpabuf_put_data(data->outbuf, data->salt, data->salt_len);  in eap_pwd_build_commit_req()
294 	element = wpabuf_put(data->outbuf, 2 * prime_len);  in eap_pwd_build_commit_req()
295 	scalar = wpabuf_put(data->outbuf, order_len);  in eap_pwd_build_commit_req()
296 	crypto_bignum_to_bin(data->my_scalar, scalar, order_len, order_len);  in eap_pwd_build_commit_req()
297 	if (crypto_ec_point_to_bin(data->grp->group, data->my_element, element,  in eap_pwd_build_commit_req()
306 	if (data->outbuf == NULL)  in eap_pwd_build_commit_req()
307 		eap_pwd_state(data, FAILURE);  in eap_pwd_build_commit_req()
312 				      struct eap_pwd_data *data, u8 id)  in eap_pwd_build_confirm_req()  argument
324 	if (data->out_frag_pos)  in eap_pwd_build_confirm_req()
327 	prime_len = crypto_ec_prime_len(data->grp->group);  in eap_pwd_build_confirm_req()
328 	order_len = crypto_ec_order_len(data->grp->group);  in eap_pwd_build_confirm_req()
352 	crypto_bignum_to_bin(data->k, cruft, prime_len, prime_len);  in eap_pwd_build_confirm_req()
356 	if (crypto_ec_point_to_bin(data->grp->group, data->my_element, cruft,  in eap_pwd_build_confirm_req()
365 	crypto_bignum_to_bin(data->my_scalar, cruft, order_len, order_len);  in eap_pwd_build_confirm_req()
369 	if (crypto_ec_point_to_bin(data->grp->group, data->peer_element, cruft,  in eap_pwd_build_confirm_req()
378 	crypto_bignum_to_bin(data->peer_scalar, cruft, order_len, order_len);  in eap_pwd_build_confirm_req()
382 	grp = htons(data->group_num);  in eap_pwd_build_confirm_req()
396 	os_memcpy(data->my_confirm, conf, SHA256_MAC_LEN);  in eap_pwd_build_confirm_req()
398 	data->outbuf = wpabuf_alloc(SHA256_MAC_LEN);  in eap_pwd_build_confirm_req()
399 	if (data->outbuf == NULL)  in eap_pwd_build_confirm_req()
402 	wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);  in eap_pwd_build_confirm_req()
406 	if (data->outbuf == NULL)  in eap_pwd_build_confirm_req()
407 		eap_pwd_state(data, FAILURE);  in eap_pwd_build_confirm_req()
415 	struct eap_pwd_data *data = priv;  in eap_pwd_build_req()  local
425 	if (data->in_frag_pos) {  in eap_pwd_build_req()
430 			eap_pwd_state(data, FAILURE);  in eap_pwd_build_req()
433 		switch (data->state) {  in eap_pwd_build_req()
444 			eap_pwd_state(data, FAILURE);   /* just to be sure */  in eap_pwd_build_req()
454 	switch (data->state) {  in eap_pwd_build_req()
456 		eap_pwd_build_id_req(sm, data, id);  in eap_pwd_build_req()
460 		eap_pwd_build_commit_req(sm, data, id);  in eap_pwd_build_req()
464 		eap_pwd_build_confirm_req(sm, data, id);  in eap_pwd_build_req()
469 			   data->state);  in eap_pwd_build_req()
470 		eap_pwd_state(data, FAILURE);  in eap_pwd_build_req()
475 	if (data->state == FAILURE)  in eap_pwd_build_req()
481 	len = wpabuf_len(data->outbuf) - data->out_frag_pos;  in eap_pwd_build_req()
482 	if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {  in eap_pwd_build_req()
483 		len = data->mtu - EAP_PWD_HDR_SIZE;  in eap_pwd_build_req()
489 		if (data->out_frag_pos == 0) {  in eap_pwd_build_req()
491 			totlen = wpabuf_len(data->outbuf) +  in eap_pwd_build_req()
509 		eap_pwd_state(data, FAILURE);  in eap_pwd_build_req()
517 	buf = wpabuf_head_u8(data->outbuf);  in eap_pwd_build_req()
518 	wpabuf_put_data(req, buf + data->out_frag_pos, len);  in eap_pwd_build_req()
519 	data->out_frag_pos += len;  in eap_pwd_build_req()
523 	if (data->out_frag_pos >= wpabuf_len(data->outbuf)) {  in eap_pwd_build_req()
524 		wpabuf_free(data->outbuf);  in eap_pwd_build_req()
525 		data->outbuf = NULL;  in eap_pwd_build_req()
526 		data->out_frag_pos = 0;  in eap_pwd_build_req()
536 	struct eap_pwd_data *data = priv;  in eap_pwd_check()  local
549 	if (data->state == PWD_ID_Req &&  in eap_pwd_check()
553 	if (data->state == PWD_Commit_Req &&  in eap_pwd_check()
557 	if (data->state == PWD_Confirm_Req &&  in eap_pwd_check()
562 		   *pos, data->state);  in eap_pwd_check()
569 				    struct eap_pwd_data *data,  in eap_pwd_process_id_resp()  argument
584 	if ((data->group_num != be_to_host16(id->group_num)) ||  in eap_pwd_process_id_resp()
586 	    (os_memcmp(id->token, (u8 *)&data->token, sizeof(data->token))) ||  in eap_pwd_process_id_resp()
588 	    (id->prep != data->password_prep)) {  in eap_pwd_process_id_resp()
590 		eap_pwd_state(data, FAILURE);  in eap_pwd_process_id_resp()
593 	if (data->id_peer || data->grp) {  in eap_pwd_process_id_resp()
597 	data->id_peer = os_malloc(payload_len - sizeof(struct eap_pwd_id));  in eap_pwd_process_id_resp()
598 	if (data->id_peer == NULL) {  in eap_pwd_process_id_resp()
602 	data->id_peer_len = payload_len - sizeof(struct eap_pwd_id);  in eap_pwd_process_id_resp()
603 	os_memcpy(data->id_peer, id->identity, data->id_peer_len);  in eap_pwd_process_id_resp()
605 			  data->id_peer, data->id_peer_len);  in eap_pwd_process_id_resp()
607 	data->grp = get_eap_pwd_group(data->group_num);  in eap_pwd_process_id_resp()
608 	if (data->grp == NULL) {  in eap_pwd_process_id_resp()
619 	if (data->password_prep == EAP_PWD_PREP_MS) {  in eap_pwd_process_id_resp()
620 		res = hash_nt_password_hash(data->password, pwhashhash);  in eap_pwd_process_id_resp()
626 		password = data->password;  in eap_pwd_process_id_resp()
627 		password_len = data->password_len;  in eap_pwd_process_id_resp()
630 	res = compute_password_element(data->grp, data->group_num,  in eap_pwd_process_id_resp()
632 				       data->id_server, data->id_server_len,  in eap_pwd_process_id_resp()
633 				       data->id_peer, data->id_peer_len,  in eap_pwd_process_id_resp()
634 				       (u8 *) &data->token);  in eap_pwd_process_id_resp()
642 		   (int) crypto_ec_prime_len_bits(data->grp->group));  in eap_pwd_process_id_resp()
644 	eap_pwd_state(data, PWD_Commit_Req);  in eap_pwd_process_id_resp()
649 eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,  in eap_pwd_process_commit_resp()  argument
659 	prime_len = crypto_ec_prime_len(data->grp->group);  in eap_pwd_process_commit_resp()
660 	order_len = crypto_ec_order_len(data->grp->group);  in eap_pwd_process_commit_resp()
670 	data->k = crypto_bignum_init();  in eap_pwd_process_commit_resp()
671 	K = crypto_ec_point_init(data->grp->group);  in eap_pwd_process_commit_resp()
672 	if (!data->k || !K) {  in eap_pwd_process_commit_resp()
680 	data->peer_element = eap_pwd_get_element(data->grp, ptr);  in eap_pwd_process_commit_resp()
681 	if (!data->peer_element) {  in eap_pwd_process_commit_resp()
687 	data->peer_scalar = eap_pwd_get_scalar(data->grp, ptr);  in eap_pwd_process_commit_resp()
688 	if (!data->peer_scalar) {  in eap_pwd_process_commit_resp()
695 	if (crypto_bignum_cmp(data->my_scalar, data->peer_scalar) == 0 ||  in eap_pwd_process_commit_resp()
696 	    crypto_ec_point_cmp(data->grp->group, data->my_element,  in eap_pwd_process_commit_resp()
697 				data->peer_element) == 0) {  in eap_pwd_process_commit_resp()
704 	if ((crypto_ec_point_mul(data->grp->group, data->grp->pwe,  in eap_pwd_process_commit_resp()
705 				 data->peer_scalar, K) < 0) ||  in eap_pwd_process_commit_resp()
706 	    (crypto_ec_point_add(data->grp->group, K, data->peer_element,  in eap_pwd_process_commit_resp()
708 	    (crypto_ec_point_mul(data->grp->group, K, data->private_value,  in eap_pwd_process_commit_resp()
721 	if (crypto_ec_point_is_at_infinity(data->grp->group, K)) {  in eap_pwd_process_commit_resp()
726 	if (crypto_ec_point_x(data->grp->group, K, data->k)) {  in eap_pwd_process_commit_resp()
737 		eap_pwd_state(data, PWD_Confirm_Req);  in eap_pwd_process_commit_resp()
739 		eap_pwd_state(data, FAILURE);  in eap_pwd_process_commit_resp()
744 eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,  in eap_pwd_process_confirm_resp()  argument
753 	prime_len = crypto_ec_prime_len(data->grp->group);  in eap_pwd_process_confirm_resp()
754 	order_len = crypto_ec_order_len(data->grp->group);  in eap_pwd_process_confirm_resp()
764 	grp = htons(data->group_num);  in eap_pwd_process_confirm_resp()
788 	crypto_bignum_to_bin(data->k, cruft, prime_len, prime_len);  in eap_pwd_process_confirm_resp()
792 	if (crypto_ec_point_to_bin(data->grp->group, data->peer_element, cruft,  in eap_pwd_process_confirm_resp()
801 	crypto_bignum_to_bin(data->peer_scalar, cruft, order_len, order_len);  in eap_pwd_process_confirm_resp()
805 	if (crypto_ec_point_to_bin(data->grp->group, data->my_element, cruft,  in eap_pwd_process_confirm_resp()
814 	crypto_bignum_to_bin(data->my_scalar, cruft, order_len, order_len);  in eap_pwd_process_confirm_resp()
832 	if (compute_keys(data->grp, data->k,  in eap_pwd_process_confirm_resp()
833 			 data->peer_scalar, data->my_scalar, conf,  in eap_pwd_process_confirm_resp()
834 			 data->my_confirm, &cs, data->msk, data->emsk,  in eap_pwd_process_confirm_resp()
835 			 data->session_id) < 0)  in eap_pwd_process_confirm_resp()
836 		eap_pwd_state(data, FAILURE);  in eap_pwd_process_confirm_resp()
838 		eap_pwd_state(data, SUCCESS);  in eap_pwd_process_confirm_resp()
849 	struct eap_pwd_data *data = priv;  in eap_pwd_process()  local
871 	if (data->out_frag_pos) {  in eap_pwd_process()
896 		if (data->inbuf) {  in eap_pwd_process()
901 		data->inbuf = wpabuf_alloc(tot_len);  in eap_pwd_process()
902 		if (data->inbuf == NULL) {  in eap_pwd_process()
907 		data->in_frag_pos = 0;  in eap_pwd_process()
914 	if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {  in eap_pwd_process()
915 		if (!data->inbuf) {  in eap_pwd_process()
918 			eap_pwd_state(data, FAILURE);  in eap_pwd_process()
921 		if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {  in eap_pwd_process()
924 				   (int) data->in_frag_pos, (int) len,  in eap_pwd_process()
925 				   (int) wpabuf_size(data->inbuf));  in eap_pwd_process()
926 			eap_pwd_state(data, FAILURE);  in eap_pwd_process()
929 		wpabuf_put_data(data->inbuf, pos, len);  in eap_pwd_process()
930 		data->in_frag_pos += len;  in eap_pwd_process()
941 	if (data->in_frag_pos && data->inbuf) {  in eap_pwd_process()
942 		pos = wpabuf_head_u8(data->inbuf);  in eap_pwd_process()
943 		len = data->in_frag_pos;  in eap_pwd_process()
949 		eap_pwd_process_id_resp(sm, data, pos, len);  in eap_pwd_process()
952 		eap_pwd_process_commit_resp(sm, data, pos, len);  in eap_pwd_process()
955 		eap_pwd_process_confirm_resp(sm, data, pos, len);  in eap_pwd_process()
962 	if (data->in_frag_pos) {  in eap_pwd_process()
963 		wpabuf_free(data->inbuf);  in eap_pwd_process()
964 		data->inbuf = NULL;  in eap_pwd_process()
965 		data->in_frag_pos = 0;  in eap_pwd_process()
972 	struct eap_pwd_data *data = priv;  in eap_pwd_getkey()  local
975 	if (data->state != SUCCESS)  in eap_pwd_getkey()
978 	key = os_memdup(data->msk, EAP_MSK_LEN);  in eap_pwd_getkey()
990 	struct eap_pwd_data *data = priv;  in eap_pwd_get_emsk()  local
993 	if (data->state != SUCCESS)  in eap_pwd_get_emsk()
996 	key = os_memdup(data->emsk, EAP_EMSK_LEN);  in eap_pwd_get_emsk()
1008 	struct eap_pwd_data *data = priv;  in eap_pwd_is_success()  local
1009 	return data->state == SUCCESS;  in eap_pwd_is_success()
1015 	struct eap_pwd_data *data = priv;  in eap_pwd_is_done()  local
1016 	return (data->state == SUCCESS) || (data->state == FAILURE);  in eap_pwd_is_done()
1022 	struct eap_pwd_data *data = priv;  in eap_pwd_get_session_id()  local
1025 	if (data->state != SUCCESS)  in eap_pwd_get_session_id()
1028 	id = os_memdup(data->session_id, 1 + SHA256_MAC_LEN);  in eap_pwd_get_session_id()