tuxillo's projects / dragonfly.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'vendor/DIFFUTILS'
[dragonfly.git] / contrib / hostapd / src / eap_common / eap_sake_common.c
1 /*
2  * EAP server/peer: EAP-SAKE shared routines
3  * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14
15 #include "includes.h"
16
17 #include "common.h"
18 #include "sha1.h"
19 #include "wpabuf.h"
20 #include "eap_defs.h"
21 #include "eap_sake_common.h"
22
23
24 static int eap_sake_parse_add_attr(struct eap_sake_parse_attr *attr,
25                                    const u8 *pos)
26 {
27         size_t i;
28
29         switch (pos[0]) {
30         case EAP_SAKE_AT_RAND_S:
31                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_S");
32                 if (pos[1] != 2 + EAP_SAKE_RAND_LEN) {
33                         wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_S with "
34                                    "invalid length %d", pos[1]);
35                         return -1;
36                 }
37                 attr->rand_s = pos + 2;
38                 break;
39         case EAP_SAKE_AT_RAND_P:
40                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_P");
41                 if (pos[1] != 2 + EAP_SAKE_RAND_LEN) {
42                         wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_P with "
43                                    "invalid length %d", pos[1]);
44                         return -1;
45                 }
46                 attr->rand_p = pos + 2;
47                 break;
48         case EAP_SAKE_AT_MIC_S:
49                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_S");
50                 if (pos[1] != 2 + EAP_SAKE_MIC_LEN) {
51                         wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_S with "
52                                    "invalid length %d", pos[1]);
53                         return -1;
54                 }
55                 attr->mic_s = pos + 2;
56                 break;
57         case EAP_SAKE_AT_MIC_P:
58                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_P");
59                 if (pos[1] != 2 + EAP_SAKE_MIC_LEN) {
60                         wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_P with "
61                                    "invalid length %d", pos[1]);
62                         return -1;
63                 }
64                 attr->mic_p = pos + 2;
65                 break;
66         case EAP_SAKE_AT_SERVERID:
67                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SERVERID");
68                 attr->serverid = pos + 2;
69                 attr->serverid_len = pos[1] - 2;
70                 break;
71         case EAP_SAKE_AT_PEERID:
72                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PEERID");
73                 attr->peerid = pos + 2;
74                 attr->peerid_len = pos[1] - 2;
75                 break;
76         case EAP_SAKE_AT_SPI_S:
77                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_S");
78                 attr->spi_s = pos + 2;
79                 attr->spi_s_len = pos[1] - 2;
80                 break;
81         case EAP_SAKE_AT_SPI_P:
82                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_P");
83                 attr->spi_p = pos + 2;
84                 attr->spi_p_len = pos[1] - 2;
85                 break;
86         case EAP_SAKE_AT_ANY_ID_REQ:
87                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ANY_ID_REQ");
88                 if (pos[1] != 4) {
89                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid AT_ANY_ID_REQ"
90                                    " length %d", pos[1]);
91                         return -1;
92                 }
93                 attr->any_id_req = pos + 2;
94                 break;
95         case EAP_SAKE_AT_PERM_ID_REQ:
96                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PERM_ID_REQ");
97                 if (pos[1] != 4) {
98                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
99                                    "AT_PERM_ID_REQ length %d", pos[1]);
100                         return -1;
101                 }
102                 attr->perm_id_req = pos + 2;
103                 break;
104         case EAP_SAKE_AT_ENCR_DATA:
105                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ENCR_DATA");
106                 attr->encr_data = pos + 2;
107                 attr->encr_data_len = pos[1] - 2;
108                 break;
109         case EAP_SAKE_AT_IV:
110                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
111                 attr->iv = pos + 2;
112                 attr->iv_len = pos[1] - 2;
113                 break;
114         case EAP_SAKE_AT_PADDING:
115                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PADDING");
116                 for (i = 2; i < pos[1]; i++) {
117                         if (pos[i]) {
118                                 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_PADDING "
119                                            "with non-zero pad byte");
120                                 return -1;
121                         }
122                 }
123                 break;
124         case EAP_SAKE_AT_NEXT_TMPID:
125                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_NEXT_TMPID");
126                 attr->next_tmpid = pos + 2;
127                 attr->next_tmpid_len = pos[1] - 2;
128                 break;
129         case EAP_SAKE_AT_MSK_LIFE:
130                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
131                 if (pos[1] != 6) {
132                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
133                                    "AT_MSK_LIFE length %d", pos[1]);
134                         return -1;
135                 }
136                 attr->msk_life = pos + 2;
137                 break;
138         default:
139                 if (pos[0] < 128) {
140                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Unknown non-skippable"
141                                    " attribute %d", pos[0]);
142                         return -1;
143                 }
144                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring unknown skippable "
145                            "attribute %d", pos[0]);
146                 break;
147         }
148
149         if (attr->iv && !attr->encr_data) {
150                 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_IV included without "
151                            "AT_ENCR_DATA");
152                 return -1;
153         }
154
155         return 0;
156 }
157
158
159 /**
160  * eap_sake_parse_attributes - Parse EAP-SAKE attributes
161  * @buf: Packet payload (starting with the first attribute)
162  * @len: Payload length
163  * @attr: Structure to be filled with found attributes
164  * Returns: 0 on success or -1 on failure
165  */
166 int eap_sake_parse_attributes(const u8 *buf, size_t len,
167                               struct eap_sake_parse_attr *attr)
168 {
169         const u8 *pos = buf, *end = buf + len;
170
171         os_memset(attr, 0, sizeof(*attr));
172         while (pos < end) {
173                 if (end - pos < 2) {
174                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Too short attribute");
175                         return -1;
176                 }
177
178                 if (pos[1] < 2) {
179                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid attribute "
180                                    "length (%d)", pos[1]);
181                         return -1;
182                 }
183
184                 if (pos + pos[1] > end) {
185                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Attribute underflow");
186                         return -1;
187                 }
188
189                 if (eap_sake_parse_add_attr(attr, pos))
190                         return -1;
191
192                 pos += pos[1];
193         }
194
195         return 0;
196 }
197
198
199 /**
200  * eap_sake_kdf - EAP-SAKE Key Derivation Function (KDF)
201  * @key: Key for KDF
202  * @key_len: Length of the key in bytes
203  * @label: A unique label for each purpose of the KDF
204  * @data: Extra data (start) to bind into the key
205  * @data_len: Length of the data
206  * @data2: Extra data (end) to bind into the key
207  * @data2_len: Length of the data2
208  * @buf: Buffer for the generated pseudo-random key
209  * @buf_len: Number of bytes of key to generate
210  *
211  * This function is used to derive new, cryptographically separate keys from a
212  * given key (e.g., SMS). This is identical to the PRF used in IEEE 802.11i.
213  */
214 static void eap_sake_kdf(const u8 *key, size_t key_len, const char *label,
215                          const u8 *data, size_t data_len,
216                          const u8 *data2, size_t data2_len,
217                          u8 *buf, size_t buf_len)
218 {
219         u8 counter = 0;
220         size_t pos, plen;
221         u8 hash[SHA1_MAC_LEN];
222         size_t label_len = os_strlen(label) + 1;
223         const unsigned char *addr[4];
224         size_t len[4];
225
226         addr[0] = (u8 *) label; /* Label | Y */
227         len[0] = label_len;
228         addr[1] = data; /* Msg[start] */
229         len[1] = data_len;
230         addr[2] = data2; /* Msg[end] */
231         len[2] = data2_len;
232         addr[3] = &counter; /* Length */
233         len[3] = 1;
234
235         pos = 0;
236         while (pos < buf_len) {
237                 plen = buf_len - pos;
238                 if (plen >= SHA1_MAC_LEN) {
239                         hmac_sha1_vector(key, key_len, 4, addr, len,
240                                          &buf[pos]);
241                         pos += SHA1_MAC_LEN;
242                 } else {
243                         hmac_sha1_vector(key, key_len, 4, addr, len,
244                                          hash);
245                         os_memcpy(&buf[pos], hash, plen);
246                         break;
247                 }
248                 counter++;
249         }
250 }
251
252
253 /**
254  * eap_sake_derive_keys - Derive EAP-SAKE keys
255  * @root_secret_a: 16-byte Root-Secret-A
256  * @root_secret_b: 16-byte Root-Secret-B
257  * @rand_s: 16-byte RAND_S
258  * @rand_p: 16-byte RAND_P
259  * @tek: Buffer for Temporary EAK Keys (TEK-Auth[16] | TEK-Cipher[16])
260  * @msk: Buffer for 64-byte MSK
261  * @emsk: Buffer for 64-byte EMSK
262  *
263  * This function derives EAP-SAKE keys as defined in RFC 4763, section 3.2.6.
264  */
265 void eap_sake_derive_keys(const u8 *root_secret_a, const u8 *root_secret_b,
266                           const u8 *rand_s, const u8 *rand_p, u8 *tek, u8 *msk,
267                           u8 *emsk)
268 {
269         u8 sms_a[EAP_SAKE_SMS_LEN];
270         u8 sms_b[EAP_SAKE_SMS_LEN];
271         u8 key_buf[EAP_MSK_LEN + EAP_EMSK_LEN];
272
273         wpa_printf(MSG_DEBUG, "EAP-SAKE: Deriving keys");
274
275         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-A",
276                         root_secret_a, EAP_SAKE_ROOT_SECRET_LEN);
277         eap_sake_kdf(root_secret_a, EAP_SAKE_ROOT_SECRET_LEN,
278                      "SAKE Master Secret A",
279                      rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
280                      sms_a, EAP_SAKE_SMS_LEN);
281         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-A", sms_a, EAP_SAKE_SMS_LEN);
282         eap_sake_kdf(sms_a, EAP_SAKE_SMS_LEN, "Transient EAP Key",
283                      rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
284                      tek, EAP_SAKE_TEK_LEN);
285         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Auth",
286                         tek, EAP_SAKE_TEK_AUTH_LEN);
287         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Cipher",
288                         tek + EAP_SAKE_TEK_AUTH_LEN, EAP_SAKE_TEK_CIPHER_LEN);
289
290         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-B",
291                         root_secret_b, EAP_SAKE_ROOT_SECRET_LEN);
292         eap_sake_kdf(root_secret_b, EAP_SAKE_ROOT_SECRET_LEN,
293                      "SAKE Master Secret B",
294                      rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
295                      sms_b, EAP_SAKE_SMS_LEN);
296         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-B", sms_b, EAP_SAKE_SMS_LEN);
297         eap_sake_kdf(sms_b, EAP_SAKE_SMS_LEN, "Master Session Key",
298                      rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
299                      key_buf, sizeof(key_buf));
300         os_memcpy(msk, key_buf, EAP_MSK_LEN);
301         os_memcpy(emsk, key_buf + EAP_MSK_LEN, EAP_EMSK_LEN);
302         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: MSK", msk, EAP_MSK_LEN);
303         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: EMSK", emsk, EAP_EMSK_LEN);
304 }
305
306
307 /**
308  * eap_sake_compute_mic - Compute EAP-SAKE MIC for an EAP packet
309  * @tek_auth: 16-byte TEK-Auth
310  * @rand_s: 16-byte RAND_S
311  * @rand_p: 16-byte RAND_P
312  * @serverid: SERVERID
313  * @serverid_len: SERVERID length
314  * @peerid: PEERID
315  * @peerid_len: PEERID length
316  * @peer: MIC calculation for 0 = Server, 1 = Peer message
317  * @eap: EAP packet
318  * @eap_len: EAP packet length
319  * @mic_pos: MIC position in the EAP packet (must be [eap .. eap + eap_len])
320  * @mic: Buffer for the computed 16-byte MIC
321  */
322 int eap_sake_compute_mic(const u8 *tek_auth,
323                          const u8 *rand_s, const u8 *rand_p,
324                          const u8 *serverid, size_t serverid_len,
325                          const u8 *peerid, size_t peerid_len,
326                          int peer, const u8 *eap, size_t eap_len,
327                          const u8 *mic_pos, u8 *mic)
328 {
329         u8 _rand[2 * EAP_SAKE_RAND_LEN];
330         u8 *tmp, *pos;
331         size_t tmplen;
332
333         tmplen = serverid_len + 1 + peerid_len + 1 + eap_len;
334         tmp = os_malloc(tmplen);
335         if (tmp == NULL)
336                 return -1;
337         pos = tmp;
338         if (peer) {
339                 if (peerid) {
340                         os_memcpy(pos, peerid, peerid_len);
341                         pos += peerid_len;
342                 }
343                 *pos++ = 0x00;
344                 if (serverid) {
345                         os_memcpy(pos, serverid, serverid_len);
346                         pos += serverid_len;
347                 }
348                 *pos++ = 0x00;
349
350                 os_memcpy(_rand, rand_s, EAP_SAKE_RAND_LEN);
351                 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_p,
352                           EAP_SAKE_RAND_LEN);
353         } else {
354                 if (serverid) {
355                         os_memcpy(pos, serverid, serverid_len);
356                         pos += serverid_len;
357                 }
358                 *pos++ = 0x00;
359                 if (peerid) {
360                         os_memcpy(pos, peerid, peerid_len);
361                         pos += peerid_len;
362                 }
363                 *pos++ = 0x00;
364
365                 os_memcpy(_rand, rand_p, EAP_SAKE_RAND_LEN);
366                 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_s,
367                           EAP_SAKE_RAND_LEN);
368         }
369
370         os_memcpy(pos, eap, eap_len);
371         os_memset(pos + (mic_pos - eap), 0, EAP_SAKE_MIC_LEN);
372
373         eap_sake_kdf(tek_auth, EAP_SAKE_TEK_AUTH_LEN,
374                      peer ? "Peer MIC" : "Server MIC",
375                      _rand, 2 * EAP_SAKE_RAND_LEN, tmp, tmplen,
376                      mic, EAP_SAKE_MIC_LEN);
377
378         os_free(tmp);
379
380         return 0;
381 }
382
383
384 void eap_sake_add_attr(struct wpabuf *buf, u8 type, const u8 *data,
385                        size_t len)
386 {
387         wpabuf_put_u8(buf, type);
388         wpabuf_put_u8(buf, 2 + len); /* Length; including attr header */
389         if (data)
390                 wpabuf_put_data(buf, data, len);
391         else
392                 os_memset(wpabuf_put(buf, len), 0, len);
393 }
WIP repository