Disconnect hostapd from building in base
[dragonfly.git] / contrib / hostapd / src / eap_common / eap_sake_common.c
1 /*
2  * EAP server/peer: EAP-SAKE shared routines
3  * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "wpabuf.h"
13 #include "crypto/sha1.h"
14 #include "eap_defs.h"
15 #include "eap_sake_common.h"
16
17
18 static int eap_sake_parse_add_attr(struct eap_sake_parse_attr *attr,
19                                    const u8 *pos)
20 {
21         size_t i;
22
23         switch (pos[0]) {
24         case EAP_SAKE_AT_RAND_S:
25                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_S");
26                 if (pos[1] != 2 + EAP_SAKE_RAND_LEN) {
27                         wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_S with "
28                                    "invalid length %d", pos[1]);
29                         return -1;
30                 }
31                 attr->rand_s = pos + 2;
32                 break;
33         case EAP_SAKE_AT_RAND_P:
34                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_P");
35                 if (pos[1] != 2 + EAP_SAKE_RAND_LEN) {
36                         wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_P with "
37                                    "invalid length %d", pos[1]);
38                         return -1;
39                 }
40                 attr->rand_p = pos + 2;
41                 break;
42         case EAP_SAKE_AT_MIC_S:
43                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_S");
44                 if (pos[1] != 2 + EAP_SAKE_MIC_LEN) {
45                         wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_S with "
46                                    "invalid length %d", pos[1]);
47                         return -1;
48                 }
49                 attr->mic_s = pos + 2;
50                 break;
51         case EAP_SAKE_AT_MIC_P:
52                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_P");
53                 if (pos[1] != 2 + EAP_SAKE_MIC_LEN) {
54                         wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_P with "
55                                    "invalid length %d", pos[1]);
56                         return -1;
57                 }
58                 attr->mic_p = pos + 2;
59                 break;
60         case EAP_SAKE_AT_SERVERID:
61                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SERVERID");
62                 attr->serverid = pos + 2;
63                 attr->serverid_len = pos[1] - 2;
64                 break;
65         case EAP_SAKE_AT_PEERID:
66                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PEERID");
67                 attr->peerid = pos + 2;
68                 attr->peerid_len = pos[1] - 2;
69                 break;
70         case EAP_SAKE_AT_SPI_S:
71                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_S");
72                 attr->spi_s = pos + 2;
73                 attr->spi_s_len = pos[1] - 2;
74                 break;
75         case EAP_SAKE_AT_SPI_P:
76                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_P");
77                 attr->spi_p = pos + 2;
78                 attr->spi_p_len = pos[1] - 2;
79                 break;
80         case EAP_SAKE_AT_ANY_ID_REQ:
81                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ANY_ID_REQ");
82                 if (pos[1] != 4) {
83                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid AT_ANY_ID_REQ"
84                                    " length %d", pos[1]);
85                         return -1;
86                 }
87                 attr->any_id_req = pos + 2;
88                 break;
89         case EAP_SAKE_AT_PERM_ID_REQ:
90                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PERM_ID_REQ");
91                 if (pos[1] != 4) {
92                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
93                                    "AT_PERM_ID_REQ length %d", pos[1]);
94                         return -1;
95                 }
96                 attr->perm_id_req = pos + 2;
97                 break;
98         case EAP_SAKE_AT_ENCR_DATA:
99                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ENCR_DATA");
100                 attr->encr_data = pos + 2;
101                 attr->encr_data_len = pos[1] - 2;
102                 break;
103         case EAP_SAKE_AT_IV:
104                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
105                 attr->iv = pos + 2;
106                 attr->iv_len = pos[1] - 2;
107                 break;
108         case EAP_SAKE_AT_PADDING:
109                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PADDING");
110                 for (i = 2; i < pos[1]; i++) {
111                         if (pos[i]) {
112                                 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_PADDING "
113                                            "with non-zero pad byte");
114                                 return -1;
115                         }
116                 }
117                 break;
118         case EAP_SAKE_AT_NEXT_TMPID:
119                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_NEXT_TMPID");
120                 attr->next_tmpid = pos + 2;
121                 attr->next_tmpid_len = pos[1] - 2;
122                 break;
123         case EAP_SAKE_AT_MSK_LIFE:
124                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
125                 if (pos[1] != 6) {
126                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
127                                    "AT_MSK_LIFE length %d", pos[1]);
128                         return -1;
129                 }
130                 attr->msk_life = pos + 2;
131                 break;
132         default:
133                 if (pos[0] < 128) {
134                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Unknown non-skippable"
135                                    " attribute %d", pos[0]);
136                         return -1;
137                 }
138                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring unknown skippable "
139                            "attribute %d", pos[0]);
140                 break;
141         }
142
143         if (attr->iv && !attr->encr_data) {
144                 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_IV included without "
145                            "AT_ENCR_DATA");
146                 return -1;
147         }
148
149         return 0;
150 }
151
152
153 /**
154  * eap_sake_parse_attributes - Parse EAP-SAKE attributes
155  * @buf: Packet payload (starting with the first attribute)
156  * @len: Payload length
157  * @attr: Structure to be filled with found attributes
158  * Returns: 0 on success or -1 on failure
159  */
160 int eap_sake_parse_attributes(const u8 *buf, size_t len,
161                               struct eap_sake_parse_attr *attr)
162 {
163         const u8 *pos = buf, *end = buf + len;
164
165         os_memset(attr, 0, sizeof(*attr));
166         while (pos < end) {
167                 if (end - pos < 2) {
168                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Too short attribute");
169                         return -1;
170                 }
171
172                 if (pos[1] < 2) {
173                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid attribute "
174                                    "length (%d)", pos[1]);
175                         return -1;
176                 }
177
178                 if (pos + pos[1] > end) {
179                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Attribute underflow");
180                         return -1;
181                 }
182
183                 if (eap_sake_parse_add_attr(attr, pos))
184                         return -1;
185
186                 pos += pos[1];
187         }
188
189         return 0;
190 }
191
192
193 /**
194  * eap_sake_kdf - EAP-SAKE Key Derivation Function (KDF)
195  * @key: Key for KDF
196  * @key_len: Length of the key in bytes
197  * @label: A unique label for each purpose of the KDF
198  * @data: Extra data (start) to bind into the key
199  * @data_len: Length of the data
200  * @data2: Extra data (end) to bind into the key
201  * @data2_len: Length of the data2
202  * @buf: Buffer for the generated pseudo-random key
203  * @buf_len: Number of bytes of key to generate
204  *
205  * This function is used to derive new, cryptographically separate keys from a
206  * given key (e.g., SMS). This is identical to the PRF used in IEEE 802.11i.
207  */
208 static void eap_sake_kdf(const u8 *key, size_t key_len, const char *label,
209                          const u8 *data, size_t data_len,
210                          const u8 *data2, size_t data2_len,
211                          u8 *buf, size_t buf_len)
212 {
213         u8 counter = 0;
214         size_t pos, plen;
215         u8 hash[SHA1_MAC_LEN];
216         size_t label_len = os_strlen(label) + 1;
217         const unsigned char *addr[4];
218         size_t len[4];
219
220         addr[0] = (u8 *) label; /* Label | Y */
221         len[0] = label_len;
222         addr[1] = data; /* Msg[start] */
223         len[1] = data_len;
224         addr[2] = data2; /* Msg[end] */
225         len[2] = data2_len;
226         addr[3] = &counter; /* Length */
227         len[3] = 1;
228
229         pos = 0;
230         while (pos < buf_len) {
231                 plen = buf_len - pos;
232                 if (plen >= SHA1_MAC_LEN) {
233                         hmac_sha1_vector(key, key_len, 4, addr, len,
234                                          &buf[pos]);
235                         pos += SHA1_MAC_LEN;
236                 } else {
237                         hmac_sha1_vector(key, key_len, 4, addr, len,
238                                          hash);
239                         os_memcpy(&buf[pos], hash, plen);
240                         break;
241                 }
242                 counter++;
243         }
244 }
245
246
247 /**
248  * eap_sake_derive_keys - Derive EAP-SAKE keys
249  * @root_secret_a: 16-byte Root-Secret-A
250  * @root_secret_b: 16-byte Root-Secret-B
251  * @rand_s: 16-byte RAND_S
252  * @rand_p: 16-byte RAND_P
253  * @tek: Buffer for Temporary EAK Keys (TEK-Auth[16] | TEK-Cipher[16])
254  * @msk: Buffer for 64-byte MSK
255  * @emsk: Buffer for 64-byte EMSK
256  *
257  * This function derives EAP-SAKE keys as defined in RFC 4763, section 3.2.6.
258  */
259 void eap_sake_derive_keys(const u8 *root_secret_a, const u8 *root_secret_b,
260                           const u8 *rand_s, const u8 *rand_p, u8 *tek, u8 *msk,
261                           u8 *emsk)
262 {
263         u8 sms_a[EAP_SAKE_SMS_LEN];
264         u8 sms_b[EAP_SAKE_SMS_LEN];
265         u8 key_buf[EAP_MSK_LEN + EAP_EMSK_LEN];
266
267         wpa_printf(MSG_DEBUG, "EAP-SAKE: Deriving keys");
268
269         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-A",
270                         root_secret_a, EAP_SAKE_ROOT_SECRET_LEN);
271         eap_sake_kdf(root_secret_a, EAP_SAKE_ROOT_SECRET_LEN,
272                      "SAKE Master Secret A",
273                      rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
274                      sms_a, EAP_SAKE_SMS_LEN);
275         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-A", sms_a, EAP_SAKE_SMS_LEN);
276         eap_sake_kdf(sms_a, EAP_SAKE_SMS_LEN, "Transient EAP Key",
277                      rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
278                      tek, EAP_SAKE_TEK_LEN);
279         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Auth",
280                         tek, EAP_SAKE_TEK_AUTH_LEN);
281         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Cipher",
282                         tek + EAP_SAKE_TEK_AUTH_LEN, EAP_SAKE_TEK_CIPHER_LEN);
283
284         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-B",
285                         root_secret_b, EAP_SAKE_ROOT_SECRET_LEN);
286         eap_sake_kdf(root_secret_b, EAP_SAKE_ROOT_SECRET_LEN,
287                      "SAKE Master Secret B",
288                      rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
289                      sms_b, EAP_SAKE_SMS_LEN);
290         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-B", sms_b, EAP_SAKE_SMS_LEN);
291         eap_sake_kdf(sms_b, EAP_SAKE_SMS_LEN, "Master Session Key",
292                      rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
293                      key_buf, sizeof(key_buf));
294         os_memcpy(msk, key_buf, EAP_MSK_LEN);
295         os_memcpy(emsk, key_buf + EAP_MSK_LEN, EAP_EMSK_LEN);
296         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: MSK", msk, EAP_MSK_LEN);
297         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: EMSK", emsk, EAP_EMSK_LEN);
298 }
299
300
301 /**
302  * eap_sake_compute_mic - Compute EAP-SAKE MIC for an EAP packet
303  * @tek_auth: 16-byte TEK-Auth
304  * @rand_s: 16-byte RAND_S
305  * @rand_p: 16-byte RAND_P
306  * @serverid: SERVERID
307  * @serverid_len: SERVERID length
308  * @peerid: PEERID
309  * @peerid_len: PEERID length
310  * @peer: MIC calculation for 0 = Server, 1 = Peer message
311  * @eap: EAP packet
312  * @eap_len: EAP packet length
313  * @mic_pos: MIC position in the EAP packet (must be [eap .. eap + eap_len])
314  * @mic: Buffer for the computed 16-byte MIC
315  */
316 int eap_sake_compute_mic(const u8 *tek_auth,
317                          const u8 *rand_s, const u8 *rand_p,
318                          const u8 *serverid, size_t serverid_len,
319                          const u8 *peerid, size_t peerid_len,
320                          int peer, const u8 *eap, size_t eap_len,
321                          const u8 *mic_pos, u8 *mic)
322 {
323         u8 _rand[2 * EAP_SAKE_RAND_LEN];
324         u8 *tmp, *pos;
325         size_t tmplen;
326
327         tmplen = serverid_len + 1 + peerid_len + 1 + eap_len;
328         tmp = os_malloc(tmplen);
329         if (tmp == NULL)
330                 return -1;
331         pos = tmp;
332         if (peer) {
333                 if (peerid) {
334                         os_memcpy(pos, peerid, peerid_len);
335                         pos += peerid_len;
336                 }
337                 *pos++ = 0x00;
338                 if (serverid) {
339                         os_memcpy(pos, serverid, serverid_len);
340                         pos += serverid_len;
341                 }
342                 *pos++ = 0x00;
343
344                 os_memcpy(_rand, rand_s, EAP_SAKE_RAND_LEN);
345                 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_p,
346                           EAP_SAKE_RAND_LEN);
347         } else {
348                 if (serverid) {
349                         os_memcpy(pos, serverid, serverid_len);
350                         pos += serverid_len;
351                 }
352                 *pos++ = 0x00;
353                 if (peerid) {
354                         os_memcpy(pos, peerid, peerid_len);
355                         pos += peerid_len;
356                 }
357                 *pos++ = 0x00;
358
359                 os_memcpy(_rand, rand_p, EAP_SAKE_RAND_LEN);
360                 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_s,
361                           EAP_SAKE_RAND_LEN);
362         }
363
364         os_memcpy(pos, eap, eap_len);
365         os_memset(pos + (mic_pos - eap), 0, EAP_SAKE_MIC_LEN);
366
367         eap_sake_kdf(tek_auth, EAP_SAKE_TEK_AUTH_LEN,
368                      peer ? "Peer MIC" : "Server MIC",
369                      _rand, 2 * EAP_SAKE_RAND_LEN, tmp, tmplen,
370                      mic, EAP_SAKE_MIC_LEN);
371
372         os_free(tmp);
373
374         return 0;
375 }
376
377
378 void eap_sake_add_attr(struct wpabuf *buf, u8 type, const u8 *data,
379                        size_t len)
380 {
381         wpabuf_put_u8(buf, type);
382         wpabuf_put_u8(buf, 2 + len); /* Length; including attr header */
383         if (data)
384                 wpabuf_put_data(buf, data, len);
385         else
386                 os_memset(wpabuf_put(buf, len), 0, len);
387 }