contrib/wpa_supplicant-0.5.8/eap_sake_common.c

   1 /*
   2  * EAP server/peer: EAP-SAKE shared routines
   3  * Copyright (c) 2006, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "sha1.h"
  19 #include "eap_defs.h"
  20 #include "eap_sake_common.h"
  21
  22
  23 static int eap_sake_parse_add_attr(struct eap_sake_parse_attr *attr,
  24                                    const u8 *pos)
  25 {
  26         size_t i;
  27
  28         switch (pos[0]) {
  29         case EAP_SAKE_AT_RAND_S:
  30                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_S");
  31                 if (pos[1] != 2 + EAP_SAKE_RAND_LEN) {
  32                         wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_S with "
  33                                    "invalid length %d", pos[1]);
  34                         return -1;
  35                 }
  36                 attr->rand_s = pos + 2;
  37                 break;
  38         case EAP_SAKE_AT_RAND_P:
  39                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_P");
  40                 if (pos[1] != 2 + EAP_SAKE_RAND_LEN) {
  41                         wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_P with "
  42                                    "invalid length %d", pos[1]);
  43                         return -1;
  44                 }
  45                 attr->rand_p = pos + 2;
  46                 break;
  47         case EAP_SAKE_AT_MIC_S:
  48                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_S");
  49                 if (pos[1] != 2 + EAP_SAKE_MIC_LEN) {
  50                         wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_S with "
  51                                    "invalid length %d", pos[1]);
  52                         return -1;
  53                 }
  54                 attr->mic_s = pos + 2;
  55                 break;
  56         case EAP_SAKE_AT_MIC_P:
  57                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_P");
  58                 if (pos[1] != 2 + EAP_SAKE_MIC_LEN) {
  59                         wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_P with "
  60                                    "invalid length %d", pos[1]);
  61                         return -1;
  62                 }
  63                 attr->mic_p = pos + 2;
  64                 break;
  65         case EAP_SAKE_AT_SERVERID:
  66                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SERVERID");
  67                 attr->serverid = pos + 2;
  68                 attr->serverid_len = pos[1] - 2;
  69                 break;
  70         case EAP_SAKE_AT_PEERID:
  71                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PEERID");
  72                 attr->peerid = pos + 2;
  73                 attr->peerid_len = pos[1] - 2;
  74                 break;
  75         case EAP_SAKE_AT_SPI_S:
  76                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_S");
  77                 attr->spi_s = pos + 2;
  78                 attr->spi_s_len = pos[1] - 2;
  79                 break;
  80         case EAP_SAKE_AT_SPI_P:
  81                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_P");
  82                 attr->spi_p = pos + 2;
  83                 attr->spi_p_len = pos[1] - 2;
  84                 break;
  85         case EAP_SAKE_AT_ANY_ID_REQ:
  86                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ANY_ID_REQ");
  87                 if (pos[1] != 4) {
  88                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid AT_ANY_ID_REQ"
  89                                    " length %d", pos[1]);
  90                         return -1;
  91                 }
  92                 attr->any_id_req = pos + 2;
  93                 break;
  94         case EAP_SAKE_AT_PERM_ID_REQ:
  95                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PERM_ID_REQ");
  96                 if (pos[1] != 4) {
  97                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
  98                                    "AT_PERM_ID_REQ length %d", pos[1]);
  99                         return -1;
 100                 }
 101                 attr->perm_id_req = pos + 2;
 102                 break;
 103         case EAP_SAKE_AT_ENCR_DATA:
 104                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ENCR_DATA");
 105                 attr->encr_data = pos + 2;
 106                 attr->encr_data_len = pos[1] - 2;
 107                 break;
 108         case EAP_SAKE_AT_IV:
 109                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
 110                 attr->iv = pos + 2;
 111                 attr->iv_len = pos[1] - 2;
 112                 break;
 113         case EAP_SAKE_AT_PADDING:
 114                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PADDING");
 115                 for (i = 2; i < pos[1]; i++) {
 116                         if (pos[i]) {
 117                                 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_PADDING "
 118                                            "with non-zero pad byte");
 119                                 return -1;
 120                         }
 121                 }
 122                 break;
 123         case EAP_SAKE_AT_NEXT_TMPID:
 124                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_NEXT_TMPID");
 125                 attr->next_tmpid = pos + 2;
 126                 attr->next_tmpid_len = pos[1] - 2;
 127                 break;
 128         case EAP_SAKE_AT_MSK_LIFE:
 129                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
 130                 if (pos[1] != 6) {
 131                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
 132                                    "AT_MSK_LIFE length %d", pos[1]);
 133                         return -1;
 134                 }
 135                 attr->msk_life = pos + 2;
 136                 break;
 137         default:
 138                 if (pos[0] < 128) {
 139                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Unknown non-skippable"
 140                                    " attribute %d", pos[0]);
 141                         return -1;
 142                 }
 143                 wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring unknown skippable "
 144                            "attribute %d", pos[0]);
 145                 break;
 146         }
 147
 148         if (attr->iv && !attr->encr_data) {
 149                 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_IV included without "
 150                            "AT_ENCR_DATA");
 151                 return -1;
 152         }
 153
 154         return 0;
 155 }
 156
 157
 158 /**
 159  * eap_sake_parse_attributes - Parse EAP-SAKE attributes
 160  * @buf: Packet payload (starting with the first attribute)
 161  * @len: Payload length
 162  * @attr: Structure to be filled with found attributes
 163  * Returns: 0 on success or -1 on failure
 164  */
 165 int eap_sake_parse_attributes(const u8 *buf, size_t len,
 166                               struct eap_sake_parse_attr *attr)
 167 {
 168         const u8 *pos = buf, *end = buf + len;
 169
 170         os_memset(attr, 0, sizeof(*attr));
 171         while (pos < end) {
 172                 if (end - pos < 2) {
 173                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Too short attribute");
 174                         return -1;
 175                 }
 176
 177                 if (pos[1] < 2) {
 178                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid attribute "
 179                                    "length (%d)", pos[1]);
 180                         return -1;
 181                 }
 182
 183                 if (pos + pos[1] > end) {
 184                         wpa_printf(MSG_DEBUG, "EAP-SAKE: Attribute underflow");
 185                         return -1;
 186                 }
 187
 188                 if (eap_sake_parse_add_attr(attr, pos))
 189                         return -1;
 190
 191                 pos += pos[1];
 192         }
 193
 194         return 0;
 195 }
 196
 197
 198 /**
 199  * eap_sake_kdf - EAP-SAKE Key Derivation Function (KDF)
 200  * @key: Key for KDF
 201  * @key_len: Length of the key in bytes
 202  * @label: A unique label for each purpose of the KDF
 203  * @data: Extra data (start) to bind into the key
 204  * @data_len: Length of the data
 205  * @data2: Extra data (end) to bind into the key
 206  * @data2_len: Length of the data2
 207  * @buf: Buffer for the generated pseudo-random key
 208  * @buf_len: Number of bytes of key to generate
 209  *
 210  * This function is used to derive new, cryptographically separate keys from a
 211  * given key (e.g., SMS). This is identical to the PRF used in IEEE 802.11i.
 212  */
 213 static void eap_sake_kdf(const u8 *key, size_t key_len, const char *label,
 214                          const u8 *data, size_t data_len,
 215                          const u8 *data2, size_t data2_len,
 216                          u8 *buf, size_t buf_len)
 217 {
 218         u8 counter = 0;
 219         size_t pos, plen;
 220         u8 hash[SHA1_MAC_LEN];
 221         size_t label_len = os_strlen(label) + 1;
 222         const unsigned char *addr[4];
 223         size_t len[4];
 224
 225         addr[0] = (u8 *) label; /* Label | Y */
 226         len[0] = label_len;
 227         addr[1] = data; /* Msg[start] */
 228         len[1] = data_len;
 229         addr[2] = data2; /* Msg[end] */
 230         len[2] = data2_len;
 231         addr[3] = &counter; /* Length */
 232         len[3] = 1;
 233
 234         pos = 0;
 235         while (pos < buf_len) {
 236                 plen = buf_len - pos;
 237                 if (plen >= SHA1_MAC_LEN) {
 238                         hmac_sha1_vector(key, key_len, 4, addr, len,
 239                                          &buf[pos]);
 240                         pos += SHA1_MAC_LEN;
 241                 } else {
 242                         hmac_sha1_vector(key, key_len, 4, addr, len,
 243                                          hash);
 244                         os_memcpy(&buf[pos], hash, plen);
 245                         break;
 246                 }
 247                 counter++;
 248         }
 249 }
 250
 251
 252 /**
 253  * eap_sake_derive_keys - Derive EAP-SAKE keys
 254  * @root_secret_a: 16-byte Root-Secret-A
 255  * @root_secret_b: 16-byte Root-Secret-B
 256  * @rand_s: 16-byte RAND_S
 257  * @rand_p: 16-byte RAND_P
 258  * @tek: Buffer for Temporary EAK Keys (TEK-Auth[16] | TEK-Cipher[16])
 259  * @msk: Buffer for 64-byte MSK
 260  * @emsk: Buffer for 64-byte EMSK
 261  *
 262  * This function derives EAP-SAKE keys as defined in RFC 4763, section 3.2.6.
 263  */
 264 void eap_sake_derive_keys(const u8 *root_secret_a, const u8 *root_secret_b,
 265                           const u8 *rand_s, const u8 *rand_p, u8 *tek, u8 *msk,
 266                           u8 *emsk)
 267 {
 268         u8 sms_a[EAP_SAKE_SMS_LEN];
 269         u8 sms_b[EAP_SAKE_SMS_LEN];
 270         u8 key_buf[EAP_MSK_LEN + EAP_EMSK_LEN];
 271
 272         wpa_printf(MSG_DEBUG, "EAP-SAKE: Deriving keys");
 273
 274         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-A",
 275                         root_secret_a, EAP_SAKE_ROOT_SECRET_LEN);
 276         eap_sake_kdf(root_secret_a, EAP_SAKE_ROOT_SECRET_LEN,
 277                      "SAKE Master Secret A",
 278                      rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
 279                      sms_a, EAP_SAKE_SMS_LEN);
 280         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-A", sms_a, EAP_SAKE_SMS_LEN);
 281         eap_sake_kdf(sms_a, EAP_SAKE_SMS_LEN, "Transient EAP Key",
 282                      rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
 283                      tek, EAP_SAKE_TEK_LEN);
 284         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Auth",
 285                         tek, EAP_SAKE_TEK_AUTH_LEN);
 286         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Cipher",
 287                         tek + EAP_SAKE_TEK_AUTH_LEN, EAP_SAKE_TEK_CIPHER_LEN);
 288
 289         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-B",
 290                         root_secret_b, EAP_SAKE_ROOT_SECRET_LEN);
 291         eap_sake_kdf(root_secret_b, EAP_SAKE_ROOT_SECRET_LEN,
 292                      "SAKE Master Secret B",
 293                      rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
 294                      sms_b, EAP_SAKE_SMS_LEN);
 295         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-B", sms_b, EAP_SAKE_SMS_LEN);
 296         eap_sake_kdf(sms_b, EAP_SAKE_SMS_LEN, "Master Session Key",
 297                      rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
 298                      key_buf, sizeof(key_buf));
 299         os_memcpy(msk, key_buf, EAP_MSK_LEN);
 300         os_memcpy(emsk, key_buf + EAP_MSK_LEN, EAP_EMSK_LEN);
 301         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: MSK", msk, EAP_MSK_LEN);
 302         wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: EMSK", emsk, EAP_EMSK_LEN);
 303 }
 304
 305
 306 /**
 307  * eap_sake_compute_mic - Compute EAP-SAKE MIC for an EAP packet
 308  * @tek_auth: 16-byte TEK-Auth
 309  * @rand_s: 16-byte RAND_S
 310  * @rand_p: 16-byte RAND_P
 311  * @serverid: SERVERID
 312  * @serverid_len: SERVERID length
 313  * @peerid: PEERID
 314  * @peerid_len: PEERID length
 315  * @peer: MIC calculation for 0 = Server, 1 = Peer message
 316  * @eap: EAP packet
 317  * @eap_len: EAP packet length
 318  * @mic_pos: MIC position in the EAP packet (must be [eap .. eap + eap_len])
 319  * @mic: Buffer for the computed 16-byte MIC
 320  */
 321 int eap_sake_compute_mic(const u8 *tek_auth,
 322                          const u8 *rand_s, const u8 *rand_p,
 323                          const u8 *serverid, size_t serverid_len,
 324                          const u8 *peerid, size_t peerid_len,
 325                          int peer, const u8 *eap, size_t eap_len,
 326                          const u8 *mic_pos, u8 *mic)
 327 {
 328         u8 _rand[2 * EAP_SAKE_RAND_LEN];
 329         u8 *tmp, *pos;
 330         size_t tmplen;
 331
 332         tmplen = serverid_len + 1 + peerid_len + 1 + eap_len;
 333         tmp = os_malloc(tmplen);
 334         if (tmp == NULL)
 335                 return -1;
 336         pos = tmp;
 337         if (peer) {
 338                 if (peerid) {
 339                         os_memcpy(pos, peerid, peerid_len);
 340                         pos += peerid_len;
 341                 }
 342                 *pos++ = 0x00;
 343                 if (serverid) {
 344                         os_memcpy(pos, serverid, serverid_len);
 345                         pos += serverid_len;
 346                 }
 347                 *pos++ = 0x00;
 348
 349                 os_memcpy(_rand, rand_s, EAP_SAKE_RAND_LEN);
 350                 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_p,
 351                           EAP_SAKE_RAND_LEN);
 352         } else {
 353                 if (serverid) {
 354                         os_memcpy(pos, serverid, serverid_len);
 355                         pos += serverid_len;
 356                 }
 357                 *pos++ = 0x00;
 358                 if (peerid) {
 359                         os_memcpy(pos, peerid, peerid_len);
 360                         pos += peerid_len;
 361                 }
 362                 *pos++ = 0x00;
 363
 364                 os_memcpy(_rand, rand_p, EAP_SAKE_RAND_LEN);
 365                 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_s,
 366                           EAP_SAKE_RAND_LEN);
 367         }
 368
 369         os_memcpy(pos, eap, eap_len);
 370         os_memset(pos + (mic_pos - eap), 0, EAP_SAKE_MIC_LEN);
 371
 372         eap_sake_kdf(tek_auth, EAP_SAKE_TEK_AUTH_LEN,
 373                      peer ? "Peer MIC" : "Server MIC",
 374                      _rand, 2 * EAP_SAKE_RAND_LEN, tmp, tmplen,
 375                      mic, EAP_SAKE_MIC_LEN);
 376
 377         os_free(tmp);
 378
 379         return 0;
 380 }