2 * EAP-FAST common helper functions (RFC 4851)
3 * Copyright (c) 2008, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/sha1.h"
13 #include "crypto/tls.h"
15 #include "eap_tlv_common.h"
16 #include "eap_fast_common.h"
19 void eap_fast_put_tlv_hdr(struct wpabuf *buf, u16 type, u16 len)
21 struct pac_tlv_hdr hdr;
22 hdr.type = host_to_be16(type);
23 hdr.len = host_to_be16(len);
24 wpabuf_put_data(buf, &hdr, sizeof(hdr));
28 void eap_fast_put_tlv(struct wpabuf *buf, u16 type, const void *data,
31 eap_fast_put_tlv_hdr(buf, type, len);
32 wpabuf_put_data(buf, data, len);
36 void eap_fast_put_tlv_buf(struct wpabuf *buf, u16 type,
37 const struct wpabuf *data)
39 eap_fast_put_tlv_hdr(buf, type, wpabuf_len(data));
40 wpabuf_put_buf(buf, data);
44 struct wpabuf * eap_fast_tlv_eap_payload(struct wpabuf *buf)
51 /* Encapsulate EAP packet in EAP-Payload TLV */
52 wpa_printf(MSG_DEBUG, "EAP-FAST: Add EAP-Payload TLV");
53 e = wpabuf_alloc(sizeof(struct pac_tlv_hdr) + wpabuf_len(buf));
55 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory "
56 "for TLV encapsulation");
60 eap_fast_put_tlv_buf(e,
61 EAP_TLV_TYPE_MANDATORY | EAP_TLV_EAP_PAYLOAD_TLV,
68 void eap_fast_derive_master_secret(const u8 *pac_key, const u8 *server_random,
69 const u8 *client_random, u8 *master_secret)
71 #define TLS_RANDOM_LEN 32
72 #define TLS_MASTER_SECRET_LEN 48
73 u8 seed[2 * TLS_RANDOM_LEN];
75 wpa_hexdump(MSG_DEBUG, "EAP-FAST: client_random",
76 client_random, TLS_RANDOM_LEN);
77 wpa_hexdump(MSG_DEBUG, "EAP-FAST: server_random",
78 server_random, TLS_RANDOM_LEN);
81 * RFC 4851, Section 5.1:
82 * master_secret = T-PRF(PAC-Key, "PAC to master secret label hash",
83 * server_random + client_random, 48)
85 os_memcpy(seed, server_random, TLS_RANDOM_LEN);
86 os_memcpy(seed + TLS_RANDOM_LEN, client_random, TLS_RANDOM_LEN);
87 sha1_t_prf(pac_key, EAP_FAST_PAC_KEY_LEN,
88 "PAC to master secret label hash",
89 seed, sizeof(seed), master_secret, TLS_MASTER_SECRET_LEN);
91 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: master_secret",
92 master_secret, TLS_MASTER_SECRET_LEN);
96 u8 * eap_fast_derive_key(void *ssl_ctx, struct tls_connection *conn,
97 const char *label, size_t len)
100 u8 *rnd = NULL, *out;
103 block_size = tls_connection_get_keyblock_size(ssl_ctx, conn);
107 out = os_malloc(block_size + len);
111 if (tls_connection_prf(ssl_ctx, conn, label, 1, out, block_size + len)
113 os_memmove(out, out + block_size, len);
117 if (tls_connection_get_keys(ssl_ctx, conn, &keys))
120 rnd = os_malloc(keys.client_random_len + keys.server_random_len);
124 os_memcpy(rnd, keys.server_random, keys.server_random_len);
125 os_memcpy(rnd + keys.server_random_len, keys.client_random,
126 keys.client_random_len);
128 wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: master_secret for key "
129 "expansion", keys.master_key, keys.master_key_len);
130 if (tls_prf_sha1_md5(keys.master_key, keys.master_key_len,
131 label, rnd, keys.client_random_len +
132 keys.server_random_len, out, block_size + len))
135 os_memmove(out, out + block_size, len);
145 void eap_fast_derive_eap_msk(const u8 *simck, u8 *msk)
148 * RFC 4851, Section 5.4: EAP Master Session Key Generation
149 * MSK = T-PRF(S-IMCK[j], "Session Key Generating Function", 64)
152 sha1_t_prf(simck, EAP_FAST_SIMCK_LEN,
153 "Session Key Generating Function", (u8 *) "", 0,
154 msk, EAP_FAST_KEY_LEN);
155 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (MSK)",
156 msk, EAP_FAST_KEY_LEN);
160 void eap_fast_derive_eap_emsk(const u8 *simck, u8 *emsk)
163 * RFC 4851, Section 5.4: EAP Master Session Key Genreration
164 * EMSK = T-PRF(S-IMCK[j],
165 * "Extended Session Key Generating Function", 64)
168 sha1_t_prf(simck, EAP_FAST_SIMCK_LEN,
169 "Extended Session Key Generating Function", (u8 *) "", 0,
171 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (EMSK)",
176 int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv,
177 int tlv_type, u8 *pos, int len)
180 case EAP_TLV_EAP_PAYLOAD_TLV:
181 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: EAP-Payload TLV",
183 if (tlv->eap_payload_tlv) {
184 wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
185 "EAP-Payload TLV in the message");
186 tlv->iresult = EAP_TLV_RESULT_FAILURE;
189 tlv->eap_payload_tlv = pos;
190 tlv->eap_payload_tlv_len = len;
192 case EAP_TLV_RESULT_TLV:
193 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Result TLV", pos, len);
195 wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
196 "Result TLV in the message");
197 tlv->result = EAP_TLV_RESULT_FAILURE;
201 wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
203 tlv->result = EAP_TLV_RESULT_FAILURE;
206 tlv->result = WPA_GET_BE16(pos);
207 if (tlv->result != EAP_TLV_RESULT_SUCCESS &&
208 tlv->result != EAP_TLV_RESULT_FAILURE) {
209 wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Result %d",
211 tlv->result = EAP_TLV_RESULT_FAILURE;
213 wpa_printf(MSG_DEBUG, "EAP-FAST: Result: %s",
214 tlv->result == EAP_TLV_RESULT_SUCCESS ?
215 "Success" : "Failure");
217 case EAP_TLV_INTERMEDIATE_RESULT_TLV:
218 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Intermediate Result TLV",
221 wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
222 "Intermediate-Result TLV");
223 tlv->iresult = EAP_TLV_RESULT_FAILURE;
227 wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
228 "Intermediate-Result TLV in the message");
229 tlv->iresult = EAP_TLV_RESULT_FAILURE;
232 tlv->iresult = WPA_GET_BE16(pos);
233 if (tlv->iresult != EAP_TLV_RESULT_SUCCESS &&
234 tlv->iresult != EAP_TLV_RESULT_FAILURE) {
235 wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Intermediate "
236 "Result %d", tlv->iresult);
237 tlv->iresult = EAP_TLV_RESULT_FAILURE;
239 wpa_printf(MSG_DEBUG, "EAP-FAST: Intermediate Result: %s",
240 tlv->iresult == EAP_TLV_RESULT_SUCCESS ?
241 "Success" : "Failure");
243 case EAP_TLV_CRYPTO_BINDING_TLV:
244 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV",
246 if (tlv->crypto_binding) {
247 wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
248 "Crypto-Binding TLV in the message");
249 tlv->iresult = EAP_TLV_RESULT_FAILURE;
252 tlv->crypto_binding_len = sizeof(struct eap_tlv_hdr) + len;
253 if (tlv->crypto_binding_len < sizeof(*tlv->crypto_binding)) {
254 wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
255 "Crypto-Binding TLV");
256 tlv->iresult = EAP_TLV_RESULT_FAILURE;
259 tlv->crypto_binding = (struct eap_tlv_crypto_binding_tlv *)
260 (pos - sizeof(struct eap_tlv_hdr));
262 case EAP_TLV_REQUEST_ACTION_TLV:
263 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Request-Action TLV",
265 if (tlv->request_action) {
266 wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
267 "Request-Action TLV in the message");
268 tlv->iresult = EAP_TLV_RESULT_FAILURE;
272 wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
273 "Request-Action TLV");
274 tlv->iresult = EAP_TLV_RESULT_FAILURE;
277 tlv->request_action = WPA_GET_BE16(pos);
278 wpa_printf(MSG_DEBUG, "EAP-FAST: Request-Action: %d",
279 tlv->request_action);
281 case EAP_TLV_PAC_TLV:
282 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: PAC TLV", pos, len);
284 wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
285 "PAC TLV in the message");
286 tlv->iresult = EAP_TLV_RESULT_FAILURE;