2 * EAP server/peer: EAP-EKE shared routines
3 * Copyright (c) 2011-2013, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/aes.h"
13 #include "crypto/aes_wrap.h"
14 #include "crypto/crypto.h"
15 #include "crypto/dh_groups.h"
16 #include "crypto/random.h"
17 #include "crypto/sha1.h"
18 #include "crypto/sha256.h"
19 #include "eap_common/eap_defs.h"
20 #include "eap_eke_common.h"
23 static int eap_eke_dh_len(u8 group)
26 case EAP_EKE_DHGROUP_EKE_2:
28 case EAP_EKE_DHGROUP_EKE_5:
30 case EAP_EKE_DHGROUP_EKE_14:
32 case EAP_EKE_DHGROUP_EKE_15:
34 case EAP_EKE_DHGROUP_EKE_16:
42 static int eap_eke_dhcomp_len(u8 dhgroup, u8 encr)
46 dhlen = eap_eke_dh_len(dhgroup);
49 if (encr != EAP_EKE_ENCR_AES128_CBC)
51 return AES_BLOCK_SIZE + dhlen;
55 static const struct dh_group * eap_eke_dh_group(u8 group)
58 case EAP_EKE_DHGROUP_EKE_2:
59 return dh_groups_get(2);
60 case EAP_EKE_DHGROUP_EKE_5:
61 return dh_groups_get(5);
62 case EAP_EKE_DHGROUP_EKE_14:
63 return dh_groups_get(14);
64 case EAP_EKE_DHGROUP_EKE_15:
65 return dh_groups_get(15);
66 case EAP_EKE_DHGROUP_EKE_16:
67 return dh_groups_get(16);
74 static int eap_eke_dh_generator(u8 group)
77 case EAP_EKE_DHGROUP_EKE_2:
79 case EAP_EKE_DHGROUP_EKE_5:
81 case EAP_EKE_DHGROUP_EKE_14:
83 case EAP_EKE_DHGROUP_EKE_15:
85 case EAP_EKE_DHGROUP_EKE_16:
93 static int eap_eke_pnonce_len(u8 mac)
97 if (mac == EAP_EKE_MAC_HMAC_SHA1)
98 mac_len = SHA1_MAC_LEN;
99 else if (mac == EAP_EKE_MAC_HMAC_SHA2_256)
100 mac_len = SHA256_MAC_LEN;
104 return AES_BLOCK_SIZE + 16 + mac_len;
108 static int eap_eke_pnonce_ps_len(u8 mac)
112 if (mac == EAP_EKE_MAC_HMAC_SHA1)
113 mac_len = SHA1_MAC_LEN;
114 else if (mac == EAP_EKE_MAC_HMAC_SHA2_256)
115 mac_len = SHA256_MAC_LEN;
119 return AES_BLOCK_SIZE + 2 * 16 + mac_len;
123 static int eap_eke_prf_len(u8 prf)
125 if (prf == EAP_EKE_PRF_HMAC_SHA1)
127 if (prf == EAP_EKE_PRF_HMAC_SHA2_256)
133 static int eap_eke_nonce_len(u8 prf)
137 prf_len = eap_eke_prf_len(prf);
141 if (prf_len > 2 * 16)
142 return (prf_len + 1) / 2;
148 static int eap_eke_auth_len(u8 prf)
151 case EAP_EKE_PRF_HMAC_SHA1:
153 case EAP_EKE_PRF_HMAC_SHA2_256:
154 return SHA256_MAC_LEN;
161 int eap_eke_dh_init(u8 group, u8 *ret_priv, u8 *ret_pub)
165 const struct dh_group *dh;
168 generator = eap_eke_dh_generator(group);
169 if (generator < 0 || generator > 255)
173 dh = eap_eke_dh_group(group);
177 /* x = random number 2 .. p-1 */
178 if (random_get_bytes(ret_priv, dh->prime_len))
180 if (os_memcmp(ret_priv, dh->prime, dh->prime_len) > 0) {
181 /* Make sure private value is smaller than prime */
184 for (i = 0; i < dh->prime_len - 1; i++) {
188 if (i == dh->prime_len - 1 && (ret_priv[i] == 0 || ret_priv[i] == 1))
190 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: DH private value",
191 ret_priv, dh->prime_len);
193 /* y = g ^ x (mod p) */
194 pub_len = dh->prime_len;
195 if (crypto_mod_exp(&gen, 1, ret_priv, dh->prime_len,
196 dh->prime, dh->prime_len, ret_pub, &pub_len) < 0)
198 if (pub_len < dh->prime_len) {
199 size_t pad = dh->prime_len - pub_len;
200 os_memmove(ret_pub + pad, ret_pub, pub_len);
201 os_memset(ret_pub, 0, pad);
204 wpa_hexdump(MSG_DEBUG, "EAP-EKE: DH public value",
205 ret_pub, dh->prime_len);
211 static int eap_eke_prf(u8 prf, const u8 *key, size_t key_len, const u8 *data,
212 size_t data_len, const u8 *data2, size_t data2_len,
227 if (prf == EAP_EKE_PRF_HMAC_SHA1)
228 return hmac_sha1_vector(key, key_len, num_elem, addr, len, res);
229 if (prf == EAP_EKE_PRF_HMAC_SHA2_256)
230 return hmac_sha256_vector(key, key_len, num_elem, addr, len,
236 static int eap_eke_prf_hmac_sha1(const u8 *key, size_t key_len, const u8 *data,
237 size_t data_len, u8 *res, size_t len)
239 u8 hash[SHA1_MAC_LEN];
247 vlen[0] = SHA1_MAC_LEN;
256 ret = hmac_sha1_vector(key, key_len, 2, &addr[1],
259 ret = hmac_sha1_vector(key, key_len, 3, addr, vlen,
263 if (len > SHA1_MAC_LEN) {
264 os_memcpy(res, hash, SHA1_MAC_LEN);
268 os_memcpy(res, hash, len);
277 static int eap_eke_prf_hmac_sha256(const u8 *key, size_t key_len, const u8 *data,
278 size_t data_len, u8 *res, size_t len)
280 u8 hash[SHA256_MAC_LEN];
288 vlen[0] = SHA256_MAC_LEN;
297 ret = hmac_sha256_vector(key, key_len, 2, &addr[1],
300 ret = hmac_sha256_vector(key, key_len, 3, addr, vlen,
304 if (len > SHA256_MAC_LEN) {
305 os_memcpy(res, hash, SHA256_MAC_LEN);
306 res += SHA256_MAC_LEN;
307 len -= SHA256_MAC_LEN;
309 os_memcpy(res, hash, len);
318 static int eap_eke_prfplus(u8 prf, const u8 *key, size_t key_len,
319 const u8 *data, size_t data_len, u8 *res, size_t len)
321 if (prf == EAP_EKE_PRF_HMAC_SHA1)
322 return eap_eke_prf_hmac_sha1(key, key_len, data, data_len, res,
324 if (prf == EAP_EKE_PRF_HMAC_SHA2_256)
325 return eap_eke_prf_hmac_sha256(key, key_len, data, data_len,
331 int eap_eke_derive_key(struct eap_eke_session *sess,
332 const u8 *password, size_t password_len,
333 const u8 *id_s, size_t id_s_len, const u8 *id_p,
334 size_t id_p_len, u8 *key)
336 u8 zeros[EAP_EKE_MAX_HASH_LEN];
337 u8 temp[EAP_EKE_MAX_HASH_LEN];
338 size_t key_len = 16; /* Only AES-128-CBC is used here */
341 /* temp = prf(0+, password) */
342 os_memset(zeros, 0, sess->prf_len);
343 if (eap_eke_prf(sess->prf, zeros, sess->prf_len,
344 password, password_len, NULL, 0, temp) < 0)
346 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: temp = prf(0+, password)",
347 temp, sess->prf_len);
349 /* key = prf+(temp, ID_S | ID_P) */
350 id = os_malloc(id_s_len + id_p_len);
353 os_memcpy(id, id_s, id_s_len);
354 os_memcpy(id + id_s_len, id_p, id_p_len);
355 wpa_hexdump_ascii(MSG_DEBUG, "EAP-EKE: ID_S | ID_P",
356 id, id_s_len + id_p_len);
357 if (eap_eke_prfplus(sess->prf, temp, sess->prf_len,
358 id, id_s_len + id_p_len, key, key_len) < 0) {
363 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: key = prf+(temp, ID_S | ID_P)",
370 int eap_eke_dhcomp(struct eap_eke_session *sess, const u8 *key, const u8 *dhpub,
373 u8 pub[EAP_EKE_MAX_DH_LEN];
375 u8 iv[AES_BLOCK_SIZE];
377 dh_len = eap_eke_dh_len(sess->dhgroup);
382 * DHComponent = Encr(key, y)
384 * All defined DH groups use primes that have length devisible by 16, so
385 * no need to do extra padding for y (= pub).
387 if (sess->encr != EAP_EKE_ENCR_AES128_CBC)
389 if (random_get_bytes(iv, AES_BLOCK_SIZE))
391 wpa_hexdump(MSG_DEBUG, "EAP-EKE: IV for Encr(key, y)",
393 os_memcpy(pub, dhpub, dh_len);
394 if (aes_128_cbc_encrypt(key, iv, pub, dh_len) < 0)
396 os_memcpy(ret_dhcomp, iv, AES_BLOCK_SIZE);
397 os_memcpy(ret_dhcomp + AES_BLOCK_SIZE, pub, dh_len);
398 wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent = Encr(key, y)",
399 ret_dhcomp, AES_BLOCK_SIZE + dh_len);
405 int eap_eke_shared_secret(struct eap_eke_session *sess, const u8 *key,
406 const u8 *dhpriv, const u8 *peer_dhcomp)
408 u8 zeros[EAP_EKE_MAX_HASH_LEN];
409 u8 peer_pub[EAP_EKE_MAX_DH_LEN];
410 u8 modexp[EAP_EKE_MAX_DH_LEN];
412 const struct dh_group *dh;
414 if (sess->encr != EAP_EKE_ENCR_AES128_CBC)
417 dh = eap_eke_dh_group(sess->dhgroup);
421 /* Decrypt peer DHComponent */
422 os_memcpy(peer_pub, peer_dhcomp + AES_BLOCK_SIZE, dh->prime_len);
423 if (aes_128_cbc_decrypt(key, peer_dhcomp, peer_pub, dh->prime_len) < 0) {
424 wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt DHComponent");
427 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Decrypted peer DH pubkey",
428 peer_pub, dh->prime_len);
430 /* SharedSecret = prf(0+, g ^ (x_s * x_p) (mod p)) */
432 if (crypto_mod_exp(peer_pub, dh->prime_len, dhpriv, dh->prime_len,
433 dh->prime, dh->prime_len, modexp, &len) < 0)
435 if (len < dh->prime_len) {
436 size_t pad = dh->prime_len - len;
437 os_memmove(modexp + pad, modexp, len);
438 os_memset(modexp, 0, pad);
441 os_memset(zeros, 0, sess->auth_len);
442 if (eap_eke_prf(sess->prf, zeros, sess->auth_len, modexp, dh->prime_len,
443 NULL, 0, sess->shared_secret) < 0)
445 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: SharedSecret",
446 sess->shared_secret, sess->auth_len);
452 int eap_eke_derive_ke_ki(struct eap_eke_session *sess,
453 const u8 *id_s, size_t id_s_len,
454 const u8 *id_p, size_t id_p_len)
456 u8 buf[EAP_EKE_MAX_KE_LEN + EAP_EKE_MAX_KI_LEN];
457 size_t ke_len, ki_len;
460 const char *label = "EAP-EKE Keys";
464 * Ke | Ki = prf+(SharedSecret, "EAP-EKE Keys" | ID_S | ID_P)
465 * Ke = encryption key
466 * Ki = integrity protection key
467 * Length of each key depends on the selected algorithms.
470 if (sess->encr == EAP_EKE_ENCR_AES128_CBC)
475 if (sess->mac == EAP_EKE_PRF_HMAC_SHA1)
477 else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256)
482 label_len = os_strlen(label);
483 data_len = label_len + id_s_len + id_p_len;
484 data = os_malloc(data_len);
487 os_memcpy(data, label, label_len);
488 os_memcpy(data + label_len, id_s, id_s_len);
489 os_memcpy(data + label_len + id_s_len, id_p, id_p_len);
490 if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len,
491 data, data_len, buf, ke_len + ki_len) < 0) {
496 os_memcpy(sess->ke, buf, ke_len);
497 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ke", sess->ke, ke_len);
498 os_memcpy(sess->ki, buf + ke_len, ki_len);
499 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ki", sess->ki, ki_len);
506 int eap_eke_derive_ka(struct eap_eke_session *sess,
507 const u8 *id_s, size_t id_s_len,
508 const u8 *id_p, size_t id_p_len,
509 const u8 *nonce_p, const u8 *nonce_s)
513 const char *label = "EAP-EKE Ka";
517 * Ka = prf+(SharedSecret, "EAP-EKE Ka" | ID_S | ID_P | Nonce_P |
519 * Ka = authentication key
520 * Length of the key depends on the selected algorithms.
523 label_len = os_strlen(label);
524 data_len = label_len + id_s_len + id_p_len + 2 * sess->nonce_len;
525 data = os_malloc(data_len);
529 os_memcpy(pos, label, label_len);
531 os_memcpy(pos, id_s, id_s_len);
533 os_memcpy(pos, id_p, id_p_len);
535 os_memcpy(pos, nonce_p, sess->nonce_len);
536 pos += sess->nonce_len;
537 os_memcpy(pos, nonce_s, sess->nonce_len);
538 if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len,
539 data, data_len, sess->ka, sess->prf_len) < 0) {
545 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ka", sess->ka, sess->prf_len);
551 int eap_eke_derive_msk(struct eap_eke_session *sess,
552 const u8 *id_s, size_t id_s_len,
553 const u8 *id_p, size_t id_p_len,
554 const u8 *nonce_p, const u8 *nonce_s,
559 const char *label = "EAP-EKE Exported Keys";
561 u8 buf[EAP_MSK_LEN + EAP_EMSK_LEN];
564 * MSK | EMSK = prf+(SharedSecret, "EAP-EKE Exported Keys" | ID_S |
565 * ID_P | Nonce_P | Nonce_S)
568 label_len = os_strlen(label);
569 data_len = label_len + id_s_len + id_p_len + 2 * sess->nonce_len;
570 data = os_malloc(data_len);
574 os_memcpy(pos, label, label_len);
576 os_memcpy(pos, id_s, id_s_len);
578 os_memcpy(pos, id_p, id_p_len);
580 os_memcpy(pos, nonce_p, sess->nonce_len);
581 pos += sess->nonce_len;
582 os_memcpy(pos, nonce_s, sess->nonce_len);
583 if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len,
584 data, data_len, buf, EAP_MSK_LEN + EAP_EMSK_LEN) <
591 os_memcpy(msk, buf, EAP_MSK_LEN);
592 os_memcpy(emsk, buf + EAP_MSK_LEN, EAP_EMSK_LEN);
593 os_memset(buf, 0, sizeof(buf));
595 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: MSK", msk, EAP_MSK_LEN);
596 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: EMSK", msk, EAP_EMSK_LEN);
602 static int eap_eke_mac(u8 mac, const u8 *key, const u8 *data, size_t data_len,
605 if (mac == EAP_EKE_MAC_HMAC_SHA1)
606 return hmac_sha1(key, SHA1_MAC_LEN, data, data_len, res);
607 if (mac == EAP_EKE_MAC_HMAC_SHA2_256)
608 return hmac_sha256(key, SHA256_MAC_LEN, data, data_len, res);
613 int eap_eke_prot(struct eap_eke_session *sess,
614 const u8 *data, size_t data_len,
615 u8 *prot, size_t *prot_len)
617 size_t block_size, icv_len, pad;
620 if (sess->encr == EAP_EKE_ENCR_AES128_CBC)
621 block_size = AES_BLOCK_SIZE;
625 if (sess->mac == EAP_EKE_PRF_HMAC_SHA1)
626 icv_len = SHA1_MAC_LEN;
627 else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256)
628 icv_len = SHA256_MAC_LEN;
632 pad = data_len % block_size;
634 pad = block_size - pad;
636 if (*prot_len < block_size + data_len + pad + icv_len) {
637 wpa_printf(MSG_INFO, "EAP-EKE: Not enough room for Prot() data");
641 if (random_get_bytes(pos, block_size))
644 wpa_hexdump(MSG_DEBUG, "EAP-EKE: IV for Prot()", iv, block_size);
648 os_memcpy(pos, data, data_len);
651 if (random_get_bytes(pos, pad))
656 if (aes_128_cbc_encrypt(sess->ke, iv, e, data_len + pad) < 0)
659 if (eap_eke_mac(sess->mac, sess->ki, e, data_len + pad, pos) < 0)
663 *prot_len = pos - prot;
668 int eap_eke_decrypt_prot(struct eap_eke_session *sess,
669 const u8 *prot, size_t prot_len,
670 u8 *data, size_t *data_len)
672 size_t block_size, icv_len;
673 u8 icv[EAP_EKE_MAX_HASH_LEN];
675 if (sess->encr == EAP_EKE_ENCR_AES128_CBC)
676 block_size = AES_BLOCK_SIZE;
680 if (sess->mac == EAP_EKE_PRF_HMAC_SHA1)
681 icv_len = SHA1_MAC_LEN;
682 else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256)
683 icv_len = SHA256_MAC_LEN;
687 if (prot_len < 2 * block_size + icv_len)
689 if ((prot_len - icv_len) % block_size)
692 if (eap_eke_mac(sess->mac, sess->ki, prot + block_size,
693 prot_len - block_size - icv_len, icv) < 0)
695 if (os_memcmp(icv, prot + prot_len - icv_len, icv_len) != 0) {
696 wpa_printf(MSG_INFO, "EAP-EKE: ICV mismatch in Prot() data");
700 if (*data_len < prot_len - block_size - icv_len) {
701 wpa_printf(MSG_INFO, "EAP-EKE: Not enough room for decrypted Prot() data");
705 *data_len = prot_len - block_size - icv_len;
706 os_memcpy(data, prot + block_size, *data_len);
707 if (aes_128_cbc_decrypt(sess->ke, prot, data, *data_len) < 0) {
708 wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt Prot() data");
711 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Decrypted Prot() data",
718 int eap_eke_auth(struct eap_eke_session *sess, const char *label,
719 const struct wpabuf *msgs, u8 *auth)
721 wpa_printf(MSG_DEBUG, "EAP-EKE: Auth(%s)", label);
722 wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ka for Auth",
723 sess->ka, sess->auth_len);
724 wpa_hexdump_buf(MSG_MSGDUMP, "EAP-EKE: Messages for Auth", msgs);
725 return eap_eke_prf(sess->prf, sess->ka, sess->auth_len,
726 (const u8 *) label, os_strlen(label),
727 wpabuf_head(msgs), wpabuf_len(msgs), auth);
731 int eap_eke_session_init(struct eap_eke_session *sess, u8 dhgroup, u8 encr,
734 sess->dhgroup = dhgroup;
739 sess->prf_len = eap_eke_prf_len(prf);
740 if (sess->prf_len < 0)
742 sess->nonce_len = eap_eke_nonce_len(prf);
743 if (sess->nonce_len < 0)
745 sess->auth_len = eap_eke_auth_len(prf);
746 if (sess->auth_len < 0)
748 sess->dhcomp_len = eap_eke_dhcomp_len(sess->dhgroup, sess->encr);
749 if (sess->dhcomp_len < 0)
751 sess->pnonce_len = eap_eke_pnonce_len(sess->mac);
752 if (sess->pnonce_len < 0)
754 sess->pnonce_ps_len = eap_eke_pnonce_ps_len(sess->mac);
755 if (sess->pnonce_ps_len < 0)
762 void eap_eke_session_clean(struct eap_eke_session *sess)
764 os_memset(sess->shared_secret, 0, EAP_EKE_MAX_HASH_LEN);
765 os_memset(sess->ke, 0, EAP_EKE_MAX_KE_LEN);
766 os_memset(sess->ki, 0, EAP_EKE_MAX_KI_LEN);
767 os_memset(sess->ka, 0, EAP_EKE_MAX_KA_LEN);