eap_sake_common.c revision 214734
1254721Semaste/* 2254721Semaste * EAP server/peer: EAP-SAKE shared routines 3254721Semaste * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> 4254721Semaste * 5254721Semaste * This program is free software; you can redistribute it and/or modify 6254721Semaste * it under the terms of the GNU General Public License version 2 as 7254721Semaste * published by the Free Software Foundation. 8254721Semaste * 9254721Semaste * Alternatively, this software may be distributed under the terms of BSD 10254721Semaste * license. 11254721Semaste * 12254721Semaste * See README and COPYING for more details. 13254721Semaste */ 14254721Semaste 15254721Semaste#include "includes.h" 16254721Semaste 17254721Semaste#include "common.h" 18254721Semaste#include "wpabuf.h" 19254721Semaste#include "crypto/sha1.h" 20254721Semaste#include "eap_defs.h" 21254721Semaste#include "eap_sake_common.h" 22254721Semaste 23254721Semaste 24254721Semastestatic int eap_sake_parse_add_attr(struct eap_sake_parse_attr *attr, 25254721Semaste const u8 *pos) 26254721Semaste{ 27254721Semaste size_t i; 28254721Semaste 29254721Semaste switch (pos[0]) { 30254721Semaste case EAP_SAKE_AT_RAND_S: 31254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_S"); 32254721Semaste if (pos[1] != 2 + EAP_SAKE_RAND_LEN) { 33254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_S with " 34254721Semaste "invalid length %d", pos[1]); 35254721Semaste return -1; 36254721Semaste } 37254721Semaste attr->rand_s = pos + 2; 38254721Semaste break; 39254721Semaste case EAP_SAKE_AT_RAND_P: 40254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_P"); 41254721Semaste if (pos[1] != 2 + EAP_SAKE_RAND_LEN) { 42254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_P with " 43254721Semaste "invalid length %d", pos[1]); 44254721Semaste return -1; 45254721Semaste } 46254721Semaste attr->rand_p = pos + 2; 47254721Semaste break; 48254721Semaste case EAP_SAKE_AT_MIC_S: 49254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_S"); 50254721Semaste if (pos[1] != 2 + EAP_SAKE_MIC_LEN) { 51254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_S with " 52254721Semaste "invalid length %d", pos[1]); 53254721Semaste return -1; 54254721Semaste } 55254721Semaste attr->mic_s = pos + 2; 56254721Semaste break; 57254721Semaste case EAP_SAKE_AT_MIC_P: 58254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_P"); 59254721Semaste if (pos[1] != 2 + EAP_SAKE_MIC_LEN) { 60254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_P with " 61254721Semaste "invalid length %d", pos[1]); 62254721Semaste return -1; 63254721Semaste } 64254721Semaste attr->mic_p = pos + 2; 65254721Semaste break; 66254721Semaste case EAP_SAKE_AT_SERVERID: 67254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SERVERID"); 68254721Semaste attr->serverid = pos + 2; 69254721Semaste attr->serverid_len = pos[1] - 2; 70254721Semaste break; 71254721Semaste case EAP_SAKE_AT_PEERID: 72254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PEERID"); 73254721Semaste attr->peerid = pos + 2; 74254721Semaste attr->peerid_len = pos[1] - 2; 75254721Semaste break; 76254721Semaste case EAP_SAKE_AT_SPI_S: 77254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_S"); 78254721Semaste attr->spi_s = pos + 2; 79254721Semaste attr->spi_s_len = pos[1] - 2; 80254721Semaste break; 81254721Semaste case EAP_SAKE_AT_SPI_P: 82254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_P"); 83254721Semaste attr->spi_p = pos + 2; 84254721Semaste attr->spi_p_len = pos[1] - 2; 85254721Semaste break; 86254721Semaste case EAP_SAKE_AT_ANY_ID_REQ: 87254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ANY_ID_REQ"); 88254721Semaste if (pos[1] != 4) { 89254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid AT_ANY_ID_REQ" 90254721Semaste " length %d", pos[1]); 91254721Semaste return -1; 92254721Semaste } 93254721Semaste attr->any_id_req = pos + 2; 94254721Semaste break; 95254721Semaste case EAP_SAKE_AT_PERM_ID_REQ: 96254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PERM_ID_REQ"); 97254721Semaste if (pos[1] != 4) { 98254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid " 99254721Semaste "AT_PERM_ID_REQ length %d", pos[1]); 100254721Semaste return -1; 101254721Semaste } 102254721Semaste attr->perm_id_req = pos + 2; 103254721Semaste break; 104254721Semaste case EAP_SAKE_AT_ENCR_DATA: 105254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ENCR_DATA"); 106254721Semaste attr->encr_data = pos + 2; 107254721Semaste attr->encr_data_len = pos[1] - 2; 108254721Semaste break; 109254721Semaste case EAP_SAKE_AT_IV: 110254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV"); 111254721Semaste attr->iv = pos + 2; 112254721Semaste attr->iv_len = pos[1] - 2; 113254721Semaste break; 114254721Semaste case EAP_SAKE_AT_PADDING: 115254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PADDING"); 116254721Semaste for (i = 2; i < pos[1]; i++) { 117254721Semaste if (pos[i]) { 118254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_PADDING " 119254721Semaste "with non-zero pad byte"); 120254721Semaste return -1; 121254721Semaste } 122254721Semaste } 123254721Semaste break; 124254721Semaste case EAP_SAKE_AT_NEXT_TMPID: 125254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_NEXT_TMPID"); 126254721Semaste attr->next_tmpid = pos + 2; 127254721Semaste attr->next_tmpid_len = pos[1] - 2; 128254721Semaste break; 129254721Semaste case EAP_SAKE_AT_MSK_LIFE: 130254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV"); 131254721Semaste if (pos[1] != 6) { 132254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid " 133254721Semaste "AT_MSK_LIFE length %d", pos[1]); 134254721Semaste return -1; 135254721Semaste } 136254721Semaste attr->msk_life = pos + 2; 137254721Semaste break; 138254721Semaste default: 139254721Semaste if (pos[0] < 128) { 140254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Unknown non-skippable" 141254721Semaste " attribute %d", pos[0]); 142254721Semaste return -1; 143254721Semaste } 144254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring unknown skippable " 145254721Semaste "attribute %d", pos[0]); 146254721Semaste break; 147254721Semaste } 148254721Semaste 149254721Semaste if (attr->iv && !attr->encr_data) { 150254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_IV included without " 151254721Semaste "AT_ENCR_DATA"); 152254721Semaste return -1; 153254721Semaste } 154254721Semaste 155254721Semaste return 0; 156254721Semaste} 157254721Semaste 158254721Semaste 159254721Semaste/** 160254721Semaste * eap_sake_parse_attributes - Parse EAP-SAKE attributes 161254721Semaste * @buf: Packet payload (starting with the first attribute) 162254721Semaste * @len: Payload length 163254721Semaste * @attr: Structure to be filled with found attributes 164254721Semaste * Returns: 0 on success or -1 on failure 165254721Semaste */ 166254721Semasteint eap_sake_parse_attributes(const u8 *buf, size_t len, 167254721Semaste struct eap_sake_parse_attr *attr) 168254721Semaste{ 169254721Semaste const u8 *pos = buf, *end = buf + len; 170254721Semaste 171254721Semaste os_memset(attr, 0, sizeof(*attr)); 172254721Semaste while (pos < end) { 173254721Semaste if (end - pos < 2) { 174254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Too short attribute"); 175254721Semaste return -1; 176254721Semaste } 177254721Semaste 178254721Semaste if (pos[1] < 2) { 179254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid attribute " 180254721Semaste "length (%d)", pos[1]); 181254721Semaste return -1; 182254721Semaste } 183254721Semaste 184254721Semaste if (pos + pos[1] > end) { 185254721Semaste wpa_printf(MSG_DEBUG, "EAP-SAKE: Attribute underflow"); 186254721Semaste return -1; 187254721Semaste } 188254721Semaste 189254721Semaste if (eap_sake_parse_add_attr(attr, pos)) 190254721Semaste return -1; 191254721Semaste 192254721Semaste pos += pos[1]; 193254721Semaste } 194254721Semaste 195254721Semaste return 0; 196254721Semaste} 197254721Semaste 198254721Semaste 199254721Semaste/** 200254721Semaste * eap_sake_kdf - EAP-SAKE Key Derivation Function (KDF) 201254721Semaste * @key: Key for KDF 202 * @key_len: Length of the key in bytes 203 * @label: A unique label for each purpose of the KDF 204 * @data: Extra data (start) to bind into the key 205 * @data_len: Length of the data 206 * @data2: Extra data (end) to bind into the key 207 * @data2_len: Length of the data2 208 * @buf: Buffer for the generated pseudo-random key 209 * @buf_len: Number of bytes of key to generate 210 * 211 * This function is used to derive new, cryptographically separate keys from a 212 * given key (e.g., SMS). This is identical to the PRF used in IEEE 802.11i. 213 */ 214static void eap_sake_kdf(const u8 *key, size_t key_len, const char *label, 215 const u8 *data, size_t data_len, 216 const u8 *data2, size_t data2_len, 217 u8 *buf, size_t buf_len) 218{ 219 u8 counter = 0; 220 size_t pos, plen; 221 u8 hash[SHA1_MAC_LEN]; 222 size_t label_len = os_strlen(label) + 1; 223 const unsigned char *addr[4]; 224 size_t len[4]; 225 226 addr[0] = (u8 *) label; /* Label | Y */ 227 len[0] = label_len; 228 addr[1] = data; /* Msg[start] */ 229 len[1] = data_len; 230 addr[2] = data2; /* Msg[end] */ 231 len[2] = data2_len; 232 addr[3] = &counter; /* Length */ 233 len[3] = 1; 234 235 pos = 0; 236 while (pos < buf_len) { 237 plen = buf_len - pos; 238 if (plen >= SHA1_MAC_LEN) { 239 hmac_sha1_vector(key, key_len, 4, addr, len, 240 &buf[pos]); 241 pos += SHA1_MAC_LEN; 242 } else { 243 hmac_sha1_vector(key, key_len, 4, addr, len, 244 hash); 245 os_memcpy(&buf[pos], hash, plen); 246 break; 247 } 248 counter++; 249 } 250} 251 252 253/** 254 * eap_sake_derive_keys - Derive EAP-SAKE keys 255 * @root_secret_a: 16-byte Root-Secret-A 256 * @root_secret_b: 16-byte Root-Secret-B 257 * @rand_s: 16-byte RAND_S 258 * @rand_p: 16-byte RAND_P 259 * @tek: Buffer for Temporary EAK Keys (TEK-Auth[16] | TEK-Cipher[16]) 260 * @msk: Buffer for 64-byte MSK 261 * @emsk: Buffer for 64-byte EMSK 262 * 263 * This function derives EAP-SAKE keys as defined in RFC 4763, section 3.2.6. 264 */ 265void eap_sake_derive_keys(const u8 *root_secret_a, const u8 *root_secret_b, 266 const u8 *rand_s, const u8 *rand_p, u8 *tek, u8 *msk, 267 u8 *emsk) 268{ 269 u8 sms_a[EAP_SAKE_SMS_LEN]; 270 u8 sms_b[EAP_SAKE_SMS_LEN]; 271 u8 key_buf[EAP_MSK_LEN + EAP_EMSK_LEN]; 272 273 wpa_printf(MSG_DEBUG, "EAP-SAKE: Deriving keys"); 274 275 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-A", 276 root_secret_a, EAP_SAKE_ROOT_SECRET_LEN); 277 eap_sake_kdf(root_secret_a, EAP_SAKE_ROOT_SECRET_LEN, 278 "SAKE Master Secret A", 279 rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN, 280 sms_a, EAP_SAKE_SMS_LEN); 281 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-A", sms_a, EAP_SAKE_SMS_LEN); 282 eap_sake_kdf(sms_a, EAP_SAKE_SMS_LEN, "Transient EAP Key", 283 rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN, 284 tek, EAP_SAKE_TEK_LEN); 285 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Auth", 286 tek, EAP_SAKE_TEK_AUTH_LEN); 287 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Cipher", 288 tek + EAP_SAKE_TEK_AUTH_LEN, EAP_SAKE_TEK_CIPHER_LEN); 289 290 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-B", 291 root_secret_b, EAP_SAKE_ROOT_SECRET_LEN); 292 eap_sake_kdf(root_secret_b, EAP_SAKE_ROOT_SECRET_LEN, 293 "SAKE Master Secret B", 294 rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN, 295 sms_b, EAP_SAKE_SMS_LEN); 296 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-B", sms_b, EAP_SAKE_SMS_LEN); 297 eap_sake_kdf(sms_b, EAP_SAKE_SMS_LEN, "Master Session Key", 298 rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN, 299 key_buf, sizeof(key_buf)); 300 os_memcpy(msk, key_buf, EAP_MSK_LEN); 301 os_memcpy(emsk, key_buf + EAP_MSK_LEN, EAP_EMSK_LEN); 302 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: MSK", msk, EAP_MSK_LEN); 303 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: EMSK", emsk, EAP_EMSK_LEN); 304} 305 306 307/** 308 * eap_sake_compute_mic - Compute EAP-SAKE MIC for an EAP packet 309 * @tek_auth: 16-byte TEK-Auth 310 * @rand_s: 16-byte RAND_S 311 * @rand_p: 16-byte RAND_P 312 * @serverid: SERVERID 313 * @serverid_len: SERVERID length 314 * @peerid: PEERID 315 * @peerid_len: PEERID length 316 * @peer: MIC calculation for 0 = Server, 1 = Peer message 317 * @eap: EAP packet 318 * @eap_len: EAP packet length 319 * @mic_pos: MIC position in the EAP packet (must be [eap .. eap + eap_len]) 320 * @mic: Buffer for the computed 16-byte MIC 321 */ 322int eap_sake_compute_mic(const u8 *tek_auth, 323 const u8 *rand_s, const u8 *rand_p, 324 const u8 *serverid, size_t serverid_len, 325 const u8 *peerid, size_t peerid_len, 326 int peer, const u8 *eap, size_t eap_len, 327 const u8 *mic_pos, u8 *mic) 328{ 329 u8 _rand[2 * EAP_SAKE_RAND_LEN]; 330 u8 *tmp, *pos; 331 size_t tmplen; 332 333 tmplen = serverid_len + 1 + peerid_len + 1 + eap_len; 334 tmp = os_malloc(tmplen); 335 if (tmp == NULL) 336 return -1; 337 pos = tmp; 338 if (peer) { 339 if (peerid) { 340 os_memcpy(pos, peerid, peerid_len); 341 pos += peerid_len; 342 } 343 *pos++ = 0x00; 344 if (serverid) { 345 os_memcpy(pos, serverid, serverid_len); 346 pos += serverid_len; 347 } 348 *pos++ = 0x00; 349 350 os_memcpy(_rand, rand_s, EAP_SAKE_RAND_LEN); 351 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_p, 352 EAP_SAKE_RAND_LEN); 353 } else { 354 if (serverid) { 355 os_memcpy(pos, serverid, serverid_len); 356 pos += serverid_len; 357 } 358 *pos++ = 0x00; 359 if (peerid) { 360 os_memcpy(pos, peerid, peerid_len); 361 pos += peerid_len; 362 } 363 *pos++ = 0x00; 364 365 os_memcpy(_rand, rand_p, EAP_SAKE_RAND_LEN); 366 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_s, 367 EAP_SAKE_RAND_LEN); 368 } 369 370 os_memcpy(pos, eap, eap_len); 371 os_memset(pos + (mic_pos - eap), 0, EAP_SAKE_MIC_LEN); 372 373 eap_sake_kdf(tek_auth, EAP_SAKE_TEK_AUTH_LEN, 374 peer ? "Peer MIC" : "Server MIC", 375 _rand, 2 * EAP_SAKE_RAND_LEN, tmp, tmplen, 376 mic, EAP_SAKE_MIC_LEN); 377 378 os_free(tmp); 379 380 return 0; 381} 382 383 384void eap_sake_add_attr(struct wpabuf *buf, u8 type, const u8 *data, 385 size_t len) 386{ 387 wpabuf_put_u8(buf, type); 388 wpabuf_put_u8(buf, 2 + len); /* Length; including attr header */ 389 if (data) 390 wpabuf_put_data(buf, data, len); 391 else 392 os_memset(wpabuf_put(buf, len), 0, len); 393} 394