1189251Ssam/* 2189251Ssam * EAP server/peer: EAP-SAKE shared routines 3346981Scy * Copyright (c) 2006-2019, Jouni Malinen <j@w1.fi> 4189251Ssam * 5252726Srpaulo * This software may be distributed under the terms of the BSD license. 6252726Srpaulo * See README for more details. 7189251Ssam */ 8189251Ssam 9189251Ssam#include "includes.h" 10189251Ssam 11189251Ssam#include "common.h" 12189251Ssam#include "wpabuf.h" 13214734Srpaulo#include "crypto/sha1.h" 14189251Ssam#include "eap_defs.h" 15189251Ssam#include "eap_sake_common.h" 16189251Ssam 17189251Ssam 18189251Ssamstatic int eap_sake_parse_add_attr(struct eap_sake_parse_attr *attr, 19289549Srpaulo u8 attr_id, u8 len, const u8 *data) 20189251Ssam{ 21189251Ssam size_t i; 22189251Ssam 23289549Srpaulo switch (attr_id) { 24189251Ssam case EAP_SAKE_AT_RAND_S: 25189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_S"); 26289549Srpaulo if (len != EAP_SAKE_RAND_LEN) { 27189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_S with " 28289549Srpaulo "invalid payload length %d", len); 29189251Ssam return -1; 30189251Ssam } 31289549Srpaulo attr->rand_s = data; 32189251Ssam break; 33189251Ssam case EAP_SAKE_AT_RAND_P: 34189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_P"); 35289549Srpaulo if (len != EAP_SAKE_RAND_LEN) { 36189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_P with " 37289549Srpaulo "invalid payload length %d", len); 38189251Ssam return -1; 39189251Ssam } 40289549Srpaulo attr->rand_p = data; 41189251Ssam break; 42189251Ssam case EAP_SAKE_AT_MIC_S: 43189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_S"); 44289549Srpaulo if (len != EAP_SAKE_MIC_LEN) { 45189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_S with " 46289549Srpaulo "invalid payload length %d", len); 47189251Ssam return -1; 48189251Ssam } 49289549Srpaulo attr->mic_s = data; 50189251Ssam break; 51189251Ssam case EAP_SAKE_AT_MIC_P: 52189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_P"); 53289549Srpaulo if (len != EAP_SAKE_MIC_LEN) { 54189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_P with " 55289549Srpaulo "invalid payload length %d", len); 56189251Ssam return -1; 57189251Ssam } 58289549Srpaulo attr->mic_p = data; 59189251Ssam break; 60189251Ssam case EAP_SAKE_AT_SERVERID: 61189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SERVERID"); 62289549Srpaulo attr->serverid = data; 63289549Srpaulo attr->serverid_len = len; 64189251Ssam break; 65189251Ssam case EAP_SAKE_AT_PEERID: 66189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PEERID"); 67289549Srpaulo attr->peerid = data; 68289549Srpaulo attr->peerid_len = len; 69189251Ssam break; 70189251Ssam case EAP_SAKE_AT_SPI_S: 71189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_S"); 72289549Srpaulo attr->spi_s = data; 73289549Srpaulo attr->spi_s_len = len; 74189251Ssam break; 75189251Ssam case EAP_SAKE_AT_SPI_P: 76189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_P"); 77289549Srpaulo attr->spi_p = data; 78289549Srpaulo attr->spi_p_len = len; 79189251Ssam break; 80189251Ssam case EAP_SAKE_AT_ANY_ID_REQ: 81189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ANY_ID_REQ"); 82289549Srpaulo if (len != 2) { 83189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid AT_ANY_ID_REQ" 84289549Srpaulo " payload length %d", len); 85189251Ssam return -1; 86189251Ssam } 87289549Srpaulo attr->any_id_req = data; 88189251Ssam break; 89189251Ssam case EAP_SAKE_AT_PERM_ID_REQ: 90189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PERM_ID_REQ"); 91289549Srpaulo if (len != 2) { 92189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid " 93289549Srpaulo "AT_PERM_ID_REQ payload length %d", len); 94189251Ssam return -1; 95189251Ssam } 96289549Srpaulo attr->perm_id_req = data; 97189251Ssam break; 98189251Ssam case EAP_SAKE_AT_ENCR_DATA: 99189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ENCR_DATA"); 100289549Srpaulo attr->encr_data = data; 101289549Srpaulo attr->encr_data_len = len; 102189251Ssam break; 103189251Ssam case EAP_SAKE_AT_IV: 104189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV"); 105289549Srpaulo attr->iv = data; 106289549Srpaulo attr->iv_len = len; 107189251Ssam break; 108189251Ssam case EAP_SAKE_AT_PADDING: 109189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PADDING"); 110289549Srpaulo for (i = 0; i < len; i++) { 111289549Srpaulo if (data[i]) { 112189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_PADDING " 113189251Ssam "with non-zero pad byte"); 114189251Ssam return -1; 115189251Ssam } 116189251Ssam } 117189251Ssam break; 118189251Ssam case EAP_SAKE_AT_NEXT_TMPID: 119189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_NEXT_TMPID"); 120289549Srpaulo attr->next_tmpid = data; 121289549Srpaulo attr->next_tmpid_len = len; 122189251Ssam break; 123189251Ssam case EAP_SAKE_AT_MSK_LIFE: 124337817Scy wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MSK_LIFE"); 125289549Srpaulo if (len != 4) { 126189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid " 127289549Srpaulo "AT_MSK_LIFE payload length %d", len); 128189251Ssam return -1; 129189251Ssam } 130289549Srpaulo attr->msk_life = data; 131189251Ssam break; 132189251Ssam default: 133289549Srpaulo if (attr_id < 128) { 134189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Unknown non-skippable" 135289549Srpaulo " attribute %d", attr_id); 136189251Ssam return -1; 137189251Ssam } 138189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring unknown skippable " 139289549Srpaulo "attribute %d", attr_id); 140189251Ssam break; 141189251Ssam } 142189251Ssam 143189251Ssam if (attr->iv && !attr->encr_data) { 144189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_IV included without " 145189251Ssam "AT_ENCR_DATA"); 146189251Ssam return -1; 147189251Ssam } 148189251Ssam 149189251Ssam return 0; 150189251Ssam} 151189251Ssam 152189251Ssam 153189251Ssam/** 154189251Ssam * eap_sake_parse_attributes - Parse EAP-SAKE attributes 155189251Ssam * @buf: Packet payload (starting with the first attribute) 156189251Ssam * @len: Payload length 157189251Ssam * @attr: Structure to be filled with found attributes 158189251Ssam * Returns: 0 on success or -1 on failure 159189251Ssam */ 160189251Ssamint eap_sake_parse_attributes(const u8 *buf, size_t len, 161189251Ssam struct eap_sake_parse_attr *attr) 162189251Ssam{ 163189251Ssam const u8 *pos = buf, *end = buf + len; 164189251Ssam 165189251Ssam os_memset(attr, 0, sizeof(*attr)); 166189251Ssam while (pos < end) { 167189251Ssam if (end - pos < 2) { 168189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Too short attribute"); 169189251Ssam return -1; 170189251Ssam } 171189251Ssam 172189251Ssam if (pos[1] < 2) { 173189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid attribute " 174189251Ssam "length (%d)", pos[1]); 175189251Ssam return -1; 176189251Ssam } 177189251Ssam 178189251Ssam if (pos + pos[1] > end) { 179189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Attribute underflow"); 180189251Ssam return -1; 181189251Ssam } 182189251Ssam 183289549Srpaulo if (eap_sake_parse_add_attr(attr, pos[0], pos[1] - 2, pos + 2)) 184189251Ssam return -1; 185189251Ssam 186189251Ssam pos += pos[1]; 187189251Ssam } 188189251Ssam 189189251Ssam return 0; 190189251Ssam} 191189251Ssam 192189251Ssam 193189251Ssam/** 194189251Ssam * eap_sake_kdf - EAP-SAKE Key Derivation Function (KDF) 195189251Ssam * @key: Key for KDF 196189251Ssam * @key_len: Length of the key in bytes 197189251Ssam * @label: A unique label for each purpose of the KDF 198189251Ssam * @data: Extra data (start) to bind into the key 199189251Ssam * @data_len: Length of the data 200189251Ssam * @data2: Extra data (end) to bind into the key 201189251Ssam * @data2_len: Length of the data2 202189251Ssam * @buf: Buffer for the generated pseudo-random key 203189251Ssam * @buf_len: Number of bytes of key to generate 204346981Scy * Returns: 0 on success or -1 on failure 205189251Ssam * 206189251Ssam * This function is used to derive new, cryptographically separate keys from a 207189251Ssam * given key (e.g., SMS). This is identical to the PRF used in IEEE 802.11i. 208189251Ssam */ 209346981Scystatic int eap_sake_kdf(const u8 *key, size_t key_len, const char *label, 210346981Scy const u8 *data, size_t data_len, 211346981Scy const u8 *data2, size_t data2_len, 212346981Scy u8 *buf, size_t buf_len) 213189251Ssam{ 214189251Ssam u8 counter = 0; 215189251Ssam size_t pos, plen; 216189251Ssam u8 hash[SHA1_MAC_LEN]; 217189251Ssam size_t label_len = os_strlen(label) + 1; 218189251Ssam const unsigned char *addr[4]; 219189251Ssam size_t len[4]; 220189251Ssam 221189251Ssam addr[0] = (u8 *) label; /* Label | Y */ 222189251Ssam len[0] = label_len; 223189251Ssam addr[1] = data; /* Msg[start] */ 224189251Ssam len[1] = data_len; 225189251Ssam addr[2] = data2; /* Msg[end] */ 226189251Ssam len[2] = data2_len; 227189251Ssam addr[3] = &counter; /* Length */ 228189251Ssam len[3] = 1; 229189251Ssam 230189251Ssam pos = 0; 231189251Ssam while (pos < buf_len) { 232189251Ssam plen = buf_len - pos; 233189251Ssam if (plen >= SHA1_MAC_LEN) { 234346981Scy if (hmac_sha1_vector(key, key_len, 4, addr, len, 235346981Scy &buf[pos]) < 0) 236346981Scy return -1; 237189251Ssam pos += SHA1_MAC_LEN; 238189251Ssam } else { 239346981Scy if (hmac_sha1_vector(key, key_len, 4, addr, len, 240346981Scy hash) < 0) 241346981Scy return -1; 242189251Ssam os_memcpy(&buf[pos], hash, plen); 243189251Ssam break; 244189251Ssam } 245189251Ssam counter++; 246189251Ssam } 247346981Scy 248346981Scy return 0; 249189251Ssam} 250189251Ssam 251189251Ssam 252189251Ssam/** 253189251Ssam * eap_sake_derive_keys - Derive EAP-SAKE keys 254189251Ssam * @root_secret_a: 16-byte Root-Secret-A 255189251Ssam * @root_secret_b: 16-byte Root-Secret-B 256189251Ssam * @rand_s: 16-byte RAND_S 257189251Ssam * @rand_p: 16-byte RAND_P 258189251Ssam * @tek: Buffer for Temporary EAK Keys (TEK-Auth[16] | TEK-Cipher[16]) 259189251Ssam * @msk: Buffer for 64-byte MSK 260189251Ssam * @emsk: Buffer for 64-byte EMSK 261346981Scy * Returns: 0 on success or -1 on failure 262189251Ssam * 263189251Ssam * This function derives EAP-SAKE keys as defined in RFC 4763, section 3.2.6. 264189251Ssam */ 265346981Scyint eap_sake_derive_keys(const u8 *root_secret_a, const u8 *root_secret_b, 266346981Scy const u8 *rand_s, const u8 *rand_p, u8 *tek, u8 *msk, 267346981Scy u8 *emsk) 268189251Ssam{ 269189251Ssam u8 sms_a[EAP_SAKE_SMS_LEN]; 270189251Ssam u8 sms_b[EAP_SAKE_SMS_LEN]; 271189251Ssam u8 key_buf[EAP_MSK_LEN + EAP_EMSK_LEN]; 272189251Ssam 273189251Ssam wpa_printf(MSG_DEBUG, "EAP-SAKE: Deriving keys"); 274189251Ssam 275189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-A", 276189251Ssam root_secret_a, EAP_SAKE_ROOT_SECRET_LEN); 277346981Scy if (eap_sake_kdf(root_secret_a, EAP_SAKE_ROOT_SECRET_LEN, 278346981Scy "SAKE Master Secret A", 279346981Scy rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN, 280346981Scy sms_a, EAP_SAKE_SMS_LEN) < 0) 281346981Scy return -1; 282189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-A", sms_a, EAP_SAKE_SMS_LEN); 283346981Scy if (eap_sake_kdf(sms_a, EAP_SAKE_SMS_LEN, "Transient EAP Key", 284346981Scy rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN, 285346981Scy tek, EAP_SAKE_TEK_LEN) < 0) 286346981Scy return -1; 287189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Auth", 288189251Ssam tek, EAP_SAKE_TEK_AUTH_LEN); 289189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Cipher", 290189251Ssam tek + EAP_SAKE_TEK_AUTH_LEN, EAP_SAKE_TEK_CIPHER_LEN); 291189251Ssam 292189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-B", 293189251Ssam root_secret_b, EAP_SAKE_ROOT_SECRET_LEN); 294346981Scy if (eap_sake_kdf(root_secret_b, EAP_SAKE_ROOT_SECRET_LEN, 295346981Scy "SAKE Master Secret B", 296346981Scy rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN, 297346981Scy sms_b, EAP_SAKE_SMS_LEN) < 0) 298346981Scy return -1; 299189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-B", sms_b, EAP_SAKE_SMS_LEN); 300346981Scy if (eap_sake_kdf(sms_b, EAP_SAKE_SMS_LEN, "Master Session Key", 301346981Scy rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN, 302346981Scy key_buf, sizeof(key_buf)) < 0) 303346981Scy return -1; 304189251Ssam os_memcpy(msk, key_buf, EAP_MSK_LEN); 305189251Ssam os_memcpy(emsk, key_buf + EAP_MSK_LEN, EAP_EMSK_LEN); 306189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: MSK", msk, EAP_MSK_LEN); 307189251Ssam wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: EMSK", emsk, EAP_EMSK_LEN); 308346981Scy return 0; 309189251Ssam} 310189251Ssam 311189251Ssam 312189251Ssam/** 313189251Ssam * eap_sake_compute_mic - Compute EAP-SAKE MIC for an EAP packet 314189251Ssam * @tek_auth: 16-byte TEK-Auth 315189251Ssam * @rand_s: 16-byte RAND_S 316189251Ssam * @rand_p: 16-byte RAND_P 317189251Ssam * @serverid: SERVERID 318189251Ssam * @serverid_len: SERVERID length 319189251Ssam * @peerid: PEERID 320189251Ssam * @peerid_len: PEERID length 321189251Ssam * @peer: MIC calculation for 0 = Server, 1 = Peer message 322189251Ssam * @eap: EAP packet 323189251Ssam * @eap_len: EAP packet length 324189251Ssam * @mic_pos: MIC position in the EAP packet (must be [eap .. eap + eap_len]) 325189251Ssam * @mic: Buffer for the computed 16-byte MIC 326346981Scy * Returns: 0 on success or -1 on failure 327189251Ssam */ 328189251Ssamint eap_sake_compute_mic(const u8 *tek_auth, 329189251Ssam const u8 *rand_s, const u8 *rand_p, 330189251Ssam const u8 *serverid, size_t serverid_len, 331189251Ssam const u8 *peerid, size_t peerid_len, 332189251Ssam int peer, const u8 *eap, size_t eap_len, 333189251Ssam const u8 *mic_pos, u8 *mic) 334189251Ssam{ 335189251Ssam u8 _rand[2 * EAP_SAKE_RAND_LEN]; 336189251Ssam u8 *tmp, *pos; 337189251Ssam size_t tmplen; 338346981Scy int ret; 339189251Ssam 340189251Ssam tmplen = serverid_len + 1 + peerid_len + 1 + eap_len; 341189251Ssam tmp = os_malloc(tmplen); 342189251Ssam if (tmp == NULL) 343189251Ssam return -1; 344189251Ssam pos = tmp; 345189251Ssam if (peer) { 346189251Ssam if (peerid) { 347189251Ssam os_memcpy(pos, peerid, peerid_len); 348189251Ssam pos += peerid_len; 349189251Ssam } 350189251Ssam *pos++ = 0x00; 351189251Ssam if (serverid) { 352189251Ssam os_memcpy(pos, serverid, serverid_len); 353189251Ssam pos += serverid_len; 354189251Ssam } 355189251Ssam *pos++ = 0x00; 356189251Ssam 357189251Ssam os_memcpy(_rand, rand_s, EAP_SAKE_RAND_LEN); 358189251Ssam os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_p, 359189251Ssam EAP_SAKE_RAND_LEN); 360189251Ssam } else { 361189251Ssam if (serverid) { 362189251Ssam os_memcpy(pos, serverid, serverid_len); 363189251Ssam pos += serverid_len; 364189251Ssam } 365189251Ssam *pos++ = 0x00; 366189251Ssam if (peerid) { 367189251Ssam os_memcpy(pos, peerid, peerid_len); 368189251Ssam pos += peerid_len; 369189251Ssam } 370189251Ssam *pos++ = 0x00; 371189251Ssam 372189251Ssam os_memcpy(_rand, rand_p, EAP_SAKE_RAND_LEN); 373189251Ssam os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_s, 374189251Ssam EAP_SAKE_RAND_LEN); 375189251Ssam } 376189251Ssam 377189251Ssam os_memcpy(pos, eap, eap_len); 378189251Ssam os_memset(pos + (mic_pos - eap), 0, EAP_SAKE_MIC_LEN); 379189251Ssam 380346981Scy ret = eap_sake_kdf(tek_auth, EAP_SAKE_TEK_AUTH_LEN, 381346981Scy peer ? "Peer MIC" : "Server MIC", 382346981Scy _rand, 2 * EAP_SAKE_RAND_LEN, tmp, tmplen, 383346981Scy mic, EAP_SAKE_MIC_LEN); 384189251Ssam 385189251Ssam os_free(tmp); 386189251Ssam 387346981Scy return ret; 388189251Ssam} 389189251Ssam 390189251Ssam 391189251Ssamvoid eap_sake_add_attr(struct wpabuf *buf, u8 type, const u8 *data, 392189251Ssam size_t len) 393189251Ssam{ 394189251Ssam wpabuf_put_u8(buf, type); 395189251Ssam wpabuf_put_u8(buf, 2 + len); /* Length; including attr header */ 396189251Ssam if (data) 397189251Ssam wpabuf_put_data(buf, data, len); 398189251Ssam else 399189251Ssam os_memset(wpabuf_put(buf, len), 0, len); 400189251Ssam} 401