1189251Ssam/*
2189251Ssam * EAP server/peer: EAP-PAX shared routines
3189251Ssam * Copyright (c) 2005, Jouni Malinen <j@w1.fi>
4189251Ssam *
5189251Ssam * This program is free software; you can redistribute it and/or modify
6189251Ssam * it under the terms of the GNU General Public License version 2 as
7189251Ssam * published by the Free Software Foundation.
8189251Ssam *
9189251Ssam * Alternatively, this software may be distributed under the terms of BSD
10189251Ssam * license.
11189251Ssam *
12189251Ssam * See README and COPYING for more details.
13189251Ssam */
14189251Ssam
15189251Ssam#include "includes.h"
16189251Ssam
17189251Ssam#include "common.h"
18214734Srpaulo#include "crypto/sha1.h"
19189251Ssam#include "eap_pax_common.h"
20189251Ssam
21189251Ssam
22189251Ssam/**
23189251Ssam * eap_pax_kdf - PAX Key Derivation Function
24189251Ssam * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported
25189251Ssam * @key: Secret key (X)
26189251Ssam * @key_len: Length of the secret key in bytes
27189251Ssam * @identifier: Public identifier for the key (Y)
28189251Ssam * @entropy: Exchanged entropy to seed the KDF (Z)
29189251Ssam * @entropy_len: Length of the entropy in bytes
30189251Ssam * @output_len: Output len in bytes (W)
31189251Ssam * @output: Buffer for the derived key
32189251Ssam * Returns: 0 on success, -1 failed
33189251Ssam *
34189251Ssam * RFC 4746, Section 2.6: PAX-KDF-W(X, Y, Z)
35189251Ssam */
36189251Ssamint eap_pax_kdf(u8 mac_id, const u8 *key, size_t key_len,
37189251Ssam		const char *identifier,
38189251Ssam		const u8 *entropy, size_t entropy_len,
39189251Ssam		size_t output_len, u8 *output)
40189251Ssam{
41189251Ssam	u8 mac[SHA1_MAC_LEN];
42189251Ssam	u8 counter, *pos;
43189251Ssam	const u8 *addr[3];
44189251Ssam	size_t len[3];
45189251Ssam	size_t num_blocks, left;
46189251Ssam
47189251Ssam	num_blocks = (output_len + EAP_PAX_MAC_LEN - 1) / EAP_PAX_MAC_LEN;
48189251Ssam	if (identifier == NULL || num_blocks >= 255)
49189251Ssam		return -1;
50189251Ssam
51189251Ssam	/* TODO: add support for EAP_PAX_HMAC_SHA256_128 */
52189251Ssam	if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128)
53189251Ssam		return -1;
54189251Ssam
55189251Ssam	addr[0] = (const u8 *) identifier;
56189251Ssam	len[0] = os_strlen(identifier);
57189251Ssam	addr[1] = entropy;
58189251Ssam	len[1] = entropy_len;
59189251Ssam	addr[2] = &counter;
60189251Ssam	len[2] = 1;
61189251Ssam
62189251Ssam	pos = output;
63189251Ssam	left = output_len;
64189251Ssam	for (counter = 1; counter <= (u8) num_blocks; counter++) {
65189251Ssam		size_t clen = left > EAP_PAX_MAC_LEN ? EAP_PAX_MAC_LEN : left;
66189251Ssam		hmac_sha1_vector(key, key_len, 3, addr, len, mac);
67189251Ssam		os_memcpy(pos, mac, clen);
68189251Ssam		pos += clen;
69189251Ssam		left -= clen;
70189251Ssam	}
71189251Ssam
72189251Ssam	return 0;
73189251Ssam}
74189251Ssam
75189251Ssam
76189251Ssam/**
77189251Ssam * eap_pax_mac - EAP-PAX MAC
78189251Ssam * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported
79189251Ssam * @key: Secret key
80189251Ssam * @key_len: Length of the secret key in bytes
81189251Ssam * @data1: Optional data, first block; %NULL if not used
82189251Ssam * @data1_len: Length of data1 in bytes
83189251Ssam * @data2: Optional data, second block; %NULL if not used
84189251Ssam * @data2_len: Length of data2 in bytes
85189251Ssam * @data3: Optional data, third block; %NULL if not used
86189251Ssam * @data3_len: Length of data3 in bytes
87189251Ssam * @mac: Buffer for the MAC value (EAP_PAX_MAC_LEN = 16 bytes)
88189251Ssam * Returns: 0 on success, -1 on failure
89189251Ssam *
90189251Ssam * Wrapper function to calculate EAP-PAX MAC.
91189251Ssam */
92189251Ssamint eap_pax_mac(u8 mac_id, const u8 *key, size_t key_len,
93189251Ssam		const u8 *data1, size_t data1_len,
94189251Ssam		const u8 *data2, size_t data2_len,
95189251Ssam		const u8 *data3, size_t data3_len,
96189251Ssam		u8 *mac)
97189251Ssam{
98189251Ssam	u8 hash[SHA1_MAC_LEN];
99189251Ssam	const u8 *addr[3];
100189251Ssam	size_t len[3];
101189251Ssam	size_t count;
102189251Ssam
103189251Ssam	/* TODO: add support for EAP_PAX_HMAC_SHA256_128 */
104189251Ssam	if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128)
105189251Ssam		return -1;
106189251Ssam
107189251Ssam	addr[0] = data1;
108189251Ssam	len[0] = data1_len;
109189251Ssam	addr[1] = data2;
110189251Ssam	len[1] = data2_len;
111189251Ssam	addr[2] = data3;
112189251Ssam	len[2] = data3_len;
113189251Ssam
114189251Ssam	count = (data1 ? 1 : 0) + (data2 ? 1 : 0) + (data3 ? 1 : 0);
115189251Ssam	hmac_sha1_vector(key, key_len, count, addr, len, hash);
116189251Ssam	os_memcpy(mac, hash, EAP_PAX_MAC_LEN);
117189251Ssam
118189251Ssam	return 0;
119189251Ssam}
120189251Ssam
121189251Ssam
122189251Ssam/**
123189251Ssam * eap_pax_initial_key_derivation - EAP-PAX initial key derivation
124189251Ssam * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported
125189251Ssam * @ak: Authentication Key
126189251Ssam * @e: Entropy
127189251Ssam * @mk: Buffer for the derived Master Key
128189251Ssam * @ck: Buffer for the derived Confirmation Key
129189251Ssam * @ick: Buffer for the derived Integrity Check Key
130189251Ssam * Returns: 0 on success, -1 on failure
131189251Ssam */
132189251Ssamint eap_pax_initial_key_derivation(u8 mac_id, const u8 *ak, const u8 *e,
133189251Ssam				   u8 *mk, u8 *ck, u8 *ick)
134189251Ssam{
135189251Ssam	wpa_printf(MSG_DEBUG, "EAP-PAX: initial key derivation");
136189251Ssam	if (eap_pax_kdf(mac_id, ak, EAP_PAX_AK_LEN, "Master Key",
137189251Ssam			e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_MK_LEN, mk) ||
138189251Ssam	    eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Confirmation Key",
139189251Ssam			e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_CK_LEN, ck) ||
140189251Ssam	    eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Integrity Check Key",
141189251Ssam			e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_ICK_LEN, ick))
142189251Ssam		return -1;
143189251Ssam
144189251Ssam	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: AK", ak, EAP_PAX_AK_LEN);
145189251Ssam	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: MK", mk, EAP_PAX_MK_LEN);
146189251Ssam	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: CK", ck, EAP_PAX_CK_LEN);
147189251Ssam	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: ICK", ick, EAP_PAX_ICK_LEN);
148189251Ssam
149189251Ssam	return 0;
150189251Ssam}
151