eap_pax_common.c revision 189261 
13114SN/A/*
23114SN/A * EAP server/peer: EAP-PAX shared routines
33114SN/A * Copyright (c) 2005, Jouni Malinen <j@w1.fi>
43114SN/A *
53114SN/A * This program is free software; you can redistribute it and/or modify
63114SN/A * it under the terms of the GNU General Public License version 2 as
73114SN/A * published by the Free Software Foundation.
83114SN/A *
93114SN/A * Alternatively, this software may be distributed under the terms of BSD
103114SN/A * license.
113114SN/A *
123114SN/A * See README and COPYING for more details.
133114SN/A */
143114SN/A
153114SN/A#include "includes.h"
163114SN/A
173114SN/A#include "common.h"
183114SN/A#include "sha1.h"
193114SN/A#include "eap_pax_common.h"
203114SN/A
213114SN/A
223114SN/A/**
233114SN/A * eap_pax_kdf - PAX Key Derivation Function
243114SN/A * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported
253114SN/A * @key: Secret key (X)
263114SN/A * @key_len: Length of the secret key in bytes
273114SN/A * @identifier: Public identifier for the key (Y)
283114SN/A * @entropy: Exchanged entropy to seed the KDF (Z)
293114SN/A * @entropy_len: Length of the entropy in bytes
303114SN/A * @output_len: Output len in bytes (W)
313114SN/A * @output: Buffer for the derived key
323114SN/A * Returns: 0 on success, -1 failed
333114SN/A *
343114SN/A * RFC 4746, Section 2.6: PAX-KDF-W(X, Y, Z)
353114SN/A */
363114SN/Aint eap_pax_kdf(u8 mac_id, const u8 *key, size_t key_len,
373114SN/A		const char *identifier,
383114SN/A		const u8 *entropy, size_t entropy_len,
393114SN/A		size_t output_len, u8 *output)
403114SN/A{
413114SN/A	u8 mac[SHA1_MAC_LEN];
423114SN/A	u8 counter, *pos;
433114SN/A	const u8 *addr[3];
443114SN/A	size_t len[3];
453114SN/A	size_t num_blocks, left;
463114SN/A
473114SN/A	num_blocks = (output_len + EAP_PAX_MAC_LEN - 1) / EAP_PAX_MAC_LEN;
483114SN/A	if (identifier == NULL || num_blocks >= 255)
493114SN/A		return -1;
503114SN/A
513114SN/A	/* TODO: add support for EAP_PAX_HMAC_SHA256_128 */
523114SN/A	if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128)
533114SN/A		return -1;
543114SN/A
553114SN/A	addr[0] = (const u8 *) identifier;
563114SN/A	len[0] = os_strlen(identifier);
573114SN/A	addr[1] = entropy;
583114SN/A	len[1] = entropy_len;
593114SN/A	addr[2] = &counter;
603114SN/A	len[2] = 1;
613114SN/A
623114SN/A	pos = output;
633114SN/A	left = output_len;
643114SN/A	for (counter = 1; counter <= (u8) num_blocks; counter++) {
653114SN/A		size_t clen = left > EAP_PAX_MAC_LEN ? EAP_PAX_MAC_LEN : left;
663114SN/A		hmac_sha1_vector(key, key_len, 3, addr, len, mac);
673114SN/A		os_memcpy(pos, mac, clen);
683114SN/A		pos += clen;
693114SN/A		left -= clen;
703114SN/A	}
713114SN/A
723114SN/A	return 0;
733114SN/A}
743114SN/A
753114SN/A
763114SN/A/**
773114SN/A * eap_pax_mac - EAP-PAX MAC
783114SN/A * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported
793114SN/A * @key: Secret key
803114SN/A * @key_len: Length of the secret key in bytes
813114SN/A * @data1: Optional data, first block; %NULL if not used
823114SN/A * @data1_len: Length of data1 in bytes
833114SN/A * @data2: Optional data, second block; %NULL if not used
843114SN/A * @data2_len: Length of data2 in bytes
853114SN/A * @data3: Optional data, third block; %NULL if not used
863114SN/A * @data3_len: Length of data3 in bytes
873114SN/A * @mac: Buffer for the MAC value (EAP_PAX_MAC_LEN = 16 bytes)
883114SN/A * Returns: 0 on success, -1 on failure
893114SN/A *
903114SN/A * Wrapper function to calculate EAP-PAX MAC.
913114SN/A */
923114SN/Aint eap_pax_mac(u8 mac_id, const u8 *key, size_t key_len,
933114SN/A		const u8 *data1, size_t data1_len,
943114SN/A		const u8 *data2, size_t data2_len,
953114SN/A		const u8 *data3, size_t data3_len,
963114SN/A		u8 *mac)
973114SN/A{
983114SN/A	u8 hash[SHA1_MAC_LEN];
993114SN/A	const u8 *addr[3];
1003114SN/A	size_t len[3];
1013114SN/A	size_t count;
1023114SN/A
1033114SN/A	/* TODO: add support for EAP_PAX_HMAC_SHA256_128 */
1043114SN/A	if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128)
1053114SN/A		return -1;
1063114SN/A
1073114SN/A	addr[0] = data1;
1083114SN/A	len[0] = data1_len;
1093114SN/A	addr[1] = data2;
1103114SN/A	len[1] = data2_len;
1113114SN/A	addr[2] = data3;
1123114SN/A	len[2] = data3_len;
1133114SN/A
1143114SN/A	count = (data1 ? 1 : 0) + (data2 ? 1 : 0) + (data3 ? 1 : 0);
1153114SN/A	hmac_sha1_vector(key, key_len, count, addr, len, hash);
1163114SN/A	os_memcpy(mac, hash, EAP_PAX_MAC_LEN);
1173114SN/A
1183114SN/A	return 0;
1193114SN/A}
1203114SN/A
1213114SN/A
1223114SN/A/**
1233114SN/A * eap_pax_initial_key_derivation - EAP-PAX initial key derivation
1243114SN/A * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported
1253114SN/A * @ak: Authentication Key
1263114SN/A * @e: Entropy
1273114SN/A * @mk: Buffer for the derived Master Key
1283114SN/A * @ck: Buffer for the derived Confirmation Key
1293114SN/A * @ick: Buffer for the derived Integrity Check Key
1303114SN/A * Returns: 0 on success, -1 on failure
1313114SN/A */
1323114SN/Aint eap_pax_initial_key_derivation(u8 mac_id, const u8 *ak, const u8 *e,
1333114SN/A				   u8 *mk, u8 *ck, u8 *ick)
1343114SN/A{
1353114SN/A	wpa_printf(MSG_DEBUG, "EAP-PAX: initial key derivation");
1363114SN/A	if (eap_pax_kdf(mac_id, ak, EAP_PAX_AK_LEN, "Master Key",
1373114SN/A			e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_MK_LEN, mk) ||
1383114SN/A	    eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Confirmation Key",
1393114SN/A			e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_CK_LEN, ck) ||
1403114SN/A	    eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Integrity Check Key",
1413114SN/A			e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_ICK_LEN, ick))
1423114SN/A		return -1;
1433114SN/A
1443114SN/A	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: AK", ak, EAP_PAX_AK_LEN);
1453114SN/A	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: MK", mk, EAP_PAX_MK_LEN);
1463114SN/A	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: CK", ck, EAP_PAX_CK_LEN);
1473114SN/A	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: ICK", ick, EAP_PAX_ICK_LEN);
1483114SN/A
1493114SN/A	return 0;
1503114SN/A}
1513114SN/A