eap_pax_common.c revision 189261
13114SN/A/* 23114SN/A * EAP server/peer: EAP-PAX shared routines 33114SN/A * Copyright (c) 2005, Jouni Malinen <j@w1.fi> 43114SN/A * 53114SN/A * This program is free software; you can redistribute it and/or modify 63114SN/A * it under the terms of the GNU General Public License version 2 as 73114SN/A * published by the Free Software Foundation. 83114SN/A * 93114SN/A * Alternatively, this software may be distributed under the terms of BSD 103114SN/A * license. 113114SN/A * 123114SN/A * See README and COPYING for more details. 133114SN/A */ 143114SN/A 153114SN/A#include "includes.h" 163114SN/A 173114SN/A#include "common.h" 183114SN/A#include "sha1.h" 193114SN/A#include "eap_pax_common.h" 203114SN/A 213114SN/A 223114SN/A/** 233114SN/A * eap_pax_kdf - PAX Key Derivation Function 243114SN/A * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported 253114SN/A * @key: Secret key (X) 263114SN/A * @key_len: Length of the secret key in bytes 273114SN/A * @identifier: Public identifier for the key (Y) 283114SN/A * @entropy: Exchanged entropy to seed the KDF (Z) 293114SN/A * @entropy_len: Length of the entropy in bytes 303114SN/A * @output_len: Output len in bytes (W) 313114SN/A * @output: Buffer for the derived key 323114SN/A * Returns: 0 on success, -1 failed 333114SN/A * 343114SN/A * RFC 4746, Section 2.6: PAX-KDF-W(X, Y, Z) 353114SN/A */ 363114SN/Aint eap_pax_kdf(u8 mac_id, const u8 *key, size_t key_len, 373114SN/A const char *identifier, 383114SN/A const u8 *entropy, size_t entropy_len, 393114SN/A size_t output_len, u8 *output) 403114SN/A{ 413114SN/A u8 mac[SHA1_MAC_LEN]; 423114SN/A u8 counter, *pos; 433114SN/A const u8 *addr[3]; 443114SN/A size_t len[3]; 453114SN/A size_t num_blocks, left; 463114SN/A 473114SN/A num_blocks = (output_len + EAP_PAX_MAC_LEN - 1) / EAP_PAX_MAC_LEN; 483114SN/A if (identifier == NULL || num_blocks >= 255) 493114SN/A return -1; 503114SN/A 513114SN/A /* TODO: add support for EAP_PAX_HMAC_SHA256_128 */ 523114SN/A if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128) 533114SN/A return -1; 543114SN/A 553114SN/A addr[0] = (const u8 *) identifier; 563114SN/A len[0] = os_strlen(identifier); 573114SN/A addr[1] = entropy; 583114SN/A len[1] = entropy_len; 593114SN/A addr[2] = &counter; 603114SN/A len[2] = 1; 613114SN/A 623114SN/A pos = output; 633114SN/A left = output_len; 643114SN/A for (counter = 1; counter <= (u8) num_blocks; counter++) { 653114SN/A size_t clen = left > EAP_PAX_MAC_LEN ? EAP_PAX_MAC_LEN : left; 663114SN/A hmac_sha1_vector(key, key_len, 3, addr, len, mac); 673114SN/A os_memcpy(pos, mac, clen); 683114SN/A pos += clen; 693114SN/A left -= clen; 703114SN/A } 713114SN/A 723114SN/A return 0; 733114SN/A} 743114SN/A 753114SN/A 763114SN/A/** 773114SN/A * eap_pax_mac - EAP-PAX MAC 783114SN/A * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported 793114SN/A * @key: Secret key 803114SN/A * @key_len: Length of the secret key in bytes 813114SN/A * @data1: Optional data, first block; %NULL if not used 823114SN/A * @data1_len: Length of data1 in bytes 833114SN/A * @data2: Optional data, second block; %NULL if not used 843114SN/A * @data2_len: Length of data2 in bytes 853114SN/A * @data3: Optional data, third block; %NULL if not used 863114SN/A * @data3_len: Length of data3 in bytes 873114SN/A * @mac: Buffer for the MAC value (EAP_PAX_MAC_LEN = 16 bytes) 883114SN/A * Returns: 0 on success, -1 on failure 893114SN/A * 903114SN/A * Wrapper function to calculate EAP-PAX MAC. 913114SN/A */ 923114SN/Aint eap_pax_mac(u8 mac_id, const u8 *key, size_t key_len, 933114SN/A const u8 *data1, size_t data1_len, 943114SN/A const u8 *data2, size_t data2_len, 953114SN/A const u8 *data3, size_t data3_len, 963114SN/A u8 *mac) 973114SN/A{ 983114SN/A u8 hash[SHA1_MAC_LEN]; 993114SN/A const u8 *addr[3]; 1003114SN/A size_t len[3]; 1013114SN/A size_t count; 1023114SN/A 1033114SN/A /* TODO: add support for EAP_PAX_HMAC_SHA256_128 */ 1043114SN/A if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128) 1053114SN/A return -1; 1063114SN/A 1073114SN/A addr[0] = data1; 1083114SN/A len[0] = data1_len; 1093114SN/A addr[1] = data2; 1103114SN/A len[1] = data2_len; 1113114SN/A addr[2] = data3; 1123114SN/A len[2] = data3_len; 1133114SN/A 1143114SN/A count = (data1 ? 1 : 0) + (data2 ? 1 : 0) + (data3 ? 1 : 0); 1153114SN/A hmac_sha1_vector(key, key_len, count, addr, len, hash); 1163114SN/A os_memcpy(mac, hash, EAP_PAX_MAC_LEN); 1173114SN/A 1183114SN/A return 0; 1193114SN/A} 1203114SN/A 1213114SN/A 1223114SN/A/** 1233114SN/A * eap_pax_initial_key_derivation - EAP-PAX initial key derivation 1243114SN/A * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported 1253114SN/A * @ak: Authentication Key 1263114SN/A * @e: Entropy 1273114SN/A * @mk: Buffer for the derived Master Key 1283114SN/A * @ck: Buffer for the derived Confirmation Key 1293114SN/A * @ick: Buffer for the derived Integrity Check Key 1303114SN/A * Returns: 0 on success, -1 on failure 1313114SN/A */ 1323114SN/Aint eap_pax_initial_key_derivation(u8 mac_id, const u8 *ak, const u8 *e, 1333114SN/A u8 *mk, u8 *ck, u8 *ick) 1343114SN/A{ 1353114SN/A wpa_printf(MSG_DEBUG, "EAP-PAX: initial key derivation"); 1363114SN/A if (eap_pax_kdf(mac_id, ak, EAP_PAX_AK_LEN, "Master Key", 1373114SN/A e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_MK_LEN, mk) || 1383114SN/A eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Confirmation Key", 1393114SN/A e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_CK_LEN, ck) || 1403114SN/A eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Integrity Check Key", 1413114SN/A e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_ICK_LEN, ick)) 1423114SN/A return -1; 1433114SN/A 1443114SN/A wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: AK", ak, EAP_PAX_AK_LEN); 1453114SN/A wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: MK", mk, EAP_PAX_MK_LEN); 1463114SN/A wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: CK", ck, EAP_PAX_CK_LEN); 1473114SN/A wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: ICK", ick, EAP_PAX_ICK_LEN); 1483114SN/A 1493114SN/A return 0; 1503114SN/A} 1513114SN/A