1 /* 2 * EAP server/peer: EAP-SAKE shared routines 3 * Copyright (c) 2006, Jouni Malinen <j (at) w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "sha1.h" 19 #include "eap_defs.h" 20 #include "eap_sake_common.h" 21 22 23 static int eap_sake_parse_add_attr(struct eap_sake_parse_attr *attr, 24 const u8 *pos) 25 { 26 size_t i; 27 28 switch (pos[0]) { 29 case EAP_SAKE_AT_RAND_S: 30 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_S"); 31 if (pos[1] != 2 + EAP_SAKE_RAND_LEN) { 32 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_S with " 33 "invalid length %d", pos[1]); 34 return -1; 35 } 36 attr->rand_s = pos + 2; 37 break; 38 case EAP_SAKE_AT_RAND_P: 39 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_P"); 40 if (pos[1] != 2 + EAP_SAKE_RAND_LEN) { 41 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_P with " 42 "invalid length %d", pos[1]); 43 return -1; 44 } 45 attr->rand_p = pos + 2; 46 break; 47 case EAP_SAKE_AT_MIC_S: 48 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_S"); 49 if (pos[1] != 2 + EAP_SAKE_MIC_LEN) { 50 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_S with " 51 "invalid length %d", pos[1]); 52 return -1; 53 } 54 attr->mic_s = pos + 2; 55 break; 56 case EAP_SAKE_AT_MIC_P: 57 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_P"); 58 if (pos[1] != 2 + EAP_SAKE_MIC_LEN) { 59 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_P with " 60 "invalid length %d", pos[1]); 61 return -1; 62 } 63 attr->mic_p = pos + 2; 64 break; 65 case EAP_SAKE_AT_SERVERID: 66 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SERVERID"); 67 attr->serverid = pos + 2; 68 attr->serverid_len = pos[1] - 2; 69 break; 70 case EAP_SAKE_AT_PEERID: 71 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PEERID"); 72 attr->peerid = pos + 2; 73 attr->peerid_len = pos[1] - 2; 74 break; 75 case EAP_SAKE_AT_SPI_S: 76 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_S"); 77 attr->spi_s = pos + 2; 78 attr->spi_s_len = pos[1] - 2; 79 break; 80 case EAP_SAKE_AT_SPI_P: 81 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_P"); 82 attr->spi_p = pos + 2; 83 attr->spi_p_len = pos[1] - 2; 84 break; 85 case EAP_SAKE_AT_ANY_ID_REQ: 86 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ANY_ID_REQ"); 87 if (pos[1] != 4) { 88 wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid AT_ANY_ID_REQ" 89 " length %d", pos[1]); 90 return -1; 91 } 92 attr->any_id_req = pos + 2; 93 break; 94 case EAP_SAKE_AT_PERM_ID_REQ: 95 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PERM_ID_REQ"); 96 if (pos[1] != 4) { 97 wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid " 98 "AT_PERM_ID_REQ length %d", pos[1]); 99 return -1; 100 } 101 attr->perm_id_req = pos + 2; 102 break; 103 case EAP_SAKE_AT_ENCR_DATA: 104 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ENCR_DATA"); 105 attr->encr_data = pos + 2; 106 attr->encr_data_len = pos[1] - 2; 107 break; 108 case EAP_SAKE_AT_IV: 109 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV"); 110 attr->iv = pos + 2; 111 attr->iv_len = pos[1] - 2; 112 break; 113 case EAP_SAKE_AT_PADDING: 114 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PADDING"); 115 for (i = 2; i < pos[1]; i++) { 116 if (pos[i]) { 117 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_PADDING " 118 "with non-zero pad byte"); 119 return -1; 120 } 121 } 122 break; 123 case EAP_SAKE_AT_NEXT_TMPID: 124 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_NEXT_TMPID"); 125 attr->next_tmpid = pos + 2; 126 attr->next_tmpid_len = pos[1] - 2; 127 break; 128 case EAP_SAKE_AT_MSK_LIFE: 129 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV"); 130 if (pos[1] != 6) { 131 wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid " 132 "AT_MSK_LIFE length %d", pos[1]); 133 return -1; 134 } 135 attr->msk_life = pos + 2; 136 break; 137 default: 138 if (pos[0] < 128) { 139 wpa_printf(MSG_DEBUG, "EAP-SAKE: Unknown non-skippable" 140 " attribute %d", pos[0]); 141 return -1; 142 } 143 wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring unknown skippable " 144 "attribute %d", pos[0]); 145 break; 146 } 147 148 if (attr->iv && !attr->encr_data) { 149 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_IV included without " 150 "AT_ENCR_DATA"); 151 return -1; 152 } 153 154 return 0; 155 } 156 157 158 /** 159 * eap_sake_parse_attributes - Parse EAP-SAKE attributes 160 * @buf: Packet payload (starting with the first attribute) 161 * @len: Payload length 162 * @attr: Structure to be filled with found attributes 163 * Returns: 0 on success or -1 on failure 164 */ 165 int eap_sake_parse_attributes(const u8 *buf, size_t len, 166 struct eap_sake_parse_attr *attr) 167 { 168 const u8 *pos = buf, *end = buf + len; 169 170 os_memset(attr, 0, sizeof(*attr)); 171 while (pos < end) { 172 if (end - pos < 2) { 173 wpa_printf(MSG_DEBUG, "EAP-SAKE: Too short attribute"); 174 return -1; 175 } 176 177 if (pos[1] < 2) { 178 wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid attribute " 179 "length (%d)", pos[1]); 180 return -1; 181 } 182 183 if (pos + pos[1] > end) { 184 wpa_printf(MSG_DEBUG, "EAP-SAKE: Attribute underflow"); 185 return -1; 186 } 187 188 if (eap_sake_parse_add_attr(attr, pos)) 189 return -1; 190 191 pos += pos[1]; 192 } 193 194 return 0; 195 } 196 197 198 /** 199 * eap_sake_kdf - EAP-SAKE Key Derivation Function (KDF) 200 * @key: Key for KDF 201 * @key_len: Length of the key in bytes 202 * @label: A unique label for each purpose of the KDF 203 * @data: Extra data (start) to bind into the key 204 * @data_len: Length of the data 205 * @data2: Extra data (end) to bind into the key 206 * @data2_len: Length of the data2 207 * @buf: Buffer for the generated pseudo-random key 208 * @buf_len: Number of bytes of key to generate 209 * 210 * This function is used to derive new, cryptographically separate keys from a 211 * given key (e.g., SMS). This is identical to the PRF used in IEEE 802.11i. 212 */ 213 static void eap_sake_kdf(const u8 *key, size_t key_len, const char *label, 214 const u8 *data, size_t data_len, 215 const u8 *data2, size_t data2_len, 216 u8 *buf, size_t buf_len) 217 { 218 u8 counter = 0; 219 size_t pos, plen; 220 u8 hash[SHA1_MAC_LEN]; 221 size_t label_len = os_strlen(label) + 1; 222 const unsigned char *addr[4]; 223 size_t len[4]; 224 225 addr[0] = (u8 *) label; /* Label | Y */ 226 len[0] = label_len; 227 addr[1] = data; /* Msg[start] */ 228 len[1] = data_len; 229 addr[2] = data2; /* Msg[end] */ 230 len[2] = data2_len; 231 addr[3] = &counter; /* Length */ 232 len[3] = 1; 233 234 pos = 0; 235 while (pos < buf_len) { 236 plen = buf_len - pos; 237 if (plen >= SHA1_MAC_LEN) { 238 hmac_sha1_vector(key, key_len, 4, addr, len, 239 &buf[pos]); 240 pos += SHA1_MAC_LEN; 241 } else { 242 hmac_sha1_vector(key, key_len, 4, addr, len, 243 hash); 244 os_memcpy(&buf[pos], hash, plen); 245 break; 246 } 247 counter++; 248 } 249 } 250 251 252 /** 253 * eap_sake_derive_keys - Derive EAP-SAKE keys 254 * @root_secret_a: 16-byte Root-Secret-A 255 * @root_secret_b: 16-byte Root-Secret-B 256 * @rand_s: 16-byte RAND_S 257 * @rand_p: 16-byte RAND_P 258 * @tek: Buffer for Temporary EAK Keys (TEK-Auth[16] | TEK-Cipher[16]) 259 * @msk: Buffer for 64-byte MSK 260 * @emsk: Buffer for 64-byte EMSK 261 * 262 * This function derives EAP-SAKE keys as defined in RFC 4763, section 3.2.6. 263 */ 264 void eap_sake_derive_keys(const u8 *root_secret_a, const u8 *root_secret_b, 265 const u8 *rand_s, const u8 *rand_p, u8 *tek, u8 *msk, 266 u8 *emsk) 267 { 268 u8 sms_a[EAP_SAKE_SMS_LEN]; 269 u8 sms_b[EAP_SAKE_SMS_LEN]; 270 u8 key_buf[EAP_MSK_LEN + EAP_EMSK_LEN]; 271 272 wpa_printf(MSG_DEBUG, "EAP-SAKE: Deriving keys"); 273 274 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-A", 275 root_secret_a, EAP_SAKE_ROOT_SECRET_LEN); 276 eap_sake_kdf(root_secret_a, EAP_SAKE_ROOT_SECRET_LEN, 277 "SAKE Master Secret A", 278 rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN, 279 sms_a, EAP_SAKE_SMS_LEN); 280 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-A", sms_a, EAP_SAKE_SMS_LEN); 281 eap_sake_kdf(sms_a, EAP_SAKE_SMS_LEN, "Transient EAP Key", 282 rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN, 283 tek, EAP_SAKE_TEK_LEN); 284 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Auth", 285 tek, EAP_SAKE_TEK_AUTH_LEN); 286 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Cipher", 287 tek + EAP_SAKE_TEK_AUTH_LEN, EAP_SAKE_TEK_CIPHER_LEN); 288 289 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-B", 290 root_secret_b, EAP_SAKE_ROOT_SECRET_LEN); 291 eap_sake_kdf(root_secret_b, EAP_SAKE_ROOT_SECRET_LEN, 292 "SAKE Master Secret B", 293 rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN, 294 sms_b, EAP_SAKE_SMS_LEN); 295 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-B", sms_b, EAP_SAKE_SMS_LEN); 296 eap_sake_kdf(sms_b, EAP_SAKE_SMS_LEN, "Master Session Key", 297 rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN, 298 key_buf, sizeof(key_buf)); 299 os_memcpy(msk, key_buf, EAP_MSK_LEN); 300 os_memcpy(emsk, key_buf + EAP_MSK_LEN, EAP_EMSK_LEN); 301 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: MSK", msk, EAP_MSK_LEN); 302 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: EMSK", emsk, EAP_EMSK_LEN); 303 } 304 305 306 /** 307 * eap_sake_compute_mic - Compute EAP-SAKE MIC for an EAP packet 308 * @tek_auth: 16-byte TEK-Auth 309 * @rand_s: 16-byte RAND_S 310 * @rand_p: 16-byte RAND_P 311 * @serverid: SERVERID 312 * @serverid_len: SERVERID length 313 * @peerid: PEERID 314 * @peerid_len: PEERID length 315 * @peer: MIC calculation for 0 = Server, 1 = Peer message 316 * @eap: EAP packet 317 * @eap_len: EAP packet length 318 * @mic_pos: MIC position in the EAP packet (must be [eap .. eap + eap_len]) 319 * @mic: Buffer for the computed 16-byte MIC 320 */ 321 int eap_sake_compute_mic(const u8 *tek_auth, 322 const u8 *rand_s, const u8 *rand_p, 323 const u8 *serverid, size_t serverid_len, 324 const u8 *peerid, size_t peerid_len, 325 int peer, const u8 *eap, size_t eap_len, 326 const u8 *mic_pos, u8 *mic) 327 { 328 u8 _rand[2 * EAP_SAKE_RAND_LEN]; 329 u8 *tmp, *pos; 330 size_t tmplen; 331 332 tmplen = serverid_len + 1 + peerid_len + 1 + eap_len; 333 tmp = os_malloc(tmplen); 334 if (tmp == NULL) 335 return -1; 336 pos = tmp; 337 if (peer) { 338 if (peerid) { 339 os_memcpy(pos, peerid, peerid_len); 340 pos += peerid_len; 341 } 342 *pos++ = 0x00; 343 if (serverid) { 344 os_memcpy(pos, serverid, serverid_len); 345 pos += serverid_len; 346 } 347 *pos++ = 0x00; 348 349 os_memcpy(_rand, rand_s, EAP_SAKE_RAND_LEN); 350 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_p, 351 EAP_SAKE_RAND_LEN); 352 } else { 353 if (serverid) { 354 os_memcpy(pos, serverid, serverid_len); 355 pos += serverid_len; 356 } 357 *pos++ = 0x00; 358 if (peerid) { 359 os_memcpy(pos, peerid, peerid_len); 360 pos += peerid_len; 361 } 362 *pos++ = 0x00; 363 364 os_memcpy(_rand, rand_p, EAP_SAKE_RAND_LEN); 365 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_s, 366 EAP_SAKE_RAND_LEN); 367 } 368 369 os_memcpy(pos, eap, eap_len); 370 os_memset(pos + (mic_pos - eap), 0, EAP_SAKE_MIC_LEN); 371 372 eap_sake_kdf(tek_auth, EAP_SAKE_TEK_AUTH_LEN, 373 peer ? "Peer MIC" : "Server MIC", 374 _rand, 2 * EAP_SAKE_RAND_LEN, tmp, tmplen, 375 mic, EAP_SAKE_MIC_LEN); 376 377 os_free(tmp); 378 379 return 0; 380 } 381