Home | History | Annotate | Download | only in wpa_supplicant 
      1 /*
      2  * EAP server/peer: EAP-PAX shared routines
      3  * Copyright (c) 2005, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This program is free software; you can redistribute it and/or modify
      6  * it under the terms of the GNU General Public License version 2 as
      7  * published by the Free Software Foundation.
      8  *
      9  * Alternatively, this software may be distributed under the terms of BSD
     10  * license.
     11  *
     12  * See README and COPYING for more details.
     13  */
     14 
     15 #include "includes.h"
     16 
     17 #include "common.h"
     18 #include "sha1.h"
     19 #include "eap_pax_common.h"
     20 
     21 
     22 /**
     23  * eap_pax_kdf - PAX Key Derivation Function
     24  * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported
     25  * @key: Secret key (X)
     26  * @key_len: Length of the secret key in bytes
     27  * @identifier: Public identifier for the key (Y)
     28  * @entropy: Exchanged entropy to seed the KDF (Z)
     29  * @entropy_len: Length of the entropy in bytes
     30  * @output_len: Output len in bytes (W)
     31  * @output: Buffer for the derived key
     32  * Returns: 0 on success, -1 failed
     33  *
     34  * RFC 4746, Section 2.6: PAX-KDF-W(X, Y, Z)
     35  */
     36 int eap_pax_kdf(u8 mac_id, const u8 *key, size_t key_len,
     37 		const char *identifier,
     38 		const u8 *entropy, size_t entropy_len,
     39 		size_t output_len, u8 *output)
     40 {
     41 	u8 mac[SHA1_MAC_LEN];
     42 	u8 counter, *pos;
     43 	const u8 *addr[3];
     44 	size_t len[3];
     45 	size_t num_blocks, left;
     46 
     47 	num_blocks = (output_len + EAP_PAX_MAC_LEN - 1) / EAP_PAX_MAC_LEN;
     48 	if (identifier == NULL || num_blocks >= 255)
     49 		return -1;
     50 
     51 	/* TODO: add support for EAP_PAX_HMAC_SHA256_128 */
     52 	if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128)
     53 		return -1;
     54 
     55 	addr[0] = (const u8 *) identifier;
     56 	len[0] = os_strlen(identifier);
     57 	addr[1] = entropy;
     58 	len[1] = entropy_len;
     59 	addr[2] = &counter;
     60 	len[2] = 1;
     61 
     62 	pos = output;
     63 	left = output_len;
     64 	for (counter = 1; counter <= (u8) num_blocks; counter++) {
     65 		size_t clen = left > EAP_PAX_MAC_LEN ? EAP_PAX_MAC_LEN : left;
     66 		hmac_sha1_vector(key, key_len, 3, addr, len, mac);
     67 		os_memcpy(pos, mac, clen);
     68 		pos += clen;
     69 		left -= clen;
     70 	}
     71 
     72 	return 0;
     73 }
     74 
     75 
     76 /**
     77  * eap_pax_mac - EAP-PAX MAC
     78  * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported
     79  * @key: Secret key
     80  * @key_len: Length of the secret key in bytes
     81  * @data1: Optional data, first block; %NULL if not used
     82  * @data1_len: Length of data1 in bytes
     83  * @data2: Optional data, second block; %NULL if not used
     84  * @data2_len: Length of data2 in bytes
     85  * @data3: Optional data, third block; %NULL if not used
     86  * @data3_len: Length of data3 in bytes
     87  * @mac: Buffer for the MAC value (EAP_PAX_MAC_LEN = 16 bytes)
     88  * Returns: 0 on success, -1 on failure
     89  *
     90  * Wrapper function to calculate EAP-PAX MAC.
     91  */
     92 int eap_pax_mac(u8 mac_id, const u8 *key, size_t key_len,
     93 		const u8 *data1, size_t data1_len,
     94 		const u8 *data2, size_t data2_len,
     95 		const u8 *data3, size_t data3_len,
     96 		u8 *mac)
     97 {
     98 	u8 hash[SHA1_MAC_LEN];
     99 	const u8 *addr[3];
    100 	size_t len[3];
    101 	size_t count;
    102 
    103 	/* TODO: add support for EAP_PAX_HMAC_SHA256_128 */
    104 	if (mac_id != EAP_PAX_MAC_HMAC_SHA1_128)
    105 		return -1;
    106 
    107 	addr[0] = data1;
    108 	len[0] = data1_len;
    109 	addr[1] = data2;
    110 	len[1] = data2_len;
    111 	addr[2] = data3;
    112 	len[2] = data3_len;
    113 
    114 	count = (data1 ? 1 : 0) + (data2 ? 1 : 0) + (data3 ? 1 : 0);
    115 	hmac_sha1_vector(key, key_len, count, addr, len, hash);
    116 	os_memcpy(mac, hash, EAP_PAX_MAC_LEN);
    117 
    118 	return 0;
    119 }
    120 
    121 
    122 /**
    123  * eap_pax_initial_key_derivation - EAP-PAX initial key derivation
    124  * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported
    125  * @ak: Authentication Key
    126  * @e: Entropy
    127  * @mk: Buffer for the derived Master Key
    128  * @ck: Buffer for the derived Confirmation Key
    129  * @ick: Buffer for the derived Integrity Check Key
    130  * Returns: 0 on success, -1 on failure
    131  */
    132 int eap_pax_initial_key_derivation(u8 mac_id, const u8 *ak, const u8 *e,
    133 				   u8 *mk, u8 *ck, u8 *ick)
    134 {
    135 	wpa_printf(MSG_DEBUG, "EAP-PAX: initial key derivation");
    136 	if (eap_pax_kdf(mac_id, ak, EAP_PAX_AK_LEN, "Master Key",
    137 			e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_MK_LEN, mk) ||
    138 	    eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Confirmation Key",
    139 			e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_CK_LEN, ck) ||
    140 	    eap_pax_kdf(mac_id, mk, EAP_PAX_MK_LEN, "Integrity Check Key",
    141 			e, 2 * EAP_PAX_RAND_LEN, EAP_PAX_ICK_LEN, ick))
    142 		return -1;
    143 
    144 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: AK", ak, EAP_PAX_AK_LEN);
    145 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: MK", mk, EAP_PAX_MK_LEN);
    146 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: CK", ck, EAP_PAX_CK_LEN);
    147 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-PAX: ICK", ick, EAP_PAX_ICK_LEN);
    148 
    149 	return 0;
    150 }
    151