Home | History | Annotate | Download | only in eap_common
      1 /*
      2  * EAP server/peer: EAP-SAKE shared routines
      3  * Copyright (c) 2006-2007, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This program is free software; you can redistribute it and/or modify
      6  * it under the terms of the GNU General Public License version 2 as
      7  * published by the Free Software Foundation.
      8  *
      9  * Alternatively, this software may be distributed under the terms of BSD
     10  * license.
     11  *
     12  * See README and COPYING for more details.
     13  */
     14 
     15 #include "includes.h"
     16 
     17 #include "common.h"
     18 #include "wpabuf.h"
     19 #include "crypto/sha1.h"
     20 #include "eap_defs.h"
     21 #include "eap_sake_common.h"
     22 
     23 
     24 static int eap_sake_parse_add_attr(struct eap_sake_parse_attr *attr,
     25 				   const u8 *pos)
     26 {
     27 	size_t i;
     28 
     29 	switch (pos[0]) {
     30 	case EAP_SAKE_AT_RAND_S:
     31 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_S");
     32 		if (pos[1] != 2 + EAP_SAKE_RAND_LEN) {
     33 			wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_S with "
     34 				   "invalid length %d", pos[1]);
     35 			return -1;
     36 		}
     37 		attr->rand_s = pos + 2;
     38 		break;
     39 	case EAP_SAKE_AT_RAND_P:
     40 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_P");
     41 		if (pos[1] != 2 + EAP_SAKE_RAND_LEN) {
     42 			wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_P with "
     43 				   "invalid length %d", pos[1]);
     44 			return -1;
     45 		}
     46 		attr->rand_p = pos + 2;
     47 		break;
     48 	case EAP_SAKE_AT_MIC_S:
     49 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_S");
     50 		if (pos[1] != 2 + EAP_SAKE_MIC_LEN) {
     51 			wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_S with "
     52 				   "invalid length %d", pos[1]);
     53 			return -1;
     54 		}
     55 		attr->mic_s = pos + 2;
     56 		break;
     57 	case EAP_SAKE_AT_MIC_P:
     58 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_P");
     59 		if (pos[1] != 2 + EAP_SAKE_MIC_LEN) {
     60 			wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_P with "
     61 				   "invalid length %d", pos[1]);
     62 			return -1;
     63 		}
     64 		attr->mic_p = pos + 2;
     65 		break;
     66 	case EAP_SAKE_AT_SERVERID:
     67 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SERVERID");
     68 		attr->serverid = pos + 2;
     69 		attr->serverid_len = pos[1] - 2;
     70 		break;
     71 	case EAP_SAKE_AT_PEERID:
     72 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PEERID");
     73 		attr->peerid = pos + 2;
     74 		attr->peerid_len = pos[1] - 2;
     75 		break;
     76 	case EAP_SAKE_AT_SPI_S:
     77 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_S");
     78 		attr->spi_s = pos + 2;
     79 		attr->spi_s_len = pos[1] - 2;
     80 		break;
     81 	case EAP_SAKE_AT_SPI_P:
     82 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_P");
     83 		attr->spi_p = pos + 2;
     84 		attr->spi_p_len = pos[1] - 2;
     85 		break;
     86 	case EAP_SAKE_AT_ANY_ID_REQ:
     87 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ANY_ID_REQ");
     88 		if (pos[1] != 4) {
     89 			wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid AT_ANY_ID_REQ"
     90 				   " length %d", pos[1]);
     91 			return -1;
     92 		}
     93 		attr->any_id_req = pos + 2;
     94 		break;
     95 	case EAP_SAKE_AT_PERM_ID_REQ:
     96 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PERM_ID_REQ");
     97 		if (pos[1] != 4) {
     98 			wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
     99 				   "AT_PERM_ID_REQ length %d", pos[1]);
    100 			return -1;
    101 		}
    102 		attr->perm_id_req = pos + 2;
    103 		break;
    104 	case EAP_SAKE_AT_ENCR_DATA:
    105 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ENCR_DATA");
    106 		attr->encr_data = pos + 2;
    107 		attr->encr_data_len = pos[1] - 2;
    108 		break;
    109 	case EAP_SAKE_AT_IV:
    110 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
    111 		attr->iv = pos + 2;
    112 		attr->iv_len = pos[1] - 2;
    113 		break;
    114 	case EAP_SAKE_AT_PADDING:
    115 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PADDING");
    116 		for (i = 2; i < pos[1]; i++) {
    117 			if (pos[i]) {
    118 				wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_PADDING "
    119 					   "with non-zero pad byte");
    120 				return -1;
    121 			}
    122 		}
    123 		break;
    124 	case EAP_SAKE_AT_NEXT_TMPID:
    125 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_NEXT_TMPID");
    126 		attr->next_tmpid = pos + 2;
    127 		attr->next_tmpid_len = pos[1] - 2;
    128 		break;
    129 	case EAP_SAKE_AT_MSK_LIFE:
    130 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
    131 		if (pos[1] != 6) {
    132 			wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
    133 				   "AT_MSK_LIFE length %d", pos[1]);
    134 			return -1;
    135 		}
    136 		attr->msk_life = pos + 2;
    137 		break;
    138 	default:
    139 		if (pos[0] < 128) {
    140 			wpa_printf(MSG_DEBUG, "EAP-SAKE: Unknown non-skippable"
    141 				   " attribute %d", pos[0]);
    142 			return -1;
    143 		}
    144 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring unknown skippable "
    145 			   "attribute %d", pos[0]);
    146 		break;
    147 	}
    148 
    149 	if (attr->iv && !attr->encr_data) {
    150 		wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_IV included without "
    151 			   "AT_ENCR_DATA");
    152 		return -1;
    153 	}
    154 
    155 	return 0;
    156 }
    157 
    158 
    159 /**
    160  * eap_sake_parse_attributes - Parse EAP-SAKE attributes
    161  * @buf: Packet payload (starting with the first attribute)
    162  * @len: Payload length
    163  * @attr: Structure to be filled with found attributes
    164  * Returns: 0 on success or -1 on failure
    165  */
    166 int eap_sake_parse_attributes(const u8 *buf, size_t len,
    167 			      struct eap_sake_parse_attr *attr)
    168 {
    169 	const u8 *pos = buf, *end = buf + len;
    170 
    171 	os_memset(attr, 0, sizeof(*attr));
    172 	while (pos < end) {
    173 		if (end - pos < 2) {
    174 			wpa_printf(MSG_DEBUG, "EAP-SAKE: Too short attribute");
    175 			return -1;
    176 		}
    177 
    178 		if (pos[1] < 2) {
    179 			wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid attribute "
    180 				   "length (%d)", pos[1]);
    181 			return -1;
    182 		}
    183 
    184 		if (pos + pos[1] > end) {
    185 			wpa_printf(MSG_DEBUG, "EAP-SAKE: Attribute underflow");
    186 			return -1;
    187 		}
    188 
    189 		if (eap_sake_parse_add_attr(attr, pos))
    190 			return -1;
    191 
    192 		pos += pos[1];
    193 	}
    194 
    195 	return 0;
    196 }
    197 
    198 
    199 /**
    200  * eap_sake_kdf - EAP-SAKE Key Derivation Function (KDF)
    201  * @key: Key for KDF
    202  * @key_len: Length of the key in bytes
    203  * @label: A unique label for each purpose of the KDF
    204  * @data: Extra data (start) to bind into the key
    205  * @data_len: Length of the data
    206  * @data2: Extra data (end) to bind into the key
    207  * @data2_len: Length of the data2
    208  * @buf: Buffer for the generated pseudo-random key
    209  * @buf_len: Number of bytes of key to generate
    210  *
    211  * This function is used to derive new, cryptographically separate keys from a
    212  * given key (e.g., SMS). This is identical to the PRF used in IEEE 802.11i.
    213  */
    214 static void eap_sake_kdf(const u8 *key, size_t key_len, const char *label,
    215 			 const u8 *data, size_t data_len,
    216 			 const u8 *data2, size_t data2_len,
    217 			 u8 *buf, size_t buf_len)
    218 {
    219 	u8 counter = 0;
    220 	size_t pos, plen;
    221 	u8 hash[SHA1_MAC_LEN];
    222 	size_t label_len = os_strlen(label) + 1;
    223 	const unsigned char *addr[4];
    224 	size_t len[4];
    225 
    226 	addr[0] = (u8 *) label; /* Label | Y */
    227 	len[0] = label_len;
    228 	addr[1] = data; /* Msg[start] */
    229 	len[1] = data_len;
    230 	addr[2] = data2; /* Msg[end] */
    231 	len[2] = data2_len;
    232 	addr[3] = &counter; /* Length */
    233 	len[3] = 1;
    234 
    235 	pos = 0;
    236 	while (pos < buf_len) {
    237 		plen = buf_len - pos;
    238 		if (plen >= SHA1_MAC_LEN) {
    239 			hmac_sha1_vector(key, key_len, 4, addr, len,
    240 					 &buf[pos]);
    241 			pos += SHA1_MAC_LEN;
    242 		} else {
    243 			hmac_sha1_vector(key, key_len, 4, addr, len,
    244 					 hash);
    245 			os_memcpy(&buf[pos], hash, plen);
    246 			break;
    247 		}
    248 		counter++;
    249 	}
    250 }
    251 
    252 
    253 /**
    254  * eap_sake_derive_keys - Derive EAP-SAKE keys
    255  * @root_secret_a: 16-byte Root-Secret-A
    256  * @root_secret_b: 16-byte Root-Secret-B
    257  * @rand_s: 16-byte RAND_S
    258  * @rand_p: 16-byte RAND_P
    259  * @tek: Buffer for Temporary EAK Keys (TEK-Auth[16] | TEK-Cipher[16])
    260  * @msk: Buffer for 64-byte MSK
    261  * @emsk: Buffer for 64-byte EMSK
    262  *
    263  * This function derives EAP-SAKE keys as defined in RFC 4763, section 3.2.6.
    264  */
    265 void eap_sake_derive_keys(const u8 *root_secret_a, const u8 *root_secret_b,
    266 			  const u8 *rand_s, const u8 *rand_p, u8 *tek, u8 *msk,
    267 			  u8 *emsk)
    268 {
    269 	u8 sms_a[EAP_SAKE_SMS_LEN];
    270 	u8 sms_b[EAP_SAKE_SMS_LEN];
    271 	u8 key_buf[EAP_MSK_LEN + EAP_EMSK_LEN];
    272 
    273 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Deriving keys");
    274 
    275 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-A",
    276 			root_secret_a, EAP_SAKE_ROOT_SECRET_LEN);
    277 	eap_sake_kdf(root_secret_a, EAP_SAKE_ROOT_SECRET_LEN,
    278 		     "SAKE Master Secret A",
    279 		     rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
    280 		     sms_a, EAP_SAKE_SMS_LEN);
    281 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-A", sms_a, EAP_SAKE_SMS_LEN);
    282 	eap_sake_kdf(sms_a, EAP_SAKE_SMS_LEN, "Transient EAP Key",
    283 		     rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
    284 		     tek, EAP_SAKE_TEK_LEN);
    285 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Auth",
    286 			tek, EAP_SAKE_TEK_AUTH_LEN);
    287 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Cipher",
    288 			tek + EAP_SAKE_TEK_AUTH_LEN, EAP_SAKE_TEK_CIPHER_LEN);
    289 
    290 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-B",
    291 			root_secret_b, EAP_SAKE_ROOT_SECRET_LEN);
    292 	eap_sake_kdf(root_secret_b, EAP_SAKE_ROOT_SECRET_LEN,
    293 		     "SAKE Master Secret B",
    294 		     rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
    295 		     sms_b, EAP_SAKE_SMS_LEN);
    296 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-B", sms_b, EAP_SAKE_SMS_LEN);
    297 	eap_sake_kdf(sms_b, EAP_SAKE_SMS_LEN, "Master Session Key",
    298 		     rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
    299 		     key_buf, sizeof(key_buf));
    300 	os_memcpy(msk, key_buf, EAP_MSK_LEN);
    301 	os_memcpy(emsk, key_buf + EAP_MSK_LEN, EAP_EMSK_LEN);
    302 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: MSK", msk, EAP_MSK_LEN);
    303 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: EMSK", emsk, EAP_EMSK_LEN);
    304 }
    305 
    306 
    307 /**
    308  * eap_sake_compute_mic - Compute EAP-SAKE MIC for an EAP packet
    309  * @tek_auth: 16-byte TEK-Auth
    310  * @rand_s: 16-byte RAND_S
    311  * @rand_p: 16-byte RAND_P
    312  * @serverid: SERVERID
    313  * @serverid_len: SERVERID length
    314  * @peerid: PEERID
    315  * @peerid_len: PEERID length
    316  * @peer: MIC calculation for 0 = Server, 1 = Peer message
    317  * @eap: EAP packet
    318  * @eap_len: EAP packet length
    319  * @mic_pos: MIC position in the EAP packet (must be [eap .. eap + eap_len])
    320  * @mic: Buffer for the computed 16-byte MIC
    321  */
    322 int eap_sake_compute_mic(const u8 *tek_auth,
    323 			 const u8 *rand_s, const u8 *rand_p,
    324 			 const u8 *serverid, size_t serverid_len,
    325 			 const u8 *peerid, size_t peerid_len,
    326 			 int peer, const u8 *eap, size_t eap_len,
    327 			 const u8 *mic_pos, u8 *mic)
    328 {
    329 	u8 _rand[2 * EAP_SAKE_RAND_LEN];
    330 	u8 *tmp, *pos;
    331 	size_t tmplen;
    332 
    333 	tmplen = serverid_len + 1 + peerid_len + 1 + eap_len;
    334 	tmp = os_malloc(tmplen);
    335 	if (tmp == NULL)
    336 		return -1;
    337 	pos = tmp;
    338 	if (peer) {
    339 		if (peerid) {
    340 			os_memcpy(pos, peerid, peerid_len);
    341 			pos += peerid_len;
    342 		}
    343 		*pos++ = 0x00;
    344 		if (serverid) {
    345 			os_memcpy(pos, serverid, serverid_len);
    346 			pos += serverid_len;
    347 		}
    348 		*pos++ = 0x00;
    349 
    350 		os_memcpy(_rand, rand_s, EAP_SAKE_RAND_LEN);
    351 		os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_p,
    352 			  EAP_SAKE_RAND_LEN);
    353 	} else {
    354 		if (serverid) {
    355 			os_memcpy(pos, serverid, serverid_len);
    356 			pos += serverid_len;
    357 		}
    358 		*pos++ = 0x00;
    359 		if (peerid) {
    360 			os_memcpy(pos, peerid, peerid_len);
    361 			pos += peerid_len;
    362 		}
    363 		*pos++ = 0x00;
    364 
    365 		os_memcpy(_rand, rand_p, EAP_SAKE_RAND_LEN);
    366 		os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_s,
    367 			  EAP_SAKE_RAND_LEN);
    368 	}
    369 
    370 	os_memcpy(pos, eap, eap_len);
    371 	os_memset(pos + (mic_pos - eap), 0, EAP_SAKE_MIC_LEN);
    372 
    373 	eap_sake_kdf(tek_auth, EAP_SAKE_TEK_AUTH_LEN,
    374 		     peer ? "Peer MIC" : "Server MIC",
    375 		     _rand, 2 * EAP_SAKE_RAND_LEN, tmp, tmplen,
    376 		     mic, EAP_SAKE_MIC_LEN);
    377 
    378 	os_free(tmp);
    379 
    380 	return 0;
    381 }
    382 
    383 
    384 void eap_sake_add_attr(struct wpabuf *buf, u8 type, const u8 *data,
    385 		       size_t len)
    386 {
    387 	wpabuf_put_u8(buf, type);
    388 	wpabuf_put_u8(buf, 2 + len); /* Length; including attr header */
    389 	if (data)
    390 		wpabuf_put_data(buf, data, len);
    391 	else
    392 		os_memset(wpabuf_put(buf, len), 0, len);
    393 }
    394