1 /* 2 * EAP server/peer: EAP-pwd shared routines 3 * Copyright (c) 2010, Dan Harkins <dharkins (at) lounge.org> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include "common.h" 11 #include "eap_defs.h" 12 #include "eap_pwd_common.h" 13 14 /* The random function H(x) = HMAC-SHA256(0^32, x) */ 15 void H_Init(HMAC_CTX *ctx) 16 { 17 u8 allzero[SHA256_DIGEST_LENGTH]; 18 19 os_memset(allzero, 0, SHA256_DIGEST_LENGTH); 20 HMAC_Init(ctx, allzero, SHA256_DIGEST_LENGTH, EVP_sha256()); 21 } 22 23 24 void H_Update(HMAC_CTX *ctx, const u8 *data, int len) 25 { 26 HMAC_Update(ctx, data, len); 27 } 28 29 30 void H_Final(HMAC_CTX *ctx, u8 *digest) 31 { 32 unsigned int mdlen = SHA256_DIGEST_LENGTH; 33 34 HMAC_Final(ctx, digest, &mdlen); 35 HMAC_CTX_cleanup(ctx); 36 } 37 38 39 /* a counter-based KDF based on NIST SP800-108 */ 40 void eap_pwd_kdf(u8 *key, int keylen, u8 *label, int labellen, 41 u8 *result, int resultbitlen) 42 { 43 HMAC_CTX hctx; 44 unsigned char digest[SHA256_DIGEST_LENGTH]; 45 u16 i, ctr, L; 46 int resultbytelen, len = 0; 47 unsigned int mdlen = SHA256_DIGEST_LENGTH; 48 unsigned char mask = 0xff; 49 50 resultbytelen = (resultbitlen + 7)/8; 51 ctr = 0; 52 L = htons(resultbitlen); 53 while (len < resultbytelen) { 54 ctr++; i = htons(ctr); 55 HMAC_Init(&hctx, key, keylen, EVP_sha256()); 56 if (ctr > 1) 57 HMAC_Update(&hctx, digest, mdlen); 58 HMAC_Update(&hctx, (u8 *) &i, sizeof(u16)); 59 HMAC_Update(&hctx, label, labellen); 60 HMAC_Update(&hctx, (u8 *) &L, sizeof(u16)); 61 HMAC_Final(&hctx, digest, &mdlen); 62 if ((len + (int) mdlen) > resultbytelen) 63 os_memcpy(result + len, digest, resultbytelen - len); 64 else 65 os_memcpy(result + len, digest, mdlen); 66 len += mdlen; 67 HMAC_CTX_cleanup(&hctx); 68 } 69 70 /* since we're expanding to a bit length, mask off the excess */ 71 if (resultbitlen % 8) { 72 mask <<= (8 - (resultbitlen % 8)); 73 result[resultbytelen - 1] &= mask; 74 } 75 } 76 77 78 /* 79 * compute a "random" secret point on an elliptic curve based 80 * on the password and identities. 81 */ 82 int compute_password_element(EAP_PWD_group *grp, u16 num, 83 u8 *password, int password_len, 84 u8 *id_server, int id_server_len, 85 u8 *id_peer, int id_peer_len, u8 *token) 86 { 87 BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL; 88 HMAC_CTX ctx; 89 unsigned char pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr; 90 int nid, is_odd, primebitlen, primebytelen, ret = 0; 91 92 switch (num) { /* from IANA registry for IKE D-H groups */ 93 case 19: 94 nid = NID_X9_62_prime256v1; 95 break; 96 case 20: 97 nid = NID_secp384r1; 98 break; 99 case 21: 100 nid = NID_secp521r1; 101 break; 102 case 25: 103 nid = NID_X9_62_prime192v1; 104 break; 105 case 26: 106 nid = NID_secp224r1; 107 break; 108 default: 109 wpa_printf(MSG_INFO, "EAP-pwd: unsupported group %d", num); 110 return -1; 111 } 112 113 grp->pwe = NULL; 114 grp->order = NULL; 115 grp->prime = NULL; 116 117 if ((grp->group = EC_GROUP_new_by_curve_name(nid)) == NULL) { 118 wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC_GROUP"); 119 goto fail; 120 } 121 122 if (((rnd = BN_new()) == NULL) || 123 ((cofactor = BN_new()) == NULL) || 124 ((grp->pwe = EC_POINT_new(grp->group)) == NULL) || 125 ((grp->order = BN_new()) == NULL) || 126 ((grp->prime = BN_new()) == NULL) || 127 ((x_candidate = BN_new()) == NULL)) { 128 wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums"); 129 goto fail; 130 } 131 132 if (!EC_GROUP_get_curve_GFp(grp->group, grp->prime, NULL, NULL, NULL)) 133 { 134 wpa_printf(MSG_INFO, "EAP-pwd: unable to get prime for GFp " 135 "curve"); 136 goto fail; 137 } 138 if (!EC_GROUP_get_order(grp->group, grp->order, NULL)) { 139 wpa_printf(MSG_INFO, "EAP-pwd: unable to get order for curve"); 140 goto fail; 141 } 142 if (!EC_GROUP_get_cofactor(grp->group, cofactor, NULL)) { 143 wpa_printf(MSG_INFO, "EAP-pwd: unable to get cofactor for " 144 "curve"); 145 goto fail; 146 } 147 primebitlen = BN_num_bits(grp->prime); 148 primebytelen = BN_num_bytes(grp->prime); 149 if ((prfbuf = os_malloc(primebytelen)) == NULL) { 150 wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf " 151 "buffer"); 152 goto fail; 153 } 154 os_memset(prfbuf, 0, primebytelen); 155 ctr = 0; 156 while (1) { 157 if (ctr > 10) { 158 wpa_printf(MSG_INFO, "EAP-pwd: unable to find random " 159 "point on curve for group %d, something's " 160 "fishy", num); 161 goto fail; 162 } 163 ctr++; 164 165 /* 166 * compute counter-mode password value and stretch to prime 167 * pwd-seed = H(token | peer-id | server-id | password | 168 * counter) 169 */ 170 H_Init(&ctx); 171 H_Update(&ctx, token, sizeof(u32)); 172 H_Update(&ctx, id_peer, id_peer_len); 173 H_Update(&ctx, id_server, id_server_len); 174 H_Update(&ctx, password, password_len); 175 H_Update(&ctx, &ctr, sizeof(ctr)); 176 H_Final(&ctx, pwe_digest); 177 178 BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd); 179 180 eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, 181 (unsigned char *) "EAP-pwd Hunting And Pecking", 182 os_strlen("EAP-pwd Hunting And Pecking"), 183 prfbuf, primebitlen); 184 185 BN_bin2bn(prfbuf, primebytelen, x_candidate); 186 187 /* 188 * eap_pwd_kdf() returns a string of bits 0..primebitlen but 189 * BN_bin2bn will treat that string of bits as a big endian 190 * number. If the primebitlen is not an even multiple of 8 191 * then excessive bits-- those _after_ primebitlen-- so now 192 * we have to shift right the amount we masked off. 193 */ 194 if (primebitlen % 8) 195 BN_rshift(x_candidate, x_candidate, 196 (8 - (primebitlen % 8))); 197 198 if (BN_ucmp(x_candidate, grp->prime) >= 0) 199 continue; 200 201 wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate", 202 prfbuf, primebytelen); 203 204 /* 205 * need to unambiguously identify the solution, if there is 206 * one... 207 */ 208 if (BN_is_odd(rnd)) 209 is_odd = 1; 210 else 211 is_odd = 0; 212 213 /* 214 * solve the quadratic equation, if it's not solvable then we 215 * don't have a point 216 */ 217 if (!EC_POINT_set_compressed_coordinates_GFp(grp->group, 218 grp->pwe, 219 x_candidate, 220 is_odd, NULL)) 221 continue; 222 /* 223 * If there's a solution to the equation then the point must be 224 * on the curve so why check again explicitly? OpenSSL code 225 * says this is required by X9.62. We're not X9.62 but it can't 226 * hurt just to be sure. 227 */ 228 if (!EC_POINT_is_on_curve(grp->group, grp->pwe, NULL)) { 229 wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve"); 230 continue; 231 } 232 233 if (BN_cmp(cofactor, BN_value_one())) { 234 /* make sure the point is not in a small sub-group */ 235 if (!EC_POINT_mul(grp->group, grp->pwe, NULL, grp->pwe, 236 cofactor, NULL)) { 237 wpa_printf(MSG_INFO, "EAP-pwd: cannot " 238 "multiply generator by order"); 239 continue; 240 } 241 if (EC_POINT_is_at_infinity(grp->group, grp->pwe)) { 242 wpa_printf(MSG_INFO, "EAP-pwd: point is at " 243 "infinity"); 244 continue; 245 } 246 } 247 /* if we got here then we have a new generator. */ 248 break; 249 } 250 wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %d tries", ctr); 251 grp->group_num = num; 252 if (0) { 253 fail: 254 EC_GROUP_free(grp->group); 255 EC_POINT_free(grp->pwe); 256 BN_free(grp->order); 257 BN_free(grp->prime); 258 os_free(grp); 259 grp = NULL; 260 ret = 1; 261 } 262 /* cleanliness and order.... */ 263 BN_free(cofactor); 264 BN_free(x_candidate); 265 BN_free(rnd); 266 os_free(prfbuf); 267 268 return ret; 269 } 270 271 272 int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, BIGNUM *k, 273 BIGNUM *peer_scalar, BIGNUM *server_scalar, 274 u8 *confirm_peer, u8 *confirm_server, 275 u32 *ciphersuite, u8 *msk, u8 *emsk) 276 { 277 HMAC_CTX ctx; 278 u8 mk[SHA256_DIGEST_LENGTH], *cruft; 279 u8 session_id[SHA256_DIGEST_LENGTH + 1]; 280 u8 msk_emsk[EAP_MSK_LEN + EAP_EMSK_LEN]; 281 int offset; 282 283 if ((cruft = os_malloc(BN_num_bytes(grp->prime))) == NULL) 284 return -1; 285 286 /* 287 * first compute the session-id = TypeCode | H(ciphersuite | scal_p | 288 * scal_s) 289 */ 290 session_id[0] = EAP_TYPE_PWD; 291 H_Init(&ctx); 292 H_Update(&ctx, (u8 *)ciphersuite, sizeof(u32)); 293 offset = BN_num_bytes(grp->order) - BN_num_bytes(peer_scalar); 294 os_memset(cruft, 0, BN_num_bytes(grp->prime)); 295 BN_bn2bin(peer_scalar, cruft + offset); 296 H_Update(&ctx, cruft, BN_num_bytes(grp->order)); 297 offset = BN_num_bytes(grp->order) - BN_num_bytes(server_scalar); 298 os_memset(cruft, 0, BN_num_bytes(grp->prime)); 299 BN_bn2bin(server_scalar, cruft + offset); 300 H_Update(&ctx, cruft, BN_num_bytes(grp->order)); 301 H_Final(&ctx, &session_id[1]); 302 303 /* then compute MK = H(k | confirm-peer | confirm-server) */ 304 H_Init(&ctx); 305 offset = BN_num_bytes(grp->prime) - BN_num_bytes(k); 306 os_memset(cruft, 0, BN_num_bytes(grp->prime)); 307 BN_bn2bin(k, cruft + offset); 308 H_Update(&ctx, cruft, BN_num_bytes(grp->prime)); 309 H_Update(&ctx, confirm_peer, SHA256_DIGEST_LENGTH); 310 H_Update(&ctx, confirm_server, SHA256_DIGEST_LENGTH); 311 H_Final(&ctx, mk); 312 313 /* stretch the mk with the session-id to get MSK | EMSK */ 314 eap_pwd_kdf(mk, SHA256_DIGEST_LENGTH, 315 session_id, SHA256_DIGEST_LENGTH+1, 316 msk_emsk, (EAP_MSK_LEN + EAP_EMSK_LEN) * 8); 317 318 os_memcpy(msk, msk_emsk, EAP_MSK_LEN); 319 os_memcpy(emsk, msk_emsk + EAP_MSK_LEN, EAP_EMSK_LEN); 320 321 os_free(cruft); 322 323 return 1; 324 } 325
