1 /* 2 * EAP server/peer: EAP-pwd shared routines 3 * Copyright (c) 2010, Dan Harkins <dharkins (at) lounge.org> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include "common.h" 11 #include "crypto/sha256.h" 12 #include "crypto/crypto.h" 13 #include "eap_defs.h" 14 #include "eap_pwd_common.h" 15 16 /* The random function H(x) = HMAC-SHA256(0^32, x) */ 17 struct crypto_hash * eap_pwd_h_init(void) 18 { 19 u8 allzero[SHA256_MAC_LEN]; 20 os_memset(allzero, 0, SHA256_MAC_LEN); 21 return crypto_hash_init(CRYPTO_HASH_ALG_HMAC_SHA256, allzero, 22 SHA256_MAC_LEN); 23 } 24 25 26 void eap_pwd_h_update(struct crypto_hash *hash, const u8 *data, size_t len) 27 { 28 crypto_hash_update(hash, data, len); 29 } 30 31 32 void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest) 33 { 34 size_t len = SHA256_MAC_LEN; 35 crypto_hash_finish(hash, digest, &len); 36 } 37 38 39 /* a counter-based KDF based on NIST SP800-108 */ 40 static int eap_pwd_kdf(const u8 *key, size_t keylen, const u8 *label, 41 size_t labellen, u8 *result, size_t resultbitlen) 42 { 43 struct crypto_hash *hash; 44 u8 digest[SHA256_MAC_LEN]; 45 u16 i, ctr, L; 46 size_t resultbytelen, len = 0, mdlen; 47 48 resultbytelen = (resultbitlen + 7) / 8; 49 ctr = 0; 50 L = htons(resultbitlen); 51 while (len < resultbytelen) { 52 ctr++; 53 i = htons(ctr); 54 hash = crypto_hash_init(CRYPTO_HASH_ALG_HMAC_SHA256, 55 key, keylen); 56 if (hash == NULL) 57 return -1; 58 if (ctr > 1) 59 crypto_hash_update(hash, digest, SHA256_MAC_LEN); 60 crypto_hash_update(hash, (u8 *) &i, sizeof(u16)); 61 crypto_hash_update(hash, label, labellen); 62 crypto_hash_update(hash, (u8 *) &L, sizeof(u16)); 63 mdlen = SHA256_MAC_LEN; 64 if (crypto_hash_finish(hash, digest, &mdlen) < 0) 65 return -1; 66 if ((len + mdlen) > resultbytelen) 67 os_memcpy(result + len, digest, resultbytelen - len); 68 else 69 os_memcpy(result + len, digest, mdlen); 70 len += mdlen; 71 } 72 73 /* since we're expanding to a bit length, mask off the excess */ 74 if (resultbitlen % 8) { 75 u8 mask = 0xff; 76 mask <<= (8 - (resultbitlen % 8)); 77 result[resultbytelen - 1] &= mask; 78 } 79 80 return 0; 81 } 82 83 84 /* 85 * compute a "random" secret point on an elliptic curve based 86 * on the password and identities. 87 */ 88 int compute_password_element(EAP_PWD_group *grp, u16 num, 89 const u8 *password, size_t password_len, 90 const u8 *id_server, size_t id_server_len, 91 const u8 *id_peer, size_t id_peer_len, 92 const u8 *token) 93 { 94 BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL; 95 struct crypto_hash *hash; 96 unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr; 97 int nid, is_odd, ret = 0; 98 size_t primebytelen, primebitlen; 99 100 switch (num) { /* from IANA registry for IKE D-H groups */ 101 case 19: 102 nid = NID_X9_62_prime256v1; 103 break; 104 case 20: 105 nid = NID_secp384r1; 106 break; 107 case 21: 108 nid = NID_secp521r1; 109 break; 110 #ifndef OPENSSL_IS_BORINGSSL 111 case 25: 112 nid = NID_X9_62_prime192v1; 113 break; 114 #endif /* OPENSSL_IS_BORINGSSL */ 115 case 26: 116 nid = NID_secp224r1; 117 break; 118 #ifdef NID_brainpoolP224r1 119 case 27: 120 nid = NID_brainpoolP224r1; 121 break; 122 #endif /* NID_brainpoolP224r1 */ 123 #ifdef NID_brainpoolP256r1 124 case 28: 125 nid = NID_brainpoolP256r1; 126 break; 127 #endif /* NID_brainpoolP256r1 */ 128 #ifdef NID_brainpoolP384r1 129 case 29: 130 nid = NID_brainpoolP384r1; 131 break; 132 #endif /* NID_brainpoolP384r1 */ 133 #ifdef NID_brainpoolP512r1 134 case 30: 135 nid = NID_brainpoolP512r1; 136 break; 137 #endif /* NID_brainpoolP512r1 */ 138 default: 139 wpa_printf(MSG_INFO, "EAP-pwd: unsupported group %d", num); 140 return -1; 141 } 142 143 grp->pwe = NULL; 144 grp->order = NULL; 145 grp->prime = NULL; 146 147 if ((grp->group = EC_GROUP_new_by_curve_name(nid)) == NULL) { 148 wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC_GROUP"); 149 goto fail; 150 } 151 152 if (((rnd = BN_new()) == NULL) || 153 ((cofactor = BN_new()) == NULL) || 154 ((grp->pwe = EC_POINT_new(grp->group)) == NULL) || 155 ((grp->order = BN_new()) == NULL) || 156 ((grp->prime = BN_new()) == NULL) || 157 ((x_candidate = BN_new()) == NULL)) { 158 wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums"); 159 goto fail; 160 } 161 162 if (!EC_GROUP_get_curve_GFp(grp->group, grp->prime, NULL, NULL, NULL)) 163 { 164 wpa_printf(MSG_INFO, "EAP-pwd: unable to get prime for GFp " 165 "curve"); 166 goto fail; 167 } 168 if (!EC_GROUP_get_order(grp->group, grp->order, NULL)) { 169 wpa_printf(MSG_INFO, "EAP-pwd: unable to get order for curve"); 170 goto fail; 171 } 172 if (!EC_GROUP_get_cofactor(grp->group, cofactor, NULL)) { 173 wpa_printf(MSG_INFO, "EAP-pwd: unable to get cofactor for " 174 "curve"); 175 goto fail; 176 } 177 primebitlen = BN_num_bits(grp->prime); 178 primebytelen = BN_num_bytes(grp->prime); 179 if ((prfbuf = os_malloc(primebytelen)) == NULL) { 180 wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf " 181 "buffer"); 182 goto fail; 183 } 184 os_memset(prfbuf, 0, primebytelen); 185 ctr = 0; 186 while (1) { 187 if (ctr > 30) { 188 wpa_printf(MSG_INFO, "EAP-pwd: unable to find random " 189 "point on curve for group %d, something's " 190 "fishy", num); 191 goto fail; 192 } 193 ctr++; 194 195 /* 196 * compute counter-mode password value and stretch to prime 197 * pwd-seed = H(token | peer-id | server-id | password | 198 * counter) 199 */ 200 hash = eap_pwd_h_init(); 201 if (hash == NULL) 202 goto fail; 203 eap_pwd_h_update(hash, token, sizeof(u32)); 204 eap_pwd_h_update(hash, id_peer, id_peer_len); 205 eap_pwd_h_update(hash, id_server, id_server_len); 206 eap_pwd_h_update(hash, password, password_len); 207 eap_pwd_h_update(hash, &ctr, sizeof(ctr)); 208 eap_pwd_h_final(hash, pwe_digest); 209 210 BN_bin2bn(pwe_digest, SHA256_MAC_LEN, rnd); 211 212 if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN, 213 (u8 *) "EAP-pwd Hunting And Pecking", 214 os_strlen("EAP-pwd Hunting And Pecking"), 215 prfbuf, primebitlen) < 0) 216 goto fail; 217 218 BN_bin2bn(prfbuf, primebytelen, x_candidate); 219 220 /* 221 * eap_pwd_kdf() returns a string of bits 0..primebitlen but 222 * BN_bin2bn will treat that string of bits as a big endian 223 * number. If the primebitlen is not an even multiple of 8 224 * then excessive bits-- those _after_ primebitlen-- so now 225 * we have to shift right the amount we masked off. 226 */ 227 if (primebitlen % 8) 228 BN_rshift(x_candidate, x_candidate, 229 (8 - (primebitlen % 8))); 230 231 if (BN_ucmp(x_candidate, grp->prime) >= 0) 232 continue; 233 234 wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate", 235 prfbuf, primebytelen); 236 237 /* 238 * need to unambiguously identify the solution, if there is 239 * one... 240 */ 241 if (BN_is_odd(rnd)) 242 is_odd = 1; 243 else 244 is_odd = 0; 245 246 /* 247 * solve the quadratic equation, if it's not solvable then we 248 * don't have a point 249 */ 250 if (!EC_POINT_set_compressed_coordinates_GFp(grp->group, 251 grp->pwe, 252 x_candidate, 253 is_odd, NULL)) 254 continue; 255 /* 256 * If there's a solution to the equation then the point must be 257 * on the curve so why check again explicitly? OpenSSL code 258 * says this is required by X9.62. We're not X9.62 but it can't 259 * hurt just to be sure. 260 */ 261 if (!EC_POINT_is_on_curve(grp->group, grp->pwe, NULL)) { 262 wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve"); 263 continue; 264 } 265 266 if (BN_cmp(cofactor, BN_value_one())) { 267 /* make sure the point is not in a small sub-group */ 268 if (!EC_POINT_mul(grp->group, grp->pwe, NULL, grp->pwe, 269 cofactor, NULL)) { 270 wpa_printf(MSG_INFO, "EAP-pwd: cannot " 271 "multiply generator by order"); 272 continue; 273 } 274 if (EC_POINT_is_at_infinity(grp->group, grp->pwe)) { 275 wpa_printf(MSG_INFO, "EAP-pwd: point is at " 276 "infinity"); 277 continue; 278 } 279 } 280 /* if we got here then we have a new generator. */ 281 break; 282 } 283 wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %d tries", ctr); 284 grp->group_num = num; 285 if (0) { 286 fail: 287 EC_GROUP_free(grp->group); 288 grp->group = NULL; 289 EC_POINT_clear_free(grp->pwe); 290 grp->pwe = NULL; 291 BN_clear_free(grp->order); 292 grp->order = NULL; 293 BN_clear_free(grp->prime); 294 grp->prime = NULL; 295 ret = 1; 296 } 297 /* cleanliness and order.... */ 298 BN_clear_free(cofactor); 299 BN_clear_free(x_candidate); 300 BN_clear_free(rnd); 301 os_free(prfbuf); 302 303 return ret; 304 } 305 306 307 int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, const BIGNUM *k, 308 const BIGNUM *peer_scalar, const BIGNUM *server_scalar, 309 const u8 *confirm_peer, const u8 *confirm_server, 310 const u32 *ciphersuite, u8 *msk, u8 *emsk, u8 *session_id) 311 { 312 struct crypto_hash *hash; 313 u8 mk[SHA256_MAC_LEN], *cruft; 314 u8 msk_emsk[EAP_MSK_LEN + EAP_EMSK_LEN]; 315 int offset; 316 317 if ((cruft = os_malloc(BN_num_bytes(grp->prime))) == NULL) 318 return -1; 319 320 /* 321 * first compute the session-id = TypeCode | H(ciphersuite | scal_p | 322 * scal_s) 323 */ 324 session_id[0] = EAP_TYPE_PWD; 325 hash = eap_pwd_h_init(); 326 if (hash == NULL) { 327 os_free(cruft); 328 return -1; 329 } 330 eap_pwd_h_update(hash, (const u8 *) ciphersuite, sizeof(u32)); 331 offset = BN_num_bytes(grp->order) - BN_num_bytes(peer_scalar); 332 os_memset(cruft, 0, BN_num_bytes(grp->prime)); 333 BN_bn2bin(peer_scalar, cruft + offset); 334 eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->order)); 335 offset = BN_num_bytes(grp->order) - BN_num_bytes(server_scalar); 336 os_memset(cruft, 0, BN_num_bytes(grp->prime)); 337 BN_bn2bin(server_scalar, cruft + offset); 338 eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->order)); 339 eap_pwd_h_final(hash, &session_id[1]); 340 341 /* then compute MK = H(k | confirm-peer | confirm-server) */ 342 hash = eap_pwd_h_init(); 343 if (hash == NULL) { 344 os_free(cruft); 345 return -1; 346 } 347 offset = BN_num_bytes(grp->prime) - BN_num_bytes(k); 348 os_memset(cruft, 0, BN_num_bytes(grp->prime)); 349 BN_bn2bin(k, cruft + offset); 350 eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->prime)); 351 os_free(cruft); 352 eap_pwd_h_update(hash, confirm_peer, SHA256_MAC_LEN); 353 eap_pwd_h_update(hash, confirm_server, SHA256_MAC_LEN); 354 eap_pwd_h_final(hash, mk); 355 356 /* stretch the mk with the session-id to get MSK | EMSK */ 357 if (eap_pwd_kdf(mk, SHA256_MAC_LEN, 358 session_id, SHA256_MAC_LEN + 1, 359 msk_emsk, (EAP_MSK_LEN + EAP_EMSK_LEN) * 8) < 0) { 360 return -1; 361 } 362 363 os_memcpy(msk, msk_emsk, EAP_MSK_LEN); 364 os_memcpy(emsk, msk_emsk + EAP_MSK_LEN, EAP_EMSK_LEN); 365 366 return 1; 367 } 368
