Merge commit 'crater/master'
[dragonfly.git] / contrib / hostapd-0.5.8 / eap_sake_common.c
blob4b5476f101c80283c78cc2c6f06c83ba4892c080
1 /*
2 * EAP server/peer: EAP-SAKE shared routines
3 * Copyright (c) 2006, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
12 * See README and COPYING for more details.
15 #include "includes.h"
17 #include "common.h"
18 #include "sha1.h"
19 #include "eap_defs.h"
20 #include "eap_sake_common.h"
23 static int eap_sake_parse_add_attr(struct eap_sake_parse_attr *attr,
24 const u8 *pos)
26 size_t i;
28 switch (pos[0]) {
29 case EAP_SAKE_AT_RAND_S:
30 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_S");
31 if (pos[1] != 2 + EAP_SAKE_RAND_LEN) {
32 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_S with "
33 "invalid length %d", pos[1]);
34 return -1;
36 attr->rand_s = pos + 2;
37 break;
38 case EAP_SAKE_AT_RAND_P:
39 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_P");
40 if (pos[1] != 2 + EAP_SAKE_RAND_LEN) {
41 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_P with "
42 "invalid length %d", pos[1]);
43 return -1;
45 attr->rand_p = pos + 2;
46 break;
47 case EAP_SAKE_AT_MIC_S:
48 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_S");
49 if (pos[1] != 2 + EAP_SAKE_MIC_LEN) {
50 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_S with "
51 "invalid length %d", pos[1]);
52 return -1;
54 attr->mic_s = pos + 2;
55 break;
56 case EAP_SAKE_AT_MIC_P:
57 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_P");
58 if (pos[1] != 2 + EAP_SAKE_MIC_LEN) {
59 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_P with "
60 "invalid length %d", pos[1]);
61 return -1;
63 attr->mic_p = pos + 2;
64 break;
65 case EAP_SAKE_AT_SERVERID:
66 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SERVERID");
67 attr->serverid = pos + 2;
68 attr->serverid_len = pos[1] - 2;
69 break;
70 case EAP_SAKE_AT_PEERID:
71 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PEERID");
72 attr->peerid = pos + 2;
73 attr->peerid_len = pos[1] - 2;
74 break;
75 case EAP_SAKE_AT_SPI_S:
76 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_S");
77 attr->spi_s = pos + 2;
78 attr->spi_s_len = pos[1] - 2;
79 break;
80 case EAP_SAKE_AT_SPI_P:
81 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_P");
82 attr->spi_p = pos + 2;
83 attr->spi_p_len = pos[1] - 2;
84 break;
85 case EAP_SAKE_AT_ANY_ID_REQ:
86 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ANY_ID_REQ");
87 if (pos[1] != 4) {
88 wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid AT_ANY_ID_REQ"
89 " length %d", pos[1]);
90 return -1;
92 attr->any_id_req = pos + 2;
93 break;
94 case EAP_SAKE_AT_PERM_ID_REQ:
95 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PERM_ID_REQ");
96 if (pos[1] != 4) {
97 wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
98 "AT_PERM_ID_REQ length %d", pos[1]);
99 return -1;
101 attr->perm_id_req = pos + 2;
102 break;
103 case EAP_SAKE_AT_ENCR_DATA:
104 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ENCR_DATA");
105 attr->encr_data = pos + 2;
106 attr->encr_data_len = pos[1] - 2;
107 break;
108 case EAP_SAKE_AT_IV:
109 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
110 attr->iv = pos + 2;
111 attr->iv_len = pos[1] - 2;
112 break;
113 case EAP_SAKE_AT_PADDING:
114 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PADDING");
115 for (i = 2; i < pos[1]; i++) {
116 if (pos[i]) {
117 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_PADDING "
118 "with non-zero pad byte");
119 return -1;
122 break;
123 case EAP_SAKE_AT_NEXT_TMPID:
124 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_NEXT_TMPID");
125 attr->next_tmpid = pos + 2;
126 attr->next_tmpid_len = pos[1] - 2;
127 break;
128 case EAP_SAKE_AT_MSK_LIFE:
129 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
130 if (pos[1] != 6) {
131 wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
132 "AT_MSK_LIFE length %d", pos[1]);
133 return -1;
135 attr->msk_life = pos + 2;
136 break;
137 default:
138 if (pos[0] < 128) {
139 wpa_printf(MSG_DEBUG, "EAP-SAKE: Unknown non-skippable"
140 " attribute %d", pos[0]);
141 return -1;
143 wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring unknown skippable "
144 "attribute %d", pos[0]);
145 break;
148 if (attr->iv && !attr->encr_data) {
149 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_IV included without "
150 "AT_ENCR_DATA");
151 return -1;
154 return 0;
159 * eap_sake_parse_attributes - Parse EAP-SAKE attributes
160 * @buf: Packet payload (starting with the first attribute)
161 * @len: Payload length
162 * @attr: Structure to be filled with found attributes
163 * Returns: 0 on success or -1 on failure
165 int eap_sake_parse_attributes(const u8 *buf, size_t len,
166 struct eap_sake_parse_attr *attr)
168 const u8 *pos = buf, *end = buf + len;
170 os_memset(attr, 0, sizeof(*attr));
171 while (pos < end) {
172 if (end - pos < 2) {
173 wpa_printf(MSG_DEBUG, "EAP-SAKE: Too short attribute");
174 return -1;
177 if (pos[1] < 2) {
178 wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid attribute "
179 "length (%d)", pos[1]);
180 return -1;
183 if (pos + pos[1] > end) {
184 wpa_printf(MSG_DEBUG, "EAP-SAKE: Attribute underflow");
185 return -1;
188 if (eap_sake_parse_add_attr(attr, pos))
189 return -1;
191 pos += pos[1];
194 return 0;
199 * eap_sake_kdf - EAP-SAKE Key Derivation Function (KDF)
200 * @key: Key for KDF
201 * @key_len: Length of the key in bytes
202 * @label: A unique label for each purpose of the KDF
203 * @data: Extra data (start) to bind into the key
204 * @data_len: Length of the data
205 * @data2: Extra data (end) to bind into the key
206 * @data2_len: Length of the data2
207 * @buf: Buffer for the generated pseudo-random key
208 * @buf_len: Number of bytes of key to generate
210 * This function is used to derive new, cryptographically separate keys from a
211 * given key (e.g., SMS). This is identical to the PRF used in IEEE 802.11i.
213 static void eap_sake_kdf(const u8 *key, size_t key_len, const char *label,
214 const u8 *data, size_t data_len,
215 const u8 *data2, size_t data2_len,
216 u8 *buf, size_t buf_len)
218 u8 counter = 0;
219 size_t pos, plen;
220 u8 hash[SHA1_MAC_LEN];
221 size_t label_len = os_strlen(label) + 1;
222 const unsigned char *addr[4];
223 size_t len[4];
225 addr[0] = (u8 *) label; /* Label | Y */
226 len[0] = label_len;
227 addr[1] = data; /* Msg[start] */
228 len[1] = data_len;
229 addr[2] = data2; /* Msg[end] */
230 len[2] = data2_len;
231 addr[3] = &counter; /* Length */
232 len[3] = 1;
234 pos = 0;
235 while (pos < buf_len) {
236 plen = buf_len - pos;
237 if (plen >= SHA1_MAC_LEN) {
238 hmac_sha1_vector(key, key_len, 4, addr, len,
239 &buf[pos]);
240 pos += SHA1_MAC_LEN;
241 } else {
242 hmac_sha1_vector(key, key_len, 4, addr, len,
243 hash);
244 os_memcpy(&buf[pos], hash, plen);
245 break;
247 counter++;
253 * eap_sake_derive_keys - Derive EAP-SAKE keys
254 * @root_secret_a: 16-byte Root-Secret-A
255 * @root_secret_b: 16-byte Root-Secret-B
256 * @rand_s: 16-byte RAND_S
257 * @rand_p: 16-byte RAND_P
258 * @tek: Buffer for Temporary EAK Keys (TEK-Auth[16] | TEK-Cipher[16])
259 * @msk: Buffer for 64-byte MSK
260 * @emsk: Buffer for 64-byte EMSK
262 * This function derives EAP-SAKE keys as defined in RFC 4763, section 3.2.6.
264 void eap_sake_derive_keys(const u8 *root_secret_a, const u8 *root_secret_b,
265 const u8 *rand_s, const u8 *rand_p, u8 *tek, u8 *msk,
266 u8 *emsk)
268 u8 sms_a[EAP_SAKE_SMS_LEN];
269 u8 sms_b[EAP_SAKE_SMS_LEN];
270 u8 key_buf[EAP_MSK_LEN + EAP_EMSK_LEN];
272 wpa_printf(MSG_DEBUG, "EAP-SAKE: Deriving keys");
274 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-A",
275 root_secret_a, EAP_SAKE_ROOT_SECRET_LEN);
276 eap_sake_kdf(root_secret_a, EAP_SAKE_ROOT_SECRET_LEN,
277 "SAKE Master Secret A",
278 rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
279 sms_a, EAP_SAKE_SMS_LEN);
280 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-A", sms_a, EAP_SAKE_SMS_LEN);
281 eap_sake_kdf(sms_a, EAP_SAKE_SMS_LEN, "Transient EAP Key",
282 rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
283 tek, EAP_SAKE_TEK_LEN);
284 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Auth",
285 tek, EAP_SAKE_TEK_AUTH_LEN);
286 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Cipher",
287 tek + EAP_SAKE_TEK_AUTH_LEN, EAP_SAKE_TEK_CIPHER_LEN);
289 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-B",
290 root_secret_b, EAP_SAKE_ROOT_SECRET_LEN);
291 eap_sake_kdf(root_secret_b, EAP_SAKE_ROOT_SECRET_LEN,
292 "SAKE Master Secret B",
293 rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
294 sms_b, EAP_SAKE_SMS_LEN);
295 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-B", sms_b, EAP_SAKE_SMS_LEN);
296 eap_sake_kdf(sms_b, EAP_SAKE_SMS_LEN, "Master Session Key",
297 rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
298 key_buf, sizeof(key_buf));
299 os_memcpy(msk, key_buf, EAP_MSK_LEN);
300 os_memcpy(emsk, key_buf + EAP_MSK_LEN, EAP_EMSK_LEN);
301 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: MSK", msk, EAP_MSK_LEN);
302 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: EMSK", emsk, EAP_EMSK_LEN);
307 * eap_sake_compute_mic - Compute EAP-SAKE MIC for an EAP packet
308 * @tek_auth: 16-byte TEK-Auth
309 * @rand_s: 16-byte RAND_S
310 * @rand_p: 16-byte RAND_P
311 * @serverid: SERVERID
312 * @serverid_len: SERVERID length
313 * @peerid: PEERID
314 * @peerid_len: PEERID length
315 * @peer: MIC calculation for 0 = Server, 1 = Peer message
316 * @eap: EAP packet
317 * @eap_len: EAP packet length
318 * @mic_pos: MIC position in the EAP packet (must be [eap .. eap + eap_len])
319 * @mic: Buffer for the computed 16-byte MIC
321 int eap_sake_compute_mic(const u8 *tek_auth,
322 const u8 *rand_s, const u8 *rand_p,
323 const u8 *serverid, size_t serverid_len,
324 const u8 *peerid, size_t peerid_len,
325 int peer, const u8 *eap, size_t eap_len,
326 const u8 *mic_pos, u8 *mic)
328 u8 _rand[2 * EAP_SAKE_RAND_LEN];
329 u8 *tmp, *pos;
330 size_t tmplen;
332 tmplen = serverid_len + 1 + peerid_len + 1 + eap_len;
333 tmp = os_malloc(tmplen);
334 if (tmp == NULL)
335 return -1;
336 pos = tmp;
337 if (peer) {
338 if (peerid) {
339 os_memcpy(pos, peerid, peerid_len);
340 pos += peerid_len;
342 *pos++ = 0x00;
343 if (serverid) {
344 os_memcpy(pos, serverid, serverid_len);
345 pos += serverid_len;
347 *pos++ = 0x00;
349 os_memcpy(_rand, rand_s, EAP_SAKE_RAND_LEN);
350 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_p,
351 EAP_SAKE_RAND_LEN);
352 } else {
353 if (serverid) {
354 os_memcpy(pos, serverid, serverid_len);
355 pos += serverid_len;
357 *pos++ = 0x00;
358 if (peerid) {
359 os_memcpy(pos, peerid, peerid_len);
360 pos += peerid_len;
362 *pos++ = 0x00;
364 os_memcpy(_rand, rand_p, EAP_SAKE_RAND_LEN);
365 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_s,
366 EAP_SAKE_RAND_LEN);
369 os_memcpy(pos, eap, eap_len);
370 os_memset(pos + (mic_pos - eap), 0, EAP_SAKE_MIC_LEN);
372 eap_sake_kdf(tek_auth, EAP_SAKE_TEK_AUTH_LEN,
373 peer ? "Peer MIC" : "Server MIC",
374 _rand, 2 * EAP_SAKE_RAND_LEN, tmp, tmplen,
375 mic, EAP_SAKE_MIC_LEN);
377 os_free(tmp);
379 return 0;