2 * WPA Supplicant / EAP-PAX shared routines
3 * Copyright (c) 2005, Jouni Malinen <jkmaline@cc.hut.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
21 #include "eap_pax_common.h"
25 * eap_pax_kdf - PAX Key Derivation Function
26 * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported
27 * @key: Secret key (X)
28 * @key_len: Length of the secret key in bytes
29 * @identifier: Public identifier for the key (Y)
30 * @entropy: Exchanged entropy to seed the KDF (Z)
31 * @entropy_len: Length of the entropy in bytes
32 * @output_len: Output len in bytes (W)
33 * @output: Buffer for the derived key
34 * Returns: 0 on success, -1 failed
36 * draft-clancy-eap-pax-04.txt, chap. 2.5: PAX-KDF-W(X, Y, Z)
38 int eap_pax_kdf(u8 mac_id
, const u8
*key
, size_t key_len
,
39 const char *identifier
,
40 const u8
*entropy
, size_t entropy_len
,
41 size_t output_len
, u8
*output
)
47 size_t num_blocks
, left
;
49 num_blocks
= (output_len
+ EAP_PAX_MAC_LEN
- 1) / EAP_PAX_MAC_LEN
;
50 if (identifier
== NULL
|| num_blocks
>= 255)
53 /* TODO: add support for EAP_PAX_MAC_AES_CBC_MAC_128 */
54 if (mac_id
!= EAP_PAX_MAC_HMAC_SHA1_128
)
57 addr
[0] = (const u8
*) identifier
;
58 len
[0] = strlen(identifier
);
66 for (counter
= 1; counter
<= (u8
) num_blocks
; counter
++) {
67 size_t clen
= left
> EAP_PAX_MAC_LEN
? EAP_PAX_MAC_LEN
: left
;
68 hmac_sha1_vector(key
, key_len
, 3, addr
, len
, mac
);
69 memcpy(pos
, mac
, clen
);
79 * eap_pax_mac - EAP-PAX MAC
80 * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported
82 * @key_len: Length of the secret key in bytes
83 * @data1: Optional data, first block; %NULL if not used
84 * @data1_len: Length of data1 in bytes
85 * @data2: Optional data, second block; %NULL if not used
86 * @data2_len: Length of data2 in bytes
87 * @data3: Optional data, third block; %NULL if not used
88 * @data3_len: Length of data3 in bytes
89 * @mac: Buffer for the MAC value (EAP_PAX_MAC_LEN = 16 bytes)
90 * Returns: 0 on success, -1 on failure
92 * Wrapper function to calculate EAP-PAX MAC.
94 int eap_pax_mac(u8 mac_id
, const u8
*key
, size_t key_len
,
95 const u8
*data1
, size_t data1_len
,
96 const u8
*data2
, size_t data2_len
,
97 const u8
*data3
, size_t data3_len
,
100 u8 hash
[SHA1_MAC_LEN
];
105 /* TODO: add support for EAP_PAX_MAC_AES_CBC_MAC_128 */
106 if (mac_id
!= EAP_PAX_MAC_HMAC_SHA1_128
)
116 count
= (data1
? 1 : 0) + (data2
? 1 : 0) + (data3
? 1 : 0);
117 hmac_sha1_vector(key
, key_len
, count
, addr
, len
, hash
);
118 memcpy(mac
, hash
, EAP_PAX_MAC_LEN
);
125 * eap_pax_initial_key_derivation - EAP-PAX initial key derivation
126 * @mac_id: MAC ID (EAP_PAX_MAC_*) / currently, only HMAC_SHA1_128 is supported
127 * @ak: Authentication Key
129 * @mk: Buffer for the derived Master Key
130 * @ck: Buffer for the derived Confirmation Key
131 * @ick: Buffer for the derived Integrity Check Key
132 * Returns: 0 on success, -1 on failure
134 int eap_pax_initial_key_derivation(u8 mac_id
, const u8
*ak
, const u8
*e
,
135 u8
*mk
, u8
*ck
, u8
*ick
)
137 wpa_printf(MSG_DEBUG
, "EAP-PAX: initial key derivation");
138 if (eap_pax_kdf(mac_id
, ak
, EAP_PAX_AK_LEN
, "Master Key",
139 e
, 2 * EAP_PAX_RAND_LEN
, EAP_PAX_MK_LEN
, mk
) ||
140 eap_pax_kdf(mac_id
, mk
, EAP_PAX_MK_LEN
, "Confirmation Key",
141 e
, 2 * EAP_PAX_RAND_LEN
, EAP_PAX_CK_LEN
, ck
) ||
142 eap_pax_kdf(mac_id
, mk
, EAP_PAX_MK_LEN
, "Integrity Check Key",
143 e
, 2 * EAP_PAX_RAND_LEN
, EAP_PAX_ICK_LEN
, ick
))
146 wpa_hexdump_key(MSG_MSGDUMP
, "EAP-PAX: AK", ak
, EAP_PAX_AK_LEN
);
147 wpa_hexdump_key(MSG_MSGDUMP
, "EAP-PAX: MK", mk
, EAP_PAX_MK_LEN
);
148 wpa_hexdump_key(MSG_MSGDUMP
, "EAP-PAX: CK", ck
, EAP_PAX_CK_LEN
);
149 wpa_hexdump_key(MSG_MSGDUMP
, "EAP-PAX: ICK", ick
, EAP_PAX_ICK_LEN
);