xref: /freebsd/contrib/wpa/src/eap_common/eap_fast_common.c (revision 7750ad47a9a7dbc83f87158464170c8640723293)
1 /*
2  * EAP-FAST common helper functions (RFC 4851)
3  * Copyright (c) 2008, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14 
15 #include "includes.h"
16 
17 #include "common.h"
18 #include "crypto/sha1.h"
19 #include "crypto/tls.h"
20 #include "eap_defs.h"
21 #include "eap_tlv_common.h"
22 #include "eap_fast_common.h"
23 
24 
25 void eap_fast_put_tlv_hdr(struct wpabuf *buf, u16 type, u16 len)
26 {
27 	struct pac_tlv_hdr hdr;
28 	hdr.type = host_to_be16(type);
29 	hdr.len = host_to_be16(len);
30 	wpabuf_put_data(buf, &hdr, sizeof(hdr));
31 }
32 
33 
34 void eap_fast_put_tlv(struct wpabuf *buf, u16 type, const void *data,
35 			     u16 len)
36 {
37 	eap_fast_put_tlv_hdr(buf, type, len);
38 	wpabuf_put_data(buf, data, len);
39 }
40 
41 
42 void eap_fast_put_tlv_buf(struct wpabuf *buf, u16 type,
43 				 const struct wpabuf *data)
44 {
45 	eap_fast_put_tlv_hdr(buf, type, wpabuf_len(data));
46 	wpabuf_put_buf(buf, data);
47 }
48 
49 
50 struct wpabuf * eap_fast_tlv_eap_payload(struct wpabuf *buf)
51 {
52 	struct wpabuf *e;
53 
54 	if (buf == NULL)
55 		return NULL;
56 
57 	/* Encapsulate EAP packet in EAP-Payload TLV */
58 	wpa_printf(MSG_DEBUG, "EAP-FAST: Add EAP-Payload TLV");
59 	e = wpabuf_alloc(sizeof(struct pac_tlv_hdr) + wpabuf_len(buf));
60 	if (e == NULL) {
61 		wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory "
62 			   "for TLV encapsulation");
63 		wpabuf_free(buf);
64 		return NULL;
65 	}
66 	eap_fast_put_tlv_buf(e,
67 			     EAP_TLV_TYPE_MANDATORY | EAP_TLV_EAP_PAYLOAD_TLV,
68 			     buf);
69 	wpabuf_free(buf);
70 	return e;
71 }
72 
73 
74 void eap_fast_derive_master_secret(const u8 *pac_key, const u8 *server_random,
75 				   const u8 *client_random, u8 *master_secret)
76 {
77 #define TLS_RANDOM_LEN 32
78 #define TLS_MASTER_SECRET_LEN 48
79 	u8 seed[2 * TLS_RANDOM_LEN];
80 
81 	wpa_hexdump(MSG_DEBUG, "EAP-FAST: client_random",
82 		    client_random, TLS_RANDOM_LEN);
83 	wpa_hexdump(MSG_DEBUG, "EAP-FAST: server_random",
84 		    server_random, TLS_RANDOM_LEN);
85 
86 	/*
87 	 * RFC 4851, Section 5.1:
88 	 * master_secret = T-PRF(PAC-Key, "PAC to master secret label hash",
89 	 *                       server_random + client_random, 48)
90 	 */
91 	os_memcpy(seed, server_random, TLS_RANDOM_LEN);
92 	os_memcpy(seed + TLS_RANDOM_LEN, client_random, TLS_RANDOM_LEN);
93 	sha1_t_prf(pac_key, EAP_FAST_PAC_KEY_LEN,
94 		   "PAC to master secret label hash",
95 		   seed, sizeof(seed), master_secret, TLS_MASTER_SECRET_LEN);
96 
97 	wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: master_secret",
98 			master_secret, TLS_MASTER_SECRET_LEN);
99 }
100 
101 
102 u8 * eap_fast_derive_key(void *ssl_ctx, struct tls_connection *conn,
103 			 const char *label, size_t len)
104 {
105 	struct tls_keys keys;
106 	u8 *rnd = NULL, *out;
107 	int block_size;
108 
109 	block_size = tls_connection_get_keyblock_size(ssl_ctx, conn);
110 	if (block_size < 0)
111 		return NULL;
112 
113 	out = os_malloc(block_size + len);
114 	if (out == NULL)
115 		return NULL;
116 
117 	if (tls_connection_prf(ssl_ctx, conn, label, 1, out, block_size + len)
118 	    == 0) {
119 		os_memmove(out, out + block_size, len);
120 		return out;
121 	}
122 
123 	if (tls_connection_get_keys(ssl_ctx, conn, &keys))
124 		goto fail;
125 
126 	rnd = os_malloc(keys.client_random_len + keys.server_random_len);
127 	if (rnd == NULL)
128 		goto fail;
129 
130 	os_memcpy(rnd, keys.server_random, keys.server_random_len);
131 	os_memcpy(rnd + keys.server_random_len, keys.client_random,
132 		  keys.client_random_len);
133 
134 	wpa_hexdump_key(MSG_MSGDUMP, "EAP-FAST: master_secret for key "
135 			"expansion", keys.master_key, keys.master_key_len);
136 	if (tls_prf(keys.master_key, keys.master_key_len,
137 		    label, rnd, keys.client_random_len +
138 		    keys.server_random_len, out, block_size + len))
139 		goto fail;
140 	os_free(rnd);
141 	os_memmove(out, out + block_size, len);
142 	return out;
143 
144 fail:
145 	os_free(rnd);
146 	os_free(out);
147 	return NULL;
148 }
149 
150 
151 void eap_fast_derive_eap_msk(const u8 *simck, u8 *msk)
152 {
153 	/*
154 	 * RFC 4851, Section 5.4: EAP Master Session Key Generation
155 	 * MSK = T-PRF(S-IMCK[j], "Session Key Generating Function", 64)
156 	 */
157 
158 	sha1_t_prf(simck, EAP_FAST_SIMCK_LEN,
159 		   "Session Key Generating Function", (u8 *) "", 0,
160 		   msk, EAP_FAST_KEY_LEN);
161 	wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (MSK)",
162 			msk, EAP_FAST_KEY_LEN);
163 }
164 
165 
166 void eap_fast_derive_eap_emsk(const u8 *simck, u8 *emsk)
167 {
168 	/*
169 	 * RFC 4851, Section 5.4: EAP Master Session Key Genreration
170 	 * EMSK = T-PRF(S-IMCK[j],
171 	 *        "Extended Session Key Generating Function", 64)
172 	 */
173 
174 	sha1_t_prf(simck, EAP_FAST_SIMCK_LEN,
175 		   "Extended Session Key Generating Function", (u8 *) "", 0,
176 		   emsk, EAP_EMSK_LEN);
177 	wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (EMSK)",
178 			emsk, EAP_EMSK_LEN);
179 }
180 
181 
182 int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv,
183 		       int tlv_type, u8 *pos, int len)
184 {
185 	switch (tlv_type) {
186 	case EAP_TLV_EAP_PAYLOAD_TLV:
187 		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: EAP-Payload TLV",
188 			    pos, len);
189 		if (tlv->eap_payload_tlv) {
190 			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
191 				   "EAP-Payload TLV in the message");
192 			tlv->iresult = EAP_TLV_RESULT_FAILURE;
193 			return -2;
194 		}
195 		tlv->eap_payload_tlv = pos;
196 		tlv->eap_payload_tlv_len = len;
197 		break;
198 	case EAP_TLV_RESULT_TLV:
199 		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Result TLV", pos, len);
200 		if (tlv->result) {
201 			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
202 				   "Result TLV in the message");
203 			tlv->result = EAP_TLV_RESULT_FAILURE;
204 			return -2;
205 		}
206 		if (len < 2) {
207 			wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
208 				   "Result TLV");
209 			tlv->result = EAP_TLV_RESULT_FAILURE;
210 			break;
211 		}
212 		tlv->result = WPA_GET_BE16(pos);
213 		if (tlv->result != EAP_TLV_RESULT_SUCCESS &&
214 		    tlv->result != EAP_TLV_RESULT_FAILURE) {
215 			wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Result %d",
216 				   tlv->result);
217 			tlv->result = EAP_TLV_RESULT_FAILURE;
218 		}
219 		wpa_printf(MSG_DEBUG, "EAP-FAST: Result: %s",
220 			   tlv->result == EAP_TLV_RESULT_SUCCESS ?
221 			   "Success" : "Failure");
222 		break;
223 	case EAP_TLV_INTERMEDIATE_RESULT_TLV:
224 		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Intermediate Result TLV",
225 			    pos, len);
226 		if (len < 2) {
227 			wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
228 				   "Intermediate-Result TLV");
229 			tlv->iresult = EAP_TLV_RESULT_FAILURE;
230 			break;
231 		}
232 		if (tlv->iresult) {
233 			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
234 				   "Intermediate-Result TLV in the message");
235 			tlv->iresult = EAP_TLV_RESULT_FAILURE;
236 			return -2;
237 		}
238 		tlv->iresult = WPA_GET_BE16(pos);
239 		if (tlv->iresult != EAP_TLV_RESULT_SUCCESS &&
240 		    tlv->iresult != EAP_TLV_RESULT_FAILURE) {
241 			wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Intermediate "
242 				   "Result %d", tlv->iresult);
243 			tlv->iresult = EAP_TLV_RESULT_FAILURE;
244 		}
245 		wpa_printf(MSG_DEBUG, "EAP-FAST: Intermediate Result: %s",
246 			   tlv->iresult == EAP_TLV_RESULT_SUCCESS ?
247 			   "Success" : "Failure");
248 		break;
249 	case EAP_TLV_CRYPTO_BINDING_TLV:
250 		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV",
251 			    pos, len);
252 		if (tlv->crypto_binding) {
253 			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
254 				   "Crypto-Binding TLV in the message");
255 			tlv->iresult = EAP_TLV_RESULT_FAILURE;
256 			return -2;
257 		}
258 		tlv->crypto_binding_len = sizeof(struct eap_tlv_hdr) + len;
259 		if (tlv->crypto_binding_len < sizeof(*tlv->crypto_binding)) {
260 			wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
261 				   "Crypto-Binding TLV");
262 			tlv->iresult = EAP_TLV_RESULT_FAILURE;
263 			return -2;
264 		}
265 		tlv->crypto_binding = (struct eap_tlv_crypto_binding_tlv *)
266 			(pos - sizeof(struct eap_tlv_hdr));
267 		break;
268 	case EAP_TLV_REQUEST_ACTION_TLV:
269 		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Request-Action TLV",
270 			    pos, len);
271 		if (tlv->request_action) {
272 			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
273 				   "Request-Action TLV in the message");
274 			tlv->iresult = EAP_TLV_RESULT_FAILURE;
275 			return -2;
276 		}
277 		if (len < 2) {
278 			wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
279 				   "Request-Action TLV");
280 			tlv->iresult = EAP_TLV_RESULT_FAILURE;
281 			break;
282 		}
283 		tlv->request_action = WPA_GET_BE16(pos);
284 		wpa_printf(MSG_DEBUG, "EAP-FAST: Request-Action: %d",
285 			   tlv->request_action);
286 		break;
287 	case EAP_TLV_PAC_TLV:
288 		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: PAC TLV", pos, len);
289 		if (tlv->pac) {
290 			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
291 				   "PAC TLV in the message");
292 			tlv->iresult = EAP_TLV_RESULT_FAILURE;
293 			return -2;
294 		}
295 		tlv->pac = pos;
296 		tlv->pac_len = len;
297 		break;
298 	default:
299 		/* Unknown TLV */
300 		return -1;
301 	}
302 
303 	return 0;
304 }
305