1 /*
2 * EAP server/peer: EAP-SAKE shared routines
3 * Copyright (c) 2006-2019, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "wpabuf.h"
13 #include "crypto/sha1.h"
14 #include "eap_defs.h"
15 #include "eap_sake_common.h"
16
17
eap_sake_parse_add_attr(struct eap_sake_parse_attr * attr,u8 attr_id,u8 len,const u8 * data)18 static int eap_sake_parse_add_attr(struct eap_sake_parse_attr *attr,
19 u8 attr_id, u8 len, const u8 *data)
20 {
21 size_t i;
22
23 switch (attr_id) {
24 case EAP_SAKE_AT_RAND_S:
25 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_S");
26 if (len != EAP_SAKE_RAND_LEN) {
27 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_S with "
28 "invalid payload length %d", len);
29 return -1;
30 }
31 attr->rand_s = data;
32 break;
33 case EAP_SAKE_AT_RAND_P:
34 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_P");
35 if (len != EAP_SAKE_RAND_LEN) {
36 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_P with "
37 "invalid payload length %d", len);
38 return -1;
39 }
40 attr->rand_p = data;
41 break;
42 case EAP_SAKE_AT_MIC_S:
43 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_S");
44 if (len != EAP_SAKE_MIC_LEN) {
45 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_S with "
46 "invalid payload length %d", len);
47 return -1;
48 }
49 attr->mic_s = data;
50 break;
51 case EAP_SAKE_AT_MIC_P:
52 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_P");
53 if (len != EAP_SAKE_MIC_LEN) {
54 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_P with "
55 "invalid payload length %d", len);
56 return -1;
57 }
58 attr->mic_p = data;
59 break;
60 case EAP_SAKE_AT_SERVERID:
61 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SERVERID");
62 attr->serverid = data;
63 attr->serverid_len = len;
64 break;
65 case EAP_SAKE_AT_PEERID:
66 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PEERID");
67 attr->peerid = data;
68 attr->peerid_len = len;
69 break;
70 case EAP_SAKE_AT_SPI_S:
71 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_S");
72 attr->spi_s = data;
73 attr->spi_s_len = len;
74 break;
75 case EAP_SAKE_AT_SPI_P:
76 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_P");
77 attr->spi_p = data;
78 attr->spi_p_len = len;
79 break;
80 case EAP_SAKE_AT_ANY_ID_REQ:
81 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ANY_ID_REQ");
82 if (len != 2) {
83 wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid AT_ANY_ID_REQ"
84 " payload length %d", len);
85 return -1;
86 }
87 attr->any_id_req = data;
88 break;
89 case EAP_SAKE_AT_PERM_ID_REQ:
90 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PERM_ID_REQ");
91 if (len != 2) {
92 wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
93 "AT_PERM_ID_REQ payload length %d", len);
94 return -1;
95 }
96 attr->perm_id_req = data;
97 break;
98 case EAP_SAKE_AT_ENCR_DATA:
99 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ENCR_DATA");
100 attr->encr_data = data;
101 attr->encr_data_len = len;
102 break;
103 case EAP_SAKE_AT_IV:
104 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
105 attr->iv = data;
106 attr->iv_len = len;
107 break;
108 case EAP_SAKE_AT_PADDING:
109 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PADDING");
110 for (i = 0; i < len; i++) {
111 if (data[i]) {
112 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_PADDING "
113 "with non-zero pad byte");
114 return -1;
115 }
116 }
117 break;
118 case EAP_SAKE_AT_NEXT_TMPID:
119 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_NEXT_TMPID");
120 attr->next_tmpid = data;
121 attr->next_tmpid_len = len;
122 break;
123 case EAP_SAKE_AT_MSK_LIFE:
124 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MSK_LIFE");
125 if (len != 4) {
126 wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
127 "AT_MSK_LIFE payload length %d", len);
128 return -1;
129 }
130 attr->msk_life = data;
131 break;
132 default:
133 if (attr_id < 128) {
134 wpa_printf(MSG_DEBUG, "EAP-SAKE: Unknown non-skippable"
135 " attribute %d", attr_id);
136 return -1;
137 }
138 wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring unknown skippable "
139 "attribute %d", attr_id);
140 break;
141 }
142
143 if (attr->iv && !attr->encr_data) {
144 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_IV included without "
145 "AT_ENCR_DATA");
146 return -1;
147 }
148
149 return 0;
150 }
151
152
153 /**
154 * eap_sake_parse_attributes - Parse EAP-SAKE attributes
155 * @buf: Packet payload (starting with the first attribute)
156 * @len: Payload length
157 * @attr: Structure to be filled with found attributes
158 * Returns: 0 on success or -1 on failure
159 */
eap_sake_parse_attributes(const u8 * buf,size_t len,struct eap_sake_parse_attr * attr)160 int eap_sake_parse_attributes(const u8 *buf, size_t len,
161 struct eap_sake_parse_attr *attr)
162 {
163 const u8 *pos = buf, *end = buf + len;
164
165 os_memset(attr, 0, sizeof(*attr));
166 while (pos < end) {
167 u8 attr_id, attr_len;
168
169 if (end - pos < 2) {
170 wpa_printf(MSG_DEBUG, "EAP-SAKE: Too short attribute");
171 return -1;
172 }
173
174 attr_id = *pos++;
175 attr_len = *pos++;
176 /* Attribute length value includes the Type and Length fields */
177 if (attr_len < 2) {
178 wpa_printf(MSG_DEBUG,
179 "EAP-SAKE: Invalid attribute length (%d)",
180 attr_len);
181 return -1;
182 }
183 attr_len -= 2;
184
185 if (attr_len > end - pos) {
186 wpa_printf(MSG_DEBUG, "EAP-SAKE: Attribute underflow");
187 return -1;
188 }
189
190 if (eap_sake_parse_add_attr(attr, attr_id, attr_len, pos))
191 return -1;
192
193 pos += attr_len;
194 }
195
196 return 0;
197 }
198
199
200 /**
201 * eap_sake_kdf - EAP-SAKE Key Derivation Function (KDF)
202 * @key: Key for KDF
203 * @key_len: Length of the key in bytes
204 * @label: A unique label for each purpose of the KDF
205 * @data: Extra data (start) to bind into the key
206 * @data_len: Length of the data
207 * @data2: Extra data (end) to bind into the key
208 * @data2_len: Length of the data2
209 * @buf: Buffer for the generated pseudo-random key
210 * @buf_len: Number of bytes of key to generate
211 * Returns: 0 on success or -1 on failure
212 *
213 * This function is used to derive new, cryptographically separate keys from a
214 * given key (e.g., SMS). This is identical to the PRF used in IEEE 802.11i.
215 */
eap_sake_kdf(const u8 * key,size_t key_len,const char * label,const u8 * data,size_t data_len,const u8 * data2,size_t data2_len,u8 * buf,size_t buf_len)216 static int eap_sake_kdf(const u8 *key, size_t key_len, const char *label,
217 const u8 *data, size_t data_len,
218 const u8 *data2, size_t data2_len,
219 u8 *buf, size_t buf_len)
220 {
221 u8 counter = 0;
222 size_t pos, plen;
223 u8 hash[SHA1_MAC_LEN];
224 size_t label_len = os_strlen(label) + 1;
225 const unsigned char *addr[4];
226 size_t len[4];
227
228 addr[0] = (u8 *) label; /* Label | Y */
229 len[0] = label_len;
230 addr[1] = data; /* Msg[start] */
231 len[1] = data_len;
232 addr[2] = data2; /* Msg[end] */
233 len[2] = data2_len;
234 addr[3] = &counter; /* Length */
235 len[3] = 1;
236
237 pos = 0;
238 while (pos < buf_len) {
239 plen = buf_len - pos;
240 if (plen >= SHA1_MAC_LEN) {
241 if (hmac_sha1_vector(key, key_len, 4, addr, len,
242 &buf[pos]) < 0)
243 return -1;
244 pos += SHA1_MAC_LEN;
245 } else {
246 if (hmac_sha1_vector(key, key_len, 4, addr, len,
247 hash) < 0)
248 return -1;
249 os_memcpy(&buf[pos], hash, plen);
250 break;
251 }
252 counter++;
253 }
254
255 return 0;
256 }
257
258
259 /**
260 * eap_sake_derive_keys - Derive EAP-SAKE keys
261 * @root_secret_a: 16-byte Root-Secret-A
262 * @root_secret_b: 16-byte Root-Secret-B
263 * @rand_s: 16-byte RAND_S
264 * @rand_p: 16-byte RAND_P
265 * @tek: Buffer for Temporary EAK Keys (TEK-Auth[16] | TEK-Cipher[16])
266 * @msk: Buffer for 64-byte MSK
267 * @emsk: Buffer for 64-byte EMSK
268 * Returns: 0 on success or -1 on failure
269 *
270 * This function derives EAP-SAKE keys as defined in RFC 4763, section 3.2.6.
271 */
eap_sake_derive_keys(const u8 * root_secret_a,const u8 * root_secret_b,const u8 * rand_s,const u8 * rand_p,u8 * tek,u8 * msk,u8 * emsk)272 int eap_sake_derive_keys(const u8 *root_secret_a, const u8 *root_secret_b,
273 const u8 *rand_s, const u8 *rand_p, u8 *tek, u8 *msk,
274 u8 *emsk)
275 {
276 u8 sms_a[EAP_SAKE_SMS_LEN];
277 u8 sms_b[EAP_SAKE_SMS_LEN];
278 u8 key_buf[EAP_MSK_LEN + EAP_EMSK_LEN];
279
280 wpa_printf(MSG_DEBUG, "EAP-SAKE: Deriving keys");
281
282 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-A",
283 root_secret_a, EAP_SAKE_ROOT_SECRET_LEN);
284 if (eap_sake_kdf(root_secret_a, EAP_SAKE_ROOT_SECRET_LEN,
285 "SAKE Master Secret A",
286 rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
287 sms_a, EAP_SAKE_SMS_LEN) < 0)
288 return -1;
289 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-A", sms_a, EAP_SAKE_SMS_LEN);
290 if (eap_sake_kdf(sms_a, EAP_SAKE_SMS_LEN, "Transient EAP Key",
291 rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
292 tek, EAP_SAKE_TEK_LEN) < 0)
293 return -1;
294 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Auth",
295 tek, EAP_SAKE_TEK_AUTH_LEN);
296 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Cipher",
297 tek + EAP_SAKE_TEK_AUTH_LEN, EAP_SAKE_TEK_CIPHER_LEN);
298
299 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-B",
300 root_secret_b, EAP_SAKE_ROOT_SECRET_LEN);
301 if (eap_sake_kdf(root_secret_b, EAP_SAKE_ROOT_SECRET_LEN,
302 "SAKE Master Secret B",
303 rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
304 sms_b, EAP_SAKE_SMS_LEN) < 0)
305 return -1;
306 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-B", sms_b, EAP_SAKE_SMS_LEN);
307 if (eap_sake_kdf(sms_b, EAP_SAKE_SMS_LEN, "Master Session Key",
308 rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
309 key_buf, sizeof(key_buf)) < 0)
310 return -1;
311 os_memcpy(msk, key_buf, EAP_MSK_LEN);
312 os_memcpy(emsk, key_buf + EAP_MSK_LEN, EAP_EMSK_LEN);
313 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: MSK", msk, EAP_MSK_LEN);
314 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: EMSK", emsk, EAP_EMSK_LEN);
315 return 0;
316 }
317
318
319 /**
320 * eap_sake_compute_mic - Compute EAP-SAKE MIC for an EAP packet
321 * @tek_auth: 16-byte TEK-Auth
322 * @rand_s: 16-byte RAND_S
323 * @rand_p: 16-byte RAND_P
324 * @serverid: SERVERID
325 * @serverid_len: SERVERID length
326 * @peerid: PEERID
327 * @peerid_len: PEERID length
328 * @peer: MIC calculation for 0 = Server, 1 = Peer message
329 * @eap: EAP packet
330 * @eap_len: EAP packet length
331 * @mic_pos: MIC position in the EAP packet (must be [eap .. eap + eap_len])
332 * @mic: Buffer for the computed 16-byte MIC
333 * Returns: 0 on success or -1 on failure
334 */
eap_sake_compute_mic(const u8 * tek_auth,const u8 * rand_s,const u8 * rand_p,const u8 * serverid,size_t serverid_len,const u8 * peerid,size_t peerid_len,int peer,const u8 * eap,size_t eap_len,const u8 * mic_pos,u8 * mic)335 int eap_sake_compute_mic(const u8 *tek_auth,
336 const u8 *rand_s, const u8 *rand_p,
337 const u8 *serverid, size_t serverid_len,
338 const u8 *peerid, size_t peerid_len,
339 int peer, const u8 *eap, size_t eap_len,
340 const u8 *mic_pos, u8 *mic)
341 {
342 u8 _rand[2 * EAP_SAKE_RAND_LEN];
343 u8 *tmp, *pos;
344 size_t tmplen;
345 int ret;
346
347 tmplen = serverid_len + 1 + peerid_len + 1 + eap_len;
348 tmp = os_malloc(tmplen);
349 if (tmp == NULL)
350 return -1;
351 pos = tmp;
352 if (peer) {
353 if (peerid) {
354 os_memcpy(pos, peerid, peerid_len);
355 pos += peerid_len;
356 }
357 *pos++ = 0x00;
358 if (serverid) {
359 os_memcpy(pos, serverid, serverid_len);
360 pos += serverid_len;
361 }
362 *pos++ = 0x00;
363
364 os_memcpy(_rand, rand_s, EAP_SAKE_RAND_LEN);
365 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_p,
366 EAP_SAKE_RAND_LEN);
367 } else {
368 if (serverid) {
369 os_memcpy(pos, serverid, serverid_len);
370 pos += serverid_len;
371 }
372 *pos++ = 0x00;
373 if (peerid) {
374 os_memcpy(pos, peerid, peerid_len);
375 pos += peerid_len;
376 }
377 *pos++ = 0x00;
378
379 os_memcpy(_rand, rand_p, EAP_SAKE_RAND_LEN);
380 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_s,
381 EAP_SAKE_RAND_LEN);
382 }
383
384 os_memcpy(pos, eap, eap_len);
385 os_memset(pos + (mic_pos - eap), 0, EAP_SAKE_MIC_LEN);
386
387 ret = eap_sake_kdf(tek_auth, EAP_SAKE_TEK_AUTH_LEN,
388 peer ? "Peer MIC" : "Server MIC",
389 _rand, 2 * EAP_SAKE_RAND_LEN, tmp, tmplen,
390 mic, EAP_SAKE_MIC_LEN);
391
392 os_free(tmp);
393
394 return ret;
395 }
396
397
eap_sake_add_attr(struct wpabuf * buf,u8 type,const u8 * data,size_t len)398 void eap_sake_add_attr(struct wpabuf *buf, u8 type, const u8 *data,
399 size_t len)
400 {
401 wpabuf_put_u8(buf, type);
402 wpabuf_put_u8(buf, 2 + len); /* Length; including attr header */
403 if (data)
404 wpabuf_put_data(buf, data, len);
405 else
406 os_memset(wpabuf_put(buf, len), 0, len);
407 }
408