1 /* 2 * EAP server/peer: EAP-SAKE shared routines 3 * Copyright (c) 2006-2019, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "wpabuf.h" 13 #include "crypto/sha1.h" 14 #include "eap_defs.h" 15 #include "eap_sake_common.h" 16 17 18 static int eap_sake_parse_add_attr(struct eap_sake_parse_attr *attr, 19 u8 attr_id, u8 len, const u8 *data) 20 { 21 size_t i; 22 23 switch (attr_id) { 24 case EAP_SAKE_AT_RAND_S: 25 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_S"); 26 if (len != EAP_SAKE_RAND_LEN) { 27 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_S with " 28 "invalid payload length %d", len); 29 return -1; 30 } 31 attr->rand_s = data; 32 break; 33 case EAP_SAKE_AT_RAND_P: 34 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_P"); 35 if (len != EAP_SAKE_RAND_LEN) { 36 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_P with " 37 "invalid payload length %d", len); 38 return -1; 39 } 40 attr->rand_p = data; 41 break; 42 case EAP_SAKE_AT_MIC_S: 43 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_S"); 44 if (len != EAP_SAKE_MIC_LEN) { 45 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_S with " 46 "invalid payload length %d", len); 47 return -1; 48 } 49 attr->mic_s = data; 50 break; 51 case EAP_SAKE_AT_MIC_P: 52 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_P"); 53 if (len != EAP_SAKE_MIC_LEN) { 54 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_P with " 55 "invalid payload length %d", len); 56 return -1; 57 } 58 attr->mic_p = data; 59 break; 60 case EAP_SAKE_AT_SERVERID: 61 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SERVERID"); 62 attr->serverid = data; 63 attr->serverid_len = len; 64 break; 65 case EAP_SAKE_AT_PEERID: 66 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PEERID"); 67 attr->peerid = data; 68 attr->peerid_len = len; 69 break; 70 case EAP_SAKE_AT_SPI_S: 71 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_S"); 72 attr->spi_s = data; 73 attr->spi_s_len = len; 74 break; 75 case EAP_SAKE_AT_SPI_P: 76 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_P"); 77 attr->spi_p = data; 78 attr->spi_p_len = len; 79 break; 80 case EAP_SAKE_AT_ANY_ID_REQ: 81 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ANY_ID_REQ"); 82 if (len != 2) { 83 wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid AT_ANY_ID_REQ" 84 " payload length %d", len); 85 return -1; 86 } 87 attr->any_id_req = data; 88 break; 89 case EAP_SAKE_AT_PERM_ID_REQ: 90 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PERM_ID_REQ"); 91 if (len != 2) { 92 wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid " 93 "AT_PERM_ID_REQ payload length %d", len); 94 return -1; 95 } 96 attr->perm_id_req = data; 97 break; 98 case EAP_SAKE_AT_ENCR_DATA: 99 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ENCR_DATA"); 100 attr->encr_data = data; 101 attr->encr_data_len = len; 102 break; 103 case EAP_SAKE_AT_IV: 104 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV"); 105 attr->iv = data; 106 attr->iv_len = len; 107 break; 108 case EAP_SAKE_AT_PADDING: 109 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PADDING"); 110 for (i = 0; i < len; i++) { 111 if (data[i]) { 112 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_PADDING " 113 "with non-zero pad byte"); 114 return -1; 115 } 116 } 117 break; 118 case EAP_SAKE_AT_NEXT_TMPID: 119 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_NEXT_TMPID"); 120 attr->next_tmpid = data; 121 attr->next_tmpid_len = len; 122 break; 123 case EAP_SAKE_AT_MSK_LIFE: 124 wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MSK_LIFE"); 125 if (len != 4) { 126 wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid " 127 "AT_MSK_LIFE payload length %d", len); 128 return -1; 129 } 130 attr->msk_life = data; 131 break; 132 default: 133 if (attr_id < 128) { 134 wpa_printf(MSG_DEBUG, "EAP-SAKE: Unknown non-skippable" 135 " attribute %d", attr_id); 136 return -1; 137 } 138 wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring unknown skippable " 139 "attribute %d", attr_id); 140 break; 141 } 142 143 if (attr->iv && !attr->encr_data) { 144 wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_IV included without " 145 "AT_ENCR_DATA"); 146 return -1; 147 } 148 149 return 0; 150 } 151 152 153 /** 154 * eap_sake_parse_attributes - Parse EAP-SAKE attributes 155 * @buf: Packet payload (starting with the first attribute) 156 * @len: Payload length 157 * @attr: Structure to be filled with found attributes 158 * Returns: 0 on success or -1 on failure 159 */ 160 int eap_sake_parse_attributes(const u8 *buf, size_t len, 161 struct eap_sake_parse_attr *attr) 162 { 163 const u8 *pos = buf, *end = buf + len; 164 165 os_memset(attr, 0, sizeof(*attr)); 166 while (pos < end) { 167 u8 attr_id, attr_len; 168 169 if (end - pos < 2) { 170 wpa_printf(MSG_DEBUG, "EAP-SAKE: Too short attribute"); 171 return -1; 172 } 173 174 attr_id = *pos++; 175 attr_len = *pos++; 176 /* Attribute length value includes the Type and Length fields */ 177 if (attr_len < 2) { 178 wpa_printf(MSG_DEBUG, 179 "EAP-SAKE: Invalid attribute length (%d)", 180 attr_len); 181 return -1; 182 } 183 attr_len -= 2; 184 185 if (attr_len > end - pos) { 186 wpa_printf(MSG_DEBUG, "EAP-SAKE: Attribute underflow"); 187 return -1; 188 } 189 190 if (eap_sake_parse_add_attr(attr, attr_id, attr_len, pos)) 191 return -1; 192 193 pos += attr_len; 194 } 195 196 return 0; 197 } 198 199 200 /** 201 * eap_sake_kdf - EAP-SAKE Key Derivation Function (KDF) 202 * @key: Key for KDF 203 * @key_len: Length of the key in bytes 204 * @label: A unique label for each purpose of the KDF 205 * @data: Extra data (start) to bind into the key 206 * @data_len: Length of the data 207 * @data2: Extra data (end) to bind into the key 208 * @data2_len: Length of the data2 209 * @buf: Buffer for the generated pseudo-random key 210 * @buf_len: Number of bytes of key to generate 211 * Returns: 0 on success or -1 on failure 212 * 213 * This function is used to derive new, cryptographically separate keys from a 214 * given key (e.g., SMS). This is identical to the PRF used in IEEE 802.11i. 215 */ 216 static int eap_sake_kdf(const u8 *key, size_t key_len, const char *label, 217 const u8 *data, size_t data_len, 218 const u8 *data2, size_t data2_len, 219 u8 *buf, size_t buf_len) 220 { 221 u8 counter = 0; 222 size_t pos, plen; 223 u8 hash[SHA1_MAC_LEN]; 224 size_t label_len = os_strlen(label) + 1; 225 const unsigned char *addr[4]; 226 size_t len[4]; 227 228 addr[0] = (u8 *) label; /* Label | Y */ 229 len[0] = label_len; 230 addr[1] = data; /* Msg[start] */ 231 len[1] = data_len; 232 addr[2] = data2; /* Msg[end] */ 233 len[2] = data2_len; 234 addr[3] = &counter; /* Length */ 235 len[3] = 1; 236 237 pos = 0; 238 while (pos < buf_len) { 239 plen = buf_len - pos; 240 if (plen >= SHA1_MAC_LEN) { 241 if (hmac_sha1_vector(key, key_len, 4, addr, len, 242 &buf[pos]) < 0) 243 return -1; 244 pos += SHA1_MAC_LEN; 245 } else { 246 if (hmac_sha1_vector(key, key_len, 4, addr, len, 247 hash) < 0) 248 return -1; 249 os_memcpy(&buf[pos], hash, plen); 250 break; 251 } 252 counter++; 253 } 254 255 return 0; 256 } 257 258 259 /** 260 * eap_sake_derive_keys - Derive EAP-SAKE keys 261 * @root_secret_a: 16-byte Root-Secret-A 262 * @root_secret_b: 16-byte Root-Secret-B 263 * @rand_s: 16-byte RAND_S 264 * @rand_p: 16-byte RAND_P 265 * @tek: Buffer for Temporary EAK Keys (TEK-Auth[16] | TEK-Cipher[16]) 266 * @msk: Buffer for 64-byte MSK 267 * @emsk: Buffer for 64-byte EMSK 268 * Returns: 0 on success or -1 on failure 269 * 270 * This function derives EAP-SAKE keys as defined in RFC 4763, section 3.2.6. 271 */ 272 int eap_sake_derive_keys(const u8 *root_secret_a, const u8 *root_secret_b, 273 const u8 *rand_s, const u8 *rand_p, u8 *tek, u8 *msk, 274 u8 *emsk) 275 { 276 u8 sms_a[EAP_SAKE_SMS_LEN]; 277 u8 sms_b[EAP_SAKE_SMS_LEN]; 278 u8 key_buf[EAP_MSK_LEN + EAP_EMSK_LEN]; 279 280 wpa_printf(MSG_DEBUG, "EAP-SAKE: Deriving keys"); 281 282 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-A", 283 root_secret_a, EAP_SAKE_ROOT_SECRET_LEN); 284 if (eap_sake_kdf(root_secret_a, EAP_SAKE_ROOT_SECRET_LEN, 285 "SAKE Master Secret A", 286 rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN, 287 sms_a, EAP_SAKE_SMS_LEN) < 0) 288 return -1; 289 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-A", sms_a, EAP_SAKE_SMS_LEN); 290 if (eap_sake_kdf(sms_a, EAP_SAKE_SMS_LEN, "Transient EAP Key", 291 rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN, 292 tek, EAP_SAKE_TEK_LEN) < 0) 293 return -1; 294 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Auth", 295 tek, EAP_SAKE_TEK_AUTH_LEN); 296 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Cipher", 297 tek + EAP_SAKE_TEK_AUTH_LEN, EAP_SAKE_TEK_CIPHER_LEN); 298 299 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-B", 300 root_secret_b, EAP_SAKE_ROOT_SECRET_LEN); 301 if (eap_sake_kdf(root_secret_b, EAP_SAKE_ROOT_SECRET_LEN, 302 "SAKE Master Secret B", 303 rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN, 304 sms_b, EAP_SAKE_SMS_LEN) < 0) 305 return -1; 306 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-B", sms_b, EAP_SAKE_SMS_LEN); 307 if (eap_sake_kdf(sms_b, EAP_SAKE_SMS_LEN, "Master Session Key", 308 rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN, 309 key_buf, sizeof(key_buf)) < 0) 310 return -1; 311 os_memcpy(msk, key_buf, EAP_MSK_LEN); 312 os_memcpy(emsk, key_buf + EAP_MSK_LEN, EAP_EMSK_LEN); 313 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: MSK", msk, EAP_MSK_LEN); 314 wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: EMSK", emsk, EAP_EMSK_LEN); 315 return 0; 316 } 317 318 319 /** 320 * eap_sake_compute_mic - Compute EAP-SAKE MIC for an EAP packet 321 * @tek_auth: 16-byte TEK-Auth 322 * @rand_s: 16-byte RAND_S 323 * @rand_p: 16-byte RAND_P 324 * @serverid: SERVERID 325 * @serverid_len: SERVERID length 326 * @peerid: PEERID 327 * @peerid_len: PEERID length 328 * @peer: MIC calculation for 0 = Server, 1 = Peer message 329 * @eap: EAP packet 330 * @eap_len: EAP packet length 331 * @mic_pos: MIC position in the EAP packet (must be [eap .. eap + eap_len]) 332 * @mic: Buffer for the computed 16-byte MIC 333 * Returns: 0 on success or -1 on failure 334 */ 335 int eap_sake_compute_mic(const u8 *tek_auth, 336 const u8 *rand_s, const u8 *rand_p, 337 const u8 *serverid, size_t serverid_len, 338 const u8 *peerid, size_t peerid_len, 339 int peer, const u8 *eap, size_t eap_len, 340 const u8 *mic_pos, u8 *mic) 341 { 342 u8 _rand[2 * EAP_SAKE_RAND_LEN]; 343 u8 *tmp, *pos; 344 size_t tmplen; 345 int ret; 346 347 tmplen = serverid_len + 1 + peerid_len + 1 + eap_len; 348 tmp = os_malloc(tmplen); 349 if (tmp == NULL) 350 return -1; 351 pos = tmp; 352 if (peer) { 353 if (peerid) { 354 os_memcpy(pos, peerid, peerid_len); 355 pos += peerid_len; 356 } 357 *pos++ = 0x00; 358 if (serverid) { 359 os_memcpy(pos, serverid, serverid_len); 360 pos += serverid_len; 361 } 362 *pos++ = 0x00; 363 364 os_memcpy(_rand, rand_s, EAP_SAKE_RAND_LEN); 365 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_p, 366 EAP_SAKE_RAND_LEN); 367 } else { 368 if (serverid) { 369 os_memcpy(pos, serverid, serverid_len); 370 pos += serverid_len; 371 } 372 *pos++ = 0x00; 373 if (peerid) { 374 os_memcpy(pos, peerid, peerid_len); 375 pos += peerid_len; 376 } 377 *pos++ = 0x00; 378 379 os_memcpy(_rand, rand_p, EAP_SAKE_RAND_LEN); 380 os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_s, 381 EAP_SAKE_RAND_LEN); 382 } 383 384 os_memcpy(pos, eap, eap_len); 385 os_memset(pos + (mic_pos - eap), 0, EAP_SAKE_MIC_LEN); 386 387 ret = eap_sake_kdf(tek_auth, EAP_SAKE_TEK_AUTH_LEN, 388 peer ? "Peer MIC" : "Server MIC", 389 _rand, 2 * EAP_SAKE_RAND_LEN, tmp, tmplen, 390 mic, EAP_SAKE_MIC_LEN); 391 392 os_free(tmp); 393 394 return ret; 395 } 396 397 398 void eap_sake_add_attr(struct wpabuf *buf, u8 type, const u8 *data, 399 size_t len) 400 { 401 wpabuf_put_u8(buf, type); 402 wpabuf_put_u8(buf, 2 + len); /* Length; including attr header */ 403 if (data) 404 wpabuf_put_data(buf, data, len); 405 else 406 os_memset(wpabuf_put(buf, len), 0, len); 407 } 408