1/*
2 * EAP server/peer: EAP-SAKE shared routines
3 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15#include "includes.h"
16
17#include "common.h"
18#include "wpabuf.h"
19#include "crypto/sha1.h"
20#include "eap_defs.h"
21#include "eap_sake_common.h"
22
23
24static int eap_sake_parse_add_attr(struct eap_sake_parse_attr *attr,
25				   const u8 *pos)
26{
27	size_t i;
28
29	switch (pos[0]) {
30	case EAP_SAKE_AT_RAND_S:
31		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_S");
32		if (pos[1] != 2 + EAP_SAKE_RAND_LEN) {
33			wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_S with "
34				   "invalid length %d", pos[1]);
35			return -1;
36		}
37		attr->rand_s = pos + 2;
38		break;
39	case EAP_SAKE_AT_RAND_P:
40		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_P");
41		if (pos[1] != 2 + EAP_SAKE_RAND_LEN) {
42			wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_P with "
43				   "invalid length %d", pos[1]);
44			return -1;
45		}
46		attr->rand_p = pos + 2;
47		break;
48	case EAP_SAKE_AT_MIC_S:
49		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_S");
50		if (pos[1] != 2 + EAP_SAKE_MIC_LEN) {
51			wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_S with "
52				   "invalid length %d", pos[1]);
53			return -1;
54		}
55		attr->mic_s = pos + 2;
56		break;
57	case EAP_SAKE_AT_MIC_P:
58		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_P");
59		if (pos[1] != 2 + EAP_SAKE_MIC_LEN) {
60			wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_P with "
61				   "invalid length %d", pos[1]);
62			return -1;
63		}
64		attr->mic_p = pos + 2;
65		break;
66	case EAP_SAKE_AT_SERVERID:
67		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SERVERID");
68		attr->serverid = pos + 2;
69		attr->serverid_len = pos[1] - 2;
70		break;
71	case EAP_SAKE_AT_PEERID:
72		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PEERID");
73		attr->peerid = pos + 2;
74		attr->peerid_len = pos[1] - 2;
75		break;
76	case EAP_SAKE_AT_SPI_S:
77		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_S");
78		attr->spi_s = pos + 2;
79		attr->spi_s_len = pos[1] - 2;
80		break;
81	case EAP_SAKE_AT_SPI_P:
82		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_P");
83		attr->spi_p = pos + 2;
84		attr->spi_p_len = pos[1] - 2;
85		break;
86	case EAP_SAKE_AT_ANY_ID_REQ:
87		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ANY_ID_REQ");
88		if (pos[1] != 4) {
89			wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid AT_ANY_ID_REQ"
90				   " length %d", pos[1]);
91			return -1;
92		}
93		attr->any_id_req = pos + 2;
94		break;
95	case EAP_SAKE_AT_PERM_ID_REQ:
96		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PERM_ID_REQ");
97		if (pos[1] != 4) {
98			wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
99				   "AT_PERM_ID_REQ length %d", pos[1]);
100			return -1;
101		}
102		attr->perm_id_req = pos + 2;
103		break;
104	case EAP_SAKE_AT_ENCR_DATA:
105		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ENCR_DATA");
106		attr->encr_data = pos + 2;
107		attr->encr_data_len = pos[1] - 2;
108		break;
109	case EAP_SAKE_AT_IV:
110		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
111		attr->iv = pos + 2;
112		attr->iv_len = pos[1] - 2;
113		break;
114	case EAP_SAKE_AT_PADDING:
115		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PADDING");
116		for (i = 2; i < pos[1]; i++) {
117			if (pos[i]) {
118				wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_PADDING "
119					   "with non-zero pad byte");
120				return -1;
121			}
122		}
123		break;
124	case EAP_SAKE_AT_NEXT_TMPID:
125		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_NEXT_TMPID");
126		attr->next_tmpid = pos + 2;
127		attr->next_tmpid_len = pos[1] - 2;
128		break;
129	case EAP_SAKE_AT_MSK_LIFE:
130		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
131		if (pos[1] != 6) {
132			wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
133				   "AT_MSK_LIFE length %d", pos[1]);
134			return -1;
135		}
136		attr->msk_life = pos + 2;
137		break;
138	default:
139		if (pos[0] < 128) {
140			wpa_printf(MSG_DEBUG, "EAP-SAKE: Unknown non-skippable"
141				   " attribute %d", pos[0]);
142			return -1;
143		}
144		wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring unknown skippable "
145			   "attribute %d", pos[0]);
146		break;
147	}
148
149	if (attr->iv && !attr->encr_data) {
150		wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_IV included without "
151			   "AT_ENCR_DATA");
152		return -1;
153	}
154
155	return 0;
156}
157
158
159/**
160 * eap_sake_parse_attributes - Parse EAP-SAKE attributes
161 * @buf: Packet payload (starting with the first attribute)
162 * @len: Payload length
163 * @attr: Structure to be filled with found attributes
164 * Returns: 0 on success or -1 on failure
165 */
166int eap_sake_parse_attributes(const u8 *buf, size_t len,
167			      struct eap_sake_parse_attr *attr)
168{
169	const u8 *pos = buf, *end = buf + len;
170
171	os_memset(attr, 0, sizeof(*attr));
172	while (pos < end) {
173		if (end - pos < 2) {
174			wpa_printf(MSG_DEBUG, "EAP-SAKE: Too short attribute");
175			return -1;
176		}
177
178		if (pos[1] < 2) {
179			wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid attribute "
180				   "length (%d)", pos[1]);
181			return -1;
182		}
183
184		if (pos + pos[1] > end) {
185			wpa_printf(MSG_DEBUG, "EAP-SAKE: Attribute underflow");
186			return -1;
187		}
188
189		if (eap_sake_parse_add_attr(attr, pos))
190			return -1;
191
192		pos += pos[1];
193	}
194
195	return 0;
196}
197
198
199/**
200 * eap_sake_kdf - EAP-SAKE Key Derivation Function (KDF)
201 * @key: Key for KDF
202 * @key_len: Length of the key in bytes
203 * @label: A unique label for each purpose of the KDF
204 * @data: Extra data (start) to bind into the key
205 * @data_len: Length of the data
206 * @data2: Extra data (end) to bind into the key
207 * @data2_len: Length of the data2
208 * @buf: Buffer for the generated pseudo-random key
209 * @buf_len: Number of bytes of key to generate
210 *
211 * This function is used to derive new, cryptographically separate keys from a
212 * given key (e.g., SMS). This is identical to the PRF used in IEEE 802.11i.
213 */
214static void eap_sake_kdf(const u8 *key, size_t key_len, const char *label,
215			 const u8 *data, size_t data_len,
216			 const u8 *data2, size_t data2_len,
217			 u8 *buf, size_t buf_len)
218{
219	u8 counter = 0;
220	size_t pos, plen;
221	u8 hash[SHA1_MAC_LEN];
222	size_t label_len = os_strlen(label) + 1;
223	const unsigned char *addr[4];
224	size_t len[4];
225
226	addr[0] = (u8 *) label; /* Label | Y */
227	len[0] = label_len;
228	addr[1] = data; /* Msg[start] */
229	len[1] = data_len;
230	addr[2] = data2; /* Msg[end] */
231	len[2] = data2_len;
232	addr[3] = &counter; /* Length */
233	len[3] = 1;
234
235	pos = 0;
236	while (pos < buf_len) {
237		plen = buf_len - pos;
238		if (plen >= SHA1_MAC_LEN) {
239			hmac_sha1_vector(key, key_len, 4, addr, len,
240					 &buf[pos]);
241			pos += SHA1_MAC_LEN;
242		} else {
243			hmac_sha1_vector(key, key_len, 4, addr, len,
244					 hash);
245			os_memcpy(&buf[pos], hash, plen);
246			break;
247		}
248		counter++;
249	}
250}
251
252
253/**
254 * eap_sake_derive_keys - Derive EAP-SAKE keys
255 * @root_secret_a: 16-byte Root-Secret-A
256 * @root_secret_b: 16-byte Root-Secret-B
257 * @rand_s: 16-byte RAND_S
258 * @rand_p: 16-byte RAND_P
259 * @tek: Buffer for Temporary EAK Keys (TEK-Auth[16] | TEK-Cipher[16])
260 * @msk: Buffer for 64-byte MSK
261 * @emsk: Buffer for 64-byte EMSK
262 *
263 * This function derives EAP-SAKE keys as defined in RFC 4763, section 3.2.6.
264 */
265void eap_sake_derive_keys(const u8 *root_secret_a, const u8 *root_secret_b,
266			  const u8 *rand_s, const u8 *rand_p, u8 *tek, u8 *msk,
267			  u8 *emsk)
268{
269	u8 sms_a[EAP_SAKE_SMS_LEN];
270	u8 sms_b[EAP_SAKE_SMS_LEN];
271	u8 key_buf[EAP_MSK_LEN + EAP_EMSK_LEN];
272
273	wpa_printf(MSG_DEBUG, "EAP-SAKE: Deriving keys");
274
275	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-A",
276			root_secret_a, EAP_SAKE_ROOT_SECRET_LEN);
277	eap_sake_kdf(root_secret_a, EAP_SAKE_ROOT_SECRET_LEN,
278		     "SAKE Master Secret A",
279		     rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
280		     sms_a, EAP_SAKE_SMS_LEN);
281	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-A", sms_a, EAP_SAKE_SMS_LEN);
282	eap_sake_kdf(sms_a, EAP_SAKE_SMS_LEN, "Transient EAP Key",
283		     rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
284		     tek, EAP_SAKE_TEK_LEN);
285	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Auth",
286			tek, EAP_SAKE_TEK_AUTH_LEN);
287	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Cipher",
288			tek + EAP_SAKE_TEK_AUTH_LEN, EAP_SAKE_TEK_CIPHER_LEN);
289
290	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-B",
291			root_secret_b, EAP_SAKE_ROOT_SECRET_LEN);
292	eap_sake_kdf(root_secret_b, EAP_SAKE_ROOT_SECRET_LEN,
293		     "SAKE Master Secret B",
294		     rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
295		     sms_b, EAP_SAKE_SMS_LEN);
296	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-B", sms_b, EAP_SAKE_SMS_LEN);
297	eap_sake_kdf(sms_b, EAP_SAKE_SMS_LEN, "Master Session Key",
298		     rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
299		     key_buf, sizeof(key_buf));
300	os_memcpy(msk, key_buf, EAP_MSK_LEN);
301	os_memcpy(emsk, key_buf + EAP_MSK_LEN, EAP_EMSK_LEN);
302	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: MSK", msk, EAP_MSK_LEN);
303	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: EMSK", emsk, EAP_EMSK_LEN);
304}
305
306
307/**
308 * eap_sake_compute_mic - Compute EAP-SAKE MIC for an EAP packet
309 * @tek_auth: 16-byte TEK-Auth
310 * @rand_s: 16-byte RAND_S
311 * @rand_p: 16-byte RAND_P
312 * @serverid: SERVERID
313 * @serverid_len: SERVERID length
314 * @peerid: PEERID
315 * @peerid_len: PEERID length
316 * @peer: MIC calculation for 0 = Server, 1 = Peer message
317 * @eap: EAP packet
318 * @eap_len: EAP packet length
319 * @mic_pos: MIC position in the EAP packet (must be [eap .. eap + eap_len])
320 * @mic: Buffer for the computed 16-byte MIC
321 */
322int eap_sake_compute_mic(const u8 *tek_auth,
323			 const u8 *rand_s, const u8 *rand_p,
324			 const u8 *serverid, size_t serverid_len,
325			 const u8 *peerid, size_t peerid_len,
326			 int peer, const u8 *eap, size_t eap_len,
327			 const u8 *mic_pos, u8 *mic)
328{
329	u8 _rand[2 * EAP_SAKE_RAND_LEN];
330	u8 *tmp, *pos;
331	size_t tmplen;
332
333	tmplen = serverid_len + 1 + peerid_len + 1 + eap_len;
334	tmp = os_malloc(tmplen);
335	if (tmp == NULL)
336		return -1;
337	pos = tmp;
338	if (peer) {
339		if (peerid) {
340			os_memcpy(pos, peerid, peerid_len);
341			pos += peerid_len;
342		}
343		*pos++ = 0x00;
344		if (serverid) {
345			os_memcpy(pos, serverid, serverid_len);
346			pos += serverid_len;
347		}
348		*pos++ = 0x00;
349
350		os_memcpy(_rand, rand_s, EAP_SAKE_RAND_LEN);
351		os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_p,
352			  EAP_SAKE_RAND_LEN);
353	} else {
354		if (serverid) {
355			os_memcpy(pos, serverid, serverid_len);
356			pos += serverid_len;
357		}
358		*pos++ = 0x00;
359		if (peerid) {
360			os_memcpy(pos, peerid, peerid_len);
361			pos += peerid_len;
362		}
363		*pos++ = 0x00;
364
365		os_memcpy(_rand, rand_p, EAP_SAKE_RAND_LEN);
366		os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_s,
367			  EAP_SAKE_RAND_LEN);
368	}
369
370	os_memcpy(pos, eap, eap_len);
371	os_memset(pos + (mic_pos - eap), 0, EAP_SAKE_MIC_LEN);
372
373	eap_sake_kdf(tek_auth, EAP_SAKE_TEK_AUTH_LEN,
374		     peer ? "Peer MIC" : "Server MIC",
375		     _rand, 2 * EAP_SAKE_RAND_LEN, tmp, tmplen,
376		     mic, EAP_SAKE_MIC_LEN);
377
378	os_free(tmp);
379
380	return 0;
381}
382
383
384void eap_sake_add_attr(struct wpabuf *buf, u8 type, const u8 *data,
385		       size_t len)
386{
387	wpabuf_put_u8(buf, type);
388	wpabuf_put_u8(buf, 2 + len); /* Length; including attr header */
389	if (data)
390		wpabuf_put_data(buf, data, len);
391	else
392		os_memset(wpabuf_put(buf, len), 0, len);
393}
394