134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt/* 234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * EAP server/peer: EAP-EKE shared routines 334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * Copyright (c) 2011-2013, Jouni Malinen <j@w1.fi> 434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * 534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * This software may be distributed under the terms of the BSD license. 634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * See README for more details. 734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt */ 834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt#include "includes.h" 1034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 1134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt#include "common.h" 1234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt#include "crypto/aes.h" 1334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt#include "crypto/aes_wrap.h" 1434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt#include "crypto/crypto.h" 1534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt#include "crypto/dh_groups.h" 1634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt#include "crypto/random.h" 1734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt#include "crypto/sha1.h" 1834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt#include "crypto/sha256.h" 1934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt#include "eap_common/eap_defs.h" 2034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt#include "eap_eke_common.h" 2134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 2234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 2334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtstatic int eap_eke_dh_len(u8 group) 2434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 2534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt switch (group) { 2634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_DHGROUP_EKE_2: 2734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 128; 2834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_DHGROUP_EKE_5: 2934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 192; 3034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_DHGROUP_EKE_14: 3134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 256; 3234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_DHGROUP_EKE_15: 3334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 384; 3434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_DHGROUP_EKE_16: 3534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 512; 3634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 3734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 3834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 3934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 4034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 4134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 4234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtstatic int eap_eke_dhcomp_len(u8 dhgroup, u8 encr) 4334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 4434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt int dhlen; 4534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 4634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt dhlen = eap_eke_dh_len(dhgroup); 4734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (dhlen < 0) 4834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 4934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (encr != EAP_EKE_ENCR_AES128_CBC) 5034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 5134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return AES_BLOCK_SIZE + dhlen; 5234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 5334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 5434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 5534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtstatic const struct dh_group * eap_eke_dh_group(u8 group) 5634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 5734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt switch (group) { 5834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_DHGROUP_EKE_2: 5934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return dh_groups_get(2); 6034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_DHGROUP_EKE_5: 6134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return dh_groups_get(5); 6234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_DHGROUP_EKE_14: 6334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return dh_groups_get(14); 6434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_DHGROUP_EKE_15: 6534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return dh_groups_get(15); 6634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_DHGROUP_EKE_16: 6734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return dh_groups_get(16); 6834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 6934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 7034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return NULL; 7134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 7234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 7334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 7434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtstatic int eap_eke_dh_generator(u8 group) 7534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 7634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt switch (group) { 7734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_DHGROUP_EKE_2: 7834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 5; 7934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_DHGROUP_EKE_5: 8034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 31; 8134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_DHGROUP_EKE_14: 8234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 11; 8334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_DHGROUP_EKE_15: 8434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 5; 8534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_DHGROUP_EKE_16: 8634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 5; 8734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 8834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 8934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 9034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 9134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 9234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 9334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtstatic int eap_eke_pnonce_len(u8 mac) 9434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 9534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt int mac_len; 9634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 9734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (mac == EAP_EKE_MAC_HMAC_SHA1) 9834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt mac_len = SHA1_MAC_LEN; 9934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt else if (mac == EAP_EKE_MAC_HMAC_SHA2_256) 10034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt mac_len = SHA256_MAC_LEN; 10134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt else 10234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 10334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 10434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return AES_BLOCK_SIZE + 16 + mac_len; 10534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 10634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 10734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 10834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtstatic int eap_eke_pnonce_ps_len(u8 mac) 10934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 11034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt int mac_len; 11134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 11234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (mac == EAP_EKE_MAC_HMAC_SHA1) 11334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt mac_len = SHA1_MAC_LEN; 11434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt else if (mac == EAP_EKE_MAC_HMAC_SHA2_256) 11534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt mac_len = SHA256_MAC_LEN; 11634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt else 11734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 11834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 11934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return AES_BLOCK_SIZE + 2 * 16 + mac_len; 12034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 12134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 12234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 12334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtstatic int eap_eke_prf_len(u8 prf) 12434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 12534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (prf == EAP_EKE_PRF_HMAC_SHA1) 12634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 20; 12734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (prf == EAP_EKE_PRF_HMAC_SHA2_256) 12834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 32; 12934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 13034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 13134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 13234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 13334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtstatic int eap_eke_nonce_len(u8 prf) 13434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 13534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt int prf_len; 13634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 13734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt prf_len = eap_eke_prf_len(prf); 13834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (prf_len < 0) 13934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 14034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 14134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (prf_len > 2 * 16) 14234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return (prf_len + 1) / 2; 14334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 14434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 16; 14534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 14634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 14734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 14834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtstatic int eap_eke_auth_len(u8 prf) 14934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 15034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt switch (prf) { 15134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_PRF_HMAC_SHA1: 15234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return SHA1_MAC_LEN; 15334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt case EAP_EKE_PRF_HMAC_SHA2_256: 15434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return SHA256_MAC_LEN; 15534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 15634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 15734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 15834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 15934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 16034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 16134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtint eap_eke_dh_init(u8 group, u8 *ret_priv, u8 *ret_pub) 16234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 16334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt int generator; 16434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 gen; 16534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const struct dh_group *dh; 16634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t pub_len, i; 16734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 16834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt generator = eap_eke_dh_generator(group); 16934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (generator < 0 || generator > 255) 17034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 17134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt gen = generator; 17234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 17334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt dh = eap_eke_dh_group(group); 17434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (dh == NULL) 17534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 17634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 17734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt /* x = random number 2 .. p-1 */ 17834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (random_get_bytes(ret_priv, dh->prime_len)) 17934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 18034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (os_memcmp(ret_priv, dh->prime, dh->prime_len) > 0) { 18134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt /* Make sure private value is smaller than prime */ 18234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt ret_priv[0] = 0; 18334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 18434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt for (i = 0; i < dh->prime_len - 1; i++) { 18534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (ret_priv[i]) 18634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt break; 18734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 18834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (i == dh->prime_len - 1 && (ret_priv[i] == 0 || ret_priv[i] == 1)) 18934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 19034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: DH private value", 19134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt ret_priv, dh->prime_len); 19234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 19334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt /* y = g ^ x (mod p) */ 19434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pub_len = dh->prime_len; 19534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (crypto_mod_exp(&gen, 1, ret_priv, dh->prime_len, 19634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt dh->prime, dh->prime_len, ret_pub, &pub_len) < 0) 19734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 19834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (pub_len < dh->prime_len) { 19934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t pad = dh->prime_len - pub_len; 20034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memmove(ret_pub + pad, ret_pub, pub_len); 20134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memset(ret_pub, 0, pad); 20234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 20334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 20434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump(MSG_DEBUG, "EAP-EKE: DH public value", 20534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt ret_pub, dh->prime_len); 20634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 20734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 0; 20834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 20934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 21034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 21134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtstatic int eap_eke_prf(u8 prf, const u8 *key, size_t key_len, const u8 *data, 21234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t data_len, const u8 *data2, size_t data2_len, 21334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 *res) 21434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 21534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *addr[2]; 21634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t len[2]; 21734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t num_elem = 1; 21834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 21934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt addr[0] = data; 22034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt len[0] = data_len; 22134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (data2) { 22234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt num_elem++; 22334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt addr[1] = data2; 22434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt len[1] = data2_len; 22534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 22634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 22734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (prf == EAP_EKE_PRF_HMAC_SHA1) 22834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return hmac_sha1_vector(key, key_len, num_elem, addr, len, res); 22934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (prf == EAP_EKE_PRF_HMAC_SHA2_256) 23034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return hmac_sha256_vector(key, key_len, num_elem, addr, len, 23134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt res); 23234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 23334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 23434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 23534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 23634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtstatic int eap_eke_prf_hmac_sha1(const u8 *key, size_t key_len, const u8 *data, 23734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t data_len, u8 *res, size_t len) 23834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 23934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 hash[SHA1_MAC_LEN]; 24034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 idx; 24134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *addr[3]; 24234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t vlen[3]; 24334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt int ret; 24434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 24534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt idx = 0; 24634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt addr[0] = hash; 24734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt vlen[0] = SHA1_MAC_LEN; 24834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt addr[1] = data; 24934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt vlen[1] = data_len; 25034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt addr[2] = &idx; 25134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt vlen[2] = 1; 25234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 25334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt while (len > 0) { 25434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt idx++; 25534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (idx == 1) 25634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt ret = hmac_sha1_vector(key, key_len, 2, &addr[1], 25734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt &vlen[1], hash); 25834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt else 25934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt ret = hmac_sha1_vector(key, key_len, 3, addr, vlen, 26034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt hash); 26134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (ret < 0) 26234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 26334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (len > SHA1_MAC_LEN) { 26434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(res, hash, SHA1_MAC_LEN); 26534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt res += SHA1_MAC_LEN; 26634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt len -= SHA1_MAC_LEN; 26734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } else { 26834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(res, hash, len); 26934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt len = 0; 27034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 27134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 27234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 27334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 0; 27434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 27534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 27634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 27734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtstatic int eap_eke_prf_hmac_sha256(const u8 *key, size_t key_len, const u8 *data, 27834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t data_len, u8 *res, size_t len) 27934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 28034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 hash[SHA256_MAC_LEN]; 28134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 idx; 28234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *addr[3]; 28334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t vlen[3]; 28434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt int ret; 28534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 28634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt idx = 0; 28734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt addr[0] = hash; 28834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt vlen[0] = SHA256_MAC_LEN; 28934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt addr[1] = data; 29034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt vlen[1] = data_len; 29134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt addr[2] = &idx; 29234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt vlen[2] = 1; 29334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 29434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt while (len > 0) { 29534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt idx++; 29634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (idx == 1) 29734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt ret = hmac_sha256_vector(key, key_len, 2, &addr[1], 29834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt &vlen[1], hash); 29934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt else 30034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt ret = hmac_sha256_vector(key, key_len, 3, addr, vlen, 30134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt hash); 30234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (ret < 0) 30334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 30434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (len > SHA256_MAC_LEN) { 30534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(res, hash, SHA256_MAC_LEN); 30634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt res += SHA256_MAC_LEN; 30734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt len -= SHA256_MAC_LEN; 30834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } else { 30934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(res, hash, len); 31034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt len = 0; 31134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 31234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 31334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 31434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 0; 31534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 31634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 31734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 31834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtstatic int eap_eke_prfplus(u8 prf, const u8 *key, size_t key_len, 31934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *data, size_t data_len, u8 *res, size_t len) 32034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 32134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (prf == EAP_EKE_PRF_HMAC_SHA1) 32234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return eap_eke_prf_hmac_sha1(key, key_len, data, data_len, res, 32334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt len); 32434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (prf == EAP_EKE_PRF_HMAC_SHA2_256) 32534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return eap_eke_prf_hmac_sha256(key, key_len, data, data_len, 32634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt res, len); 32734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 32834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 32934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 33034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 33134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtint eap_eke_derive_key(struct eap_eke_session *sess, 33234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *password, size_t password_len, 33334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *id_s, size_t id_s_len, const u8 *id_p, 33434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t id_p_len, u8 *key) 33534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 33634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 zeros[EAP_EKE_MAX_HASH_LEN]; 33734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 temp[EAP_EKE_MAX_HASH_LEN]; 33834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t key_len = 16; /* Only AES-128-CBC is used here */ 33934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 *id; 34034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 34134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt /* temp = prf(0+, password) */ 34234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memset(zeros, 0, sess->prf_len); 34334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (eap_eke_prf(sess->prf, zeros, sess->prf_len, 34434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt password, password_len, NULL, 0, temp) < 0) 34534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 34634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: temp = prf(0+, password)", 34734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt temp, sess->prf_len); 34834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 34934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt /* key = prf+(temp, ID_S | ID_P) */ 35034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt id = os_malloc(id_s_len + id_p_len); 35134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (id == NULL) 35234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 35334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(id, id_s, id_s_len); 35434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(id + id_s_len, id_p, id_p_len); 35534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump_ascii(MSG_DEBUG, "EAP-EKE: ID_S | ID_P", 35634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt id, id_s_len + id_p_len); 35734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (eap_eke_prfplus(sess->prf, temp, sess->prf_len, 35834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt id, id_s_len + id_p_len, key, key_len) < 0) { 35934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_free(id); 36034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 36134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 36234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_free(id); 36334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: key = prf+(temp, ID_S | ID_P)", 36434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt key, key_len); 36534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 36634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 0; 36734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 36834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 36934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 37034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtint eap_eke_dhcomp(struct eap_eke_session *sess, const u8 *key, const u8 *dhpub, 37134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 *ret_dhcomp) 37234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 37334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 pub[EAP_EKE_MAX_DH_LEN]; 37434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt int dh_len; 37534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 iv[AES_BLOCK_SIZE]; 37634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 37734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt dh_len = eap_eke_dh_len(sess->dhgroup); 37834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (dh_len < 0) 37934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 38034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 38134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt /* 38234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * DHComponent = Encr(key, y) 38334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * 38434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * All defined DH groups use primes that have length devisible by 16, so 38534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * no need to do extra padding for y (= pub). 38634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt */ 38734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (sess->encr != EAP_EKE_ENCR_AES128_CBC) 38834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 38934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (random_get_bytes(iv, AES_BLOCK_SIZE)) 39034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 39134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump(MSG_DEBUG, "EAP-EKE: IV for Encr(key, y)", 39234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt iv, AES_BLOCK_SIZE); 39334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(pub, dhpub, dh_len); 39434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (aes_128_cbc_encrypt(key, iv, pub, dh_len) < 0) 39534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 39634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(ret_dhcomp, iv, AES_BLOCK_SIZE); 39734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(ret_dhcomp + AES_BLOCK_SIZE, pub, dh_len); 39834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump(MSG_DEBUG, "EAP-EKE: DHComponent = Encr(key, y)", 39934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt ret_dhcomp, AES_BLOCK_SIZE + dh_len); 40034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 40134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 0; 40234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 40334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 40434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 40534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtint eap_eke_shared_secret(struct eap_eke_session *sess, const u8 *key, 40634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *dhpriv, const u8 *peer_dhcomp) 40734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 40834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 zeros[EAP_EKE_MAX_HASH_LEN]; 40934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 peer_pub[EAP_EKE_MAX_DH_LEN]; 41034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 modexp[EAP_EKE_MAX_DH_LEN]; 41134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t len; 41234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const struct dh_group *dh; 41334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 41434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (sess->encr != EAP_EKE_ENCR_AES128_CBC) 41534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 41634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 41734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt dh = eap_eke_dh_group(sess->dhgroup); 41834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (dh == NULL) 41934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 42034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 42134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt /* Decrypt peer DHComponent */ 42234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(peer_pub, peer_dhcomp + AES_BLOCK_SIZE, dh->prime_len); 42334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (aes_128_cbc_decrypt(key, peer_dhcomp, peer_pub, dh->prime_len) < 0) { 42434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt DHComponent"); 42534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 42634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 42734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Decrypted peer DH pubkey", 42834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt peer_pub, dh->prime_len); 42934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 43034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt /* SharedSecret = prf(0+, g ^ (x_s * x_p) (mod p)) */ 43134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt len = dh->prime_len; 43234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (crypto_mod_exp(peer_pub, dh->prime_len, dhpriv, dh->prime_len, 43334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt dh->prime, dh->prime_len, modexp, &len) < 0) 43434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 43534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (len < dh->prime_len) { 43634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t pad = dh->prime_len - len; 43734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memmove(modexp + pad, modexp, len); 43834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memset(modexp, 0, pad); 43934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 44034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 44134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memset(zeros, 0, sess->auth_len); 44234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (eap_eke_prf(sess->prf, zeros, sess->auth_len, modexp, dh->prime_len, 44334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt NULL, 0, sess->shared_secret) < 0) 44434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 44534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: SharedSecret", 44634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt sess->shared_secret, sess->auth_len); 44734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 44834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 0; 44934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 45034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 45134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 45234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtint eap_eke_derive_ke_ki(struct eap_eke_session *sess, 45334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *id_s, size_t id_s_len, 45434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *id_p, size_t id_p_len) 45534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 45634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 buf[EAP_EKE_MAX_KE_LEN + EAP_EKE_MAX_KI_LEN]; 45734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t ke_len, ki_len; 45834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 *data; 45934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t data_len; 46034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const char *label = "EAP-EKE Keys"; 46134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t label_len; 46234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 46334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt /* 46434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * Ke | Ki = prf+(SharedSecret, "EAP-EKE Keys" | ID_S | ID_P) 46534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * Ke = encryption key 46634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * Ki = integrity protection key 46734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * Length of each key depends on the selected algorithms. 46834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt */ 46934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 47034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (sess->encr == EAP_EKE_ENCR_AES128_CBC) 47134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt ke_len = 16; 47234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt else 47334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 47434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 47534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (sess->mac == EAP_EKE_PRF_HMAC_SHA1) 47634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt ki_len = 20; 47734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256) 47834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt ki_len = 32; 47934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt else 48034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 48134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 48234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt label_len = os_strlen(label); 48334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt data_len = label_len + id_s_len + id_p_len; 48434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt data = os_malloc(data_len); 48534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (data == NULL) 48634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 48734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(data, label, label_len); 48834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(data + label_len, id_s, id_s_len); 48934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(data + label_len + id_s_len, id_p, id_p_len); 49034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len, 49134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt data, data_len, buf, ke_len + ki_len) < 0) { 49234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_free(data); 49334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 49434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 49534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 49634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(sess->ke, buf, ke_len); 49734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ke", sess->ke, ke_len); 49834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(sess->ki, buf + ke_len, ki_len); 49934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ki", sess->ki, ki_len); 50034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 50134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_free(data); 50234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 0; 50334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 50434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 50534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 50634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtint eap_eke_derive_ka(struct eap_eke_session *sess, 50734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *id_s, size_t id_s_len, 50834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *id_p, size_t id_p_len, 50934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *nonce_p, const u8 *nonce_s) 51034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 51134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 *data, *pos; 51234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t data_len; 51334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const char *label = "EAP-EKE Ka"; 51434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t label_len; 51534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 51634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt /* 51734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * Ka = prf+(SharedSecret, "EAP-EKE Ka" | ID_S | ID_P | Nonce_P | 51834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * Nonce_S) 51934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * Ka = authentication key 52034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * Length of the key depends on the selected algorithms. 52134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt */ 52234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 52334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt label_len = os_strlen(label); 52434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt data_len = label_len + id_s_len + id_p_len + 2 * sess->nonce_len; 52534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt data = os_malloc(data_len); 52634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (data == NULL) 52734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 52834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pos = data; 52934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(pos, label, label_len); 53034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pos += label_len; 53134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(pos, id_s, id_s_len); 53234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pos += id_s_len; 53334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(pos, id_p, id_p_len); 53434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pos += id_p_len; 53534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(pos, nonce_p, sess->nonce_len); 53634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pos += sess->nonce_len; 53734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(pos, nonce_s, sess->nonce_len); 53834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len, 53934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt data, data_len, sess->ka, sess->prf_len) < 0) { 54034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_free(data); 54134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 54234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 54334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_free(data); 54434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 54534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ka", sess->ka, sess->prf_len); 54634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 54734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 0; 54834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 54934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 55034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 55134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtint eap_eke_derive_msk(struct eap_eke_session *sess, 55234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *id_s, size_t id_s_len, 55334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *id_p, size_t id_p_len, 55434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *nonce_p, const u8 *nonce_s, 55534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 *msk, u8 *emsk) 55634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 55734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 *data, *pos; 55834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t data_len; 55934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const char *label = "EAP-EKE Exported Keys"; 56034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t label_len; 56134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 buf[EAP_MSK_LEN + EAP_EMSK_LEN]; 56234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 56334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt /* 56434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * MSK | EMSK = prf+(SharedSecret, "EAP-EKE Exported Keys" | ID_S | 56534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt * ID_P | Nonce_P | Nonce_S) 56634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt */ 56734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 56834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt label_len = os_strlen(label); 56934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt data_len = label_len + id_s_len + id_p_len + 2 * sess->nonce_len; 57034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt data = os_malloc(data_len); 57134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (data == NULL) 57234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 57334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pos = data; 57434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(pos, label, label_len); 57534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pos += label_len; 57634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(pos, id_s, id_s_len); 57734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pos += id_s_len; 57834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(pos, id_p, id_p_len); 57934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pos += id_p_len; 58034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(pos, nonce_p, sess->nonce_len); 58134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pos += sess->nonce_len; 58234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(pos, nonce_s, sess->nonce_len); 58334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (eap_eke_prfplus(sess->prf, sess->shared_secret, sess->prf_len, 58434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt data, data_len, buf, EAP_MSK_LEN + EAP_EMSK_LEN) < 58534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 0) { 58634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_free(data); 58734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 58834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 58934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_free(data); 59034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 59134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(msk, buf, EAP_MSK_LEN); 59234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(emsk, buf + EAP_MSK_LEN, EAP_EMSK_LEN); 59334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memset(buf, 0, sizeof(buf)); 59434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 59534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: MSK", msk, EAP_MSK_LEN); 59634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: EMSK", msk, EAP_EMSK_LEN); 59734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 59834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 0; 59934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 60034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 60134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 60234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtstatic int eap_eke_mac(u8 mac, const u8 *key, const u8 *data, size_t data_len, 60334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 *res) 60434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 60534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (mac == EAP_EKE_MAC_HMAC_SHA1) 60634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return hmac_sha1(key, SHA1_MAC_LEN, data, data_len, res); 60734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (mac == EAP_EKE_MAC_HMAC_SHA2_256) 60834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return hmac_sha256(key, SHA256_MAC_LEN, data, data_len, res); 60934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 61034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 61134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 61234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 61334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtint eap_eke_prot(struct eap_eke_session *sess, 61434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *data, size_t data_len, 61534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 *prot, size_t *prot_len) 61634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 61734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t block_size, icv_len, pad; 61834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 *pos, *iv, *e; 61934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 62034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (sess->encr == EAP_EKE_ENCR_AES128_CBC) 62134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt block_size = AES_BLOCK_SIZE; 62234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt else 62334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 62434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 62534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (sess->mac == EAP_EKE_PRF_HMAC_SHA1) 62634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt icv_len = SHA1_MAC_LEN; 62734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256) 62834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt icv_len = SHA256_MAC_LEN; 62934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt else 63034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 63134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 63234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pad = data_len % block_size; 63334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (pad) 63434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pad = block_size - pad; 63534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 63634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (*prot_len < block_size + data_len + pad + icv_len) { 63734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_printf(MSG_INFO, "EAP-EKE: Not enough room for Prot() data"); 63834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 63934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pos = prot; 64034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 64134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (random_get_bytes(pos, block_size)) 64234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 64334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt iv = pos; 64434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump(MSG_DEBUG, "EAP-EKE: IV for Prot()", iv, block_size); 64534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pos += block_size; 64634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 64734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt e = pos; 64834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(pos, data, data_len); 64934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pos += data_len; 65034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (pad) { 65134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (random_get_bytes(pos, pad)) 65234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 65334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pos += pad; 65434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 65534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 65634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (aes_128_cbc_encrypt(sess->ke, iv, e, data_len + pad) < 0) 65734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 65834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 65934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (eap_eke_mac(sess->mac, sess->ki, e, data_len + pad, pos) < 0) 66034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 66134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt pos += icv_len; 66234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 66334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt *prot_len = pos - prot; 66434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 0; 66534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 66634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 66734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 66834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtint eap_eke_decrypt_prot(struct eap_eke_session *sess, 66934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const u8 *prot, size_t prot_len, 67034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 *data, size_t *data_len) 67134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 67234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt size_t block_size, icv_len; 67334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 icv[EAP_EKE_MAX_HASH_LEN]; 67434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 67534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (sess->encr == EAP_EKE_ENCR_AES128_CBC) 67634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt block_size = AES_BLOCK_SIZE; 67734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt else 67834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 67934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 68034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (sess->mac == EAP_EKE_PRF_HMAC_SHA1) 68134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt icv_len = SHA1_MAC_LEN; 68234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt else if (sess->mac == EAP_EKE_PRF_HMAC_SHA2_256) 68334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt icv_len = SHA256_MAC_LEN; 68434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt else 68534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 68634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 68734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (prot_len < 2 * block_size + icv_len) 68834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 68934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if ((prot_len - icv_len) % block_size) 69034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 69134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 69234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (eap_eke_mac(sess->mac, sess->ki, prot + block_size, 69334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt prot_len - block_size - icv_len, icv) < 0) 69434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 695c28170251eb54dbf64a9074a07fee377587425b2Dmitry Shmidt if (os_memcmp_const(icv, prot + prot_len - icv_len, icv_len) != 0) { 69634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_printf(MSG_INFO, "EAP-EKE: ICV mismatch in Prot() data"); 69734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 69834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 69934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 70034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (*data_len < prot_len - block_size - icv_len) { 70134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_printf(MSG_INFO, "EAP-EKE: Not enough room for decrypted Prot() data"); 70234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 70334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 70434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 70534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt *data_len = prot_len - block_size - icv_len; 70634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memcpy(data, prot + block_size, *data_len); 70734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (aes_128_cbc_decrypt(sess->ke, prot, data, *data_len) < 0) { 70834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_printf(MSG_INFO, "EAP-EKE: Failed to decrypt Prot() data"); 70934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 71034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt } 71134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Decrypted Prot() data", 71234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt data, *data_len); 71334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 71434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 0; 71534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 71634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 71734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 71834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtint eap_eke_auth(struct eap_eke_session *sess, const char *label, 71934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt const struct wpabuf *msgs, u8 *auth) 72034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 72134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_printf(MSG_DEBUG, "EAP-EKE: Auth(%s)", label); 72234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump_key(MSG_DEBUG, "EAP-EKE: Ka for Auth", 72334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt sess->ka, sess->auth_len); 72434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpa_hexdump_buf(MSG_MSGDUMP, "EAP-EKE: Messages for Auth", msgs); 72534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return eap_eke_prf(sess->prf, sess->ka, sess->auth_len, 72634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt (const u8 *) label, os_strlen(label), 72734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt wpabuf_head(msgs), wpabuf_len(msgs), auth); 72834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 72934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 73034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 73134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtint eap_eke_session_init(struct eap_eke_session *sess, u8 dhgroup, u8 encr, 73234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt u8 prf, u8 mac) 73334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 73434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt sess->dhgroup = dhgroup; 73534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt sess->encr = encr; 73634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt sess->prf = prf; 73734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt sess->mac = mac; 73834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 73934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt sess->prf_len = eap_eke_prf_len(prf); 74034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (sess->prf_len < 0) 74134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 74234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt sess->nonce_len = eap_eke_nonce_len(prf); 74334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (sess->nonce_len < 0) 74434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 74534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt sess->auth_len = eap_eke_auth_len(prf); 74634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (sess->auth_len < 0) 74734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 74834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt sess->dhcomp_len = eap_eke_dhcomp_len(sess->dhgroup, sess->encr); 74934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (sess->dhcomp_len < 0) 75034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 75134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt sess->pnonce_len = eap_eke_pnonce_len(sess->mac); 75234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (sess->pnonce_len < 0) 75334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 75434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt sess->pnonce_ps_len = eap_eke_pnonce_ps_len(sess->mac); 75534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt if (sess->pnonce_ps_len < 0) 75634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return -1; 75734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 75834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt return 0; 75934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 76034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 76134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt 76234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidtvoid eap_eke_session_clean(struct eap_eke_session *sess) 76334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt{ 76434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memset(sess->shared_secret, 0, EAP_EKE_MAX_HASH_LEN); 76534af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memset(sess->ke, 0, EAP_EKE_MAX_KE_LEN); 76634af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memset(sess->ki, 0, EAP_EKE_MAX_KI_LEN); 76734af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt os_memset(sess->ka, 0, EAP_EKE_MAX_KA_LEN); 76834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt} 769