1/*
2 * EAP-FAST common helper functions (RFC 4851)
3 * Copyright (c) 2008, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10
11#include "common.h"
12#include "crypto/sha1.h"
13#include "crypto/tls.h"
14#include "eap_defs.h"
15#include "eap_tlv_common.h"
16#include "eap_fast_common.h"
17
18
19void eap_fast_put_tlv_hdr(struct wpabuf *buf, u16 type, u16 len)
20{
21	struct pac_tlv_hdr hdr;
22	hdr.type = host_to_be16(type);
23	hdr.len = host_to_be16(len);
24	wpabuf_put_data(buf, &hdr, sizeof(hdr));
25}
26
27
28void eap_fast_put_tlv(struct wpabuf *buf, u16 type, const void *data,
29			     u16 len)
30{
31	eap_fast_put_tlv_hdr(buf, type, len);
32	wpabuf_put_data(buf, data, len);
33}
34
35
36void eap_fast_put_tlv_buf(struct wpabuf *buf, u16 type,
37				 const struct wpabuf *data)
38{
39	eap_fast_put_tlv_hdr(buf, type, wpabuf_len(data));
40	wpabuf_put_buf(buf, data);
41}
42
43
44struct wpabuf * eap_fast_tlv_eap_payload(struct wpabuf *buf)
45{
46	struct wpabuf *e;
47
48	if (buf == NULL)
49		return NULL;
50
51	/* Encapsulate EAP packet in EAP-Payload TLV */
52	wpa_printf(MSG_DEBUG, "EAP-FAST: Add EAP-Payload TLV");
53	e = wpabuf_alloc(sizeof(struct pac_tlv_hdr) + wpabuf_len(buf));
54	if (e == NULL) {
55		wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory "
56			   "for TLV encapsulation");
57		wpabuf_free(buf);
58		return NULL;
59	}
60	eap_fast_put_tlv_buf(e,
61			     EAP_TLV_TYPE_MANDATORY | EAP_TLV_EAP_PAYLOAD_TLV,
62			     buf);
63	wpabuf_free(buf);
64	return e;
65}
66
67
68void eap_fast_derive_master_secret(const u8 *pac_key, const u8 *server_random,
69				   const u8 *client_random, u8 *master_secret)
70{
71#define TLS_RANDOM_LEN 32
72#define TLS_MASTER_SECRET_LEN 48
73	u8 seed[2 * TLS_RANDOM_LEN];
74
75	wpa_hexdump(MSG_DEBUG, "EAP-FAST: client_random",
76		    client_random, TLS_RANDOM_LEN);
77	wpa_hexdump(MSG_DEBUG, "EAP-FAST: server_random",
78		    server_random, TLS_RANDOM_LEN);
79
80	/*
81	 * RFC 4851, Section 5.1:
82	 * master_secret = T-PRF(PAC-Key, "PAC to master secret label hash",
83	 *                       server_random + client_random, 48)
84	 */
85	os_memcpy(seed, server_random, TLS_RANDOM_LEN);
86	os_memcpy(seed + TLS_RANDOM_LEN, client_random, TLS_RANDOM_LEN);
87	sha1_t_prf(pac_key, EAP_FAST_PAC_KEY_LEN,
88		   "PAC to master secret label hash",
89		   seed, sizeof(seed), master_secret, TLS_MASTER_SECRET_LEN);
90
91	wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: master_secret",
92			master_secret, TLS_MASTER_SECRET_LEN);
93}
94
95
96u8 * eap_fast_derive_key(void *ssl_ctx, struct tls_connection *conn,
97			 const char *label, size_t len)
98{
99	u8 *out;
100
101	out = os_malloc(len);
102	if (out == NULL)
103		return NULL;
104
105	if (tls_connection_prf(ssl_ctx, conn, label, 1, 1, out, len)) {
106		os_free(out);
107		return NULL;
108	}
109
110	return out;
111}
112
113
114int eap_fast_derive_eap_msk(const u8 *simck, u8 *msk)
115{
116	/*
117	 * RFC 4851, Section 5.4: EAP Master Session Key Generation
118	 * MSK = T-PRF(S-IMCK[j], "Session Key Generating Function", 64)
119	 */
120
121	if (sha1_t_prf(simck, EAP_FAST_SIMCK_LEN,
122		       "Session Key Generating Function", (u8 *) "", 0,
123		       msk, EAP_FAST_KEY_LEN) < 0)
124		return -1;
125	wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (MSK)",
126			msk, EAP_FAST_KEY_LEN);
127	return 0;
128}
129
130
131int eap_fast_derive_eap_emsk(const u8 *simck, u8 *emsk)
132{
133	/*
134	 * RFC 4851, Section 5.4: EAP Master Session Key Genreration
135	 * EMSK = T-PRF(S-IMCK[j],
136	 *        "Extended Session Key Generating Function", 64)
137	 */
138
139	if (sha1_t_prf(simck, EAP_FAST_SIMCK_LEN,
140		       "Extended Session Key Generating Function", (u8 *) "", 0,
141		       emsk, EAP_EMSK_LEN) < 0)
142		return -1;
143	wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (EMSK)",
144			emsk, EAP_EMSK_LEN);
145	return 0;
146}
147
148
149int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv,
150		       int tlv_type, u8 *pos, size_t len)
151{
152	switch (tlv_type) {
153	case EAP_TLV_EAP_PAYLOAD_TLV:
154		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: EAP-Payload TLV",
155			    pos, len);
156		if (tlv->eap_payload_tlv) {
157			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
158				   "EAP-Payload TLV in the message");
159			tlv->iresult = EAP_TLV_RESULT_FAILURE;
160			return -2;
161		}
162		tlv->eap_payload_tlv = pos;
163		tlv->eap_payload_tlv_len = len;
164		break;
165	case EAP_TLV_RESULT_TLV:
166		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Result TLV", pos, len);
167		if (tlv->result) {
168			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
169				   "Result TLV in the message");
170			tlv->result = EAP_TLV_RESULT_FAILURE;
171			return -2;
172		}
173		if (len < 2) {
174			wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
175				   "Result TLV");
176			tlv->result = EAP_TLV_RESULT_FAILURE;
177			break;
178		}
179		tlv->result = WPA_GET_BE16(pos);
180		if (tlv->result != EAP_TLV_RESULT_SUCCESS &&
181		    tlv->result != EAP_TLV_RESULT_FAILURE) {
182			wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Result %d",
183				   tlv->result);
184			tlv->result = EAP_TLV_RESULT_FAILURE;
185		}
186		wpa_printf(MSG_DEBUG, "EAP-FAST: Result: %s",
187			   tlv->result == EAP_TLV_RESULT_SUCCESS ?
188			   "Success" : "Failure");
189		break;
190	case EAP_TLV_INTERMEDIATE_RESULT_TLV:
191		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Intermediate Result TLV",
192			    pos, len);
193		if (len < 2) {
194			wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
195				   "Intermediate-Result TLV");
196			tlv->iresult = EAP_TLV_RESULT_FAILURE;
197			break;
198		}
199		if (tlv->iresult) {
200			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
201				   "Intermediate-Result TLV in the message");
202			tlv->iresult = EAP_TLV_RESULT_FAILURE;
203			return -2;
204		}
205		tlv->iresult = WPA_GET_BE16(pos);
206		if (tlv->iresult != EAP_TLV_RESULT_SUCCESS &&
207		    tlv->iresult != EAP_TLV_RESULT_FAILURE) {
208			wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Intermediate "
209				   "Result %d", tlv->iresult);
210			tlv->iresult = EAP_TLV_RESULT_FAILURE;
211		}
212		wpa_printf(MSG_DEBUG, "EAP-FAST: Intermediate Result: %s",
213			   tlv->iresult == EAP_TLV_RESULT_SUCCESS ?
214			   "Success" : "Failure");
215		break;
216	case EAP_TLV_CRYPTO_BINDING_TLV:
217		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV",
218			    pos, len);
219		if (tlv->crypto_binding) {
220			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
221				   "Crypto-Binding TLV in the message");
222			tlv->iresult = EAP_TLV_RESULT_FAILURE;
223			return -2;
224		}
225		tlv->crypto_binding_len = sizeof(struct eap_tlv_hdr) + len;
226		if (tlv->crypto_binding_len < sizeof(*tlv->crypto_binding)) {
227			wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
228				   "Crypto-Binding TLV");
229			tlv->iresult = EAP_TLV_RESULT_FAILURE;
230			return -2;
231		}
232		tlv->crypto_binding = (struct eap_tlv_crypto_binding_tlv *)
233			(pos - sizeof(struct eap_tlv_hdr));
234		break;
235	case EAP_TLV_REQUEST_ACTION_TLV:
236		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Request-Action TLV",
237			    pos, len);
238		if (tlv->request_action) {
239			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
240				   "Request-Action TLV in the message");
241			tlv->iresult = EAP_TLV_RESULT_FAILURE;
242			return -2;
243		}
244		if (len < 2) {
245			wpa_printf(MSG_DEBUG, "EAP-FAST: Too short "
246				   "Request-Action TLV");
247			tlv->iresult = EAP_TLV_RESULT_FAILURE;
248			break;
249		}
250		tlv->request_action = WPA_GET_BE16(pos);
251		wpa_printf(MSG_DEBUG, "EAP-FAST: Request-Action: %d",
252			   tlv->request_action);
253		break;
254	case EAP_TLV_PAC_TLV:
255		wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: PAC TLV", pos, len);
256		if (tlv->pac) {
257			wpa_printf(MSG_DEBUG, "EAP-FAST: More than one "
258				   "PAC TLV in the message");
259			tlv->iresult = EAP_TLV_RESULT_FAILURE;
260			return -2;
261		}
262		tlv->pac = pos;
263		tlv->pac_len = len;
264		break;
265	default:
266		/* Unknown TLV */
267		return -1;
268	}
269
270	return 0;
271}
272