1/* 2 * EAP-FAST common helper functions (RFC 4851) 3 * Copyright (c) 2008, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/sha1.h" 13#include "crypto/tls.h" 14#include "eap_defs.h" 15#include "eap_tlv_common.h" 16#include "eap_fast_common.h" 17 18 19void eap_fast_put_tlv_hdr(struct wpabuf *buf, u16 type, u16 len) 20{ 21 struct pac_tlv_hdr hdr; 22 hdr.type = host_to_be16(type); 23 hdr.len = host_to_be16(len); 24 wpabuf_put_data(buf, &hdr, sizeof(hdr)); 25} 26 27 28void eap_fast_put_tlv(struct wpabuf *buf, u16 type, const void *data, 29 u16 len) 30{ 31 eap_fast_put_tlv_hdr(buf, type, len); 32 wpabuf_put_data(buf, data, len); 33} 34 35 36void eap_fast_put_tlv_buf(struct wpabuf *buf, u16 type, 37 const struct wpabuf *data) 38{ 39 eap_fast_put_tlv_hdr(buf, type, wpabuf_len(data)); 40 wpabuf_put_buf(buf, data); 41} 42 43 44struct wpabuf * eap_fast_tlv_eap_payload(struct wpabuf *buf) 45{ 46 struct wpabuf *e; 47 48 if (buf == NULL) 49 return NULL; 50 51 /* Encapsulate EAP packet in EAP-Payload TLV */ 52 wpa_printf(MSG_DEBUG, "EAP-FAST: Add EAP-Payload TLV"); 53 e = wpabuf_alloc(sizeof(struct pac_tlv_hdr) + wpabuf_len(buf)); 54 if (e == NULL) { 55 wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to allocate memory " 56 "for TLV encapsulation"); 57 wpabuf_free(buf); 58 return NULL; 59 } 60 eap_fast_put_tlv_buf(e, 61 EAP_TLV_TYPE_MANDATORY | EAP_TLV_EAP_PAYLOAD_TLV, 62 buf); 63 wpabuf_free(buf); 64 return e; 65} 66 67 68void eap_fast_derive_master_secret(const u8 *pac_key, const u8 *server_random, 69 const u8 *client_random, u8 *master_secret) 70{ 71#define TLS_RANDOM_LEN 32 72#define TLS_MASTER_SECRET_LEN 48 73 u8 seed[2 * TLS_RANDOM_LEN]; 74 75 wpa_hexdump(MSG_DEBUG, "EAP-FAST: client_random", 76 client_random, TLS_RANDOM_LEN); 77 wpa_hexdump(MSG_DEBUG, "EAP-FAST: server_random", 78 server_random, TLS_RANDOM_LEN); 79 80 /* 81 * RFC 4851, Section 5.1: 82 * master_secret = T-PRF(PAC-Key, "PAC to master secret label hash", 83 * server_random + client_random, 48) 84 */ 85 os_memcpy(seed, server_random, TLS_RANDOM_LEN); 86 os_memcpy(seed + TLS_RANDOM_LEN, client_random, TLS_RANDOM_LEN); 87 sha1_t_prf(pac_key, EAP_FAST_PAC_KEY_LEN, 88 "PAC to master secret label hash", 89 seed, sizeof(seed), master_secret, TLS_MASTER_SECRET_LEN); 90 91 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: master_secret", 92 master_secret, TLS_MASTER_SECRET_LEN); 93} 94 95 96u8 * eap_fast_derive_key(void *ssl_ctx, struct tls_connection *conn, 97 const char *label, size_t len) 98{ 99 u8 *out; 100 101 out = os_malloc(len); 102 if (out == NULL) 103 return NULL; 104 105 if (tls_connection_prf(ssl_ctx, conn, label, 1, 1, out, len)) { 106 os_free(out); 107 return NULL; 108 } 109 110 return out; 111} 112 113 114int eap_fast_derive_eap_msk(const u8 *simck, u8 *msk) 115{ 116 /* 117 * RFC 4851, Section 5.4: EAP Master Session Key Generation 118 * MSK = T-PRF(S-IMCK[j], "Session Key Generating Function", 64) 119 */ 120 121 if (sha1_t_prf(simck, EAP_FAST_SIMCK_LEN, 122 "Session Key Generating Function", (u8 *) "", 0, 123 msk, EAP_FAST_KEY_LEN) < 0) 124 return -1; 125 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (MSK)", 126 msk, EAP_FAST_KEY_LEN); 127 return 0; 128} 129 130 131int eap_fast_derive_eap_emsk(const u8 *simck, u8 *emsk) 132{ 133 /* 134 * RFC 4851, Section 5.4: EAP Master Session Key Genreration 135 * EMSK = T-PRF(S-IMCK[j], 136 * "Extended Session Key Generating Function", 64) 137 */ 138 139 if (sha1_t_prf(simck, EAP_FAST_SIMCK_LEN, 140 "Extended Session Key Generating Function", (u8 *) "", 0, 141 emsk, EAP_EMSK_LEN) < 0) 142 return -1; 143 wpa_hexdump_key(MSG_DEBUG, "EAP-FAST: Derived key (EMSK)", 144 emsk, EAP_EMSK_LEN); 145 return 0; 146} 147 148 149int eap_fast_parse_tlv(struct eap_fast_tlv_parse *tlv, 150 int tlv_type, u8 *pos, size_t len) 151{ 152 switch (tlv_type) { 153 case EAP_TLV_EAP_PAYLOAD_TLV: 154 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: EAP-Payload TLV", 155 pos, len); 156 if (tlv->eap_payload_tlv) { 157 wpa_printf(MSG_DEBUG, "EAP-FAST: More than one " 158 "EAP-Payload TLV in the message"); 159 tlv->iresult = EAP_TLV_RESULT_FAILURE; 160 return -2; 161 } 162 tlv->eap_payload_tlv = pos; 163 tlv->eap_payload_tlv_len = len; 164 break; 165 case EAP_TLV_RESULT_TLV: 166 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Result TLV", pos, len); 167 if (tlv->result) { 168 wpa_printf(MSG_DEBUG, "EAP-FAST: More than one " 169 "Result TLV in the message"); 170 tlv->result = EAP_TLV_RESULT_FAILURE; 171 return -2; 172 } 173 if (len < 2) { 174 wpa_printf(MSG_DEBUG, "EAP-FAST: Too short " 175 "Result TLV"); 176 tlv->result = EAP_TLV_RESULT_FAILURE; 177 break; 178 } 179 tlv->result = WPA_GET_BE16(pos); 180 if (tlv->result != EAP_TLV_RESULT_SUCCESS && 181 tlv->result != EAP_TLV_RESULT_FAILURE) { 182 wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Result %d", 183 tlv->result); 184 tlv->result = EAP_TLV_RESULT_FAILURE; 185 } 186 wpa_printf(MSG_DEBUG, "EAP-FAST: Result: %s", 187 tlv->result == EAP_TLV_RESULT_SUCCESS ? 188 "Success" : "Failure"); 189 break; 190 case EAP_TLV_INTERMEDIATE_RESULT_TLV: 191 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Intermediate Result TLV", 192 pos, len); 193 if (len < 2) { 194 wpa_printf(MSG_DEBUG, "EAP-FAST: Too short " 195 "Intermediate-Result TLV"); 196 tlv->iresult = EAP_TLV_RESULT_FAILURE; 197 break; 198 } 199 if (tlv->iresult) { 200 wpa_printf(MSG_DEBUG, "EAP-FAST: More than one " 201 "Intermediate-Result TLV in the message"); 202 tlv->iresult = EAP_TLV_RESULT_FAILURE; 203 return -2; 204 } 205 tlv->iresult = WPA_GET_BE16(pos); 206 if (tlv->iresult != EAP_TLV_RESULT_SUCCESS && 207 tlv->iresult != EAP_TLV_RESULT_FAILURE) { 208 wpa_printf(MSG_DEBUG, "EAP-FAST: Unknown Intermediate " 209 "Result %d", tlv->iresult); 210 tlv->iresult = EAP_TLV_RESULT_FAILURE; 211 } 212 wpa_printf(MSG_DEBUG, "EAP-FAST: Intermediate Result: %s", 213 tlv->iresult == EAP_TLV_RESULT_SUCCESS ? 214 "Success" : "Failure"); 215 break; 216 case EAP_TLV_CRYPTO_BINDING_TLV: 217 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Crypto-Binding TLV", 218 pos, len); 219 if (tlv->crypto_binding) { 220 wpa_printf(MSG_DEBUG, "EAP-FAST: More than one " 221 "Crypto-Binding TLV in the message"); 222 tlv->iresult = EAP_TLV_RESULT_FAILURE; 223 return -2; 224 } 225 tlv->crypto_binding_len = sizeof(struct eap_tlv_hdr) + len; 226 if (tlv->crypto_binding_len < sizeof(*tlv->crypto_binding)) { 227 wpa_printf(MSG_DEBUG, "EAP-FAST: Too short " 228 "Crypto-Binding TLV"); 229 tlv->iresult = EAP_TLV_RESULT_FAILURE; 230 return -2; 231 } 232 tlv->crypto_binding = (struct eap_tlv_crypto_binding_tlv *) 233 (pos - sizeof(struct eap_tlv_hdr)); 234 break; 235 case EAP_TLV_REQUEST_ACTION_TLV: 236 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: Request-Action TLV", 237 pos, len); 238 if (tlv->request_action) { 239 wpa_printf(MSG_DEBUG, "EAP-FAST: More than one " 240 "Request-Action TLV in the message"); 241 tlv->iresult = EAP_TLV_RESULT_FAILURE; 242 return -2; 243 } 244 if (len < 2) { 245 wpa_printf(MSG_DEBUG, "EAP-FAST: Too short " 246 "Request-Action TLV"); 247 tlv->iresult = EAP_TLV_RESULT_FAILURE; 248 break; 249 } 250 tlv->request_action = WPA_GET_BE16(pos); 251 wpa_printf(MSG_DEBUG, "EAP-FAST: Request-Action: %d", 252 tlv->request_action); 253 break; 254 case EAP_TLV_PAC_TLV: 255 wpa_hexdump(MSG_MSGDUMP, "EAP-FAST: PAC TLV", pos, len); 256 if (tlv->pac) { 257 wpa_printf(MSG_DEBUG, "EAP-FAST: More than one " 258 "PAC TLV in the message"); 259 tlv->iresult = EAP_TLV_RESULT_FAILURE; 260 return -2; 261 } 262 tlv->pac = pos; 263 tlv->pac_len = len; 264 break; 265 default: 266 /* Unknown TLV */ 267 return -1; 268 } 269 270 return 0; 271} 272