1 /*
2  * EAP server/peer: EAP-SAKE shared routines
3  * Copyright (c) 2006-2019, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "wpabuf.h"
13 #include "crypto/sha1.h"
14 #include "eap_defs.h"
15 #include "eap_sake_common.h"
16 
17 
eap_sake_parse_add_attr(struct eap_sake_parse_attr * attr,u8 attr_id,u8 len,const u8 * data)18 static int eap_sake_parse_add_attr(struct eap_sake_parse_attr *attr,
19 				   u8 attr_id, u8 len, const u8 *data)
20 {
21 	size_t i;
22 
23 	switch (attr_id) {
24 	case EAP_SAKE_AT_RAND_S:
25 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_S");
26 		if (len != EAP_SAKE_RAND_LEN) {
27 			wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_S with "
28 				   "invalid payload length %d", len);
29 			return -1;
30 		}
31 		attr->rand_s = data;
32 		break;
33 	case EAP_SAKE_AT_RAND_P:
34 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_RAND_P");
35 		if (len != EAP_SAKE_RAND_LEN) {
36 			wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_RAND_P with "
37 				   "invalid payload length %d", len);
38 			return -1;
39 		}
40 		attr->rand_p = data;
41 		break;
42 	case EAP_SAKE_AT_MIC_S:
43 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_S");
44 		if (len != EAP_SAKE_MIC_LEN) {
45 			wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_S with "
46 				   "invalid payload length %d", len);
47 			return -1;
48 		}
49 		attr->mic_s = data;
50 		break;
51 	case EAP_SAKE_AT_MIC_P:
52 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MIC_P");
53 		if (len != EAP_SAKE_MIC_LEN) {
54 			wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_MIC_P with "
55 				   "invalid payload length %d", len);
56 			return -1;
57 		}
58 		attr->mic_p = data;
59 		break;
60 	case EAP_SAKE_AT_SERVERID:
61 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SERVERID");
62 		attr->serverid = data;
63 		attr->serverid_len = len;
64 		break;
65 	case EAP_SAKE_AT_PEERID:
66 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PEERID");
67 		attr->peerid = data;
68 		attr->peerid_len = len;
69 		break;
70 	case EAP_SAKE_AT_SPI_S:
71 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_S");
72 		attr->spi_s = data;
73 		attr->spi_s_len = len;
74 		break;
75 	case EAP_SAKE_AT_SPI_P:
76 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_SPI_P");
77 		attr->spi_p = data;
78 		attr->spi_p_len = len;
79 		break;
80 	case EAP_SAKE_AT_ANY_ID_REQ:
81 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ANY_ID_REQ");
82 		if (len != 2) {
83 			wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid AT_ANY_ID_REQ"
84 				   " payload length %d", len);
85 			return -1;
86 		}
87 		attr->any_id_req = data;
88 		break;
89 	case EAP_SAKE_AT_PERM_ID_REQ:
90 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PERM_ID_REQ");
91 		if (len != 2) {
92 			wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
93 				   "AT_PERM_ID_REQ payload length %d", len);
94 			return -1;
95 		}
96 		attr->perm_id_req = data;
97 		break;
98 	case EAP_SAKE_AT_ENCR_DATA:
99 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_ENCR_DATA");
100 		attr->encr_data = data;
101 		attr->encr_data_len = len;
102 		break;
103 	case EAP_SAKE_AT_IV:
104 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_IV");
105 		attr->iv = data;
106 		attr->iv_len = len;
107 		break;
108 	case EAP_SAKE_AT_PADDING:
109 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_PADDING");
110 		for (i = 0; i < len; i++) {
111 			if (data[i]) {
112 				wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_PADDING "
113 					   "with non-zero pad byte");
114 				return -1;
115 			}
116 		}
117 		break;
118 	case EAP_SAKE_AT_NEXT_TMPID:
119 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_NEXT_TMPID");
120 		attr->next_tmpid = data;
121 		attr->next_tmpid_len = len;
122 		break;
123 	case EAP_SAKE_AT_MSK_LIFE:
124 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Parse: AT_MSK_LIFE");
125 		if (len != 4) {
126 			wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid "
127 				   "AT_MSK_LIFE payload length %d", len);
128 			return -1;
129 		}
130 		attr->msk_life = data;
131 		break;
132 	default:
133 		if (attr_id < 128) {
134 			wpa_printf(MSG_DEBUG, "EAP-SAKE: Unknown non-skippable"
135 				   " attribute %d", attr_id);
136 			return -1;
137 		}
138 		wpa_printf(MSG_DEBUG, "EAP-SAKE: Ignoring unknown skippable "
139 			   "attribute %d", attr_id);
140 		break;
141 	}
142 
143 	if (attr->iv && !attr->encr_data) {
144 		wpa_printf(MSG_DEBUG, "EAP-SAKE: AT_IV included without "
145 			   "AT_ENCR_DATA");
146 		return -1;
147 	}
148 
149 	return 0;
150 }
151 
152 
153 /**
154  * eap_sake_parse_attributes - Parse EAP-SAKE attributes
155  * @buf: Packet payload (starting with the first attribute)
156  * @len: Payload length
157  * @attr: Structure to be filled with found attributes
158  * Returns: 0 on success or -1 on failure
159  */
eap_sake_parse_attributes(const u8 * buf,size_t len,struct eap_sake_parse_attr * attr)160 int eap_sake_parse_attributes(const u8 *buf, size_t len,
161 			      struct eap_sake_parse_attr *attr)
162 {
163 	const u8 *pos = buf, *end = buf + len;
164 
165 	os_memset(attr, 0, sizeof(*attr));
166 	while (pos < end) {
167 		if (end - pos < 2) {
168 			wpa_printf(MSG_DEBUG, "EAP-SAKE: Too short attribute");
169 			return -1;
170 		}
171 
172 		if (pos[1] < 2) {
173 			wpa_printf(MSG_DEBUG, "EAP-SAKE: Invalid attribute "
174 				   "length (%d)", pos[1]);
175 			return -1;
176 		}
177 
178 		if (pos + pos[1] > end) {
179 			wpa_printf(MSG_DEBUG, "EAP-SAKE: Attribute underflow");
180 			return -1;
181 		}
182 
183 		if (eap_sake_parse_add_attr(attr, pos[0], pos[1] - 2, pos + 2))
184 			return -1;
185 
186 		pos += pos[1];
187 	}
188 
189 	return 0;
190 }
191 
192 
193 /**
194  * eap_sake_kdf - EAP-SAKE Key Derivation Function (KDF)
195  * @key: Key for KDF
196  * @key_len: Length of the key in bytes
197  * @label: A unique label for each purpose of the KDF
198  * @data: Extra data (start) to bind into the key
199  * @data_len: Length of the data
200  * @data2: Extra data (end) to bind into the key
201  * @data2_len: Length of the data2
202  * @buf: Buffer for the generated pseudo-random key
203  * @buf_len: Number of bytes of key to generate
204  * Returns: 0 on success or -1 on failure
205  *
206  * This function is used to derive new, cryptographically separate keys from a
207  * given key (e.g., SMS). This is identical to the PRF used in IEEE 802.11i.
208  */
eap_sake_kdf(const u8 * key,size_t key_len,const char * label,const u8 * data,size_t data_len,const u8 * data2,size_t data2_len,u8 * buf,size_t buf_len)209 static int eap_sake_kdf(const u8 *key, size_t key_len, const char *label,
210 			const u8 *data, size_t data_len,
211 			const u8 *data2, size_t data2_len,
212 			u8 *buf, size_t buf_len)
213 {
214 	u8 counter = 0;
215 	size_t pos, plen;
216 	u8 hash[SHA1_MAC_LEN];
217 	size_t label_len = os_strlen(label) + 1;
218 	const unsigned char *addr[4];
219 	size_t len[4];
220 
221 	addr[0] = (u8 *) label; /* Label | Y */
222 	len[0] = label_len;
223 	addr[1] = data; /* Msg[start] */
224 	len[1] = data_len;
225 	addr[2] = data2; /* Msg[end] */
226 	len[2] = data2_len;
227 	addr[3] = &counter; /* Length */
228 	len[3] = 1;
229 
230 	pos = 0;
231 	while (pos < buf_len) {
232 		plen = buf_len - pos;
233 		if (plen >= SHA1_MAC_LEN) {
234 			if (hmac_sha1_vector(key, key_len, 4, addr, len,
235 					     &buf[pos]) < 0)
236 				return -1;
237 			pos += SHA1_MAC_LEN;
238 		} else {
239 			if (hmac_sha1_vector(key, key_len, 4, addr, len,
240 					     hash) < 0)
241 				return -1;
242 			os_memcpy(&buf[pos], hash, plen);
243 			break;
244 		}
245 		counter++;
246 	}
247 
248 	return 0;
249 }
250 
251 
252 /**
253  * eap_sake_derive_keys - Derive EAP-SAKE keys
254  * @root_secret_a: 16-byte Root-Secret-A
255  * @root_secret_b: 16-byte Root-Secret-B
256  * @rand_s: 16-byte RAND_S
257  * @rand_p: 16-byte RAND_P
258  * @tek: Buffer for Temporary EAK Keys (TEK-Auth[16] | TEK-Cipher[16])
259  * @msk: Buffer for 64-byte MSK
260  * @emsk: Buffer for 64-byte EMSK
261  * Returns: 0 on success or -1 on failure
262  *
263  * This function derives EAP-SAKE keys as defined in RFC 4763, section 3.2.6.
264  */
eap_sake_derive_keys(const u8 * root_secret_a,const u8 * root_secret_b,const u8 * rand_s,const u8 * rand_p,u8 * tek,u8 * msk,u8 * emsk)265 int eap_sake_derive_keys(const u8 *root_secret_a, const u8 *root_secret_b,
266 			 const u8 *rand_s, const u8 *rand_p, u8 *tek, u8 *msk,
267 			 u8 *emsk)
268 {
269 	u8 sms_a[EAP_SAKE_SMS_LEN];
270 	u8 sms_b[EAP_SAKE_SMS_LEN];
271 	u8 key_buf[EAP_MSK_LEN + EAP_EMSK_LEN];
272 
273 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Deriving keys");
274 
275 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-A",
276 			root_secret_a, EAP_SAKE_ROOT_SECRET_LEN);
277 	if (eap_sake_kdf(root_secret_a, EAP_SAKE_ROOT_SECRET_LEN,
278 			 "SAKE Master Secret A",
279 			 rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
280 			 sms_a, EAP_SAKE_SMS_LEN) < 0)
281 		return -1;
282 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-A", sms_a, EAP_SAKE_SMS_LEN);
283 	if (eap_sake_kdf(sms_a, EAP_SAKE_SMS_LEN, "Transient EAP Key",
284 			 rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
285 			 tek, EAP_SAKE_TEK_LEN) < 0)
286 		return -1;
287 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Auth",
288 			tek, EAP_SAKE_TEK_AUTH_LEN);
289 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: TEK-Cipher",
290 			tek + EAP_SAKE_TEK_AUTH_LEN, EAP_SAKE_TEK_CIPHER_LEN);
291 
292 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: Root-Secret-B",
293 			root_secret_b, EAP_SAKE_ROOT_SECRET_LEN);
294 	if (eap_sake_kdf(root_secret_b, EAP_SAKE_ROOT_SECRET_LEN,
295 			 "SAKE Master Secret B",
296 			 rand_p, EAP_SAKE_RAND_LEN, rand_s, EAP_SAKE_RAND_LEN,
297 			 sms_b, EAP_SAKE_SMS_LEN) < 0)
298 		return -1;
299 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: SMS-B", sms_b, EAP_SAKE_SMS_LEN);
300 	if (eap_sake_kdf(sms_b, EAP_SAKE_SMS_LEN, "Master Session Key",
301 			 rand_s, EAP_SAKE_RAND_LEN, rand_p, EAP_SAKE_RAND_LEN,
302 			 key_buf, sizeof(key_buf)) < 0)
303 		return -1;
304 	os_memcpy(msk, key_buf, EAP_MSK_LEN);
305 	os_memcpy(emsk, key_buf + EAP_MSK_LEN, EAP_EMSK_LEN);
306 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: MSK", msk, EAP_MSK_LEN);
307 	wpa_hexdump_key(MSG_DEBUG, "EAP-SAKE: EMSK", emsk, EAP_EMSK_LEN);
308 	return 0;
309 }
310 
311 
312 /**
313  * eap_sake_compute_mic - Compute EAP-SAKE MIC for an EAP packet
314  * @tek_auth: 16-byte TEK-Auth
315  * @rand_s: 16-byte RAND_S
316  * @rand_p: 16-byte RAND_P
317  * @serverid: SERVERID
318  * @serverid_len: SERVERID length
319  * @peerid: PEERID
320  * @peerid_len: PEERID length
321  * @peer: MIC calculation for 0 = Server, 1 = Peer message
322  * @eap: EAP packet
323  * @eap_len: EAP packet length
324  * @mic_pos: MIC position in the EAP packet (must be [eap .. eap + eap_len])
325  * @mic: Buffer for the computed 16-byte MIC
326  * Returns: 0 on success or -1 on failure
327  */
eap_sake_compute_mic(const u8 * tek_auth,const u8 * rand_s,const u8 * rand_p,const u8 * serverid,size_t serverid_len,const u8 * peerid,size_t peerid_len,int peer,const u8 * eap,size_t eap_len,const u8 * mic_pos,u8 * mic)328 int eap_sake_compute_mic(const u8 *tek_auth,
329 			 const u8 *rand_s, const u8 *rand_p,
330 			 const u8 *serverid, size_t serverid_len,
331 			 const u8 *peerid, size_t peerid_len,
332 			 int peer, const u8 *eap, size_t eap_len,
333 			 const u8 *mic_pos, u8 *mic)
334 {
335 	u8 _rand[2 * EAP_SAKE_RAND_LEN];
336 	u8 *tmp, *pos;
337 	size_t tmplen;
338 	int ret;
339 
340 	tmplen = serverid_len + 1 + peerid_len + 1 + eap_len;
341 	tmp = os_malloc(tmplen);
342 	if (tmp == NULL)
343 		return -1;
344 	pos = tmp;
345 	if (peer) {
346 		if (peerid) {
347 			os_memcpy(pos, peerid, peerid_len);
348 			pos += peerid_len;
349 		}
350 		*pos++ = 0x00;
351 		if (serverid) {
352 			os_memcpy(pos, serverid, serverid_len);
353 			pos += serverid_len;
354 		}
355 		*pos++ = 0x00;
356 
357 		os_memcpy(_rand, rand_s, EAP_SAKE_RAND_LEN);
358 		os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_p,
359 			  EAP_SAKE_RAND_LEN);
360 	} else {
361 		if (serverid) {
362 			os_memcpy(pos, serverid, serverid_len);
363 			pos += serverid_len;
364 		}
365 		*pos++ = 0x00;
366 		if (peerid) {
367 			os_memcpy(pos, peerid, peerid_len);
368 			pos += peerid_len;
369 		}
370 		*pos++ = 0x00;
371 
372 		os_memcpy(_rand, rand_p, EAP_SAKE_RAND_LEN);
373 		os_memcpy(_rand + EAP_SAKE_RAND_LEN, rand_s,
374 			  EAP_SAKE_RAND_LEN);
375 	}
376 
377 	os_memcpy(pos, eap, eap_len);
378 	os_memset(pos + (mic_pos - eap), 0, EAP_SAKE_MIC_LEN);
379 
380 	ret = eap_sake_kdf(tek_auth, EAP_SAKE_TEK_AUTH_LEN,
381 			   peer ? "Peer MIC" : "Server MIC",
382 			   _rand, 2 * EAP_SAKE_RAND_LEN, tmp, tmplen,
383 			   mic, EAP_SAKE_MIC_LEN);
384 
385 	os_free(tmp);
386 
387 	return ret;
388 }
389 
390 
eap_sake_add_attr(struct wpabuf * buf,u8 type,const u8 * data,size_t len)391 void eap_sake_add_attr(struct wpabuf *buf, u8 type, const u8 *data,
392 		       size_t len)
393 {
394 	wpabuf_put_u8(buf, type);
395 	wpabuf_put_u8(buf, 2 + len); /* Length; including attr header */
396 	if (data)
397 		wpabuf_put_data(buf, data, len);
398 	else
399 		os_memset(wpabuf_put(buf, len), 0, len);
400 }
401