13ff40c12SJohn Marino /*
23ff40c12SJohn Marino * EAP server/peer: EAP-pwd shared routines
33ff40c12SJohn Marino * Copyright (c) 2010, Dan Harkins <dharkins@lounge.org>
43ff40c12SJohn Marino *
53ff40c12SJohn Marino * This software may be distributed under the terms of the BSD license.
63ff40c12SJohn Marino * See README for more details.
73ff40c12SJohn Marino */
83ff40c12SJohn Marino
93ff40c12SJohn Marino #include "includes.h"
103ff40c12SJohn Marino #include "common.h"
11*a1157835SDaniel Fojt #include "utils/const_time.h"
12*a1157835SDaniel Fojt #include "common/dragonfly.h"
133ff40c12SJohn Marino #include "crypto/sha256.h"
143ff40c12SJohn Marino #include "crypto/crypto.h"
153ff40c12SJohn Marino #include "eap_defs.h"
163ff40c12SJohn Marino #include "eap_pwd_common.h"
173ff40c12SJohn Marino
18*a1157835SDaniel Fojt #define MAX_ECC_PRIME_LEN 66
19*a1157835SDaniel Fojt
20*a1157835SDaniel Fojt
213ff40c12SJohn Marino /* The random function H(x) = HMAC-SHA256(0^32, x) */
eap_pwd_h_init(void)223ff40c12SJohn Marino struct crypto_hash * eap_pwd_h_init(void)
233ff40c12SJohn Marino {
243ff40c12SJohn Marino u8 allzero[SHA256_MAC_LEN];
253ff40c12SJohn Marino os_memset(allzero, 0, SHA256_MAC_LEN);
263ff40c12SJohn Marino return crypto_hash_init(CRYPTO_HASH_ALG_HMAC_SHA256, allzero,
273ff40c12SJohn Marino SHA256_MAC_LEN);
283ff40c12SJohn Marino }
293ff40c12SJohn Marino
303ff40c12SJohn Marino
eap_pwd_h_update(struct crypto_hash * hash,const u8 * data,size_t len)313ff40c12SJohn Marino void eap_pwd_h_update(struct crypto_hash *hash, const u8 *data, size_t len)
323ff40c12SJohn Marino {
333ff40c12SJohn Marino crypto_hash_update(hash, data, len);
343ff40c12SJohn Marino }
353ff40c12SJohn Marino
363ff40c12SJohn Marino
eap_pwd_h_final(struct crypto_hash * hash,u8 * digest)373ff40c12SJohn Marino void eap_pwd_h_final(struct crypto_hash *hash, u8 *digest)
383ff40c12SJohn Marino {
393ff40c12SJohn Marino size_t len = SHA256_MAC_LEN;
403ff40c12SJohn Marino crypto_hash_finish(hash, digest, &len);
413ff40c12SJohn Marino }
423ff40c12SJohn Marino
433ff40c12SJohn Marino
443ff40c12SJohn Marino /* a counter-based KDF based on NIST SP800-108 */
eap_pwd_kdf(const u8 * key,size_t keylen,const u8 * label,size_t labellen,u8 * result,size_t resultbitlen)453ff40c12SJohn Marino static int eap_pwd_kdf(const u8 *key, size_t keylen, const u8 *label,
463ff40c12SJohn Marino size_t labellen, u8 *result, size_t resultbitlen)
473ff40c12SJohn Marino {
483ff40c12SJohn Marino struct crypto_hash *hash;
493ff40c12SJohn Marino u8 digest[SHA256_MAC_LEN];
503ff40c12SJohn Marino u16 i, ctr, L;
513ff40c12SJohn Marino size_t resultbytelen, len = 0, mdlen;
523ff40c12SJohn Marino
533ff40c12SJohn Marino resultbytelen = (resultbitlen + 7) / 8;
543ff40c12SJohn Marino ctr = 0;
553ff40c12SJohn Marino L = htons(resultbitlen);
563ff40c12SJohn Marino while (len < resultbytelen) {
573ff40c12SJohn Marino ctr++;
583ff40c12SJohn Marino i = htons(ctr);
593ff40c12SJohn Marino hash = crypto_hash_init(CRYPTO_HASH_ALG_HMAC_SHA256,
603ff40c12SJohn Marino key, keylen);
613ff40c12SJohn Marino if (hash == NULL)
623ff40c12SJohn Marino return -1;
633ff40c12SJohn Marino if (ctr > 1)
643ff40c12SJohn Marino crypto_hash_update(hash, digest, SHA256_MAC_LEN);
653ff40c12SJohn Marino crypto_hash_update(hash, (u8 *) &i, sizeof(u16));
663ff40c12SJohn Marino crypto_hash_update(hash, label, labellen);
673ff40c12SJohn Marino crypto_hash_update(hash, (u8 *) &L, sizeof(u16));
683ff40c12SJohn Marino mdlen = SHA256_MAC_LEN;
693ff40c12SJohn Marino if (crypto_hash_finish(hash, digest, &mdlen) < 0)
703ff40c12SJohn Marino return -1;
713ff40c12SJohn Marino if ((len + mdlen) > resultbytelen)
723ff40c12SJohn Marino os_memcpy(result + len, digest, resultbytelen - len);
733ff40c12SJohn Marino else
743ff40c12SJohn Marino os_memcpy(result + len, digest, mdlen);
753ff40c12SJohn Marino len += mdlen;
763ff40c12SJohn Marino }
773ff40c12SJohn Marino
783ff40c12SJohn Marino /* since we're expanding to a bit length, mask off the excess */
793ff40c12SJohn Marino if (resultbitlen % 8) {
803ff40c12SJohn Marino u8 mask = 0xff;
813ff40c12SJohn Marino mask <<= (8 - (resultbitlen % 8));
823ff40c12SJohn Marino result[resultbytelen - 1] &= mask;
833ff40c12SJohn Marino }
843ff40c12SJohn Marino
853ff40c12SJohn Marino return 0;
863ff40c12SJohn Marino }
873ff40c12SJohn Marino
883ff40c12SJohn Marino
get_eap_pwd_group(u16 num)89*a1157835SDaniel Fojt EAP_PWD_group * get_eap_pwd_group(u16 num)
90*a1157835SDaniel Fojt {
91*a1157835SDaniel Fojt EAP_PWD_group *grp;
92*a1157835SDaniel Fojt
93*a1157835SDaniel Fojt if (!dragonfly_suitable_group(num, 1)) {
94*a1157835SDaniel Fojt wpa_printf(MSG_INFO, "EAP-pwd: unsuitable group %u", num);
95*a1157835SDaniel Fojt return NULL;
96*a1157835SDaniel Fojt }
97*a1157835SDaniel Fojt grp = os_zalloc(sizeof(EAP_PWD_group));
98*a1157835SDaniel Fojt if (!grp)
99*a1157835SDaniel Fojt return NULL;
100*a1157835SDaniel Fojt grp->group = crypto_ec_init(num);
101*a1157835SDaniel Fojt if (!grp->group) {
102*a1157835SDaniel Fojt wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC group");
103*a1157835SDaniel Fojt os_free(grp);
104*a1157835SDaniel Fojt return NULL;
105*a1157835SDaniel Fojt }
106*a1157835SDaniel Fojt
107*a1157835SDaniel Fojt grp->group_num = num;
108*a1157835SDaniel Fojt wpa_printf(MSG_INFO, "EAP-pwd: provisioned group %d", num);
109*a1157835SDaniel Fojt
110*a1157835SDaniel Fojt return grp;
111*a1157835SDaniel Fojt }
112*a1157835SDaniel Fojt
113*a1157835SDaniel Fojt
1143ff40c12SJohn Marino /*
1153ff40c12SJohn Marino * compute a "random" secret point on an elliptic curve based
1163ff40c12SJohn Marino * on the password and identities.
1173ff40c12SJohn Marino */
compute_password_element(EAP_PWD_group * grp,u16 num,const u8 * password,size_t password_len,const u8 * id_server,size_t id_server_len,const u8 * id_peer,size_t id_peer_len,const u8 * token)1183ff40c12SJohn Marino int compute_password_element(EAP_PWD_group *grp, u16 num,
119*a1157835SDaniel Fojt const u8 *password, size_t password_len,
120*a1157835SDaniel Fojt const u8 *id_server, size_t id_server_len,
121*a1157835SDaniel Fojt const u8 *id_peer, size_t id_peer_len,
122*a1157835SDaniel Fojt const u8 *token)
1233ff40c12SJohn Marino {
124*a1157835SDaniel Fojt struct crypto_bignum *qr = NULL, *qnr = NULL;
125*a1157835SDaniel Fojt u8 qr_bin[MAX_ECC_PRIME_LEN];
126*a1157835SDaniel Fojt u8 qnr_bin[MAX_ECC_PRIME_LEN];
127*a1157835SDaniel Fojt u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
128*a1157835SDaniel Fojt u8 x_bin[MAX_ECC_PRIME_LEN];
129*a1157835SDaniel Fojt u8 prime_bin[MAX_ECC_PRIME_LEN];
130*a1157835SDaniel Fojt struct crypto_bignum *tmp2 = NULL;
1313ff40c12SJohn Marino struct crypto_hash *hash;
1323ff40c12SJohn Marino unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
133*a1157835SDaniel Fojt int ret = 0, res;
134*a1157835SDaniel Fojt u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
135*a1157835SDaniel Fojt * mask */
136*a1157835SDaniel Fojt size_t primebytelen = 0, primebitlen;
137*a1157835SDaniel Fojt struct crypto_bignum *x_candidate = NULL;
138*a1157835SDaniel Fojt const struct crypto_bignum *prime;
139*a1157835SDaniel Fojt u8 found_ctr = 0, is_odd = 0;
140*a1157835SDaniel Fojt int cmp_prime;
141*a1157835SDaniel Fojt unsigned int in_range;
1423ff40c12SJohn Marino
143*a1157835SDaniel Fojt if (grp->pwe)
1443ff40c12SJohn Marino return -1;
1453ff40c12SJohn Marino
146*a1157835SDaniel Fojt os_memset(x_bin, 0, sizeof(x_bin));
1473ff40c12SJohn Marino
148*a1157835SDaniel Fojt prime = crypto_ec_get_prime(grp->group);
149*a1157835SDaniel Fojt primebitlen = crypto_ec_prime_len_bits(grp->group);
150*a1157835SDaniel Fojt primebytelen = crypto_ec_prime_len(grp->group);
151*a1157835SDaniel Fojt if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
152*a1157835SDaniel Fojt primebytelen) < 0)
153*a1157835SDaniel Fojt return -1;
154*a1157835SDaniel Fojt grp->pwe = crypto_ec_point_init(grp->group);
155*a1157835SDaniel Fojt if (!grp->pwe) {
1563ff40c12SJohn Marino wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
1573ff40c12SJohn Marino goto fail;
1583ff40c12SJohn Marino }
1593ff40c12SJohn Marino
1603ff40c12SJohn Marino if ((prfbuf = os_malloc(primebytelen)) == NULL) {
1613ff40c12SJohn Marino wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
1623ff40c12SJohn Marino "buffer");
1633ff40c12SJohn Marino goto fail;
1643ff40c12SJohn Marino }
165*a1157835SDaniel Fojt
166*a1157835SDaniel Fojt /* get a random quadratic residue and nonresidue */
167*a1157835SDaniel Fojt if (dragonfly_get_random_qr_qnr(prime, &qr, &qnr) < 0 ||
168*a1157835SDaniel Fojt crypto_bignum_to_bin(qr, qr_bin, sizeof(qr_bin),
169*a1157835SDaniel Fojt primebytelen) < 0 ||
170*a1157835SDaniel Fojt crypto_bignum_to_bin(qnr, qnr_bin, sizeof(qnr_bin),
171*a1157835SDaniel Fojt primebytelen) < 0)
172*a1157835SDaniel Fojt goto fail;
173*a1157835SDaniel Fojt
1743ff40c12SJohn Marino os_memset(prfbuf, 0, primebytelen);
1753ff40c12SJohn Marino ctr = 0;
176*a1157835SDaniel Fojt
177*a1157835SDaniel Fojt /*
178*a1157835SDaniel Fojt * Run through the hunting-and-pecking loop 40 times to mask the time
179*a1157835SDaniel Fojt * necessary to find PWE. The odds of PWE not being found in 40 loops is
180*a1157835SDaniel Fojt * roughly 1 in 1 trillion.
181*a1157835SDaniel Fojt */
182*a1157835SDaniel Fojt while (ctr < 40) {
1833ff40c12SJohn Marino ctr++;
1843ff40c12SJohn Marino
1853ff40c12SJohn Marino /*
1863ff40c12SJohn Marino * compute counter-mode password value and stretch to prime
1873ff40c12SJohn Marino * pwd-seed = H(token | peer-id | server-id | password |
1883ff40c12SJohn Marino * counter)
1893ff40c12SJohn Marino */
1903ff40c12SJohn Marino hash = eap_pwd_h_init();
1913ff40c12SJohn Marino if (hash == NULL)
1923ff40c12SJohn Marino goto fail;
1933ff40c12SJohn Marino eap_pwd_h_update(hash, token, sizeof(u32));
1943ff40c12SJohn Marino eap_pwd_h_update(hash, id_peer, id_peer_len);
1953ff40c12SJohn Marino eap_pwd_h_update(hash, id_server, id_server_len);
1963ff40c12SJohn Marino eap_pwd_h_update(hash, password, password_len);
1973ff40c12SJohn Marino eap_pwd_h_update(hash, &ctr, sizeof(ctr));
1983ff40c12SJohn Marino eap_pwd_h_final(hash, pwe_digest);
1993ff40c12SJohn Marino
200*a1157835SDaniel Fojt is_odd = const_time_select_u8(
201*a1157835SDaniel Fojt found, is_odd, pwe_digest[SHA256_MAC_LEN - 1] & 0x01);
2023ff40c12SJohn Marino if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN,
2033ff40c12SJohn Marino (u8 *) "EAP-pwd Hunting And Pecking",
2043ff40c12SJohn Marino os_strlen("EAP-pwd Hunting And Pecking"),
2053ff40c12SJohn Marino prfbuf, primebitlen) < 0)
2063ff40c12SJohn Marino goto fail;
2073ff40c12SJohn Marino if (primebitlen % 8)
208*a1157835SDaniel Fojt buf_shift_right(prfbuf, primebytelen,
209*a1157835SDaniel Fojt 8 - primebitlen % 8);
210*a1157835SDaniel Fojt cmp_prime = const_time_memcmp(prfbuf, prime_bin, primebytelen);
211*a1157835SDaniel Fojt /* Create a const_time mask for selection based on prf result
212*a1157835SDaniel Fojt * being smaller than prime. */
213*a1157835SDaniel Fojt in_range = const_time_fill_msb((unsigned int) cmp_prime);
214*a1157835SDaniel Fojt /* The algorithm description would skip the next steps if
215*a1157835SDaniel Fojt * cmp_prime >= 0, but go through them regardless to minimize
216*a1157835SDaniel Fojt * externally observable differences in behavior. */
2173ff40c12SJohn Marino
218*a1157835SDaniel Fojt crypto_bignum_deinit(x_candidate, 1);
219*a1157835SDaniel Fojt x_candidate = crypto_bignum_init_set(prfbuf, primebytelen);
220*a1157835SDaniel Fojt if (!x_candidate) {
221*a1157835SDaniel Fojt wpa_printf(MSG_INFO,
222*a1157835SDaniel Fojt "EAP-pwd: unable to create x_candidate");
223*a1157835SDaniel Fojt goto fail;
224*a1157835SDaniel Fojt }
2253ff40c12SJohn Marino
226*a1157835SDaniel Fojt wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate",
2273ff40c12SJohn Marino prfbuf, primebytelen);
228*a1157835SDaniel Fojt const_time_select_bin(found, x_bin, prfbuf, primebytelen,
229*a1157835SDaniel Fojt x_bin);
2303ff40c12SJohn Marino
2313ff40c12SJohn Marino /*
232*a1157835SDaniel Fojt * compute y^2 using the equation of the curve
233*a1157835SDaniel Fojt *
234*a1157835SDaniel Fojt * y^2 = x^3 + ax + b
2353ff40c12SJohn Marino */
236*a1157835SDaniel Fojt crypto_bignum_deinit(tmp2, 1);
237*a1157835SDaniel Fojt tmp2 = crypto_ec_point_compute_y_sqr(grp->group, x_candidate);
238*a1157835SDaniel Fojt if (!tmp2)
239*a1157835SDaniel Fojt goto fail;
240*a1157835SDaniel Fojt
241*a1157835SDaniel Fojt res = dragonfly_is_quadratic_residue_blind(grp->group, qr_bin,
242*a1157835SDaniel Fojt qnr_bin, tmp2);
243*a1157835SDaniel Fojt if (res < 0)
244*a1157835SDaniel Fojt goto fail;
245*a1157835SDaniel Fojt found_ctr = const_time_select_u8(found, found_ctr, ctr);
246*a1157835SDaniel Fojt /* found is 0 or 0xff here and res is 0 or 1. Bitwise OR of them
247*a1157835SDaniel Fojt * (with res converted to 0/0xff and masked with prf being below
248*a1157835SDaniel Fojt * prime) handles this in constant time.
249*a1157835SDaniel Fojt */
250*a1157835SDaniel Fojt found |= (res & in_range) * 0xff;
251*a1157835SDaniel Fojt }
252*a1157835SDaniel Fojt if (found == 0) {
253*a1157835SDaniel Fojt wpa_printf(MSG_INFO,
254*a1157835SDaniel Fojt "EAP-pwd: unable to find random point on curve for group %d, something's fishy",
255*a1157835SDaniel Fojt num);
256*a1157835SDaniel Fojt goto fail;
257*a1157835SDaniel Fojt }
2583ff40c12SJohn Marino
2593ff40c12SJohn Marino /*
260*a1157835SDaniel Fojt * We know x_candidate is a quadratic residue so set it here.
2613ff40c12SJohn Marino */
262*a1157835SDaniel Fojt crypto_bignum_deinit(x_candidate, 1);
263*a1157835SDaniel Fojt x_candidate = crypto_bignum_init_set(x_bin, primebytelen);
264*a1157835SDaniel Fojt if (!x_candidate ||
265*a1157835SDaniel Fojt crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate,
266*a1157835SDaniel Fojt is_odd) != 0) {
267*a1157835SDaniel Fojt wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
268*a1157835SDaniel Fojt goto fail;
269*a1157835SDaniel Fojt }
270*a1157835SDaniel Fojt
2713ff40c12SJohn Marino /*
272*a1157835SDaniel Fojt * If there's a solution to the equation then the point must be on the
273*a1157835SDaniel Fojt * curve so why check again explicitly? OpenSSL code says this is
274*a1157835SDaniel Fojt * required by X9.62. We're not X9.62 but it can't hurt just to be sure.
2753ff40c12SJohn Marino */
276*a1157835SDaniel Fojt if (!crypto_ec_point_is_on_curve(grp->group, grp->pwe)) {
2773ff40c12SJohn Marino wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve");
278*a1157835SDaniel Fojt goto fail;
2793ff40c12SJohn Marino }
2803ff40c12SJohn Marino
281*a1157835SDaniel Fojt wpa_printf(MSG_DEBUG, "EAP-pwd: found a PWE in %02d tries", found_ctr);
282*a1157835SDaniel Fojt
2833ff40c12SJohn Marino if (0) {
2843ff40c12SJohn Marino fail:
285*a1157835SDaniel Fojt crypto_ec_point_deinit(grp->pwe, 1);
2863ff40c12SJohn Marino grp->pwe = NULL;
2873ff40c12SJohn Marino ret = 1;
2883ff40c12SJohn Marino }
2893ff40c12SJohn Marino /* cleanliness and order.... */
290*a1157835SDaniel Fojt crypto_bignum_deinit(x_candidate, 1);
291*a1157835SDaniel Fojt crypto_bignum_deinit(tmp2, 1);
292*a1157835SDaniel Fojt crypto_bignum_deinit(qr, 1);
293*a1157835SDaniel Fojt crypto_bignum_deinit(qnr, 1);
294*a1157835SDaniel Fojt bin_clear_free(prfbuf, primebytelen);
295*a1157835SDaniel Fojt os_memset(qr_bin, 0, sizeof(qr_bin));
296*a1157835SDaniel Fojt os_memset(qnr_bin, 0, sizeof(qnr_bin));
297*a1157835SDaniel Fojt os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin));
298*a1157835SDaniel Fojt os_memset(pwe_digest, 0, sizeof(pwe_digest));
2993ff40c12SJohn Marino
3003ff40c12SJohn Marino return ret;
3013ff40c12SJohn Marino }
3023ff40c12SJohn Marino
3033ff40c12SJohn Marino
compute_keys(EAP_PWD_group * grp,const struct crypto_bignum * k,const struct crypto_bignum * peer_scalar,const struct crypto_bignum * server_scalar,const u8 * confirm_peer,const u8 * confirm_server,const u32 * ciphersuite,u8 * msk,u8 * emsk,u8 * session_id)304*a1157835SDaniel Fojt int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k,
305*a1157835SDaniel Fojt const struct crypto_bignum *peer_scalar,
306*a1157835SDaniel Fojt const struct crypto_bignum *server_scalar,
307*a1157835SDaniel Fojt const u8 *confirm_peer, const u8 *confirm_server,
308*a1157835SDaniel Fojt const u32 *ciphersuite, u8 *msk, u8 *emsk, u8 *session_id)
3093ff40c12SJohn Marino {
3103ff40c12SJohn Marino struct crypto_hash *hash;
3113ff40c12SJohn Marino u8 mk[SHA256_MAC_LEN], *cruft;
3123ff40c12SJohn Marino u8 msk_emsk[EAP_MSK_LEN + EAP_EMSK_LEN];
313*a1157835SDaniel Fojt size_t prime_len, order_len;
3143ff40c12SJohn Marino
315*a1157835SDaniel Fojt prime_len = crypto_ec_prime_len(grp->group);
316*a1157835SDaniel Fojt order_len = crypto_ec_order_len(grp->group);
317*a1157835SDaniel Fojt
318*a1157835SDaniel Fojt cruft = os_malloc(prime_len);
319*a1157835SDaniel Fojt if (!cruft)
3203ff40c12SJohn Marino return -1;
3213ff40c12SJohn Marino
3223ff40c12SJohn Marino /*
3233ff40c12SJohn Marino * first compute the session-id = TypeCode | H(ciphersuite | scal_p |
3243ff40c12SJohn Marino * scal_s)
3253ff40c12SJohn Marino */
3263ff40c12SJohn Marino session_id[0] = EAP_TYPE_PWD;
3273ff40c12SJohn Marino hash = eap_pwd_h_init();
3283ff40c12SJohn Marino if (hash == NULL) {
3293ff40c12SJohn Marino os_free(cruft);
3303ff40c12SJohn Marino return -1;
3313ff40c12SJohn Marino }
332*a1157835SDaniel Fojt eap_pwd_h_update(hash, (const u8 *) ciphersuite, sizeof(u32));
333*a1157835SDaniel Fojt crypto_bignum_to_bin(peer_scalar, cruft, order_len, order_len);
334*a1157835SDaniel Fojt eap_pwd_h_update(hash, cruft, order_len);
335*a1157835SDaniel Fojt crypto_bignum_to_bin(server_scalar, cruft, order_len, order_len);
336*a1157835SDaniel Fojt eap_pwd_h_update(hash, cruft, order_len);
3373ff40c12SJohn Marino eap_pwd_h_final(hash, &session_id[1]);
3383ff40c12SJohn Marino
3393ff40c12SJohn Marino /* then compute MK = H(k | confirm-peer | confirm-server) */
3403ff40c12SJohn Marino hash = eap_pwd_h_init();
3413ff40c12SJohn Marino if (hash == NULL) {
3423ff40c12SJohn Marino os_free(cruft);
3433ff40c12SJohn Marino return -1;
3443ff40c12SJohn Marino }
345*a1157835SDaniel Fojt crypto_bignum_to_bin(k, cruft, prime_len, prime_len);
346*a1157835SDaniel Fojt eap_pwd_h_update(hash, cruft, prime_len);
3473ff40c12SJohn Marino os_free(cruft);
3483ff40c12SJohn Marino eap_pwd_h_update(hash, confirm_peer, SHA256_MAC_LEN);
3493ff40c12SJohn Marino eap_pwd_h_update(hash, confirm_server, SHA256_MAC_LEN);
3503ff40c12SJohn Marino eap_pwd_h_final(hash, mk);
3513ff40c12SJohn Marino
3523ff40c12SJohn Marino /* stretch the mk with the session-id to get MSK | EMSK */
3533ff40c12SJohn Marino if (eap_pwd_kdf(mk, SHA256_MAC_LEN,
3543ff40c12SJohn Marino session_id, SHA256_MAC_LEN + 1,
3553ff40c12SJohn Marino msk_emsk, (EAP_MSK_LEN + EAP_EMSK_LEN) * 8) < 0) {
3563ff40c12SJohn Marino return -1;
3573ff40c12SJohn Marino }
3583ff40c12SJohn Marino
3593ff40c12SJohn Marino os_memcpy(msk, msk_emsk, EAP_MSK_LEN);
3603ff40c12SJohn Marino os_memcpy(emsk, msk_emsk + EAP_MSK_LEN, EAP_EMSK_LEN);
3613ff40c12SJohn Marino
3623ff40c12SJohn Marino return 1;
3633ff40c12SJohn Marino }
364*a1157835SDaniel Fojt
365*a1157835SDaniel Fojt
eap_pwd_element_coord_ok(const struct crypto_bignum * prime,const u8 * buf,size_t len)366*a1157835SDaniel Fojt static int eap_pwd_element_coord_ok(const struct crypto_bignum *prime,
367*a1157835SDaniel Fojt const u8 *buf, size_t len)
368*a1157835SDaniel Fojt {
369*a1157835SDaniel Fojt struct crypto_bignum *val;
370*a1157835SDaniel Fojt int ok = 1;
371*a1157835SDaniel Fojt
372*a1157835SDaniel Fojt val = crypto_bignum_init_set(buf, len);
373*a1157835SDaniel Fojt if (!val || crypto_bignum_is_zero(val) ||
374*a1157835SDaniel Fojt crypto_bignum_cmp(val, prime) >= 0)
375*a1157835SDaniel Fojt ok = 0;
376*a1157835SDaniel Fojt crypto_bignum_deinit(val, 0);
377*a1157835SDaniel Fojt return ok;
378*a1157835SDaniel Fojt }
379*a1157835SDaniel Fojt
380*a1157835SDaniel Fojt
eap_pwd_get_element(EAP_PWD_group * group,const u8 * buf)381*a1157835SDaniel Fojt struct crypto_ec_point * eap_pwd_get_element(EAP_PWD_group *group,
382*a1157835SDaniel Fojt const u8 *buf)
383*a1157835SDaniel Fojt {
384*a1157835SDaniel Fojt struct crypto_ec_point *element;
385*a1157835SDaniel Fojt const struct crypto_bignum *prime;
386*a1157835SDaniel Fojt size_t prime_len;
387*a1157835SDaniel Fojt
388*a1157835SDaniel Fojt prime = crypto_ec_get_prime(group->group);
389*a1157835SDaniel Fojt prime_len = crypto_ec_prime_len(group->group);
390*a1157835SDaniel Fojt
391*a1157835SDaniel Fojt /* RFC 5931, 2.8.5.2.2: 0 < x,y < p */
392*a1157835SDaniel Fojt if (!eap_pwd_element_coord_ok(prime, buf, prime_len) ||
393*a1157835SDaniel Fojt !eap_pwd_element_coord_ok(prime, buf + prime_len, prime_len)) {
394*a1157835SDaniel Fojt wpa_printf(MSG_INFO, "EAP-pwd: Invalid coordinate in element");
395*a1157835SDaniel Fojt return NULL;
396*a1157835SDaniel Fojt }
397*a1157835SDaniel Fojt
398*a1157835SDaniel Fojt element = crypto_ec_point_from_bin(group->group, buf);
399*a1157835SDaniel Fojt if (!element) {
400*a1157835SDaniel Fojt wpa_printf(MSG_INFO, "EAP-pwd: EC point from element failed");
401*a1157835SDaniel Fojt return NULL;
402*a1157835SDaniel Fojt }
403*a1157835SDaniel Fojt
404*a1157835SDaniel Fojt /* RFC 5931, 2.8.5.2.2: on curve and not the point at infinity */
405*a1157835SDaniel Fojt if (!crypto_ec_point_is_on_curve(group->group, element) ||
406*a1157835SDaniel Fojt crypto_ec_point_is_at_infinity(group->group, element)) {
407*a1157835SDaniel Fojt wpa_printf(MSG_INFO, "EAP-pwd: Invalid element");
408*a1157835SDaniel Fojt goto fail;
409*a1157835SDaniel Fojt }
410*a1157835SDaniel Fojt
411*a1157835SDaniel Fojt out:
412*a1157835SDaniel Fojt return element;
413*a1157835SDaniel Fojt fail:
414*a1157835SDaniel Fojt crypto_ec_point_deinit(element, 0);
415*a1157835SDaniel Fojt element = NULL;
416*a1157835SDaniel Fojt goto out;
417*a1157835SDaniel Fojt }
418*a1157835SDaniel Fojt
419*a1157835SDaniel Fojt
eap_pwd_get_scalar(EAP_PWD_group * group,const u8 * buf)420*a1157835SDaniel Fojt struct crypto_bignum * eap_pwd_get_scalar(EAP_PWD_group *group, const u8 *buf)
421*a1157835SDaniel Fojt {
422*a1157835SDaniel Fojt struct crypto_bignum *scalar;
423*a1157835SDaniel Fojt const struct crypto_bignum *order;
424*a1157835SDaniel Fojt size_t order_len;
425*a1157835SDaniel Fojt
426*a1157835SDaniel Fojt order = crypto_ec_get_order(group->group);
427*a1157835SDaniel Fojt order_len = crypto_ec_order_len(group->group);
428*a1157835SDaniel Fojt
429*a1157835SDaniel Fojt /* RFC 5931, 2.8.5.2: 1 < scalar < r */
430*a1157835SDaniel Fojt scalar = crypto_bignum_init_set(buf, order_len);
431*a1157835SDaniel Fojt if (!scalar || crypto_bignum_is_zero(scalar) ||
432*a1157835SDaniel Fojt crypto_bignum_is_one(scalar) ||
433*a1157835SDaniel Fojt crypto_bignum_cmp(scalar, order) >= 0) {
434*a1157835SDaniel Fojt wpa_printf(MSG_INFO, "EAP-pwd: received scalar is invalid");
435*a1157835SDaniel Fojt crypto_bignum_deinit(scalar, 0);
436*a1157835SDaniel Fojt scalar = NULL;
437*a1157835SDaniel Fojt }
438*a1157835SDaniel Fojt
439*a1157835SDaniel Fojt return scalar;
440*a1157835SDaniel Fojt }
441*a1157835SDaniel Fojt
442*a1157835SDaniel Fojt
eap_pwd_get_rand_mask(EAP_PWD_group * group,struct crypto_bignum * _rand,struct crypto_bignum * _mask,struct crypto_bignum * scalar)443*a1157835SDaniel Fojt int eap_pwd_get_rand_mask(EAP_PWD_group *group, struct crypto_bignum *_rand,
444*a1157835SDaniel Fojt struct crypto_bignum *_mask,
445*a1157835SDaniel Fojt struct crypto_bignum *scalar)
446*a1157835SDaniel Fojt {
447*a1157835SDaniel Fojt return dragonfly_generate_scalar(crypto_ec_get_order(group->group),
448*a1157835SDaniel Fojt _rand, _mask, scalar);
449*a1157835SDaniel Fojt }
450